European Digital Sovereignty Data Protection and T
2020), https://www.consilium.europa.eu/media/45910/021020-euco-final-conclusions.pdf.
Theodore Christakis, European Digital Sovereignty, Data Protection, and the Push toward Data Localization In: Data
Sovereignty. Edited by: Anupam Chander and Haochen Sun, Oxford University Press. © Oxford University Press 2023.
DOI: 10.1093/oso/9780197582794.003.0015
372 Digital Sovereignty, Data Protection and Localization
tween the “Brussels Effect” and Europe’s Quest for Strategic Autonomy (2020), https://ssrn.com/abstract=3748098.
6 This chapter covers developments until March 2022.
7 Anupam Chander introduced the term “soft data localization” in order to refer to “a legal regime
that puts pressure on companies to localize, not by directly requiring localization of data or
processes, but by making alternatives legally risky and thus potentially unwise.” Anupam Chander, Is
Data Localization a Solution for Schrems II?, 23 J. Int’l Econ. L. 771, 772 (2020).
The Push Toward Data Localization in Europe 373
As far as we Europeans are concerned, our data is the most valuable industrial
asset we have. I have always said that I want Europeans’ data to
be processed, stored and processed in Europe. I have a feeling that Donald
Trump is saying the same thing. The Chinese and the Russians are doing it,
we will do it too.”9
8 Bertille Bayart & Jacques-Olivier Martin, Thierry Breton: “C’est aux Gafa de s’adapter à nos règles,
10 Laura Kayali & Florian Eder, Thierry Breton “Understands” Trump on TikTok, Wants Data Stored
1, 2020).
12 Vincent Manancourt, Europe’s Data Grab, Politico (Feb. 19, 2020), https://www.politico.eu/article/europe-data-grab-protection-privacy.
13 Id.
Reasons behind Calls for Data Localization 375
credentials already exist, but the market for them is small. If localization is a
key concern, more people would be buying these services.”14
A second hypothesis is that Europe is just following, in a rational or more irrational
way, a more general trend of several countries to take physical control of
the network architecture. Indeed, Europe is far from being the first global actor
to call for data localization. As the Global Data Alliance15 (a cross-industry co-
14 Id.
15 Global Data Alliance, https://www.globaldataalliance.org (last visited Aug. 30, 2022).
16 Global Data Alliance, About the Global Data Alliance, https://globaldataalliance.org/wp-content/uploads/2021/06/aboutgda.pdf (last visited Aug. 30, 2022).
For a mapping of data localization measures in place or proposed in different countries until 2015, see Anupam Chander & Uyên
P. Lê, Data Nationalism, 64 Emory L. Rev. 677 (2015). This “classic” study needs an update in light of
the very important trends toward data localization during the last five years.
17 Manancourt, supra note 11.
18 Laurens Cerulus, French Cyber Czar Promotes European Tech Sovereignty, Politico (Feb. 10, 2020),
https://subscriber.politicopro.com/article/2020/02/french-cyber-czar-promotes-european-tech-sovereignty-1876769.
Let’s turn now to the very important judgment issued by the CJEU on July
16, 2020, in order to analyze its effects on the debate about data localization in
Europe. I have five observations to make on this subject, following a chronological
order.
Flows of personal data to and from countries outside the Union [. . .] are
necessary for the expansion of international trade and international cooperation.
The increase in such flows has raised new challenges and concerns
with regard to the protection of personal data. However, when personal
The Schrems II judgment issued by the CJEU in July 2020 constituted an extremely
important development in this respect. In this judgment the Court
affirmed “strongly the importance of maintaining a high level of protection
of personal data transferred from the European Union to third countries
dealing in a comprehensive way with the issue of government access to data
not only by the United States but also by any other country.”21 The Court
not only invalidated the Privacy Shield arrangement between the EU and
the United States but also imposed several conditions on the use of Standard
21 Cf. Theodore Christakis, After Schrems II: Uncertainties on the Legal Basis for Data Transfers and
Constitutional Implications for Europe, Eur. L. Blog (July 21, 2020),
https://europeanlawblog.eu/2020/07/21/after-schrems-ii-uncertainties-on-the-legal-basis-for-data-transfers-and-constitutional-implications-for-europe.
Contractual Clauses (“SCCs”) as the legal basis for transfers to all countries
for which the European Commission had not already adopted adequacy
decisions. On July 16, 2020, the CJEU thus mostly closed the door on personal
data being allowed to leave Europe without an adequacy decision, but
left some windows open to enable data to find their way out of the bloc.
Immediately after Schrems II, some DPAs in Europe started calling for data
22 Press Release, Berliner Beauftragte für Datenschutz und Informationsfreiheit, “Nach „Schrems
on International Data Transfers (Part 1), Eur. L. Blog (Nov. 13, 2020),
https://europeanlawblog.eu/2020/11/13/schrems-iii-first-thoughts-on-the-edpb-post-schrems-ii-recommendations-on-international-data-transfers-part-1;
Theodore Christakis, “Schrems III”? First Thoughts on the EDPB Post-Schrems II Recommendations on International Data Transfers (Part 2), Eur. L. Blog (Nov. 16, 2020),
https://europeanlawblog.eu/2020/11/16/schrems-iii-first-thoughts-on-the-edpb-post-schrems-ii-recommendations-on-international-data-transfers-part-2;
Theodore Christakis, “Schrems III”? First Thoughts on the EDPB Post-Schrems II Recommendations on International Data Transfers (Part 3), Eur. L. Blog (Nov. 17, 2020),
https://europeanlawblog.eu/2020/11/17/schrems-iii-first-thoughts-on-the-edpb-post-schrems-ii-recommendations-on-international-data-transfers-part-3.
The Influence of the Schrems II Judgment of the CJEU 379
present very briefly the main conclusions of this analysis before submitting
some additional thoughts in relation to the subject matter of this study.
The first conclusion of my analysis was that third countries might rarely
if ever meet the requirements set by the EDPB’s “European Essential
Guarantees” (EEG) Recommendations.24 This means that, beyond the 10
States/14 entities that have the opportunity of benefiting today from an EU
24 I refer here to one of the two documents published by the EDPB on Nov. 11, 2020,
entitled: “Recommendations 02/2020 on the European Essential Guarantees for surveillance
measures” (EEG Recommendations). Eur. Data Prot. Bd., Recommendations 02/2020 on the
European Essential Guarantees for Surveillance Measures (2020),
https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf.
The objective of these Recommendations is to provide data exporters with a guide,
based on the two European Courts’ jurisprudence, in order to determine whether foreign countries’
surveillance laws meet the European human rights requirements and could thus be considered as offering
an “essentially equivalent protection.”
25 See Adequacy Decisions: How the EU Determines If a Non-EU Country Has an Adequate Level of
2022 “Guidance on the use of cloud” notes (at 20) that “it is the opinion of the DDPA that (controllers)
may take a “worst case scenario” as the basis of (their) assessment i.e. base (their) assessment on the
assumption that all the concerned third countries have “problematic” legislation and/or practice. . . ”
See Danish Data Prot. Agency, Guidance on the Use of Cloud (2022),
https://www.datatilsynet.dk/Media/637824108733754794/Guidance%20on%20the%20use%20of%20cloud.pdf.
27 This is the second document adopted on Nov. 11, 2020, by the EDPB. Its full title is
“Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with
the EU level of protection of personal data” (“Recommendations on Supplementary Measures”). Eur.
Data Prot. Bd., Recommendations 01/2020 on Measures That Supplement Transfer Tools
to Ensure Compliance with the EU Level of Protection of Personal Data (2020),
https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf.
This guidance had been eagerly expected since Schrems II in order
to understand what kind of measures could allow data transfers to continue from the EU to the
United States and to other countries that do not offer an “equivalent” level of protection.
“It seems to us that in its current form such guidance would make it very
difficult for businesses to rely on SCCs. This is not only in conflict with the
European Commission’s new draft set of SCCs, but even with the Schrems
II decision itself.”30
ope.eu/publications/schrems-ii-impact-survey-report.
This initial EDPB guidance opened a debate about whether such strict
restrictions to transborder flows of personal data and data localization are a
necessary and proportionate response to the existing risks. The initial EDPB
guidance rejected the so-called risk-based approach. The EDPB seemed to
consider that, even if the risk of a foreign government accessing a specific category
of data is almost inexistent in practice, data should not be transferred
31 See U.S. Dept. of Com. et al., Information on U.S. Privacy Safeguards Relevant to
SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II (2020),
https://www.commerce.gov/sites/default/files/2020-09/SCCsWhitePaperFORMATTEDFINAL508COMPLIANT.PDF.
of data, however improbable its effective realization might be, prohibits the
transfer.32 Faced with criticism, the EDPB revised, nonetheless, its position
on this point and adopted a more flexible approach in its final guidance
published in June 2021.
32 For a detailed analysis of this issue, see Christakis, supra note 4, at 72–74.
33 See Commission Implementing Decision on Standard Contractual Clauses for the Transfer of
Personal Data to Third Countries Pursuant to Regulation (EU) 2016/679 of the European Parliament
and of the Coun, Annex, at 22–23, C (2021) 3972 final (June 4, 2021),
https://commission.europa.eu/system/files/2021-06/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf.
the EDPB noted in the section of its final guidance for the attention of data
exporters conducting a Transfer Impact Assessment that:
Alternatively, you may decide to proceed with the transfer without being
required to implement supplementary measures, if you consider that you
have no reason to believe that relevant and problematic legislation will
The EDPB followed this guidance with a series of conditions and safeguards
intended to “objectivise” the process and prevent abuse. Nevertheless,
by referring to the “practice related to the transferred data,” the EDPB left
a degree of room for a risk-based approach to international data transfers.
However, a few recent DPA decisions in Europe seem to reject this approach.
34 Id. at 18.
35 Eur. Data Prot. Supervisor, Decision of the European Data Protection Supervisor
in Complaint Case 2020–1013 Submitted by Members of the Parliament Against the
European Parliament (Jan. 5, 2022),
https://noyb.eu/sites/default/files/2022-01/Case%202020-1013%20-%20EDPS%20Decision_bk.pdf.
36 A translation of the decision can be found here:
https://noyb.eu/sites/default/files/2022-01/E-DSB%20-%20Google%20Analytics_EN_bk.pdf.
Taking all of these elements into consideration, one could ask this: What
is the likelihood that the NSA or other U.S. Intelligence agencies will try
to access Sephora cookie-related data (to use this website known to have
been targeted by a NoyB complaint as an example)? If one believes Google’s
37 See Gabriela Zanfir-Fortuna, Understanding Why the First Pieces Fell in the Transatlantic
Transfers Domino, Future of Privacy Forum (Jan. 27, 2022),
https://fpf.org/blog/understanding-why-the-first-pieces-fell-in-the-transatlantic-transfers-domino.
38 See Kent Walker, It’s Time for a New EU-US Data Transfer Framework, Google (Jan. 19, 2022),
https://blog.google/around-the-globe/google-europe/its-time-for-a-new-eu-us-data-transfer-framework.
Conclusion 385
IV. Conclusion
39 One should bear in mind however that, as the EDPB guidance and the model SCCs published by
the Commission show, the burden of proof that “the law is not interpreted and/or applied in practice
so as to cover” a specific category of transferred data lies with the data exporter. It is therefore
essential to deal adequately with this question in the Transfer Impact Assessment (TIA).
40 See Commission Nationale Informatique & Libertés, Décision n° [...] du [...] mettant en
wording that the processing of public sector data “should be limited to the
European Union” and intended to create a new blocking statute, for non-personal
data, which goes far beyond that which is already provided for personal
data by Article 48 of the GDPR.41 To be more precise, the draft included
a provision as follows:
These provisions met with strong reaction43 and finally disappeared in the official
draft published by the Commission less than a month later.44 However,
as discussed elsewhere, this official draft also included indirect and complex
mechanisms that might result in some form of “soft” data localization.45 Ken
Propp published more recently a critical comment on the “restrictive data
transfer features” of the final version of the DGA, as well as the more recent
“Data Act” proposed by the European Commission on February 23, 2022.
According to Propp:
The Commission has not yet explained in any detail why existing
protections against intellectual property theft and industrial espionage are
insufficient for international flows of non-personal data. Borrowing the
data transfer safeguards originally developed to protect individuals’ privacy
seems a cumbersome and imprecise solution, in any case. The immediate
consequence, as the Data Act begins to wind through the legislative
41 See Theodore Christakis, Transfer of EU Personal Data to U.S. Law Enforcement Authorities
after the CLOUD Act: Is There a Conflict with the GDPR?, in Cybersecurity and Privacy in a
Globalized World -Building Common Approaches 60 (Randal Milch et al. eds., 2019).
42 This leaked draft is available here: Melissa Heikkilä, Read the Commission’s Proposal on the Data
Data Governance (Data Governance Act), COM (2020) 767 final (Nov. 25, 2020).
45 See Christakis, supra note 4, at 74–80.
labyrinth, could be a foreign concern that the EU’s bid for greater autonomy
in the data economy is once again headed in a protectionist direction.46
European calls in favor of data localization are often motivated by genuine and
legitimate concerns, related to data protection, privacy considerations, and the
fear of foreign snooping into European personal and industrial data.
46 Kenneth Propp, Cultivating Europe’s Data Garden, Lawfare (Mar. 4, 2022),
https://www.lawfareblog.com/cultivating-europes-data-garden.
47 Christopher Kuner, Data Nationalism and Its Discontents, 64 Emory L. J. Online 2089, 2097
(2015).
48 See Peter Swire & De Brae Kennedy-Mayo, The Effects of Data Localization on
ography appearing there. See also Nigel Cory & Luke Daskoli, How Barriers to Cross-Border Data
Flows Are Spreading Globally, What They Cost, and How to Address Them, Info. Tech. & Innovation
Found. (July 19, 2021),
https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-globally-what-they-cost.
50 According to Politico’s Cyber Insights newsletter of Oct. 9, 2020.
51 Vincent Manancourt & Melissa Heikkilä, EU Eyes Tighter Grip on Data in ‘Tech Sovereignty’
with Ken Propp and Peter Swire, see Theodore Christakis et al., EU/US Adequacy Negotiations and
the Redress Challenge: How to Create an Independent Authority with Effective Remedy Powers, Eur.
L. Blog (Feb. 16, 2022),
https://europeanlawblog.eu/2022/02/16/eu-us-adequacy-negotiations-and-the-redress-challenge-how-to-create-an-independent-authority-with-effective-remedy-powers.
56 See Theodore Christakis & Fabien Terpan, EU-US Negotiations on Law Enforcement Access to
Data: Divergences, Challenges and EU Law Procedures and Options, 11 Int’l Data Privacy L. 81
(2021).
57 See Gabriela Zanfir-Fortuna, Dispatch from the Global Privacy Assembly: The Brave New World of
International Data Transfers, Future of Privacy Forum (Nov. 10, 2021),
https://fpf.org/blog/dispatch-from-the-global-privacy-assembly-the-brave-new-world-of-international-data-transfers.
58 Theodore Christakis et al., Towards OECD Principles for Government Access to Data: Can