1. Proportionality overlooked
With the recent publication of their guidance on international personal data transfers (a draft of Recommendation 01/2020 and a final version of 02/2020; November 2020), the European Data Protection Board (EDPB) has provided advice on how such transfers should occur within the framework of the General Data Protection Regulation (GDPR). This was long-awaited, especially since the Court of Justice of the European Union’s (CJEU) seminal judgment in Case C-311/18 (Schrems II) in July 2020, in which the CJEU (yet again) struck down a general mechanism for data transfers to the private sector in the United States (US) (technically, an adequacy decision, called “Privacy Shield”) and furthermore declared that the so-called “appropriate safeguards” – a group of legal mechanisms for such transfers (Articles 46-47 GDPR) – might not always be appropriate.
Both the Schrems II judgment and the aforementioned EDPB guidance have immediately sparked much debate in academia (for example, here) and among data protection practitioners (for example, here) on how to actually transfer personal data, especially towards the US, without breaching the GDPR. These vivid debates tend to focus mainly on compliance issues, though from a broader perspective, both the judgment and the guidance also demonstrate that one of the most complex yet uncharted legal concepts has gained more and more prominence in the GDPR – proportionality. In our view, both Schrems II and the EDPB guidance confirm and endorse the entrance of proportionality to the area of data transfers. However, this is not the only use of proportionality in the GDPR.
The increased usage of proportionality in the GDPR has, in our view, so far not received sufficient academic and professional attention, despite its significance and the practical difficulties it brings to the fore. This stands in a stark contrast with the rich debate on proportionality per se and on parallel, equally significant elementary recent developments in the GDPR, e.g. the risk-based approach or the strengthening of the principle of accountability.
Putting aside the critical appraisal of the Schrems II judgment and the EDPB guidance, with this exploratory blog post we intend to draw attention to the increasing usage of proportionality in the GDPR and to its significance. We further intend to map its use in the GDPR, direct or indirect, focusing on the example of the most recent developments in data transfers, this way paving a way for further research. To paraphrase Leonard Cohen, proportionality has come to the GDPR, yet this does not mean it had not been there before, in data protection law, e.g. in the Data Protection Directive (DPD), the predecessor of the GDPR. It rather means – as in Cohen’s song Democracy – that the GDPR is nowadays “really where the experiment is unfolding” and this “experiment” of proportionality makes the GDPR a “real laboratory” thereof, bringing ramifications for the broader field of EU data protection law and – even – human rights law. This “experiment” brings to the fore profound consequences for both theory and practice of personal data protection, hence meriting both academic and professional attention.