
Protection of Personal Data in Cyberspace: The EU-US E-Market Regime

Professors Tossapon Tassanakunlapan and Milagros Alvarez explain how personal data are managed in the EU-US context as well as the consequences of future agreements.


The goal of this article is to study the provision and implementation of Personal Data Protection in the EU-US Bloc, in order to initiate an International or Universal Regime.

Firstly, it reviews the old regime, which was enacted before the reformation process of the EU and the US. It shows that the legal consequences of each agreement will be different because their legal nature depends on their launching institution. The different scopes on actors and jurisdiction are critical; IT corporations are multi-national legal persons, subject to the law of a specific territory, but their activities are trans-border. Moreover, these instruments were created decades ago, so some out-of-date provisions are maintained in those legal documents. The implementation of data subjects’ rights is increasingly complicated because data is decentralized and under the control of various organizations, private companies and state authorities. Furthermore, the data controller/processor has a relationship with state authorities, or there exists a conflict of interests. Hence, the individual’s appeal for remedy is complex, as is the monitoring of duty bearer practice. The hard cases are presented in many court cases of the US Courts and the Court of Justice of the European Union, and in official reports of competent organizations.

The right to personal data protection often deals with the relationship between the exercise of rights and a state of emergency or the prosecution of crime and terrorism. As state authorities and courts weigh up the reasons for accessing certain data and the potential effect on an individual of such state surveillance, a better necessary precondition and proportionate solution must be provided. The EU had launched a set of regional instruments in 2016. Nonetheless, the problems come from US entities, intelligence authorities and IT corporations, which are subjects under US national security laws. Accordingly, the rights of global netizens are in the realm of US jurisdiction when their personal data is transferred, and it may be compromised by the US Government. Thus, the US was contracted to agree on bilateral instruments with the EU concerning the harmonization of data protection policies, as a trade partner in a single e-market, as well as the earlier responses the US took for supporting EU data subjects. These reforms of the EU and EU-US regime could be extracted or used, as a model, for initiating a universal regime.


The introduction section will outline all of the preliminary issues, the prerequisite knowledge and the framework of the research, on personal data protection in cyberspace. The studies of this article are based on the EU and EU-US e-market regime.

The uses of personal data from the internet are no longer performed locally, or even within well-scoped physical territories. Besides, trans-border personal data processing became personalized. Domestic data controllers are no longer needed to transmit their data subjects’ data across borders to other data controllers in order for trans-border exchanges to occur.(1) At present, social network applications enable users to upload their personal data to the “Account” or “Webpage”, going to and from unidentified destinations. With regard to data protection, it must be decided how, if at all, data can be protected to the same extent in cyberspace as in the “real” world.(2) It is usual that attempts to create a safe online society are even harder than in an offline environment because the amount of processed data is far greater than in the past.

The result of Study

The objective of this research is to analyze personal data protection in the EU and EU-US regime through the time of reforms. Firstly, the research will differentiate the old regime to protect the right to personal data in the digital age by 3 main issues and the failures the US system generated. Then the controversial cases revealed during 2013 and the benchmarks from EU and US Court decisions for leveling-up the data protection standard will be discussed and, after that, the springing up of reforms of personal data protection regimes that the EU and the US have launched to harmonize single e-market regulation.

1.1. Personal Data Protection under the EU and EU-US E-market legal regime prior to the 2013 reforms: main deficiencies/shortcomings and problems

Even though the goal of this research is to harmonize the provision and implementation of personal data protection for creating an international regime, the starting point will show the overlap and insufficiency of the old instruments. The old set of personal data protection laws, which was enacted before the reformation process of the EU and the US, had been heavily based on implementation at the domestic level.(3)

1.1.1. Predominance of US entities and its effects on global netizens

Most prominently, the discontents the US system brought to the personal data protection recourse came from a direct clash with the state intelligence operation in the national security realm.(4) The intention of the US government to conduct mass electronic surveillance on activities related to terrorism, especially on foreigners who were not under full US constitutional protection, may create further complicated situations for internet users around the world.(5) Since most of the dominant IT corporations are subject to US jurisdiction or transfer personal data to servers in US territory, the different standard would be the main threat to non-US citizen internet users.

US IT corporations are subject to US domestic laws, whereas the rights of global netizens are in the realm of US jurisdiction when such data is transferred to US territory or a US entity, and it may be compromised by the exercise of US authorities.

The data controller, i.e. the US IT corporation, has an obligation to secure its data system and notify data subjects and the state Data Protection Authority (DPA) when data breaches happen. The US DPA and the Federal Trade Commission, under the Ministry of Commerce, have a duty to provide preparatory and supporting advice,(6) especially when there was widespread massive electronic data surveillance by the US National Security Agency.(7) Before the revelations on June 5th of 2013, both the US DPA and IT corporations had done nothing. To meet the Adequacy Criterion of the EU,(8) the transfer of data across the Atlantic had been under a provision of the EU-US Safe Harbor Agreement, legalizing trans-border data flows.

The effectiveness of the enforcement regimes in various countries depends on the extent of judicial interpretation and on other comparative aspects of data protection laws.(9) There are processing dispute resolution procedures in the EU but not in the Safe Harbor Agreement.(10) The mass transfer of data of non-US citizens to US companies and authorities and the lack of an appropriate redress mechanism for them is an issue of extreme concern.(11)

The EU data protection regulators had launched an investigation into Google's data retention and privacy practices, which was extended to cover other search engines as well.(12) In 2012 the EPIC appealed to the United States District Court for the District of Columbia seeking disclosure of any communications between the National Security Agency (NSA) and Google Inc. regarding encryption and cyber security.(13) Many cases led to the revelation of cooperation between the NSA and IT corporations which impacted personal data protection.

The NSA's PRISM project collects data from the most powerful IT corporations of the world such as Google,(14) Yahoo, Facebook etc. The place, time and activity of people could be identified, tracked and traced in order from the big data collection(15) that is gathered from cyberspace globally, including data of non-US citizens outside US territory.

The US Courts have made decisions which set the precedent on data collecting and sharing by IT corporations and state authorities, because they are the subjects under US jurisdiction.(16) On December 16, 2013, the U.S. District Court ruled in Klayman v. Obama that the NSA's bulk collection of domestic telephone call detail records likely violated the Fourth Amendment (right to privacy and personal data protection).(17) This case celebrated the full constitutional rights enjoyed by the US citizen but the protection for the non-US citizen still remains.(18)

On the other side of the Atlantic, the Court of Justice of the European Union (CJEU) had launched a series of decisions relating to personal data protection by IT corporations and states, especially US national entities. Since then, there was the LIBE Report on Mass Electronic Surveillance, the MUSCULAR program, which collects more than twice as many data points compared to PRISM. The MUSCULAR program requires no warrants(19) and operates in coordination with the UK, an EU Member State at that time, and has made direct breaches on personal data of data subjects around the world.

A Facebook user, who claims his data was breached by US Agencies, filed the case called the Schrems Case after his name.(20) The CJEU ruling found that U.S. national security, public interest, and law enforcement requirements have “primacy” over the Safe Harbor principles, and that US undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements.(21) Consequently, the CJEU observed that the Safe Harbor scheme “enables interference” by US authorities “with the fundamental rights of the persons whose personal data is or could be transferred from the EU to the US.”(22)

The CJEU concluded that Safe Harbor and US legislation do not provide for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or to obtain the rectification or erasure of such data, and this compromises the essence of this fundamental right, which is an important component of the rule of law.(23) Thus, the Safe Harbor decision did not contain sufficient remedies for individuals in case of violations by IT corporations or a state national authority.

Therefore, the CJEU invalidated Safe Harbor on 6 October 2015. The EU and the US needed to renegotiate a new agreement to regulate data flows between both sides of the Atlantic.

In conclusion, the difficulties came from the failure of the US legal system to protect the personal data of data subjects. The inadequacy of the US system brought deterioration to the personal data protection. The program of the US government to conduct mass electronic surveillance on activities related to terrorism, especially on foreigners who are out of the full US constitutional protection, may present further obscure scenarios for internet users globally.


Suggested Citation:

Tassanakunlapan, Tossapon and Álvarez-Verdugo, Milagros, Protection of Personal Data in Cyberspace: The EU-US E-Market Regime (December 6, 2018). ASEAN Journal of Legal Studies, Vol. 1, No. 1, 2018. Available at SSRN:

Faculty of Law, Chiang Mai University

University of Barcelona

