The sanctioning of illegal transatlantic personal data transfers after the General Data Protection Regulation and the CJEU’s Schrems judgment

Show full item record

Title: The sanctioning of illegal transatlantic personal data transfers after the General Data Protection Regulation and the CJEU’s Schrems judgment
Author: Hallivuori, Tiia
Other contributor: Helsingin yliopisto, Oikeustieteellinen tiedekunta
University of Helsinki, Faculty of Law
Helsingfors universitet, Juridiska fakulteten
Publisher: Helsingin yliopisto
Date: 2017
Language: eng
Thesis level: master's thesis
Discipline: Rikosoikeus
Criminal law
Abstract: The subject of this thesis is the sanctioning of illegal personal data transfers between the EU and the United States after the General Data Protection Regulation (GDPR) and the case of Maximilian Schrems v Data Protection Commissioner of the Court of Justice of the European Union (CJEU), where the Court invalidated Safe Harbor, a mechanism specifically designed for personal data transfers to the U.S. The subject is approached from the point of view of criminal policy with the aim of creating recommendations based on practical arguments and the balancing of different normative considerations. Before the GDPR, Finland has relied solely on criminal sanctions with regard to personal data protection. However, the EU and the growing use of administrative sanctions have started to redefine the Finnish legislative landscape and the traditional views on criminal policy. The administrative fines of the GDPR are a part of this development, forming an interesting research topic along with the current, undeniably complex situation related to transatlantic personal data transfers. The first chapter aims to demonstrate the current issues related to the applicability of the data protection offence. After describing the new developments resulting from the GDPR and the CJEU case of Schrems concerning transatlantic personal data transfers, the administrative fines of the GDPR are assessed in light of the principles of legality, proportionality and culpability. In the final chapters, both criminal and administrative sanctions are assessed and compared with each other by taking into account their effectiveness and the objectives of Finnish criminal policy. As perhaps the majority of transborder data flows occur online, theories of technology regulation are also taken into account. While the administrative fines of the GDPR can be seen as a welcome improvement due to the shortcomings of criminal law as an enforcement method, there are still several issues which need to be addressed. While the EU’s requirement of effectiveness has been assessed by legislators, it seems that proportionality and coherence have not been given as much attention. This, in turn, has led to the inconsistency of sanctions. The Ministry of Justice recently set up a working group whose task is to assess whether there is a need for general legislation concerning punitive administrative sanctions and draft the proposals necessary for the enactment of such legislation. Hopefully this will lead to the development of a more consistent approach to the entire control policy including both criminal penalties and administrative sanctions of a penal nature.

Files in this item

Files Size Format View

There are no files associated with this item.

This item appears in the following Collection(s)

Show full item record