Key Points

• The GDPR deploys various notions to describe the standard(s) of protection required for international transfers of personal data depending on the basis on which the transfer is carried out. However, in Schrems II the Court has established that one single standard of protection should be achieved for all types of transfers, namely the ‘essentially equivalent standard of protection’. This finding is motivated by the will to ensure a continuity of the GDPR-like protection but finds little support in the text and architecture of the GDPR.
• The finding of a single standard of protection made it necessary for the Court to equate the content of Articles 45 and 46 GDPR as to the elements the two provisions indicate as relevant in achieving the desired level of protection. This equation introduces confusion as to which elements constitute requirements and which mere criteria to be taken into consideration while adopting appropriate safeguards. Such ‘defined’ standard clashes with the principle of legal certainty, in particular considering that a non-compliance with the GDPR can generate serious financial repercussions for data controllers and processors.
• The attempt to unveil the content of the single standard of protection allows to draw some broad conclusions about what the essential equivalence is. However, a closer look at the Court’s case law reveals that this standard is much higher than the Court would like to admit, making the distinction between equivalence and essential equivalence very theoretical.
• The level of protection of personal data required from third countries (always compared to EU law) is—in the instances falling outside of the scope of EU law such as national security—even higher than the one followed by Member States (which are bound by the ECHR in this regard). This paradox is not only an inconvenience for the EU’s relations with third countries undermining its leverage to improve the protection of personal data globally, but in the context of Convention 108, it may amount to a violation of legal obligations incumbent upon Member States. In addition, such approach might ultimately disserve the objective of improving data protection globally.

中文翻译：

---

根据 GDPR 对个人数据国际传输的一定保护标准

关键点

• GDPR 部署了各种概念来描述国际传输个人数据所需的保护标准，具体取决于进行传输的基础。然而，在Schrems II中，法院已确定所有类型的转让都应达到一个单一的保护标准，即“基本等效的保护标准”。这一发现的动机是确保类似 GDPR 的保护的连续性，但在 GDPR 的文本和架构中几乎没有得到支持。
• 单一保护标准的发现使得法院有必要将 GDPR 第 45 条和第 46 条的内容等同于这两个条款表明与实现所需保护水平相关的要素。这个等式会混淆哪些要素构成要求，以及在采用适当的保障措施时应考虑哪些标准。这种“定义”的标准与法律确定性原则相冲突，特别是考虑到不遵守 GDPR 可能会对数据控制者和处理者产生严重的财务影响。
• 试图揭示单一保护标准的内容，可以得出一些关于什么是基本等效的广泛结论。然而，仔细研究法院的判例法会发现，该标准远高于法院愿意承认的标准，这使得等效和基本等效之间的区别非常理论化。
• 第三国要求的个人数据保护水平（总是与欧盟法律相比）——在国家安全等欧盟法律范围之外的情况下——甚至高于成员国所遵循的水平（受欧洲人权法院在这方面）。这一悖论不仅给欧盟与第三国的关系带来不便，削弱了其在全球范围内改善个人数据保护的影响力，而且在第 108 号公约的背景下，它可能违反了成员国应承担的法律义务。此外，这种方法最终可能会损害改善全球数据保护的目标。