W. Gregory Voss
Associate Professor of Business Law at TBS Business School (Toulouse Business School), W. Gregory Voss teaches on TBS's Toulouse and Barcelona campuses. Voss is a member of TBS's Artificial Intelligence & Business Analytics Cluster. He is an associate member of IRDEIC (Research Institute in European, International and Comparative Law), a Jean Monnet Centre of Excellence, Toulouse 1 Capitole University, a member of the Editorial Board (a Staff Editor) of the American Business Law Journal, and a member of the Board of Directors of the French Academy of Legal Studies in Business (AFD&M).
Voss also is admitted as an attorney (New York), and was formerly admitted as an avocat (Toulouse, 2009-2017) and as a solicitor (England and Wales, not practicing). Prior to teaching, he worked in private practice and in industry. He is a Past Co-Chair of the American Bar Association Section of International Law (ABA SIL)'s Privacy, E-Commerce, and Data Security Committee, and a Past Chair of its International Intellectual Property Rights Committee. He also is a member of numerous other scientific institutes, academies and professional organizations, and has written (see publications below) and spoken (in France, Spain, Portugal (via webinar), the Netherlands, Canada and the U.S.) on European Union and American law, primarily in the fields of fundamental rights (privacy and data protection), business and human rights, legal strategy, data security law, and e-commerce law.
Voss holds a Juris Doctor degree from the University of Michigan Law School, a Master 2 degree in Law and Information Systems from the Toulouse 1 Capitole University, and a Bachelor of Science in Foreign Service (specialization in International Economics, with a focus on International Commerce and Finance) from Georgetown University.
Phone: +33 (0)5 61 29 47 46
Address: Toulouse Business School
1, place Alphonse Jourdain
CS 66810
31068 Toulouse cedex 7
France
Papers by W. Gregory Voss
partner of the United States—the European Union—places restrictions on crossborder transfers of personal data exported from the European Union. Destination countries must benefit from a decision by the European Commission that their data protection practice is “adequate” to import data, or transfer tools must be used to further protect those data. The United States does not benefit from such a decision and an arrangement that previously allowed data to continue to flow to the United States—the Privacy Shield—was invalidated by the Court of Justice of the European Union in 2020 in a case that is known as Schrems II.
This study focuses on EU-U.S. personal data transfers. It provides a holistic view of the legal parameters involved in transatlantic data transfer compliance post-Schrems II, relevant developments past and future, and potential compliance actions, supplemented with relevant guidance and an analysis of enforcement actions. Such compliance is considered the most difficult task of privacy professionals today. The aim is to give a fuller understanding in this context of the EU General Data Protection Regulation (GDPR), which sets out the cross-border data transfer restriction, with a view to potential pathways to navigate those challenges.
Following the Introduction, this study dives into both the cross-border transfer restriction contained in the GDPR, and into the Schrems II ruling. EU-U.S. negotiations to try to build a replacement for the Privacy Shield are discussed. A new 2021 version of the standard contractual clauses transfer tool, used to allow data exports, is analyzed. In addition, the requirement to respect the essence of fundamental rights and freedoms set out in the Schrems II judgment is explained. Supplemental measures to ensure data protection and to allow transfers to jurisdictions with problematic legislation, such as the United States (with its surveillance laws), are detailed. Furthermore, European Economic Area data protection enforcement action in the domain of cross-border transfers is studied, including a recent case relating to the use of the popular Google Analytics tracking cookies. Finally, lessons for compliance are drawn, prior to concluding remarks.
NB: This article is available for download in full text via the Journal's website, currently at this address: https://www.bu.edu/jostl/current-issue/
The lack of harmonization of Member State implementing legislation and the development of new technologies led to the adoption of a uniform EU law in the form of the General Data Protection Regulation (GDPR), which has had international impact. The GDPR develops further individual rights and continues cross-border transfer restrictions, while including clearer extraterritorial application when the personal data of individuals in the European Union are collected, thus recognizing that cyberspace does not end at borders.
Among the several sub-goals of sanctions, this study determines that the most relevant for an analysis of GDPR sanctions—which are administrative, regulatory and financial sanctions, in large part—is the deterrence function, beyond the symbolic functions. This demands effective and substantial administrative fines. While these are not the only sanctions available under the GDPR—this study also sets out a range of possible sanctions, such as judicial compensation and orders to halt data processing—they are perhaps the most characteristic of data protection enforcement. However, through what is referred to as the one-stop-shop mechanism, the Irish DPA is the lead authority for most of the U.S. Tech Giants, and it has failed to act against them up to now, resulting in a potential lack of deterrence. This study argues that, on the one hand, companies should embrace compliance, and on the other hand, truly dissuasive administrative fines must be issued by supervisory authorities when they are justified, in order for the sanctions to have their necessary deterrence effect.
The European Union's General Data Protection Regulation (GDPR) became applicable in May 2018. Due to the GDPR's extraterritorial scope, which could result in massive fines for U.S. companies, comparative data privacy law is of great current interest. In June 2018, California passed its own Consumer Privacy Act, echoing some of the provisions of the GDPR. Despite the many articles comparing the two schemes of law, little attention has been given to the foundation of these laws, that is, what exactly encompasses the data referred to by these laws? By understanding how the term “personal data” or “personal information” is defined in both jurisdictions, and why these definitions and the treatment of protected data are so different, companies can strategize to take advantage of these developments in the European Union. After explaining the differences in how data is treated in the United States and the European Union by exploring the definitions, regulations, and court cases, we will explore the five legal strategy pathways that companies might pursue with respect to the legal aspects of data transfer and privacy law compliance. While these strategies range from ignoring the law to adopting the European model worldwide, this analysis of legal strategy reveals a means for companies to gain a competitive advantage through their adoption of a worldwide compliance scheme.
The General Data Protection Regulation (GDPR) prohibits the transfer of personal data outside of the European Economic Area (EEA) to countries without “adequate” privacy protections. As the United States is considered to have insufficient protections, the EC requires that an approved mechanism, such as the Privacy Shield—its agreement with the United States that permits U.S. companies to self-certify that they will meet certain minimum privacy protections—be used for such transfers. Alternative mechanisms include standard contractual clauses (SCCs). Suspension of any one approved mechanism may call into question the legitimacy of the others.
Although the Privacy Shield survived its first EC review in 2017, many called for the EC to suspend the Privacy Shield at its second review due to a number of factors: the continuation of the Schrems case; the failure of the U.S. government to enact the recommendations made in the 2017 Privacy Shield review; and recent U.S. government actions demonstrating disregard for data privacy protection. The EC chose to back down instead of proceeding to a clash.[7] In a report issued on December 19, 2018 (2018 Report), the EC indicated that the Privacy Shield had passed its second review, subject to the United States appointing a permanent Privacy Shield Ombudsperson by February 28, 2019. Before analyzing the 2018 Report, it is important to understand why the U.S.'s commitment to the Privacy Shield mechanism seems tenuous, at best.
EU Data Protection Agencies have been vigorously enforcing violations of regional and national data protection law in recent years against U.S. tech companies, but few changes have been made to their business model of exchanging free services for personal data. With the Cambridge Analytica debacle revealing how insufficient American privacy law is, we now find ourselves questioning whether the General Data Protection Regulation (GDPR) is not the onerous 99-article regulation to be feared, but rather a creation years ahead of its time. This paper will explain how the differences in U.S. and EU privacy and data protection law and ideology have led to a wide divergence in enforcement actions, and what U.S. companies will need to do in order to legally process the data of their users in the EU. The failure of U.S. tech companies to fulfill the requirements of the GDPR, which has extraterritorial application and becomes applicable on May 25, 2018, could result in massive fines (up to $4 billion using the example of Google). The GDPR will mandate a completely new business model for these U.S. tech companies that have been operating for well over a decade with very loose restrictions under U.S. law. Will the GDPR be the end of Google and Facebook, or will it be embraced as the gold standard of how companies ought to operate?
This final formatted copy of the article was first published in 50 (3) Revue juridique Thémis de l'Université de Montréal (RJTUM) 783-820 and is available on the journal's website at https://ssl.editionsthemis.com/revue/article-4951-internal-compliance-mechanisms-for-firms-in-the-eu-general-data-protection-regulation.html.
In the first case, Article 29 Working Party guidance on anonymization techniques – so important in the field of big data – is discussed and distinguished from pseudonymization. Next, Google privacy policy enforcement action by various EU Member State data protection agencies (inter alia, France, Germany, Italy, the Netherlands and Spain) is chronicled, with lessons being drawn for businesses regarding privacy policies and data protection compliance generally. Thirdly, the European Union Court of Justice joined cases Digital Rights Ir. Ltd. v. Minister for Comm. Marine & Natural Res., invalidating the EU Data Retention Directive, which was applicable to providers of publicly available electronic communications services and public communications networks, such as ISPs and telecom operators, are analyzed and the WP29 reaction to the decision is discussed.
The Data Retention Directive decision and recent legislative action on the proposed EU General Data Protection Regulation (GDPR) highlight the importance in Europe of the protection of individuals’ fundamental rights to privacy and freedom of expression in the internet and telecommunications context. Finally, this article discusses recent developments regarding the GDPR, while the revelations of U.S. NSA mass surveillance programs continued to preoccupy European lawmakers.
Research in Law, which presents true specificities, is inseparable from legal teachings. The impact of this research on all those who use the Law and, more generally, on society, is real. The measurement of the extent of this impact, however, remains a delicate operation, even if some options are worth exploring.
In the light of this evolution both in terms of ENISA's fundamental regulation and its role, this chapter first provides an overview of theoretical perspectives regarding the accountability of EU agencies, as they are relevant to assess ENISA's accountability, and describes ENISA as an expert body. Next, ENISA's role in connection with certain aspects of EU legislation in data protection, ePrivacy, and cybersecurity is detailed, and most notably its creation of 'soft law' in these domains. An early challenge to ENISA's legal basis is also discussed. The evolution of ENISA's mandate, evidencing its growing importance, is detailed, and changes to its governance structures, as one solution to accountability challenges, are studied. Finally, additional discussion of accountability of ENISA in connection with its increased law ensues, with particular attention paid to its 'soft law' role, and the potential need for a higher level of ex ante control in the form of greater 'proceduralisation' of law-making, prior to making a forward-looking conclusion.
During the reading of Benabou and Rochfeld's book, we note that an important actor in the creation of value—the consumer—does not necessarily receive his or her share of the resulting value. The law, which has a role in defending certain values, whether it be copyright law, competition law, or contract law, has difficulties dealing with new paradigms created by new technologies and information. In Europe, fundamental rights and consumer law are supposed to help the web user, but do they go far enough? The book's authors propose beginnings of solutions to the law's difficulties in this context, based on transparency, technical mastery of content by the consumers who created it, control of consent, and collective action. Although the book leaves us hungry for more, it also leaves us thought-provoked, as the reviewer comments. Citation: 2017 U. ILL. J.L. TECH. & POL'Y 469-485 (Fall 2017, Issue 2).