Is the EU Engaging in Impermissible Indirect Regulation of UN Action? Controversies over the General Data Protection Regulation

The General Data Protection Regulation (GDPR), a robust and ambitious framework for the protection of the personal data of natural persons adopted by the European Union in 2016, has found an unlikely stakeholder. On 14 May 2020, the United Nations Secretariat sent an eloquent and detailed set of comments to the European Data Protection Board, outlining the ways in which the GDPR comes to the detriment of the organizations of the UN System, and making legal objections to certain aspects of the regulation.

In a nutshell, under Articles 44 to 50 of the GDPR, personal data may only be transferred to – or for processing in – a third country or an international organization if the latter offers a level of privacy rights protection that is “essentially equivalent” to that provided within the EU (as confirmed in strong terms by the recent judgment of the Court of Justice of the EU in Schrems II). That this condition has been met can be certified by a decision of the European Commission to the effect that the relevant country or organization “ensures an adequate level of protection”. In the alternative, the controller or processor of the data must offer “appropriate safeguards” that the data will be properly handled, but this option is only open if the relevant country or organization recognises essentially equivalent “enforceable data subject rights” and “effective legal remedies for data subjects”. Other than that, the GDPR allows for “derogations for specific situations”, such as when “the transfer is necessary for important reasons of public interest”.

In its comments, the UN claims that this legal regime unduly interferes with its activities in three ways. First, it notes that that the GDPR is jeopardising the relationship of UN-System organizations with “implementing parties” and “vendors” who, apprehensive of the imposition of significant penalties by the supervisory authorities of EU member states, are reluctant to transfer personal data that is necessary for those organizations to do their job. Second, it points out that the GDPR has made it difficult for the UN to conclude suitable agreements with service providers. Third, it complains that the GDPR has been posing  obstacles to voluntary funding that the European Commission and EU member states offer to UN programmes and operations. To ensure that those interferences are addressed, the UN urges the EU, among other things, to issue additional guidelines to clarify that the GDPR applies neither to UN-System organizations nor to private entities processing or transferring data on their behalf.

International law limits to indirect regulation

To the extent that a regulation issued by a state or an international organization constitutes a lawful exercise of territorial or personal jurisdiction, its extra-territorial effects will not be problematic from the viewpoint of general international law. Sovereign equals may neither exercise public power over one another nor intervene coercively in each other’s internal affairs, but international law does not prevent them from nudging others in certain directions by regulating the conduct of private parties, even when such regulation is perceived as illegitimate. The UN is no ‘sovereign equal’, tough, and what makes its objections to the GDPR interesting, and distinct from those of countries such as the United States, is the fact that they are distinctively based on international law.

The UN complains that the GDPR conflates third states and international organizations and is inconsistent with the privileges and immunities owed by EU member states to UN-System organizations. As I have argued elsewhere, third states are for the most part entitled – and indeed required – to treat an international organization as if it were a foreign State. But the same is not true of member states that undertake, under constituent instruments or other relevant treaties, to accord to their organization a higher level of legal protection than that which foreign states are owed. In the UN’s case, all members are bound by Article 105(1) of the UN Charter to ensure that the organization enjoy, in their territory, “such privileges and immunities as are necessary for the fulfilment of its purpose”. The 162 states that are party to the 1946 Convention on the Privileges and Immunities of the United Nations, including all EU states, must accord “immunity from every form of legal process” to UN “property and assets wherever located and by whomsoever held”.

The legal picture is complicated, however, by the fact that the EU is not a party to the UN Charter or to the 1946 Convention, and is thus not bound by the rules found in those instruments as a matter of public international law. In contrast, an obligation to comply with the UN Charter in certain cases has been affirmed, as a matter of EU law, through a reading of Articles 3 and 21 of the Treaty on European Union alongside Article 351 of the Treaty on the Functioning of the European Union. As a result, in its exchanges with the EU over the GDPR, the UN is put in the awkward position of having to rely on the individual obligations of EU member states (which are required to give priority to UN law over EU law by Article 103 of the Charter) and on provisions of EU law (which the UN has no standing to invoke).

Normative anxieties created by EU’s indirect regulation of UN action

The exchanges between the UN and the EU have so far struck a conciliatory tone. The European Data Protection Board recognises that the GDPR is not applicable to UN-System organizations, and that the application of the GDPR to private entities providing services to international organizations may require some adjustments. The Board also acknowledges the questions raised by the UN and signals a willingness to resolve them. Yet, that exchange invites reflection on the somewhat precarious position in which even an organization as powerful as the UN finds itself in dealing with a supranational institution like the EU. I shall highlight two points.

First, despite the conciliatory tone, it is hard not to look at the exchange without thinking about Kadi and the spectre of ‘EU law exceptionalism’. In its landmark judgment of 2008, the CJEU upheld EU law over the obligations of EU member states to comply with resolutions of the UN Security Council. The Court of Justice observed that EU law forms the “autonomous legal system” of a “community based on the rule of law”, which “is not to be prejudiced by an international agreement” and comprises “a complete system of legal remedies and procedures”. That kind of dualistic institutional sensibility, coupled with the fact that the EU is not formally bound by the UN Charter, creates some anxiety that EU institutions may be more willing, and more able, to challenge multilateral efforts at the UN than the EU states would individually.

There can be benefits, of course, in the kind of ‘peer review’ of UN action that the EU has proved capable of conducting. Kadi was, after all, the catalyser of much needed reform in the delisting process at the Security Council. It is thus only appropriate that the UN, in its comments, takes pains to declare its longstanding commitment to the protection of privacy rights, most recently articulated in the 2018 Personal Data Protection and Privacy Principles. But to what extent should the EU be entitled to interfere with UN action in the name of protecting the rights of EU citizens? In a veiled rebuke to ‘EU law exceptionalism’, the UN emphasises that the GDPR is “similar in nature, vis-à-vis international law, to the internal law of its Member States”, the upshot being that “European Union Member States would not be able to assert that their failure to comply with obligations under international law is justified by virtue of contrary European Union law provisions”.

Secondly, the exchange between the UN and the EU reminds us of the challenges that a universal organization which lacks the supranational institutional features of the EU faces when operating in the territory of its member states. The crux of the discussions between the UN and the EU, as noted above, are the detrimental effects of the GDPR on the relationship between the UN and the private entities on the services of which the UN depends. Areas of UN action impaired by the GDPR are said to include care for refugees, health research and migration.

It is tempting to picture UN-System organizations as unaccountable entities shielded by exorbitant privileges and immunities. That may well be a fair criticism sometimes, but it is important to remember that one of the reasons why those organizations enjoy extensive privileges and immunities is that, unlike states, they are exposed to the rules of myriad domestic legal systems whenever they need to engage in transactions with private parties. They do not have the luxury of dealing with private parties under their own legal system, for they are not political communities with a territory and population. That is why, when contracting with private parties in the territory of a member state, the UN becomes exempt from certain forms of domestic regulation (direct taxation being the classic example) and from the jurisdiction of domestic courts. In contrast, private parties remain, in principle, subjected to the domestic law of the state(s) where they find themselves.

Which gives rise to a tricky question: when does respecting the privileges and immunities of an international organization require member States to exempt not only the organization itself, but also private entities, from certain forms of domestic regulation? The UN’s current stance on the GDPR is that data collected by, or on behalf of, the UN-System organizations constitute “property and assets” that must not be subjected to any form of interference. On that basis, the UN argues that it would be “impermissible for States” (and, a fortiori, for the EU) “to interfere, legislatively or otherwise, with the handling of data” by “implementing partners and vendors of United Nations System Organizations… instructed to act on behalf of those Organizations and in furtherance of their mandates”. The question of where to draw the line between permissible and impermissible interference with UN action through rules imposed on private entities is bound to remain controversial, but it is easy to apprehend why UN-System organizations may need some protection from such forms of “indirect regulation”. The UN argues that “the reasons of public interest for which the United Nations operates must be defined at the international level by reference to the will of its Member States collectively, and not under European Union law”. Whether or not one agrees with this position, it merits serious engagement.