Answer given by Ms Kroes on behalf of the Commission
The Commission is particularly mindful of third countries' legislation, whose possible extraterritorial application could jeopardise the individuals' fundamental right to protection of their personal data in the EU. As a matter of international public law, no foreign legal act as such can overrule relevant EU legislation or Member States laws, including the data protection acquis. Any processing of personal data in the EU has therefore to respect applicable EU data protection law. It is primarily for national authorities, in particular the independent data protection authorities, to monitor compliance with data protection rules and monitor and investigate any violations thereof. This subject is also being regularly raised by the Commission with the US authorities in the context of ongoing dialogue on different matters, including in the framework of the negotiation of a comprehensive EU-US agreement on the exchange of personal data between judicial and police authorities that should provide a high level of privacy protection for all individuals, while facilitating the exchange of data needed to fight crime.
The Commission also proposed a new Data Protection Package(1), which addresses this question in Recital (90). Moreover, the Cloud Computing Communication(2) addressed some aspects of international data transfers in the context of cloud computing services. It aims to review standard contractual clauses applicable to the transfer of personal data to third countries, adapt these to cloud services and call upon national data protection authorities to approve Binding Corporate Rules for cloud service providers.