Chapter 12 (International Data Transfers) Flashcards

1
Q

Transfers of personal data to any country outside of the European Economic Area (EEA) may only take place under what 3 conditions laid out in Chapter 5 of the GDPR?

A
  1. The third country ensures an adequate level of protection (as determined by the Commission) for the personal data
  2. In the absence of adequate levels of protection, the controller or processor wishing to transfer the data provides appropriate safeguards on the condition that enforceable data subject rights and effective legal remedies for data subjects are available.
  3. In the absence of an adequate level of protection or of appropriate safeguards, a transfer or set of transfers of personal data fits within one of the derogations for specific situations covered by the GDPR.
2
Q

What element of the GDPR will continue to be a serious barrier to international commerce?

A

Meeting adequacy requirements for data transfers.

3
Q

What are 3 situations not within the scope of a data transfer for GDPR purposes?

A
  1. Technical routing of packet-switching technology, such as internet email, which may involve random transfers of personal data between computer servers located anywhere in the world.
  2. Electronic access to personal data by travelers who happen to be physically located for a very short time in a place that doesn’t afford an adequate level of protection.
  3. Merely loading personal info onto a website that is hosted in that state or another member state so the info can be accessed by anyone who connects to the internet
4
Q

Does an intentional exchange of info about individuals, with the intention of automatically processing that personal info after it has been exchanged, qualify as a transfer for purposes of the GDPR?

A

Yes.

5
Q

What 3 elements does the Commission take into consideration when assessing whether a third country or an international org has an adequate level of protection?

A
  1. The rule of law; respect for human rights and fundamental freedoms; relevant legislation re public security, defense, national security, and criminal law; implementation of such legislation, data protection rules, professional rules and security measures; and effective and enforceable data subject rights
  2. The existence and effective functioning of one or more independent supervisory authorities charged with ensuring and enforcing data protection rules.
  3. The international commitments the third country or international org concerned has entered into, or the other obligations arising from legally binding conventions or instruments.
6
Q

If the Commission determines an adequate level of protection exists it creates an implementing act that provides what 3 things?

A
  1. Mechanism for a periodic review (at least every 4 years) considering all recent developments in the third country or international org.
  2. Specificity of its territorial and sectoral application
  3. Identification of the supervisory authority or authorities for ensuring and enforcing compliance with the data protection rules (where applicable)
7
Q

Under the Directive, what 11 countries did the Commission recognize as having adequate protection for personal data?

A
  1. Andorra
  2. Argentina
  3. Canada
  4. Faroe Islands
  5. Guernsey
  6. The Isle of Man
  7. Israel
  8. Jersey
  9. New Zealand
  10. Switzerland
  11. Uruguay
8
Q

Under the GDPR what 3 countries has the Commission recognized as having adequate protection for personal data?

A
  1. Japan
  2. South Korea
  3. United Kingdom
9
Q

Due to the large volume of data transferred between the US and the EU the Commission and the US Department of Commerce originally developed what as a self-regulatory framework allowing the Directive’s requirements for cross-border data transfers to be met?

A

The Safe Harbor mechanism

10
Q

What were 2 perceived weaknesses of the Safe Harbor framework?

A
  1. The fact that participants didn’t perform required annual compliance checks
  2. Lack of active enforcement by the FTC compared to other domestic cases
11
Q

What had a very visible effect on the way the EU regulated international transfers of personal data?

A

The disclosures by Edward Snowden in June 2013 about the mass surveillance operations carried out by the NSA.

12
Q

What 4 broad priorities did the Commission focus on to help address the Safe Harbor’s weaknesses and ensure a mechanism for facilitating commercial trans-Atlantic data flows?

A
  1. Transparency
  2. Redress
  3. Enforcement
  4. Access to data by US authorities
13
Q

On October 6, 2015 the CJEU issued its decision in Maximilian Schrems' case against Facebook Ireland. What did it decide?

A

That the Safe Harbor adequacy decision was invalid so Facebook couldn’t rely on it to legitimize cross-border data transfers.

14
Q

What framework replaced the Safe Harbor framework?

A

The EU-US Privacy Shield Framework

15
Q

When did the Commission release its draft decision of the new EU-US Privacy Shield Framework?

A

February 29, 2016

16
Q

What 5 concerns did the WP29 raise regarding the 2016 Privacy Shield framework?

A
  1. The commercial aspects of the Privacy Shield
  2. Ability for US public authorities to access data transferred under the Privacy Shield
  3. Lack of certain key data protection principles from EU law
  4. Protection for onward data transfers
  5. Allowing massive and indiscriminate collection of personal data originating from the EU by US intelligence agencies
17
Q

When did the Privacy Shield formally enter into effect?

A

August 1, 2016

18
Q

What were the 7 principles included in the Privacy Shield?

A
  1. Notice
  2. Choice
  3. Accountability for onward transfer
  4. Security
  5. Data integrity and purpose limitation
  6. Access
  7. Recourse, enforcement, and liability
19
Q

The Privacy Shield required companies self-certifying compliance to take what 3 steps?

A
  1. Conduct an internal compliance assessment to determine the company's ability to comply with the principles with respect to info covered by the certification.
  2. Register with a third-party arbitration provider to handle any complaints from EU individuals about the handling of their info that the company was unable to fully resolve, and pay any registration fee.
  3. Adopt a Privacy Shield notice containing 13 specified details about the company's privacy practices and publish the notice online.
20
Q

What did the Schrems II decision issued by the CJEU in July 2020 declare?

A

It invalidated the Privacy Shield because it determined that domestic US law regulating access to and use by US authorities of personal data transferred from the EU to the US was not circumscribed in a way that provides protections essentially equivalent to those required by EU law.

21
Q

What is the name of the framework being worked on to replace the Privacy Shield?

A

Trans-Atlantic Data Privacy Framework

22
Q

What are 7 possible mechanisms that provide appropriate safeguards for international data transfers?

A
  1. A legally binding and enforceable instrument between public authorities or bodies
  2. BCRs
  3. Standard data protection clauses adopted by the Commission
  4. Standard data protection clauses adopted by a supervisory authority and approved by the Commission
  5. An approved code of conduct pursuant to article 40, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards
  6. An approved certification mechanism pursuant to Article 42, together with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards
  7. Contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country (subject to authorisation from the competent supervisory authority)
23
Q

Traditionally, the most frequently used mechanism to legitimize international data transfers to countries that are not deemed to provide an adequate level of protection is what?

A

Standard Contractual Clauses (SCCs)

24
Q

What did the Schrems II decision say about SCCs?

A

That they could continue to be used for the purpose of legitimizing data transfers, but in some circumstances it might be necessary to supplement them with additional safeguards.

25
Q

On June 4, 2021 the Commission adopted revised SCCs that cover what 4 transfer scenarios?

A
  1. Controller-to-controller transfers
  2. Controller-to-processor transfers
  3. Processor-to-processor transfers
  4. Processor-to-controller transfers
26
Q

What are the 6 steps the EDPB has provided for assessing whether SCCs provide an adequate level of protections for international data transfers?

A
  1. Know your transfers
  2. Identify the transfer tools you’re relying on
  3. Assess whether the Article 46 GDPR transfer tool relied upon is effective in light of all circumstances of the transfer
  4. Adopt supplementary measures
  5. Procedural steps if you have identified effective supplementary measures
  6. Re-evaluate at appropriate intervals
27
Q

The Commission’s 2021 SCCs did what to address the CJEU’s decision in Schrems II?

A

Added a number of provisions that strengthen the ability of the contractual parties to control the extent to which government agencies outside of the EU may access personal data.

28
Q

What was the most significant development in the area of international data transfers under the GDPR?

A

The inclusion of BCRs as a mechanism available to both controllers and processors to legitimize international data transfers within their corporate group.

29
Q

According to the GDPR, EU DPAs must approve a set of BCRs following what?

A

The consistency mechanism (provided the BCRs are legally binding and expressly confer enforceable rights on data subjects).

30
Q

What 14 elements must a full and valid set of BCRs contain?

A
  1. The structure and contact details of the corporate group and each of its members
  2. The details on the data transfers or set of transfers (e.g. type of processing and its purposes, type of data affected, id of third country in question)
  3. Their legally binding nature both internally and externally
  4. The application of the general data protection principles and the requirements in respect of onward transfers to bodies not bound by the BCRs
  5. The rights of data subjects re processing and means to exercise those rights
  6. The acceptance by the controller or processor established in the territory of a member state of liability for any breaches of the BCRs by any member concerned not established in the EU
  7. The way the info in the BCRs is provided to the data subjects
  8. The task of any DPO or any other person or entity in charge of monitoring compliance with the BCRs
  9. The complaint procedures
  10. The mechanisms for ensuring the verification of compliance with the BCRs
  11. The mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authorities
  12. The cooperation mechanism with the supervisory authority to ensure compliance
  13. The mechanism for reporting to the competent supervisory authority any legal requirements to which a member of the corporate group is subject in a third country which is likely to have a substantial adverse effect on the guarantees provided by the BCRs
  14. The appropriate data protection training to personnel having permanent or regular access to personal data
31
Q

The EDPB confirmed that derogations should be interpreted how and only relied upon when?

A

Derogations should be interpreted restrictively and only relied upon as a last resort, when provision of adequate protection or appropriate safeguards for the personal data transferred isn't possible.

32
Q

What are the bases for the 7 derogations under the GDPR?

A
  1. Consent (explicit)
  2. Contract performance
  3. Substantial public interest (e.g. crime prevention, national security, tax collection)
  4. Legal claims (exercising, establishing, or defending)
  5. Vital interests (relates to matters of life or death)
  6. Public registers
  7. Non-repetitive transfers
33
Q

What 4 elements must be in place for the derogation re non-repetitive transfers to apply?

A
  1. The transfer isn't repetitive
  2. The transfer concerns only a limited number of data subjects
  3. The transfer is necessary for the purposes of compelling legitimate interests pursued by the controller which aren't overridden by the interests or rights and freedoms of the data subjects
  4. The controller has assessed all circumstances surrounding the data transfer and on the basis of that assessment provided suitable safeguards with regard to the protection of the personal data
34
Q

If a company is relying on the non-repetitive transfer derogation who must be informed about the transfer?

A
  1. Supervisory authority
  2. Data subject of the transfer