Chapter 2I: International Data Transfers Flashcards
Transfers of personal data to any country outside the EEA may only take place subject to the conditions of Chapter 5 of the regulation, namely…
The country ensures an adequate level of protection as determined by the European Commission
In the absence of an adequate level of protection, the controller or processor wishing to transfer the data provides appropriate safeguards, on the condition that enforceable data subject rights and effective legal remedies are available for data subjects
Or, in the absence of an adequate level of protection, the transfer fits within one of the derogations for specific situations covered by the Regulation.
Do the rules regarding international transfers apply to an international organisation?
Yes.
Recital 101 recognises that cross-border flows of personal data are necessary for the expansion of international trade, but the level of protection should not be undermined.
What impact has the rule re: international transfers and multi-national organisations had?
The adoption of EU data protection practices across their operations regardless of where the data processing activities actually take place.
Does data transitioning through a third country fall under the remit of the regulation’s requirements?
No - data routed through a third country en route does not bring the transfer within the scope of the regulation's restriction unless some substantive processing operation is conducted on the personal data in that third country.
Two common situations that have been a source of concern in the past but are not subject to conditions dealing with data exports:
- Technical routing of packet-switched technology, such as internet email and web pages, which may involve random transfers of personal data between computers located anywhere
- Electronic access to personal data by travellers who happen to be physically located for a short period of time in a place that does not afford an adequate level of protection (e.g. a person who logs on to a computer system based in the EU to access data from a foreign airport)
What was the Swedish case against Bodil Lindqvist (C-101/01) in November 2003 and what did the European Court of Justice rule?
An individual in a member state loaded personal information onto a website hosted in that state or another member state, so that the personal data could be accessed by anyone who connects to the internet - the ECJ ruled that this does not constitute a transfer of data.
When should data movement be classified as a ‘transfer’?
An international exchange of information about individuals with the intention of automatically processing it after the exchange - even if the original exchange does not qualify (e.g. a customer in the EU provides information over the telephone to someone in a third country, which is then entered on a computer)
What elements should be taken into consideration when defining ‘adequate level of protection’? (Article 45(1))
The rule of law, respect for human rights and fundamental freedoms, relevant legislation, data protection rules, enforceable rights and judicial redress for data subjects
The existence and effective functioning of an independent supervisory authority in the country to which an international organisation is subject, including adequate enforcement powers
International commitments the third country or international organisation has entered into or other obligations arising from legally binding conventions or instruments
Who assesses / decides whether a third country provides adequate protection?
The European Commission.
The Commission is guided by the criteria set out in WP29’s Adequacy Referential dated 6 February 2018 when assessing adequacy of a country - what does this referential document do?
Establishes the core data protection principles that have to be present in a third-country framework or international organisation in order to ensure essential equivalence with the EU framework.
How often should adequacy decisions be reviewed?
Every 4 years - taking into account all relevant developments in the third country. The Commission is entitled/required to repeal, amend or suspend the decision.
What countries have been recognised as having adequate protection by the Commission (under the directive or the regulation)?
Directive: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay
Regulation: Japan
What was Safe Harbor?
The Safe Harbor mechanism was a self-regulatory framework that would allow organisations to satisfy the requirements of EU data protection law in respect of transatlantic data transfers.
When did the Commission issue a decision that Safe Harbour Privacy Principles provided adequate protection for personal data transferred from the EU?
26 July 2000 following extensive negotiations - this decision enabled transfers to US based companies who agreed to abide by the Safe Harbour Privacy Principles.
What about Safe Harbour attracted criticism?
Self-certification nature and non-EU style of its provisions
Participants did not perform required annual compliance checks
Lack of active enforcement by the Federal Trade Commission (FTC).
What was the ‘Snowden effect’?
Disclosures by Edward Snowden in June 2013 about mass surveillance operations carried out by the US National Security Agency (NSA), which had a very visible knock-on effect on the way the EU regulates international transfers of personal data.
This, combined with existing criticisms of Safe Harbour, led to calls for the suspension of the framework - the Commission rejected this over fears that suspending the framework would adversely affect EU business interests and the transatlantic economy - they reopened the dialogue with the US to strengthen the framework.
When was renegotiation of Safe Harbour announced?
27 November 2013 via two communications to the European Parliament and the Council of the European Union - recognised that the Snowden revelations had damaged trust and that this needed to be rebuilt.
When did the Commission begin discussions with US authorities re: updating Safe Harbour Framework?
January 2014.
How many recommendations did the Commission provide on the revision of Safe Harbour?
13 specific recommendations aimed at addressing Safe Harbor’s weaknesses and ensuring that the framework remained as an effective mechanism in facilitating commercial transatlantic data flows; focused on four broad priorities - transparency, redress, enforcement and access to data by US authorities.
In June 2014, the Commissioner provided an update on negotiations re Safe Harbour II, reporting that…
The Department of Commerce (DOC) has agreed to 12 of the Commission’s 13 recommendations - the final recommendation that the national security exception was to be applied only when strictly necessary and proportionate.