Chapter 2I: International Data Transfers Flashcards

1
Q

Transfers of personal data to any country outside the EEA may only take place subject to the conditions of Chapter 5 of the regulation, namely…

A

The country ensures an adequate level of protection as determined by the European Commission

In the absence of adequate level of protection, the controller or processor wishing to transfer the data provides appropriate safeguards on the condition that enforceable data subject rights/effective legal remedies are available for data subjects

Or in the absence of adequate level of protection, a transfer fits within one of the derogations for specific situations covered by the Regulation.

2
Q

Do the rules regarding international transfers apply to an international organisation?

A

Yes.

Recital 101 recognises that cross-border flows of personal data are necessary for the expansion of international trade, but that the level of protection should not be undermined.

3
Q

What impact have the rules on international transfers had on multinational organisations?

A

The adoption of EU data protection practices across their operations regardless of where the data processing activities actually take place.

4
Q

Does data transiting through a third country fall within the scope of the Regulation’s transfer requirements?

A

No. Data merely routed through a third country en route does not bring the transfer within the scope of the Regulation’s restriction, unless some substantive processing operation is conducted on the personal data in that third country.

5
Q

Two common situations that have been a source of concern in the past but are not subject to conditions dealing with data exports:

A
  • Technical routing by packet-switching technology, such as internet email and web pages, which may involve random transfers of personal data between computers located anywhere
  • Electronic access to personal data by travellers who happen to be physically located for a short period of time in a place that does not afford an adequate level of protection (e.g. a person who logs on to a computer system based in the EU to access data from a foreign airport)
6
Q

What was the Swedish case against Bodil Lindqvist (C-101/01) in November 2003 and what did the European Court of Justice rule?

A

An individual in a member state loaded personal information onto a website hosted in that state or another member state, so that the personal data could be accessed by anyone who connects to the internet. The ECJ ruled that this does not constitute a transfer of data.

7
Q

When should data movement be classified as a ‘transfer’?

A

An international exchange of information about individuals with the intention of automatically processing it after the exchange, even if the original exchange itself does not qualify (e.g. a customer in the EU provides information over the telephone to someone in a third country, who then enters it on a computer).

8
Q

What elements should be taken into consideration when defining ‘adequate level of protection’? (Article 45(1))

A

The rule of law, respect for human rights and fundamental freedoms, relevant legislation, data protection rules, enforceable rights and judicial redress for data subjects

The existence and effective functioning of an independent supervisory authority in the third country, or to which an international organisation is subject, including adequate enforcement powers

International commitments the third country or international organisation has entered into or other obligations arising from legally binding conventions or instruments

9
Q

Who assesses / decides whether a third country provides adequate protection?

A

The European Commission.

10
Q

The Commission is guided by the criteria set out in WP29’s Adequacy Referential dated 6 February 2018 when assessing adequacy of a country - what does this referential document do?

A

Establishes the core data protection principles that have to be present in a third-country framework or international organisation in order to ensure essential equivalence with the EU framework.

11
Q

How often should adequacy decisions be reviewed?

A

Every 4 years, taking into account all relevant developments in the third country. The Commission is entitled/required to repeal, amend or suspend the decision.

12
Q

What countries have been recognised as having adequate protection by the Commission (under the directive or the regulation)?

A

Directive:
Andorra,
Argentina,
Canada,
Faroe Islands,
Guernsey,
Isle of Man,
Israel,
Jersey,
New Zealand,
Switzerland,
Uruguay

Regulation:
Japan

13
Q

What was Safe Harbor?

A

The Safe Harbor mechanism was a self-regulatory framework that would allow organisations to satisfy the requirements of EU data protection law in respect of transatlantic data transfers.

14
Q

When did the Commission issue a decision that Safe Harbour Privacy Principles provided adequate protection for personal data transferred from the EU?

A

26 July 2000, following extensive negotiations. This decision enabled transfers to US-based companies that agreed to abide by the Safe Harbour Privacy Principles.

15
Q

What about Safe Harbour attracted criticism?

A

  • Self-certification nature and non-EU style of its provisions
  • Participants did not perform required annual compliance checks
  • Lack of active enforcement by the Federal Trade Commission (FTC)

16
Q

What was the ‘Snowden effect’?

A

Disclosures by Edward Snowden in June 2013 about mass surveillance operations carried out by the US National Security Agency (NSA), which had a very visible knock-on effect on the way the EU regulates international transfers of personal data.

This, combined with existing criticisms of Safe Harbour, led to calls for the suspension of the framework. The Commission rejected this, fearing that suspending the framework would adversely affect EU business interests and the transatlantic economy, and instead reopened the dialogue with the US to strengthen the framework.

17
Q

When was renegotiation of Safe Harbour announced?

A

27 November 2013, via two communications to the European Parliament and the Council of the European Union, which recognised that the Snowden revelations had damaged trust and that this needed to be rebuilt.

18
Q

When did the Commission begin discussions with US authorities re: updating Safe Harbour Framework?

A

January 2014.

19
Q

How many recommendations did the Commission provide on the revision of Safe Harbour?

A

13 specific recommendations aimed at addressing Safe Harbor’s weaknesses and ensuring that the framework remained an effective mechanism for facilitating commercial transatlantic data flows; these focused on four broad priorities: transparency, redress, enforcement and access to data by US authorities.

20
Q

In June 2014, the Commissioner provided an update on negotiations re Safe Harbour II, reporting that…

A

The Department of Commerce (DOC) had agreed to 12 of the Commission’s 13 recommendations, the outstanding recommendation being that the national security exception be applied only when strictly necessary and proportionate.

21
Q

Who lodged a complaint with the Irish Data Protection Commissioner requesting the termination of any transfers of personal data by Facebook Ireland to the US, questioning the validity of Safe Harbor?

A

Maximilian Schrems, an Austrian law student. Schrems claimed that Facebook (as data controller) could no longer rely on the Safe Harbour framework to legitimise transfers of his data to the US because of the wide access that US intelligence agencies had to such data, as revealed by Snowden.

22
Q

What happened with Schrems’ complaint regarding Facebook Ireland’s transfers to the US?

A

It escalated to the Irish High Court and then on to the CJEU. On 6 October 2015, the CJEU declared the Safe Harbor adequacy decision invalid, placing pressure on the Commission to agree a more robust mechanism for transfers of data from the EU to the US.

23
Q

When was the draft decision on the adequacy of the new EU-US Privacy Shield released?

A

29 February 2016 after more than two years of negotiations with the DOC.

24
Q

What improvements did Privacy Shield offer over Safe Harbour?

A

The documentation is significantly more detailed, imposing specific and exact measures on organisations wishing to join the framework.

It also includes additional checks and balances designed to ensure that the privacy rights of EU individuals can be exercised when their data is being processed in the US.

25
Q

On 13 April 2016, WP29 published an opinion setting out a detailed analysis of Privacy Shield, in which they set out concerns…

A
  • Commercial aspect of Privacy Shield
  • The ability for US public authorities to access data transferred under Privacy Shield
  • Privacy Shield did not include key data protection principles from EU law
  • Concern re: onward data transfers
  • Redress procedure too complex
  • Documentation did not exclude massive and indiscriminate collection of personal data by US intelligence agencies
  • New ombudsperson not sufficiently independent or powerful

The opinion concluded by urging that these concerns be resolved in order to improve the Privacy Shield.

26
Q

After further negotiations to address WP29’s concerns, the Commission finally issued its adequacy decision concerning Privacy Shield on… and it entered into force on…

A

Issued: 12 July 2016

Entered into operation: 1 August 2016

27
Q

How could businesses subject to the jurisdiction of the FTC or the Department of Transportation register with Privacy Shield?

A

By filling out an online registration with the Department of Commerce.

28
Q

What were the 7 principles of Privacy Shield?

A
  • Notice
  • Choice
  • Accountability for onward transfer
  • Security
  • Data integrity and purpose limitation
  • Access
  • Recourse, enforcement and liability

29
Q

Companies who self certified compliance with Privacy Shield had to demonstrate compliance by…

A

Conducting an internal compliance assessment and, to the extent that there were any gaps in its ability to comply, adopting internal controls, policies and procedures to achieve compliance.

Registering with a third-party arbitration provider to handle any complaints from EU individuals about the handling of their information that the company is unable to resolve itself, and paying the registration fees.

Adopting a Privacy Shield notice that contains 13 specified details about the company’s privacy practices, and publishing it online.

30
Q

Why was Privacy Shield invalidated?

A

The CJEU’s reasoning for the invalidation of Privacy Shield was twofold: US law gives US authorities the right to collect personal data about EU data subjects without adequate safeguards, and EU data subjects lack effective means to seek redress against the US government.

31
Q

What solutions are in place for countries deemed inadequate?

A

There are several possible mechanisms:

  • Legally binding and enforceable instrument between public authorities/bodies
  • Binding corporate rules in accordance with Article 47
  • Standard data protection clauses adopted by the Commission or a supervisory authority
  • An approved code of conduct (Article 40) together with binding and enforceable commitments to apply appropriate safeguards and data subject rights
  • An approved certification mechanism (Article 42) together with binding and enforceable commitments to apply appropriate safeguards and data subject rights
  • Contractual clauses between the controller/processor and the recipient in the third country, or provisions inserted into administrative arrangements between public authorities or bodies, specifically approved for that purpose by the competent data protection supervisory authority

32
Q

What are standard contractual clauses?

A

A contract preapproved by the Commission establishing certain obligations applicable to exporters and importers aimed at safeguarding personal data in accordance with EU standards.

33
Q

When did the Commission adopt the decision setting out standard contractual clauses, obliging member states to recognise that companies using these clauses in contracts concerning personal data transfers outside the EEA were offering adequate protection to the data?

A

15 June 2001, with a second decision on 27 December 2001.

A second version followed on 27 December 2004.

34
Q

The inflexible nature of the original 2001 controller to processor clauses led to a further proposal by…

A

The International Chamber of Commerce (ICC), which resulted in the Commission, on 5 February 2010, updating and replacing the original controller-to-processor standard clauses with a new set of model clauses. These have had to be used since 2010 for new processing operations.

35
Q

Sets of standard contractual clauses will remain valid until replaced or amended by new versions - what are they?

A

2001 Controller to controller
2004 Alternative controller to controller
2010 Controller to processor

36
Q

Who challenged the ‘existing’ (previous) SCCs?

A

The Irish Data Protection Commissioner, who asked the High Court of Ireland to refer their validity to the CJEU.

37
Q

Some technology companies have pioneered the idea of getting their own clauses approved to enjoy greater flexibility in how they commit to data protection - companies such as…

A

Microsoft, Google, Amazon Web Services

38
Q

Code of conduct and certification mechanisms are yet to be tested; true or false?

A

True

39
Q

The regulation includes BCRs as a mechanism available to…

A

Both controllers and processors to legitimise transfers within corporate groups.

40
Q

In 2003, the EU DPAs developed the concept of BCRs to…

A

Allow multinational organisations and groups of companies to make intra-organisational transfers of personal data across borders in compliance with EU data protection law.

41
Q

What are BCRs?

A

A global set of rules based on European privacy standards, which multinational organisations draw up and follow voluntarily and which national regulators approve in accordance with their own legislation.

42
Q

Where was the idea of using BCRs to create adequate safeguards originally devised?

A

By WP29 in Working Document WP74.

43
Q

EU DPAs increased their level of cooperation to streamline the BCR approval process, which led to the adoption of…

A

A mutual recognition process, effectively incorporated into the Regulation. The WP29 issued detailed guidance on the approval process in WP263.

44
Q

According to the Regulation, DPAs must approve a set of BCRs following the so-called consistency mechanism provided that it is legally binding and expressly confers enforceable rights on data subjects. A full and valid set of BCRs should include…

(Later endorsed by the EDPB)

A

Structure and contact details of the corporate group

Data transfers including categories of personal data, type of processing and purposes, type of data subjects affected and identification of third country

Legally binding nature

Application of general data protection principles

Rights of data subjects

Acceptance of liability for any breaches of BCRs

The way information on BCRs is provided to DSs

Tasks of any DPO or other person in charge of monitoring compliance

Complaints procedures

Mechanisms for ensuring verification of compliance

Mechanisms for reporting/recording changes of rules to the supervisory authority

Cooperation mechanism with the Supervisory Authority

Mechanisms for reporting to the competent supervisory authority any legal requirements

Appropriate DP training to personnel having permanent or regular access to PD

45
Q

In the absence of an adequate level of protection or of appropriate safeguards, a transfer or a set of transfers of personal data may still take place if it fits within one of the derogations for specific situations covered by the Regulation.
The EDPB confirmed that derogations must be…

A

Interpreted restrictively and only relied on as a last resort, when the provision of adequate protection/appropriate safeguards for personal data transferred is not possible.

46
Q

Consent is a derogation for international transfers, but must be…

A

Specific, informed and explicit.
Individual must be informed of possible risks of such transfers due to absence of an adequacy decision and appropriate safeguards.

Public authorities are not able to rely on this derogation.

47
Q

Contract performance is a derogation for international transfers, but must be…

A

Entered into at the individual’s request or in their interests, or necessary for the performance or conclusion of the contract.

If a transfer is not necessary and the exporter has chosen to structure its operations in a way that involves transferring data overseas, this is not enough. It must be necessary.

48
Q

Substantial public interest is a derogation for international transfers, but is most likely to apply when…

A

Transfer is necessary for reasons of crime prevention and detection, national security and tax collection.

49
Q

Legal claims is a derogation for international transfers, which means…

A

Transfers can be made when necessary for establishing, exercising or defending legal claims.

50
Q

Vital interests is a derogation for international transfers, which means…

A

That this relates to matters of life or death, such as the transfer of medical records of an individual who has become seriously ill or involved in a serious accident abroad.

51
Q

Public registers is a derogation for international transfers, which means…

A

Exports of personal data can also be made from information available on a public register provided that the person to whom the information is transferred complies with any restrictions on access to or use of the information in the register.

52
Q

Non-repetitive transfers are a derogation for international transfers, which means…

A

A transfer may take place if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of personal data.
In these situations, the controller must inform the supervisory authority and the data subject of the transfer. The individual must also be informed of the compelling legitimate interests pursued by the controller.