Data transfers to 3rd countries

Question 1

What is data transfer?

Answer 1

1. Not defined in GDPR
2. Not sufficient that personal data is just loaded on an internet page
3. Communication, disclosure or otherwise making available of personal data conducted with the knowledge or intention of a sender that the recipient will have access to it

Question 2

When is it allowed?

Answer 2

1. If the Commission has issued an adequacy decision to declare that jurisdiction as adequate
2. If there are appropriate safeguards and remedies
3. If there is a derogation
4. If there is an international agreement

Question 3

When is it allowed? Adequacy decision

Answer 3

1. Dynamic – Must be reviewed every 4 years
2. Based on the respect of that jurisdiction for the rule of law, the existence of independent supervisory authorities and the international commitment of that 3rd country
3. Must provide for individual redress

Question 4

When is it allowed? Sufficient safeguards and remedies

Answer 4

1. Art. 46 GDPR
2. Standard Contractual Clauses (adopted either by the Commission or by the Supervisory Authorities with the public authorities)
3. Binding Corporate Rules (adopted by a company)
4. Codes of Conduct and Regulations

Question 5

When is it allowed? Derogations

Answer 5

1. Art. 49 GDPR – For these derogations to apply, all other criterion from the GDPR must be upheld
2. Consent
3. Contractual necessity
4. Public interest
5. Vital interest of an individual
6. Legitimate interests of the Controller

Question 6

When is it allowed? International agrement

Answer 6

1. Without which there can be no data transfer with the EU but with one of these you do not need any of the other agreements mentioned under the GDPR
2. Not regulated by the GDPR but recognised (check (102))
3. Must be in line with EU law and respect the rights of data subjects

Question 7

Scherms

Answer 7

1. Austrian citizen which moved to the US – He agreed to the Facebook terms and conditions
2. He challenged the Safe Harbor agreement because the American data protection is not as high as the EU one:
   (1) Too broad (allowed data to be stored with no differentiation for personal data or personal data subjects, no purpose)
   (2) Public authorities had access to any data – Does not respect the right to private life under Art. 7 of the Charter
   (3) No access to personal remedies for individuals to complain about the use of their personal data to obtain access to it or to rectify it
3. The US was not an ‘adequate’ country - ‘Adequate’ means that the level of protection must be equivalent to the level of protection of the EU but does not need to be exactly the same

Question 8

What is the US-EU privacy shield?

Answer 8

1. The ‘new Safe Harbor’
2. Digital Right Ireland v. Commission – Not admissible because no personal interest
3. La Quadrature du Net v Commission – Admissible but pending, any idea on the outcome?
   (1) (From Scherms) Has not been resolved
   (2) (From Scherms) Has not been resolved
   (3) (From Scherms) Has been resolved
4. So it might be invalidated

Question 9

What are the remedies available under the US-EU privacy shield?

Answer 9

(1) You can complain to the company (or organisation) directly
(2) The individual can complain to the independent dispute resolution body
(3) Individuals can complain to the DPA
(4) Individuals can complain to the Department of Commerce (as it is the Department that created and concluded the Privacy Shield)
(5) Individuals can complain to the Federal Trade Commission
(6) Individuals can complain as last resort to the Privacy Shield Panel, which is a binding arbitration panel
(7) Individuals can seek remedies under US law
(8) Go to the Ombudsman