International Data Transfers Flashcards

1
Q

What are the various data transfer options?

A
  1. Adequacy Decisions
  2. Appropriate safeguards
  3. Derogations

*Should be considered in order from 1-3

2
Q

What must be considered before standards for data transfers?

A

Whether there is a legal basis to process the personal data

3
Q

What are controller obligations to data subjects with data transfers?

A

Must inform data subjects:

  • existence or absence of an adequacy decision
  • intent to transfer personal data internationally
  • safeguards being used to protect the data
4
Q

What is an adequacy decision?

A

Based on an assessment of third-country laws.

Determination that certain third countries adequately protect EU data. Under the GDPR, adequacy has broadened to include territories, sectors (i.e., regulated financial or healthcare sectors) and international organizations.

5
Q

Who determines adequacy?

A

The European Commission

6
Q

How often are adequacy decisions reviewed? What happens if a country has fallen short?

A

Every four years

The adequacy decision can be repealed, suspended, or amended.

*Decisions made under the Data Protection Directive will remain in force until amended, repealed, or appealed.

7
Q

What are the criteria for adequacy?

A

Respect of the rule of law

Access to justice

International human rights standards

General and sectoral law, and case law

Effective and enforceable rights for individuals, including effective administrative and judicial redress

Data protection rules, professional rules and security measures, including specific rules for onward transfers

Other international commitments and obligations

8
Q

Which countries are deemed adequate?

A
Canada, Argentina, Uruguay
Faroe Islands, Isle of Man, Guernsey and Jersey, Andorra, Switzerland
Israel
South Korea, Japan
New Zealand
9
Q

When did Brexit occur?

A

UK voted to leave the EU in 2016

10
Q

What is the Trade and Cooperation Agreement and when was it signed?

A

Signed between EU and UK on December 24, 2020

Allows the transfer of personal data from the EU to the UK to continue for up to six months while the Commission proceeds with adequacy assessments under the EU GDPR and the Law Enforcement Directive

The UK had already indicated that it considers the EU data protection regime adequate, so that personal data could flow freely from the UK to the EU

11
Q

When was the UK Data Protection Act enacted and what did it replace?

A

May 2018

Replaced the Data Protection Act of 1998 and set new standards for data protection in accordance with the GDPR

12
Q

What are appropriate safeguards and when may they be used?

A

In the absence of an adequacy decision

Legal tools designed to ensure that recipients of personal data who are outside the EEA are bound to continue to protect personal data to a European-like standard

Intended to provide enforcement and effective rights to individuals

Include: Binding corporate rules, standard contractual clauses, approved codes of conduct and certification mechanisms, ad hoc contractual clauses, reliance on international agreements

13
Q

What do appropriate safeguards require?

A

Prior approval from a supervisory authority

14
Q

Binding corporate rules (include article)

A

Designed to allow large multinational companies to adopt a policy suite with rules for handling personal data that are binding on the company

If competent supervisory authorities sign off on those rules, the company is considered free to transfer personal data within their organization around the world. They are internal and legally binding rules that expressly confer enforceable rights of data subjects.

Article 47 explains what is necessary for BCRs, including GDPR principles. Note: different BCRs for controllers and processors.

15
Q

Standard contractual clauses

A

Also known as model clauses

Created and/or approved by the European Commission

A company in the EEA that wants to send data to a company outside the EEA may use SCCs (different types for controllers and processors)

Standard form that is non-negotiable

16
Q

What are the most commonly used appropriate safeguards?

A

Standard contractual clauses/model clauses

17
Q

What happened to SCCs in the wake of Schrems II?

A

The legality of SCCs was upheld, but to align the SCCs with the GDPR, the European Commission has adopted revised SCCs which are modular in nature.

18
Q

What are the requirements for the revised SCCs?

A

Companies need to use them for all NEW data transfer contracts beginning in late September 2021 and incorporate them into EXISTING data transfer contracts beginning in late December 2022.

19
Q

What is a Transfer Impact Assessment?

A

Process of assessing data protection equivalence. It’s an industry-coined term, not used by the EDPB or the European Commission.

Companies must still conduct case-by-case assessments on the laws in each recipient country to ensure equivalence to EU law for personal data being transferred under the SCCs or BCRs.

If the laws are not essentially equivalent, companies must provide additional safeguards or suspend transfers. Such additional safeguards can involve additional technical controls and contractual obligations on how to manage onward transfers and compelled disclosures to authorities.

20
Q

Codes of Conduct and Certification Mechanisms

A

Industries can create their own codes of conduct and certification mechanisms that will be reviewed by the European Data Protection Board.

If approved, companies may have to adhere to them and be considered safe to receive transfers of personal data from the EU.

21
Q

Ad Hoc Contractual Clauses

A

Must have authorization from supervisory authority

Allow for individual tailoring to a company’s needs

Provisions for such clauses may differ at the member state level

22
Q

Reliance on international agreements

A

Two countries may enter into an agreement between themselves to provide for the protection of personal data

Example: Passenger name records. If an individual flies from Europe to the US, European authorities have to transfer information about the individual as a traveller over to the US authorities. The US has an agreement with the EU to facilitate the transfer of this data.

23
Q

Derogations (+ options for them)

A

Should be used as a last resort

An exemption from the prohibition on transferring personal data outside the EU. Derogations apply in limited circumstances and allow organizations to transfer data across borders only under very specific conditions.

Carried over from the Data Protection Directive, but criteria are now stricter and narrower.

Consent: To give valid consent, data subjects must understand the possible risks of transferring their personal data outside the EU. For this reason, consent is difficult to obtain.

Where it’s necessary for the performance of a contract with the data subject: There must be no way to fulfil the contract unless the data is transferred. For example, if an individual books a hotel in a third country, their data must be sent there. However, simply being based outside the EU would not be a good enough reason.

Establishment, exercise or defense of legal claims: Designed to cover international litigation scenarios.

Public interest: personal data may be transferred outside the EEA for reasons of public interest recognized by EU or member state law only.

Protection of vital interests of the data subject or other persons: Designed for emergency situations (e.g., if an individual must be provided with emergency medical care)

Transfer from a register of public information: must be in compliance with any restriction on access to or use of the information and honor any conditions imposed by the organization that compiled the register

Legitimate interests of the controller: transfer must be non-repetitive and concern a limited number of individuals. Provisions are very narrow. They are: protection of individuals’ rights, assessment and documentation, suitable safeguards, and notification to the data subject and supervisory authority of the transfer.

24
Q

GDPR Article 48

A

Third-country court, tribunal or administrative authority orders may not be authorized unless the request is made on the basis of EU or member state law or through a mutual legal assistance treaty that is in force in the EU.