International Data Transfers Flashcards
What are the various data transfer options?
- Adequacy Decisions
- Appropriate safeguards
- Derogations
*Should be considered in order from 1-3
What must be considered before standards for data transfers?
Whether there is a legal basis to process the personal data
What are controller obligations to data subjects with data transfers?
Must inform data subjects:
- existence or absence of an adequacy decision
- intent to transfer personal data internationally
- safeguards being used to protect the data
What is an adequacy decision?
Based on an assessment of third-country laws.
Determination that certain third countries adequately protect EU data. Under the GDPR, adequacy has broadened to include territories, sectors (i.e., regulated financial or healthcare sectors) and international organizations.
Who determines adequacy?
The European Commission
How often are adequacy decisions reviewed? What happens if a country has fallen short?
Every four years
The adequacy decision can be repealed, suspended, or amended.
*Decisions made under the Data Protection Directive will remain in force until amended, repealed, or appealed.
What are the criteria for adequacy?
Respect of the rule of law
Access to justice
International human rights standards
General and sectoral law, and case law
Effective and enforceable rights for individuals, including effective administrative and judicial redress
Data protection rules, professional rules and security measures, including specific rules for onward transfers
Other international commitments and obligations
Which countries are deemed adequate?
Canada, Argentina, Uruguay, Faroe Islands, Isle of Man, Guernsey and Jersey, Andorra, Switzerland, Israel, South Korea, Japan, New Zealand
When did Brexit occur?
UK voted to leave the EU in 2016
What is the Trade and Cooperation Agreement and when was it signed?
Signed between EU and UK on December 24, 2020
Allows the transfer of personal data from the EU to the UK to continue for up to six months while the Commission proceeds with adequacy assessments under the EU GDPR and the Law Enforcement Directive
The UK had already indicated that it considers the EU data protection regime adequate so that personal data could flow freely from the UK to the EU
When was the UK Data Protection Act enacted and what did it replace?
May 2018
Replaced Data Protection Act of 1998 and set new standards for data protection in accordance with GDPR
What are appropriate safeguards and when may they be used?
In the absence of an adequacy decision
Legal tools designed to ensure recipients of personal data, who are outside the EEA, are bound to continue to protect personal data to a European-like standard
Intended to provide enforcement and effective rights to individuals
Include: Binding corporate rules, standard contractual clauses, approved codes of conduct and certification mechanisms, ad hoc contractual clauses, reliance on international agreements
What do appropriate safeguards require?
Prior approval from a supervisory authority
Binding corporate rules (include article)
Designed to allow large multinational companies to adopt a policy suite with rules for handling personal data that are binding on the company
If competent supervisory authorities sign off on those rules, the company is considered free to transfer personal data within its organization around the world. They are internal and legally binding rules that expressly confer enforceable rights on data subjects.
Article 47 explains what is necessary for BCRs, including GDPR principles. Note: different BCRs for controllers and processors.
Standard contractual clauses
Also known as model clauses
Created and/or approved by the European Commission
A company in the EEA that wants to send data to a company outside the EEA may use SCCs (different types for controllers and processors)
Standard form that is non-negotiable