International Data Transfers

Question 1

What are the various data transfer options?

Answer 1

1. Adequacy Decisions
2. Appropriate safeguards
3. Derogations

*Should be considered in order from 1-3

Question 2

What must be considered before standards for data transfers?

Answer 2

Whether there is a legal basis to process the personal data

Question 3

What are controller obligations to data subjects with data transfers?

Answer 3

Must inform data subjects:

• existence or absence of an adequacy decision
• intent to transfer personal data internationally
• safeguards being used to protect the data

Question 4

What is an adequacy decision?

Answer 4

Based on an assessment of third-country laws.

Determination that certain third countries adequately protect EU data. Under the GDPR, adequacy has broadened to include territories, sectors (ie. regulated financial or healthcare sectors) and international organizations.

Question 5

Who determines adequacy?

Answer 5

The European Commission

Question 6

How often are adequacy decisions reviewed? What happens if a country has fallen short?

Answer 6

Every four years

The adequacy decision can be repealed, suspended, or amended.

*Decisions made under the Data Protection Directive will remain in force until amended, repealed, or appealed.

Question 7

What are the criteria for adequacy?

Answer 7

Respect of the rule of law

Access to justice

International human rights standards

General and sectoral law, and case law

Effective and enforceable rights for individuals, including effective administrative and judicial redress

Data protection rules, professional rules and security measures, including specific rules for onward transfers

Other international commitments and obligations

Question 8

Which countries are deemed adequate?

Answer 8

Canada, Argentina, Uraguay
Faroe Islands, Isle of Man, Guernsey and Jersey, Andorra, Switzerland
Israel
South Korea, Japan
New Zealand

Question 9

When did Brexit occur?

Answer 9

UK voted to leave the EU in 2016

Question 10

What is the Trade and Cooperation Agreement and when was it signed?

Answer 10

Signed between EU and UK on December 24, 2020

Allows the transfer of personal data from the EU to the UK to continue for up to six months while the Commission proceeds with adequacy assessments under the EU GDPR and the Law Enforcement Directive

The UK had already indicated that it considers the EU data protection regime adequate so that personal data could flow freely form the UK to the EU

Question 11

When was the UK Data Protection Act enacted and what did it replace?

Answer 11

May 2018

Replaced Data Protection Act of 1998 and set new standards for data protection in accordance with GDPR

Question 12

What are appropriate safeguards and when may they be used?

Answer 12

In the absence of an adequacy decision

Legal tools designed to ensure recipients of personal data, who are outside the EEA, are bound to continue to protect personal data to a European-like standard

Intended to provide enforcement and effective rights to individuals

Include: Binding corporate rules, standard contractual clauses, approved codes of conduct and certification mechanisms, ad hoc contractual clauses, reliance on international agreements

Question 13

What do appropriate safeguards require?

Answer 13

Prior approval from a supervisory authority

Question 14

Binding corporate rules (include article)

Answer 14

Designed to allow large multinational companies to adopt a policy suite with rules for handling personal data that are binding on the company

If competent supervisory authorities sign off on those rules, the company is considered free to transfer personal data within their organization around the world. They are internal and legally binding rules that expressly confer enforceable rights of data subjects.

Article 47 explains what is necessary for BCRs, including GDPR principles. Note: different BCRs for controllers and processors.

Question 15

Standard contractual clauses

Answer 15

Also known as model clauses

Created and/or approved by the European Commission

A company in the EEA that wants to send data to a company outside the EEA may use SCCs (different types for controllers and processors)

Standard form that is non-negotiable

Question 16

What are the most commonly used appropriate safeguards?

Answer 16

Standard contractual clauses/model clauses

Question 17

What happened to SCCs in the wake of Schrems II?

Answer 17

The legality of SCCs was upheld, but to align the SCCs with the GDPR, the European Commission has adopted revised SCCs which are modular in nature.

Question 18

What are the requirements for the revised SCCs?

Answer 18

Companies need to use them for all NEW data transfer contracts beginning in late September 2021 and incorporate them into EXISTING data transfer contracts beginning in late December 2022.

Question 19

What is a Transfer Impact Assessment?

Answer 19

Process of assessing data protection equivalence. It’s an industry coined term, not used by the EDPB or European Commission.

Companies must still conduct case-by-case assessments on the laws in each recipient country to ensure equivalence to EU law for personal data being transferred under the SCCs or BCRs.

If the laws are not essentially equivalent, companies must provide additional safeguards or suspend transfers. Such additional safeguards can involve additional technical controls and contractual obligations on how to manage onward transfers and compelled disclosures to authorities.

Question 20

Codes of Conduct and Certification Mechanisms

Answer 20

Industries can create their own codes of conduct and certification mechanisms that will be reviewed by the European Data Protection Board.

If approved, companies may have to adhere to them and be considered safe to receive transfers of personal data from the EU.

Question 21

Ad Hoc Contractual Clauses

Answer 21

Must have authorization from supervisory authority

Allow for individual tailoring to a company’s needs

Provisions for such clauses may differ at the member state level

Question 22

Reliance on international agreements

Answer 22

Two countries may enter into an agreement between themselves to provide for the protection of personal data

Example: Passenger name records. If an individual flies from Europe to the US, European authorities have to transfer information about the individual as a traveller over to the US authorities. The US has an agreement with the EU to facilitate the transfer of this data.

Question 23

Derogations (+ options for them)

Answer 23

Should be used as a last resort

An exemption on the prohibition on transferring personal data outside the EU. For limited circumstances and allow orgs. to transfer data across borders under very specific circumstances.

Carried over from the Data Protection Directive, but criteria are now stricter and narrower.

Consent: To give valid consent, data subjects must understand the possible risks of transferring their personal data outside the EU. For this reason, consent is difficult to obtain.

Where it’s necessary for the performance of a contract with the data subject: There must be no way to fulfil the contract unless the data is transferred. For example, if an individual books a hotel in a third country, their data must be sent there. However, simply being based outside the EU would not be a good enough reason.

Establishment, exercise or defense of legal claims: Designed to cover international litigation scenarios.

Public interest: personal data may be transferred outside the EEA for reasons of public interest recognized by EU or member state law only.

Protection of vital interests of the data subject or other persons: Designed for emergency situations (i.e. if an individual must be provided with emergency medical care)

Transfer from a register of public information: must be in compliance with any restriction on access to or use of the information and honor any conditions imposed by the org that compiled the register

Legitimate interests of the controller: transfer must be non-repetitive and concern a limited number of individuals. Provisions are very narrow. They are: protection of individuals’ rights, assessment and documentation, suitable safeguards, and notification to the data subject and supervisory authority of the transfer.

Question 24

GDPR Article 48

Answer 24

Third-country court, tribunal or administrative authority orders may not be authorized unless the request is made under the basis of EU or member state law or through a mutual legal assistance treaty that is enforced in the EU.