International Data Transfers (7) Flashcards
What are the 3 options for data transfers outside of the EEA?
- Adequacy decision
- Appropriate safeguards (enforceable rights and legal remedies)
- Derogations
(should be considered in this order)
Is the controller under obligation to inform data subjects about data transfers?
Yes
must communicate: existence or absence of adequacy decision, intent to transfer, safeguards being used
What is adequacy under GDPR?
adequate level of data protection as determined by the European Commission for a country, territory, sector and IO, that allows for transferring without the need for additional authorization
What are the criteria for adequacy?
respect of rule of law
access to justice
international human rights standards
general and sectoral laws and case law
effective and enforceable rights for individuals
data protection rules
other international commitments
Which countries are deemed adequate by European Commission?
Andorra, Argentina, Canada (with exceptions), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, UK, Uruguay
What happened in Schrems v Data Protection Commissioner?
Rejected Safe Harbor as an adequacy determination
Schrems was a Facebook user in Austria, complained to Irish SA that Facebook Ireland was improperly transferring his data to the US where it could be accessed by NSA.
What was the subsequent ruling in Schrems 2?
CJEU invalidated the Privacy Shield citing that:
- US surveillance was not limited to what was strictly necessary and proportional
- EU data subjects lacked actionable judicial redress and no right to remedy
- need for case by case assessments of sufficiency of foreign protections
What is "essential equivalence"?
Equivalence between EU law and where you’re transferring
Does the UK have adequacy?
Yes, under the GDPR and the Law Enforcement Directive
What is the name of the privacy regulation in the UK?
UK Data Protection Act (2018)
What are appropriate safeguards under Article 46?
Approved codes of conduct and certification mechanisms
Binding corporate rules
Standard contractual clauses
Ad hoc contractual clauses
Reliance on international agreements
What are standard contractual clauses?
Model Clauses
Non-negotiable standard-form clauses that allow a company in the EEA to send data to a company outside the EEA
Companies must still conduct case-by-case assessments of the laws in each recipient country to ensure essential equivalence to EU law for personal data transferred under SCCs or BCRs
What is a TIA?
Transfer Impact Assessment
process of assessing data protection equivalence (industry term)
What are codes of conduct as an appropriate safeguard for data transfers?
compliance-signaling tools for controllers and processors
created/revised by other bodies in representation of controllers/processors
binding and enforceable
What are certification mechanisms as appropriate safeguards for data transfers?
recognized by the GDPR as acceptable mechanisms for demonstrating compliance
may be issued by accredited bodies, supervisory authorities and the EDPB
good for no more than 3 years
consequences for non-compliance
What are Binding Corporate Rules?
internal and legally binding rules between companies engaged in joint economic activity, corporate groups or controllers and processors
What are derogations under Article 49?
an exemption from prohibition on transferring personal data outside EEA
a last resort for limited circumstances / specific conditions, narrowly interpreted
What are the potential conditions for derogations?
- explicit consent from data subject
- necessary for performance of a contract or conclusion of a contract
- public interest
- establishment, exercise, or defense of legal claims
- vital interests
- transfer from a register of public information
- legitimate interests of controller
What are the step-by-step recommendations for data transfers post-Schrems II?
Step 1: know your transfers (document and map PI transferred)
Step 2: identify your transfer mechanism (tools under Chapter 5 GDPR). If country is adequate, no further steps.
Step 3: assess sufficiency of non-EEA protections (is there a law or practice that might infringe on the effectiveness of the safeguards?)
Step 4: identify and adopt supplementary measures
Step 5: take formal procedural steps to adopt supplementary measure
Step 6: re-evaluate level of protection at appropriate intervals
What are the European Essential Guarantees?
1) processing based on clear, precise and accessible rules
2) necessity and proportionality need to be demonstrated with regard to legitimate objective
3) independent oversight mechanism
4) effective remedies available to individual
What needs to take place for the movement of data to be considered a “transfer”?
substantive processing operation is conducted on the personal data in a third country
What does the EC take into account when considering the adequacy of level of protection for a transfer?
- rule of law
- independent supervisory authority
- international commitments entered into by the country
What were the 7 principles of the Privacy Shield?
- Notice
- Choice
- Accountability for onward transfer
- Security
- Data integrity and purpose limitation
- Access
- Recourse, enforcement, liability
What steps did the Privacy Shield require companies to take to self-certify compliance?
- internal compliance assessment to determine ability to comply with principles
- register with 3rd party arbitration provider for complaints from EU individuals
- adopt a Privacy Shield notice and publish online
What are possible mechanisms to safeguard international transfers?
legally binding and enforceable instrument between public bodies
Binding Corporate Rules
Standard data protection clauses
Codes of Conduct
Certification Mechanism
Contractual Clauses
What are the steps of the Transfer Impact Assessment?
- Know your transfers
- Identify transfer tools
- Assess effectiveness of transfer tool (Article 46)
- Adopt supplementary measures
- Procedural steps to supplementary measures
- Re-evaluate at appropriate intervals
What elements must full and valid BCRs include?
Structure and contact details of corporate group
Data transfers, type of data, processing, purposes, data subjects, third party countries
Legally binding nature of BCRs
Application of data protection principles
Rights of data subjects
Acceptance of liability for breaches
Information provision to data subjects
Tasks of Data Protection Officer
Complaint procedures
Verification of compliance with BCRs
Reporting and recording changes to rules
Cooperation with SA
Reporting to SA
Data Protection training