International transfers Flashcards
Which European body is responsible for making adequacy decisions?
The European Commission
How often are adequacy decisions reviewed?
Every four years
Which countries are adequacy decisions in place with?
- Argentina
- Uruguay
- Faroe Islands
- Isle of Man
- Guernsey and Jersey
- Andorra
- Switzerland
- Israel
- Japan (only covers private sector organisations)
- New Zealand
- Also USA (under Privacy Shield)
- Canada (data protected by PIPEDA only, which is applicable to commercial organisations. Adequacy doesn’t cover all forms of personal data)
How often does Privacy Shield certification need to be renewed?
Annually
If you load personal data onto a UK server which is then available through a website, and you plan or anticipate that the website may be accessed from outside the EEA, is this a restricted transfer?
You should treat this as a restricted transfer (ICO)
If you want to transfer personal data to a US organisation under the Privacy Shield, what are the two things you need to check?
- Check on the Privacy Shield list to see whether the organisation has a current certification
- Make sure the certification covers the type of data you want to transfer.
What options are available if you want to make a restricted transfer (in order of preference)?
- Adequacy decisions
- Appropriate safeguards (which are set out in the GDPR)
- Derogations
If none of these apply, then the transfer would be in breach of GDPR
What are the 3 things you’re obliged to tell the data subject about data transfers?
- Intent to transfer data internationally
- Existence (or lack of) an adequacy decision
- Safeguards that are in place
What are “appropriate safeguards”?
They are legal tools designed to ensure recipients of data, who are outside the EEA, are bound to continue to protect personal data to a European-like standard
Mechanisms that can be used to get recipients to commit to protecting personal data and to facilitate ongoing, systematic cross-border transfers
Give some examples of appropriate safeguards when it comes to international transfers of data outside the EU
- Binding corporate rules
- Standard contractual clauses
- Approved codes of conduct and certification mechanisms
- Ad hoc contractual clauses
- Reliance on international agreements
What are the three over-arching options for international transfers under the GDPR?
- Adequacy decisions
- International safeguards
- Derogations
Before you even think about data transfers, what do you need to make sure you have?
A legal basis for processing the data
If you’re transferring data internationally, what are you obliged to tell the data subject(s)?
- Notify them of your intent to transfer personal data internationally
- Existence of an adequacy decision
- What safeguards are in place
As well as territories, what else can adequacy decisions apply to?
Under GDPR, adequacy decisions can also apply to:
- Sectors (e.g. regulated financial or healthcare sectors)
- International organisations
How often are adequacy decisions made under the Data Protection Directive reviewed?
Decisions made under the Data Protection Directive will remain in force until amended, replaced or repealed
What factors must the European Commission take into account when making adequacy decisions?
- Respect for the rule of law
- Access to justice
- International human rights standards
- Law (including case law)
- Effective and enforceable rights for individuals (including judicial redress)
- Data protection rules, professional rules and security measures (including around onward transfers)
- Other international commitments and obligations
Is EU-US Privacy Shield self-certified?
Yes
What recourse mechanisms does Privacy Shield offer?
- Internal complaint process
- Independent dispute resolution provider
- Department of Commerce or Federal Trade Commission
- Binding arbitration
What are “appropriate safeguards”?
They’re legal tools designed to ensure that recipients of data, who are outside the EEA, are bound to continue to protect personal data to a European-like standard
What are binding corporate rules?
BCRs are a form of appropriate safeguard
They’re designed to allow large, multinational companies to adopt a policy suite with rules for handling personal data that are binding on the company.
They have to be signed off by a competent supervisory authority and are legally binding
They confer enforceable rights on data subjects
What are standard contractual clauses also known as?
Model clauses
They are a form of appropriate safeguard
They are a standard form which is non-negotiable
What is the most commonly used tool for appropriate safeguards?
Standard contractual clauses (aka model clauses)
What must ad hoc contractual clauses have if they are to be used as a tool for delivering Appropriate Safeguards?
They must have supervisory authority authorisation
Appropriate safeguards: give an example of reliance on international agreements
Passenger name records when someone flies from EU to US
The US has an agreement with the EU to facilitate the transfer of this data
What is a derogation and when should it be used?
A derogation is an exemption from the prohibition on transferring personal data outside of the EEA
Derogations are used as a last resort, when there isn’t an adequacy decision and appropriate safeguards are not in place
They allow organisations to transfer personal data across borders under very specific conditions
What options exist for derogations?
- Explicit consent from the data subject
- Where it is necessary for performance of a contract with the data subject
- Public interest (when recognised by EU/member state law only)
- Establishment, exercise or defence of legal claims (to cover international litigation scenarios)
- Protection of vital interests of the data subject (or other person) - emergency situations only (e.g. provision of medical care)
- Transfer from a register of public information
- Legitimate interests of the controller - BUT must be limited and concern a limited number of individuals. Provisions are very narrow
Do we have an adequacy decision with Argentina?
Yes
Are approved codes of conduct and certification mechanisms appropriate safeguards for international data transfers?
Yes
Along with standard contractual clauses and binding corporate rules
What is a derogation?
An exemption from the prohibition on transferring personal data outside of the EEA.
Used when there isn’t an adequacy decision and appropriate safeguards aren’t in place
Derogations are for limited circumstances
List out the circumstances in which derogations can apply
- Consent (subjects must understand the possible risks of the transfer)
- Performance of contract (there must be no way to fulfil the contract unless the data is transferred. A good example is a hotel booking in a 3rd country)
- Public Interest (must be recognised in EU or member state law)
- Establishment, exercise or defence of legal claims (int’l litigation)
- Protection of vital interests of data subject or other persons (e.g. emergency medical care)
- Transfer from a register of public information (conditions apply)
- Legitimate interests (must be non-repetitive and concern a limited number of individuals). Also have to notify the data subject and supervisory authority of the transfer
What do BCRs deal with (and what do they not cover)?
They (only) deal with intra-organisational transfers and not with transfers to 3rd parties
BCRs are specifically designed to provide adequate safeguards within multinational corporations that move data within their corporation
Organisations that are not established in the EU but that monitor behaviour are subject to the GDPR - when?
A) When offering goods and services to data subjects in the EU
B) When the behaviour being monitored occurs within the EU
EDPB: The behaviour monitored must first relate to a data subject in the Union and, as a cumulative criterion, the monitored behaviour must take place within the territory of the Union
Note - the monitoring part covers a lot of advertising and marketing use cases, including behavioural advertising, geo-localisation activities for marketing, fingerprinting, etc.