GDPR Lecture 3: International Data Transfer and Mechanisms PDF

Document Details

Uploaded by TheDutchElleWoods4012

De Haagse Hogeschool

Michaela Stavridou

Tags

data protection GDPR international data transfer legal studies

Summary

This lecture presentation discusses international data transfers and GDPR mechanisms. It explains the free flow of data within EU member states and to third countries. It introduces the concept of adequacy decisions and safeguards related to data transfers. The material is intended as a lecture resource, not examination material.

Full Transcript

International transfer of data and GDPR Mechanisms
GDPR LECTURE III
Michaela Stavridou

Content
- International transfer of data
- Enforcement

Free movement/flow of personal data between Member States of the EU and from the EU to third countries

Free flow of data in the EU and EEA
Transfer of personal data between EU Member States must be free from restrictions. In other words, it is prohibited to restrict/prohibit the free movement of personal data between EU Member States. The area of free data flow has been extended by the ‘Agreement on the European Economic Area (EEA)’, which also allows such free movement of data to Iceland, Liechtenstein, and Norway.

Free flow of data in the EU and EEA
Example: an affiliate of an international group of companies is established in several Member States, including the Netherlands and France. Personal data can be sent from the Netherlands to France, and Dutch national law must not prohibit/restrict such flow of data. However, this is not the case when a Dutch affiliate wants to transfer data to Australia (third country/non-EU).

Transfer of personal data to third countries or international organizations
There are two ways of allowing the transfer of personal data to third countries or an international organization:
1. An adequacy decision by the European Commission; or
2. In the absence of an adequacy decision, where the controller/processor provides appropriate safeguards, including enforceable rights and legal remedies for the data subject.
Note: in the absence of either an adequacy decision or appropriate safeguards, derogations are available.

Data transfer to third countries or international organizations: Adequacy decisions – Article 45 GDPR
Article 45
1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

Adequacy decisions – Art 45 GDPR
“Adequate level of protection” requires the third country to ensure a level of protection of fundamental rights and freedoms that is “essentially equivalent” to the guarantees ensured by law in the EU. At the same time, the means to which a third country has recourse for the purposes of ensuring such a level of protection may differ from those employed within the EU. The adequacy standard does not require a point-to-point replication of EU rules. (CJEU, C-362/14, Maximillian Schrems v. Data Protection Commissioner [GC], 6 October 2015, paras. 96, 74)

Adequacy decisions – Art 45(2) GDPR
How does the EC assess the level of data protection in third countries? Article 45(2) GDPR:
2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

Article 45(3) GDPR
Once the Commission concludes that the third country or international organization adheres to an adequate level of protection, it issues a binding adequacy decision. The decision includes a mechanism for a periodic review, at least every four years, which shall consider all relevant developments in the third country or international organization and assess the revision of the adequacy decision. The CJEU can review and invalidate adequacy decisions by the Commission – for example, the Schrems saga.
Updated list of third countries with an adequacy decision

Transfers of personal data to the USA – Schrems I (2014)
- Austrian citizen Maximilian Schrems was a Facebook user.
- Schrems’ data was transferred from Facebook’s Irish subsidiary to servers in the US.
- Schrems was concerned about US surveillance activities (revealed by Edward Snowden).
- Schrems filed a complaint with the Irish data protection authority, arguing that US laws did not adequately protect his data. The Irish authority rejected the complaint, citing the EU’s ‘Safe Harbour’ decision, which deemed US data protection adequate.
- Schrems took the case to the Irish High Court.
- The Irish High Court referred the case to the Court of Justice of the European Union (CJEU) for a preliminary ruling.
- The CJEU ruled that the Commission’s decision on the adequacy of the Safe Harbour framework was invalid.

Transfers of personal data to the USA – Schrems I
- The decision allowed Safe Harbour principles to be limited by national security, public interest, law enforcement, or US legislation, and it enabled interference with the fundamental rights of individuals whose data was transferred to the US.
- The CJEU did not find any US rules that limited such interference or provided effective legal protection against it.
- Therefore, the US protection level was NOT essentially equivalent to the EU’s, violating EU law.
- US legislation allowed generalized access to electronic communications by public authorities.
- There were no legal remedies for individuals regarding access, rectification, or erasure of personal data.
- The Safe Harbour arrangement led to unlawful processing of personal data.

Transfers of personal data to the USA – Schrems II
After the CJEU declared the Safe Harbour arrangement invalid, the Commission and the US agreed on a new framework, namely the EU-US Privacy Shield. On 12 July 2016, the Commission adopted a decision declaring that the US ensures an adequate level of protection for personal data transferred from the Union to organizations in the US under the Privacy Shield.

Transfers of personal data to the USA – Schrems II
In its judgment, the CJEU declared the EU-US Privacy Shield – one of the primary data transfer mechanisms for the safe and free flow of data between EU and US organizations – invalid. The judgment did uphold the use of Standard Contractual Clauses (SCCs). The outcome of the judgment left many organizations having to re-think the way they handle personal data transfers and whether the transfer mechanisms they had in place were compliant with EU data protection law.

Transfer subject to appropriate safeguards

Transfer subject to appropriate safeguards – Art 46(1) GDPR
1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Transfer subject to appropriate safeguards – Art 46(2) GDPR
2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:
(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules;
(c) standard data protection clauses adopted by the Commission;
(d) standard data protection clauses adopted by a supervisory authority;
(e) an approved code of conduct;
(f) an approved certification mechanism.

Transfer subject to appropriate safeguards – Art 46(3)(a) GDPR
3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:
(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation;

Transfer subject to appropriate safeguards – Art 46(3)(a) GDPR
Customised contractual clauses between the controller or processor in the EU and data recipients in a third country are another way of providing appropriate safeguards. Such clauses need to be authorized by the competent supervisory authority before they can be relied upon as a tool to transfer data.

GDPR MECHANISMS: PROTECTS RIGHTS AND ALLOWS COMPENSATION FOR DAMAGE
- Right to lodge a complaint with a supervisory authority
- Right to an effective judicial remedy
- Liability and the right to compensation
- Sanctions

What is a supervisory authority?
Art 4(21) GDPR: ‘supervisory authority’ means an independent public authority which is established by a Member State pursuant to Article 51;
Examples: Our Members | European Data Protection Board includes all supervisory authorities in the EU, including Österreichische Datenschutzbehörde, Croatian Personal Data Protection Agency, Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Hellenic Data Protection Authority

Right to lodge a complaint with a supervisory authority – Article 77 GDPR
Individuals have the right to lodge requests and complaints with the competent supervisory authority if they consider that the processing of their data is not being carried out in accordance with the law. The GDPR requires supervisory authorities to adopt measures to facilitate the submission of complaints, such as the creation of an electronic complaint submission form (Art 57(2) GDPR). The data subject can complain to the supervisory authority in the Member State of his or her habitual residence, place of work, or place of the alleged infringement. Complaints must be investigated, and the supervisory authority must inform the person concerned of the outcome of the proceedings dealing with the claim.

Right to an effective judicial remedy – Art 78 GDPR
Individuals must have the right to an effective judicial remedy and to bring their case before a court (Art 47 EU Charter) against a legally binding decision of a supervisory authority concerning them. In cases where a controller or processor infringes a data subject’s rights, data subjects are entitled to bring a complaint before a court. They may choose to do so either in the Member State in which the controller or processor has an establishment, or in the Member State in which the data subjects concerned have their habitual residence. The second possibility greatly facilitates individuals in exercising their rights, as it enables them to bring actions in the state where they reside and within a familiar jurisdiction. While, in most instances, cases concerning data protection rules will be decided in the courts of the Member States, some cases may be brought before the CJEU, for example when EU institutions infringe data protection laws.

Liability and the right to compensation – Article 82 GDPR
1. Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.
Controllers and processors are liable for unlawful processing under the GDPR. Compensation must be ‘full and effective’ in relation to the damage suffered. Where damage is caused by the processing of several controllers and processors, each controller or processor must be held liable for the entire damage.

Sanctions
Article 83 of the GDPR empowers Member States’ supervisory authorities to impose administrative fines for infringements of the regulation. The supervisory authorities have the power to impose administrative fines for infringements of the regulation of up to € 20,000,000 or 4 % of the undertaking’s total worldwide annual turnover – whichever is higher.
…When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
(a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
(b) the intentional or negligent character of the infringement;
(c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
(d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
(e) any relevant previous infringements by the controller or processor;
(f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
(g) the categories of personal data affected by the infringement;
(h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
(…)
(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
GDPR Enforcement Tracker – list of GDPR fines
