International Data Transfers GDPR & beyond Jan Tomíšek Institute of Law and Technology ROWAN LEGAL Why do we deal with it • Different regimes in different countries – different levels of protection • Possible loophole – exported data might not be protected • Data Transfers Rules – ensuring data are protected even when transferred abroad • Conflict: adequate protection x free flow of data (one of the origins data protection law) • Data sovereignty? Sources • OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data • Convention 108 (updated) • GDPR • Other frameworks – APEC Approaches • Territorial – example: adequacy decisions • Organizational – example: binding corporate rules • Transfers x scope of application (extrateritoriality) Data transfers under GDPR • Free flows in the EU/EEA • Transfers to „third countries“ • Adequacy • Appropriate safeguards • Derogations Adequacy • Decision of European Commission on adequate level of protection in particular country/sector in country/international organization • Current example: Japan (based on Framework for Mutual and Smooth Transfer of Personal Data between Japan and the EU effective on 23 January 2019) • Assessment of • rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, • the existence and effective functioning of one or more independent supervisory authorities • the international commitments the third country or international organisation concerned • Monitoring, amendment, repeal or suspension • Adequacy decision - Japan Adequacy • States providing adequate protection (as recognized by EC decisions) • Andorra • Argentina • Canada (commercial organizations) • Israel • Japan • New Zealand • Switzerland • Uruguay • USA (limited to Privacy Shield) • + smaller territories (Faroe Islands, Guernsey, Isle of Man, Jersey) Safe Harbor • Adequacy decision for US • Not whole country, only certified companies • „Self-assessment“ • Enforcement by Federal Trade Commission – fraudulent representation if not committed to the principles • Edward Snowden and PRISM affair Schrems Ruling C-362/14 • Safe Harbor adequacy decision invalidated • Individual data protection authorities entitled to review adequate level of protection in particular case, even despite adequacy decision • adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter (para 73) • legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter (para 94) Privacy Shield • New „Safe Harbor“ • Around 5000 participating companies • Principles • Ombudsperson • Dispute resolution • Regular review • Judicial redress for foreigners (Judicial Redress Act) • Kuner, C. Reality and Illusion in EU Data Transfer Regulation Post Schrems, 18 German Law Journal 881 (2017) [full text] Privacy Shield currently • Privacy Shield is annually review and improved • Third review took place recently (October 2019) • „Enforcement action has improved with the Federal Trade Commission taking enforcement action related to the Privacy Shield in seven cases.“ • EC suggests strengthening the (re)certification process for companies who want to participate by shortening the time of the (re)certification process, expanding compliance checks etc. • Pending case C-311/18 (Schrems II) before CJEU (not yet decided) • Full decision expected by early 2020 • EC will assess consequences for the Privacy Shield Appropriate safeguards • Legally binding and enforceable instrument between public authorities or bodies • Binding Corporate Rules • Standard Contractual Clauses • Codes of Conduct • Certifications • Subject to specific approval • Ad hoc contractual clauses • Provisions to be inserted into administrative arrangements Binding Corporate Rules (BCRs) • Intended for multinational corporations / groups of companies (currently +- 130 companies) • Commitment to common policy through a legal act • Policy meeting standards set by GDPR • Serves for intragroup transfers but also receipt of data by the corporation • Recommendation on the approval of the Processor Binding Corporate Rules form (wp265) • Recommendation on the approval of the Controller Binding Corporate Rules form (wp264) • Working Document on the approval procedure of the Binding Corporate Rules for controllers and processors (wp263rev.01) • Working Document on Binding Corporate Rules for Processors (wp257rev.01) • Working Document on Binding Corporate Rules for Controllers (wp256rev.01) Codes of Conduct • To be issued by professional organizations • Detailing the provisions of GDPR for particular sector / association • Independent monitoring body has to be specified • To be approved by DPA / EDPB • EDPB Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679 • Organization commits to the code – compliance has to be certified by the monitoring body • E.g.: Code of conduct for credit reporting systems operated by private entities regarding consumer credit, creditworthiness and punctuality in payments (not yet approved by EDPB) Certification Schemes • May be proposed by anybody • To be approved by DPA / EDPB • Certification by • DPA • Independent third party accredited by (upon choice of member state) • DPA • accreditation body • EDPB Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 • EDPB Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679) Standard/Model Contractual Clauses • Standard contract to be entered between data exporter (in the EU) and data importer (in the third country) • Controller to Controller • Controller to Processor • Issued by the European Commission • Other provisions may be agreed (typically MCC are signed in parallel with a data processing agreement), but must not be conflicting • To be reviewed by CJEU in case C-311/18 (Schrems II) Derogations • Explicit consent, „after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards“ • Performance of a contract • between the data subject and the controller • concluded in the interest of the data subject between the controller and another natural or legal person • Important reasons of public interest • Establishment, exercise or defence of legal claims • Vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent • Transfer is made from a register which according to Union or Member State law is intended to provide information to the public • Escape clasue: necessary for the purposes of compelling legitimate interests – only if transfer is not repetitive, concerns only a limited number of data subjects • The controller shall inform the supervisory authority and the data subject of the transfer. • EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 Open point – article 48 • Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter. Challenges for future • Privacy Shield Reviews • Standard Contractual Clauses before CJEU (Schrems II case) • US Cloud Act – European Commission engaged in negotiations with the US of an international agreement dealing with cross-border access requests to electronic evidence • According to EDPB such international agreement must contain sufficient adequate data protection safeguards Summary • Cornerstone of data protection laws • Territorial and organizational approach • Adequacy, appropriate safeguards, derogations • In practice • Adequacy, including Privacy Shield • Model Contractual Clauses Questions? tomisek@rowan.legal