Cybersecurity Law Compliance with the Adequacy Requirement
LL.B., LL.M.
Technology, Media & Telecoms Institute Centre for Commercial Law Studies Queen Mary, University of London
Key principles and protections
When can personal data be transferred outside the EU? Derogations from the adequate protection requirement
This session:
GDPR & compliance with the adequacy requirement
Previous lectures:
Transfers of Data outside the EU
Must be Adequate Protection
EU: very high standard for data protection
Not willing to settle for less than own standard
Who decides if protection is adequate?
Data controller (risky!)
Member states' National Supervisory Authorities (e.g. Information Commissioner)
EU Commission / Article 31 Committee (binding decisions)
EU Article 29 Working Party (advisory power)
General Adequacy Criteria
Commission adequacy decisions (including legacy decisions) to be reviewed at least every four years
Adequacy decisions may be repealed, amended or suspended
What is adequate protection?
Aim: EU citizens should have same protection when data transferred out of EU
General Adequacy Criteria
All circumstances concerning data transfer considered (Article 45(2)):
(a) Rule of law, respect for human rights & fundamental freedoms, relevant law in third country, professional rules & security measures (including rules for onward transfer of data to another third country / international organisation), case-law, effective and enforceable subject rights & legal remedies
(b) Are there any supervisory authorities who can ensure protections are enforced?
(c) Has the third country committed to any legally binding international rules on protecting personal data?
Nature of the Data
Commission will require higher standards for transferring sensitive personal data to a third country (i.e. one outside the EU)
For example, health data.
Transfer of data that poses little risk to the rights and freedoms of individuals does not usually require the same level of protection
For example, transfer of a list of internal telephone extensions to overseas subsidiaries of a multinational company
Purpose and duration
Data controller must take into account the purposes for which the data is transferred
some purposes will carry a lesser risk to the rights of data subjects than others
Data exporters must ensure that:
processing time in the third country is kept to a minimum; and
data is deleted by the data importer as soon as it is no longer required for the intended purpose
Remember, Data Controllers will be held accountable for actions of processors in third countries!
Transfers of Data outside the EU
Which countries have been found to have adequate protection in national laws?
Not very many
Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Switzerland, Uruguay
See further:
http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
Transfers of Data outside the EU
Other countries
How can data be transferred?
E.g. US: trade between the EU and US is worth billions of dollars and requires the transfer of personal data.
Need for an alternative means
There are the derogations (see last lecture), but not ideal for basis of regular business!
Transfers of Data outside the EU
Appropriate safeguards which do not require approval by supervisory authority:
Legally binding and enforceable instruments between public bodies / authorities (Treaties)
Binding Corporate Rules (A47)
European Commission's standard contractual clauses
Standard contractual clauses adopted by national DPA and approved by Commission
Approved Code of Conduct (A40)
Approved certification mechanism (A42)
Transfers of Data outside the EU
Appropriate safeguards which do require approval by supervisory authority:
Contractual arrangements between party in EU (Controller or Processor) and party in third country (controller/processor/recipient) or international organisation
Provisions inserted in administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights
Transfers of Data outside the EU
International Binding Legal Instruments (Treaties)
PNR (Air Passenger Name Record Data): EU-US / EU-Canada / EU-Australia
TFTP (Terrorist Finance Tracking Programme): EU-US
PIPEDA (Personal Information Protection and Electronic Documents Act): EU-Canada
Controls use of personal data by commercial companies
Transfers of Data Outside the EU
Certification GDPR A42
National authorities & European Commission to encourage EU data protection certification mechanisms: seals and marks
Certifying that specific data controllers in third countries provide EU-level of protection (see US Privacy Shield)
Certification must be voluntary and transparent
Must be monitored; can be withdrawn for non-compliance
Certification bodies and processes must be properly approved GDPR A43
Transfers of Data outside the EU
EU-US Safe Harbor Agreement
2000 Recognised as adequate protection By EC
Opt-in system for US companies who wanted to deal with EU personal data
Limited success: by Spring 2015 only 5,101 companies had registered
Late 2015: Safe Harbor no longer valid
Schrems v Data Protection Commissioner (06 October 2015), Case C-362/14
Austrian citizen, user of the Facebook SNS
Complaint concerned US Government access to personal data of EU citizens
Transfers of Data outside the EU
EU-US Privacy Shield
2 February 2016: Agreement on Privacy Shield announced
12 July 2016: European Commission Adequacy Decision published
Package is much more detailed than Safe Harbor and includes multiple letters and other documents from US government officials
US organisations self-certify with US Department of Commerce and commit to comply with 7 principles
Enforceable by the FTC or DPAs
Dedicated Ombudsperson for complaints about US LEA access
Annual joint review mechanism
Transfers of Data outside the EU
Privacy Shield Principles (the seven principles):
Notice
Choice
Accountability for Onward Transfer
Security
Data Integrity and Purpose Limitation
Access
Recourse, Enforcement and Liability
Transfer of Data outside the EU
Key implications of the Privacy Shield?
Exposure to civil & criminal proceedings in US
Public statement of commitment may highlight local differences
Only available to organisations regulated by the Department of Commerce or the Department of Transportation
Only covers transfers to the US and only from Europe
How robust is the Privacy Shield?
Vulnerable to attack on similar grounds to Safe Harbor
Digital Rights Ireland and La Quadrature du Net have challenged PS in court
Transfer of Data outside the EU
Privacy Shield (First Annual Review PASS!)
18th-19th Sep 2017: First Annual Review meetings, Washington
18th Oct 2017: European Commission published first annual report on the functioning of the Privacy Shield. Main findings:
the U.S. authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield
Certification process handled in an overall satisfactory manner
More than 2,400 companies certified to date
Relevant safeguards remain in place re access to personal data by US public authorities for national security purposes
US continues to ensure adequate protection for data transferred under the PS
Transfer of Data outside the EU
Privacy Shield (recommended improvements)
No public references to PS certification before it is finalised by
DoC should conduct proactive and regular searches for false claims
DoC should conduct compliance checks on a regular basis
Both DoC and DPAs should strengthen awareness raising efforts
DoC + DPAs + FTC should develop guidance on concepts that need further clarification (e.g. accountability for onward transfers)
Study to be commissioned on automated decision-making
Protections for non-Americans should be enshrined in FISA
US administration should appoint permanent Ombudsperson + missing members of Privacy & Civil Liberties Oversight Board ASAP
End of Part One
Cybersecurity Law
Compliance with the Adequacy Requirement Part II
Transfers of Data outside the EU
Other forms of adequate safeguards
Binding Corporate Rules (BCR) (GDPR A47)
EU Model Clauses [Standard Contractual Clauses (SCC)] (GDPR A93)
Standard contractual clauses adopted by national DPA and approved by Commission (A93)
Approved Code of Conduct (A40)
Approved certification mechanism (A42)
Transfers of Data outside the EU
Binding Corporate Rules
Facilitate TBDF (trans-border data flows) within particular corporate groups; saves
Article 47 GDPR sets out requirements
National DPAs / European Commission to approve
https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/binding-corporate-rules_en
Transfers of Data outside the EU
Binding Corporate Rules GDPR A47
Code of Conduct drafted containing privacy policy of the entire enterprise
Each entity included in the enterprise subscribes
Enables data subjects to enforce code against the enterprise
Advantages and disadvantages
Transfers of Data outside the EU
Binding Corporate Rules Examples of approvals:
General Electric Company (employee data)
Koninklijke Philips Electronics NV (employee data)
Atmel Corporation (employee data)
Accenture Limited (employee and client)
Supervisory Authorities (National DPAs) to ensure consistency of applying the rules
Pre-GDPR approvals still valid, though can be reviewed
Transfers of Data outside the EU
Binding Corporate Rules
Read a stinging critique from Google's Legal Counsel in 2007:
http://peterfleischer.blogspot.com/2007/03/binding-corporate-rules-data-protection.html
Transfers of Data outside the EU
Standard Contractual Clauses (SCCs)
European Commission or National DPA (e.g. UK ICO) can adopt standard clauses
Businesses can use these without approval, or
companies can come up with their own and seek Commission / DPA approval
Transfers of Data outside the EU
Standard Contractual Clauses (SCCs)
EU has adopted three sets of SCC so far:
EU controller to non-EU/EEA controller:
Decision 2001/497/EC
http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:32001D0497
Decision 2004/915/EC
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32004D0915
EU controller to non-EU/EEA processor:
Decision 2010/87/EU
http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087
Transfers of Data outside the EU
Standard Contractual Clauses: The 2010 Version
February 2010: European Commission adopts revised controller-to-processor SCCs.
takes account of the expansion of processing activities outsourced by EU businesses to companies in third countries
includes specific provisions allowing the outsourcing by the data processor of its processing activities to other sub-processors
Transfers of Data outside the EU
Codes of Conduct GDPR A40
National Supervisory Authorities & EC to encourage creation of codes of conduct for various processing sectors
Types of information, business, needs of particular business sector
Associations and other bodies representing categories of controllers or processors may prepare codes of conduct
Codes to be approved by national DPAs (Supervisory authorities) or European Commission
Transfers of Data outside the EU
Codes of Conduct GDPR A40
Codes not themselves binding law, (though help to obey the
If made binding by legal instrument (e.g. by contract) on party in third country, can provide appropriate safeguards
Day to day monitoring of approved codes can be by accredited body GDPR A41
Concluding Remarks
Covered this session:
Ways to achieve adequate protection to allow trans-border data flows to third countries
Coming next:
Privacy and online data collection
What threats does the internet present to our information privacy?
How does European Data Protection law address these?