International transfers of personal data after the ‘Schrems’ case and under the GDPR
Infosecurity 2016
16 June 2016
Brussels
Status update on the GDPR and international transfers of personal data
GDPR timeline
25 Jan 2012: EC proposal for GDPR
14 April 2016: official adoption
24 May 2016: entry into force of the GDPR
25 May 2018: application of the GDPR (transition period of 2 years)
• With a few exceptions, no specific transitional measures
• No sunset for existing adequacy decisions
Brussels - Kortrijk | www.crosslaw.be 2
Safe Harbor timeline
26 July 2000: EC adequacy finding ‘Safe Harbor’
29 April 2010: German DPAs issue decision requesting active compliance checks
19 July 2013: criticism from EC Vice President Viviane Reding
24 July 2013: revelations of US surveillance programmes – German DPAs express deep concerns
27 November 2013: EC memorandum with recommendations for improvement of Safe Harbor
12 March 2014: EP calls for immediate suspension of Safe Harbor
19 March 2015: German DPAs pass a resolution: ‘insufficient protection’
23 September 2015: Advocate General of the CJEU delivers opinion in the Schrems case
6 Oct 2015: invalidation of the EC adequacy finding (Schrems case – C-362/14)
EU/US Privacy Shield timeline
31 January 2016: end of the grace period for Safe Harbor
2 February 2016: announcement of the political agreement on the EU/US Privacy Shield
29 February 2016: presentation of the text
13 April 2016: negative opinion of the Article 29 Working Party
26 May 2016: EP resolution demanding improvements to the EU/US Privacy Shield
30 May 2016: negative opinion of the EDPS
June 2016: several meetings within Article 31 Committee
Principles of international transfers of personal data
General principle: no transfer of personal data outside the EEA unless the destination country offers an adequate level of protection
What is a transfer of personal data?
Ad hoc assessment of the adequacy of the level of protection = not feasible in practice
Countries may be listed (adequate level of protection?)
• Black list (empty)
• White list (list is not complete), e.g.:
  • Switzerland
  • Israel
  • Uruguay
  • Argentina
  • New Zealand
  • Canada (if the recipient is subject to PIPEDA)
Alternative solutions for international transfers of personal data to countries not offering an adequate level of protection
Model Clauses
• Standard pre-approved contract for international data transfers
• Different flavours for controller-to-controller (C2C) and controller-to-processor (C2P) transfers
• Local formalities may still apply in individual member states, but the clauses themselves cannot be rejected
• Easy implementation
BCR (Binding Corporate Rules)
• Solution proposed by the Article 29 WP for intragroup transfers (BCR-C for controllers and BCR-P for processors)
• Approval is streamlined by the cooperation procedure between DPAs
• Nevertheless a lengthy and expensive implementation process
Ad Hoc Contractual Clauses
• Possible solution, but subject to prior approval
Exceptions to the principle of interdiction of international transfers of personal data
• Consent
• Necessary for contractual performance or precontractual measures
• Necessary or legally required on important public interest grounds
• Necessary for the establishment, exercise or defence of legal claims
• Necessary to protect the vital interests of the data subject
• Transfer from a public register
Article 29 WP guidance
• Exception mechanism: strict interpretation as a rule
• Not appropriate for structured, massive and/or repetitive international transfers of personal data
Safe Harbor and the Schrems case
Safe Harbor
• Mechanism for data transfers to the USA
Schrems case
• Complaint of Max Schrems with the Irish DPA
• Preliminary ruling of the CJEU
• Invalidation of the adequacy finding of the EC
• An adequacy finding does not prevent a supervisory authority from investigating the
• Safe Harbor does not offer adequate protection:
  • No effective legal protection
  • Insufficient enforcement on the US side
  • Disproportionate interference with the fundamental rights of the data subject (massive and indiscriminate surveillance)
EU/US Privacy Shield
EU/US Privacy Shield = Safe Harbor 2.0?
Comparable mechanism (self-certification)
Principles
• Notice
• Choice
• Accountability for onward transfer & vendor management
• Security
• Data integrity and purpose limitation
• Access
• Recourse, enforcement and liability:
  • Internal complaint handling
  • Independent recourse mechanisms or DPA panel
  • Complaints referred by the DPA to the DOC (US Department of Commerce) + arbitration as last resort
  • Cooperation with the DPA (advice on data processing)
Annual joint review
International transfers of personal data under the GDPR
International transfers of personal data
• Principles of Directive 95/46/EC are confirmed
• Slight changes apply
• Current adequacy findings remain in place (no ‘sunset’ provision)
• Limitations in relation to ‘onward transfers’
• Two new mechanisms for international transfers of personal data (approved codes of conduct and certification mechanisms, see below)
• BCRs and ‘standard data protection clauses’ are embedded in the GDPR
• Heavy administrative fines in case of infringement: up to 4% of global annual turnover or EUR 20 million, whichever is higher
Changes to the exception mechanism
Consent is restricted as a mechanism
• Explicit consent
• Additional information to be provided (on the risks of the transfer)
Alternative exception may be used: compelling legitimate interest
• Transfer could not be based on an adequacy finding, BCR, standard contractual clauses or any other exception
• Not repetitive and concerns only a limited number of data subjects
• Not overridden by the interests or fundamental rights of the data subjects
• Data controller has adduced suitable safeguards
• DPA informed
• Data subjects informed (detailed information)
Adequacy decisions of the EC are rendered more difficult
Conditions
• Take into account legislation and case law of the third country
• Enforceable data subject rights
• Effective rules and administrative and judicial redress
• Existence and effective functioning of a supervisory authority:
  • Responsible for ensuring and enforcing data protection rules
  • Adequate sanctioning powers
  • Cooperation with the supervisory authorities of the member states
• International commitments
Periodic review (at least every 4 years)
Obligation for ongoing monitoring of third countries and international organisations
Obligation to enter into consultation with third countries or international organisations
Approved codes of conduct
• Approval mechanism by the supervisory authority
• Drawn up by associations or bodies representing data controllers or data processors
• May be used as a basis for international transfers of personal data
• Binding and enforceable commitment to apply the safeguards
• Contractual or other legally binding instruments
Certification mechanisms, data protection seals and marks
• Voluntary and transparent
• Certification does not reduce responsibility for compliance
• Certification period of max. 3 years (subject to renewal)
• May be used as a basis for international transfers of personal data
• Binding and enforceable commitment to apply the safeguards
• Contractual or other legally binding instruments
Future developments
Is there a future for the current model contractual clauses?
Irish DPA announces that it will bring the model contractual clauses before the Irish High Court
• 25 May 2016: announcement
• 1 June 2016: case is submitted to the High Court
• 2017-2018: preliminary ruling of the CJEU?
Consequences
• New model contractual clauses?
• Legal uncertainty: many companies are now implementing model contractual clauses as an alternative to Safe Harbor
• BCRs?
Conclusion
GDPR
Continuity of the existing situation
• Principles are confirmed
• No sunset provision for existing adequacy findings
Some minor changes
• If transfers based on consent exist: upgrade to the new consent requirement (explicit consent, additional information)
Safe Harbor – EU/US Privacy Shield
Safe Harbor should have been phased out already
• Move to model clauses
Legal uncertainty is ongoing
• EU/US Privacy Shield is likely to be accepted
• Review of BCRs and existing model clauses?
Johan Vandendriessche
Partner – Crosslaw
Visiting Professor ICT Law – UGent
[email protected] | www.crosslaw.be