Cybersecurity Law Compliance with the Adequacy Requirement
LL.B., LL.M.
Technology, Media & Telecoms Institute Centre for Commercial Law Studies Queen Mary, University of London
• Previous lectures:
– Key principles and protections
– When can personal data be transferred outside the EU?
– Derogations from the “adequate protection” requirement
• This session:
– GDPR & compliance with the adequacy requirement

Transfers of Data outside the EU
• Must be “Adequate Protection”
– EU: very high standard for data protection
– Not willing to settle for less than its own standard
• Who decides if protection is adequate?
– Data controller (risky!)
– Member states’ National Supervisory Authority (Information Commissioners)
– EU Commission Article 31 Committee (binding decisions)
– EU Article 29 Working Party (advisory power)
General Adequacy Criteria
• What is ‘adequate’ protection?
– Aim: EU citizens should have the same protection when data is transferred out of the EU
• Commission adequacy decisions (including legacy decisions) to be reviewed at least every four years
– Adequacy decisions may be repealed, amended or suspended

General Adequacy Criteria
• All circumstances concerning the data transfer are considered (Article 45(2)):
(a) Rule of law, respect for human rights & fundamental freedoms, relevant law in third country, professional rules & security measures (including rules for onward transfer of data to another third country / international organisation), case-law, effective and enforceable subject rights & legal remedies
(b) Are there any supervisory authorities who can ensure protections are enforced?
(c) Has the third country committed to any legally binding international rules on protecting personal data?
Nature of the Data
• Commission will require higher standards for transferring sensitive personal data to a third country (i.e. one outside the EU)
– For example, health data.
• Transfer of data that poses little risk to the rights and freedoms of individuals does not usually require the same level of protection
– For example, transfer of a list of internal telephone extensions to overseas subsidiaries of a multinational company

Purpose and duration
• Data controller must take into account the purposes for which the data is transferred
– some purposes will carry a lesser risk to the rights of data subjects than others
• Data exporters must ensure that:
– processing time in the third country is kept to a minimum; and
– data is deleted by the data importer as soon as it is no longer required for the intended purpose
• Remember, Data Controllers will be held accountable for the actions of processors in third countries!
Transfers of Data outside the EU
• Which countries have been found to have ‘adequate protection’ in national laws?
• Not very many…
– Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, , Switzerland, Uruguay
– See further:
  • http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm

Transfers of Data outside the EU
• Other countries
– How can data be transferred?
  • E.g. US: the volume of trade between the EU and the US is worth billions of dollars and requires the transfer of personal data.
– Need for an alternative means
  • There are the derogations (see last lecture), but they are not an ideal basis for regular business!
Transfers of Data outside the EU
• “Appropriate safeguards” which do not require approval by a supervisory authority:
– Legally binding and enforceable instruments between public bodies / authorities (Treaties)
– Binding Corporate Rules (A47)
– European Commission’s standard contractual clauses
– Standard contractual clauses adopted by a national DPA and approved by the Commission
– Approved Code of Conduct (A40)
– Approved certification mechanism (A42)

Transfers of Data outside the EU
• “Appropriate safeguards” which do require approval by a supervisory authority:
– Contractual arrangements between a party in the EU (Controller or Processor) and a party in a third country (controller / processor / recipient) or an international organisation
– Provisions inserted in administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights
Transfers of Data outside the EU
• International Binding Legal Instruments (Treaties)
– PNR (Air Passenger Name Record Data): EU-US / EU-Canada / EU-Australia
– TFTP (Terrorist Finance Tracking Programme): EU-US
– PIPEDA (Personal Information Protection and Electronic Documents Act): EU-Canada
  • Controls use of Personal Data by commercial companies

Transfers of Data Outside the EU
• Certification – GDPR A42
– National authorities & European Commission to encourage EU “data protection mechanisms…seals and marks”
  • Certifying that specific data controllers in third countries provide an EU level of protection (see US Privacy Shield)
  • Certification must be voluntary and transparent
– Must be monitored; can be withdrawn for non-compliance
  • Certification bodies and processes must be properly approved (GDPR A43)
Transfers of Data outside the EU
• EU-US Safe Harbor Agreement
– 2000 – Recognised as ‘adequate protection’ by the EC
– ‘Opt-in’ system for US companies who wanted to deal with EU personal data
– Limited success – Spring 2015: only 5,101 companies registered
– Late 2015: Safe Harbor no longer valid
– v Data Protection Commissioner (06 October 2015), Case C-362/14
  • Austrian citizen, user of the Facebook SNS
  • US Government access to personal data of EU citizens

Transfers of Data outside the EU
• EU-US Privacy Shield
– 2 February 2016
  • Agreement on Privacy Shield announced by the European Commission
– 12 July 2016
  • Commission Adequacy Decision published
– Package is much more detailed than Safe Harbor and includes multiple letters and other documents from US government officials
– US organisations self-certify with the US Department of Commerce and commit to comply with 7 principles
– Enforceable by the FTC or DPAs
– Dedicated Ombudsperson for complaints about US LEA access
– Annual joint review mechanism
Transfers of Data outside the EU
• Privacy Shield Principles:
– Accountability for Onward Transfers
– Security
– Data Integrity and Purpose Limitation
– Access
– Recourse, Enforcement and Liability

Transfer of Data outside the EU
• Key implications of the Privacy Shield?
– Exposure to civil & criminal proceedings in the US
– Public statement of commitment may highlight local differences
– Only available to organisations regulated by the Department of Commerce or the Department of Transport
– Only covers transfers to the US and only from Europe
• How robust is the Privacy Shield?
– Vulnerable to legal challenge on similar grounds to Safe Harbor
– Digital Rights Ireland and La Quadrature du Net have challenged PS in court
Transfer of Data outside the EU
• Privacy Shield (First Annual Review – PASS!)
– 18th–19th Sep 2017: First Annual Review meetings, Washington
– 18th Oct 2017: European Commission published its first annual report on the functioning of the Privacy Shield. Main findings:
  • “the U.S. authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield”
  • Certification process handled “in an overall satisfactory manner”
  • More than 2,400 companies certified to date
  • Relevant safeguards remain in place re access to personal data by US public authorities for national security purposes
  • US continues to ensure adequate protection for data transferred under the PS

Transfer of Data outside the EU
• Privacy Shield (recommended improvements)
– No public references to PS certification before it is finalised by the DoC
– DoC should conduct proactive and regular searches for false claims
– DoC should conduct compliance checks on a regular basis
– Both DoC and DPAs should strengthen awareness-raising efforts
– DoC + DPAs + FTC should develop guidance on concepts that need further clarification (e.g. accountability for onward transfers)
– Study to be commissioned on automated decision-making
– Protections for non-Americans should be enshrined in FISA
– US administration should appoint a permanent Ombudsperson + the missing members of the Privacy & Civil Liberties Oversight Board ASAP
End of Part One

Cybersecurity Law
Compliance with the Adequacy Requirement Part II
LL.B., LL.M.
Technology, Media & Telecoms Institute Centre for Commercial Law Studies Queen Mary, University of London
Transfers of Data outside the EU
• Other forms of adequate safeguards
– Binding Corporate Rules (BCR) (GDPR A47)
– EU Model Clauses (Standard Contractual Clauses, SCCs) (GDPR A93)
– Standard contractual clauses adopted by a national DPA and approved by the Commission (A93)
– Approved Code of Conduct (A40)
– Approved certification mechanism (A42)

Transfers of Data outside the EU
• Binding Corporate Rules
– Facilitate TBDF (trans-border data flows) within particular corporate groups – saves
– Article 47 GDPR sets out the requirements
– National DPAs / European Commission to approve
– https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/binding-corporate-rules_en
Transfers of Data outside the EU
• Binding Corporate Rules GDPR A47
– Code of Conduct drafted – containing the privacy policy of the entire enterprise
  • Each entity included in the enterprise subscribes
  • Enables data subjects to enforce the code against the enterprise
– Advantages and disadvantages

Transfers of Data outside the EU
• Binding Corporate Rules – Examples of approvals:
– General Electric Company (employee data)
– Koninklijke Philips Electronics NV (employee data)
– Atmel Corporation (employee data)
– Accenture Limited (employee and client)
• Supervisory Authorities (National DPAs) to ensure consistency in applying the rules
– Pre-GDPR approvals still valid, though can be reviewed
Transfers of Data outside the EU
• Binding Corporate Rules
– Read a ‘stinging’ critique from Google’s Legal Counsel in 2007
  • http://peterfleischer.blogspot.com/2007/03/binding-corporate-rules-data-protection.html

Transfers of Data outside the EU
• Standard Contractual Clauses (SCCs)
– European Commission or a National DPA (e.g. UK ICO) can adopt standard clauses
  • Businesses can use these without approval or
– Companies can come up with their own and seek Commission / DPA approval
Transfers of Data outside the EU
• Standard Contractual Clauses (SCCs)
– EU has adopted three sets of SCCs so far:
  • EU controller to non-EU/EEA controller – Decision 2001/497/EC
    http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:32001D0497
  • EU controller to non-EU/EEA controller (alternative set) – Decision 2004/915/EC
    http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32004D0915
  • EU controller to non-EU/EEA processor – Decision 2010/87/EU
    http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087

Transfers of Data outside the EU
• Standard Contractual Clauses: The 2010 Version
– February 2010: European Commission adopts revised “controller-to-processor” SCCs.
  • takes account of the expansion of processing activities outsourced by EU businesses to companies in third countries
  • includes specific provisions allowing the outsourcing by the data processor of its processing activities to other sub-processors
Transfers of Data outside the EU
• Codes of Conduct GDPR A40
– National Supervisory Authorities & EC to encourage the creation of codes of conduct “for various processing sectors”
  • Types of information, business, needs of a particular business sector
– “Associations and other bodies representing categories of controllers or processors may prepare codes of conduct…”
  • Codes to be approved by national DPAs (Supervisory authorities) or the European Commission

Transfers of Data outside the EU
• Codes of Conduct GDPR A40
– Codes not themselves binding law (though help to obey the
– If made binding by legal instrument (e.g. by contract) on a party in a third country, can provide “appropriate safeguards”
– Day-to-day monitoring of approved codes can be by an accredited body – GDPR A41
Concluding Remarks
• Covered this session:
– Ways to achieve “adequate protection” to allow trans-border data flows to third countries
• Coming next:
– Privacy and online data collection
  • What threats does the internet present to our information privacy?
  • How does European Data Protection law address these?
