Cybersecurity Law Compliance with the Adequacy Requirement
LL.B., LL.M.
Technology, Media & Telecoms Institute Centre for Commercial Law Studies Queen Mary, University of London
Key principles and protections
When can personal data be transferred outside the EU? Derogations from the “adequate protection” requirement
This session:
– GDPR & compliance with the adequacy requirement
Previous lectures:
Transfers of Data outside the EU
Must be “Adequate Protection”
– EU: very high standard for data protection
Not willing to settle for less than own standard
Who decides if protection is adequate?
Data controller (risky!)
Member states: National Supervisory Authority (Information Commissioners)
EU Commission: Article 31 Committee (binding decisions)
EU: Article 29 Working Party (advisory power)
General Adequacy Criteria
Commission adequacy decisions (including legacy decisions) to be reviewed at least every four years
– Adequacy decisions may be repealed, amended, suspended
What is ‘adequate’ protection?
– Aim: EU citizens should have same protection when data transferred out of EU
General Adequacy Criteria
All circumstances concerning data transfer considered (Article 45(2)):
(a) Rule of law, respect for human rights & fundamental freedoms, relevant law in third country, professional rules & security measures (including rules for onward transfer of data to another third country / international organisation), case-law, effective and enforceable subject rights & legal remedies
(b) Are there any supervisory authorities who can ensure protections are enforced?
(c) Has the third country committed to any legally binding international rules on protecting personal data?
Nature of the Data
Commission will require higher standards for transferring sensitive personal data to a third country (i.e. one outside the EU)
– For example, health data.
Transfer of data that poses little risk to the rights and freedoms of individuals does not usually require the same level of protection
– For example, transfer of a list of internal telephone extensions to overseas subsidiaries of a multinational company
Purpose and duration
Data controller must take into account the purposes for which the data is transferred
– some purposes will carry a lesser risk to the rights of data subjects than others
Data exporters must ensure that:
– processing time in the third country is kept to a minimum; and
– data is deleted by the data importer as soon as it is no longer required for the intended purpose
Remember, Data Controllers will be held accountable for actions of processors in third countries!
Transfers of Data outside the EU
Which countries have been found to have ‘adequate protection’ in national laws?
Not very many…
– Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Switzerland, Uruguay
– See further: http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.htm
Transfers of Data outside the EU
Other countries
– How can data be transferred?
E.g. US: the volume of trade between the EU and the US is worth billions of dollars and requires the transfer of personal data.
– Need for an alternative means
There are the derogations (see last lecture), but not ideal for basis of regular business!
Transfers of Data outside the EU
“Appropriate safeguards” which do not require approval by supervisory authority:
Legally binding and enforceable instruments between public bodies / authorities (Treaties)
Binding Corporate Rules (A47)
European Commission’s standard contractual clauses
Standard contractual clauses adopted by national DPA and approved by Commission
Approved Code of Conduct (A40)
Approved certification mechanism (A42)
Transfers of Data outside the EU
“Appropriate safeguards” which do require approval by supervisory authority:
Contractual arrangements between party in EU (Controller or Processor) and party in third country (controller/processor/recipient) or international organisation
Provisions inserted in administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights
Transfers of Data outside the EU
International Binding Legal Instruments (Treaties)
– PNR (Air Passenger Name Record Data): EU – US/Canada/Australia
– TFTP (Terrorist Finance Tracking Programme): EU – US
– PIPEDA (Personal Information Protection and Electronic Documents Act): EU – Canada
Controls use of Personal Data by commercial companies
Transfers of Data Outside the EU
Certification – GDPR A42
– National authorities & European Commission to encourage EU “data protection mechanisms…seals and marks”
Certifying that specific data controllers in third countries provide EU-level of protection (see US Privacy Shield)
Certification must be voluntary and transparent
– Must be monitored; can be withdrawn for non-compliance
Certification bodies and processes must be properly approved GDPR A43
Transfers of Data outside the EU
EU–US Safe Harbor Agreement
– 2000 – Recognised as ‘adequate protection’ by EC
– ‘Opt-in’ system for US companies who wanted to deal with EU personal data
– Limited success – Spring 2015: only 5,101 companies registered
– Late 2015: Safe Harbor no longer valid
– v Data Protection Commissioner (06 October 2015) Case C-362/14
Austrian citizen, user of Facebook SNS
US Government access to personal data of EU citizens
Transfers of Data outside the EU
EU-US Privacy Shield
– 2 February 2016: Agreement on Privacy Shield announced
– 12 July 2016: European Commission Adequacy Decision published
– Package is much more detailed than Safe Harbor and includes multiple letters and other documents from US government officials
– US organisations self-certify with US Department of Commerce and commit to comply with 7 principles
– Enforceable by the FTC or DPAs
– Dedicated Ombudsperson for complaints about US LEA access
– Annual joint review mechanism
Transfers of Data outside the EU
Privacy Shield Principles:
– Accountability for Onward Transfers
– Security
– Data Integrity and Purpose Limitation
– Access
– Recourse, Enforcement and Liability
Transfer of Data outside the EU
Key implications of the Privacy Shield?
Exposure to civil & criminal proceedings in US
Public statement of commitment may highlight local differences
Only available to organisations regulated by the Department of Commerce or the Department of Transport
Only covers transfers to the US and only from Europe
How robust is the Privacy Shield?
– Vulnerable to attack on similar grounds to Safe Harbor
– Digital Rights Ireland and La Quadrature du Net have challenged PS in court
Transfer of Data outside the EU
Privacy Shield (First Annual Review – PASS!)
– 18th–19th Sep 2017: First Annual Review meetings, Washington
– 18th Oct 2017: European Commission published first annual report on the functioning of the Privacy Shield. Main findings:
“the U.S. authorities have put in place the necessary structures and procedures to ensure the correct functioning of the Privacy Shield”
Certification process handled “in an overall satisfactory manner”
More than 2,400 companies certified to date
Relevant safeguards remain in place re access to personal data by US public authorities for national security purposes
US continues to ensure adequate protection for data transferred under the PS
Transfer of Data outside the EU
Privacy Shield (recommended improvements)
– No public references to PS certification before it is finalised by
– DoC should conduct proactive and regular searches for false claims
– DoC should conduct compliance checks on a regular basis
– Both DoC and DPAs should strengthen awareness raising efforts
– DoC + DPAs + FTC should develop guidance on concepts that need further clarification (e.g. accountability for onward transfers)
– Study to be commissioned on automated decision-making
– Protections for non-Americans should be enshrined in FISA
– US administration should appoint permanent Ombudsperson + missing members of Privacy & Civil Liberties Oversight Board ASAP
End of Part One
Cybersecurity Law
Compliance with the Adequacy Requirement Part II
LL.B., LL.M.
Technology, Media & Telecoms Institute Centre for Commercial Law Studies Queen Mary, University of London
Transfers of Data outside the EU
Other forms of adequate safeguards
– Binding Corporate Rules (BCR) (GDPR A47)
– EU Model Clauses (Standard Contractual Clauses, SCC) (GDPR A93)
– Standard contractual clauses adopted by national DPA and approved by Commission (A93)
– Approved Code of Conduct (A40)
– Approved certification mechanism (A42)
Transfers of Data outside the EU
Binding Corporate Rules
– Facilitate TBDF within particular corporate groups – saves
– Article 47 GDPR sets out requirements
– National DPAs / European Commission to approve
https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/binding-corporate-rules_en
Transfers of Data outside the EU
Binding Corporate Rules GDPR A47
– Code of Conduct drafted – containing privacy policy of the entire enterprise
Each entity included in the enterprise subscribes
Enables data subjects to enforce code against the enterprise
– Advantages and disadvantages
Transfers of Data outside the EU
Binding Corporate Rules – Examples of approvals:
General Electric Company (employee data)
Koninklijke Philips Electronics NV (employee data)
Atmel Corporation (employee data)
Accenture Limited (employee and client)
Supervisory Authorities (National DPAs) to ensure consistency of applying the rules
– Pre-GDPR approvals still valid, though can be reviewed
Transfers of Data outside the EU
Binding Corporate Rules
– Read a ‘stinging’ critique from Google’s Legal Counsel in 2007
http://peterfleischer.blogspot.com/2007/03/binding-corporate-rules-data-protection.html
Transfers of Data outside the EU
Standard Contractual Clauses (SCCs)
– European Commission or National DPA (e.g. UK ICO) can adopt standard clauses
Businesses can use these without approval or
– Companies can come up with their own and seek Commission / DPA approval
Transfers of Data outside the EU
Standard Contractual Clauses (SCCs)
– EU has adopted three sets of SCC so far:
EU controller to non-EU or EEA controller:
– Decision 2001/497/EC
http://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:32001D0497
– Decision 2004/915/EC
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32004D0915
EU controller to non-EU or EEA processor:
– Decision 2010/87/EU
http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087
Transfers of Data outside the EU
Standard Contractual Clauses: The 2010 Version
February 2010: European Commission adopts revised “controller-to-processor” SCCs.
– takes account of the expansion of processing activities outsourced by EU businesses to companies in third countries
– includes specific provisions allowing the outsourcing by the data processor of its processing activities to other sub-processors
Transfers of Data outside the EU
Codes of Conduct GDPR A40
– National Supervisory Authorities & EC to encourage creation of codes of conduct “for various processing sectors”
Types of information, business, needs of particular business sector
– “Associations and other bodies representing categories of controllers or processors may prepare codes of conduct…”
Codes to be approved by national DPAs (Supervisory authorities) or European Commission
Transfers of Data outside the EU
Codes of Conduct GDPR A40
– Codes not themselves binding law (though help to obey the
– If made binding by legal instrument (e.g. by contract) on party in third country, can provide “appropriate safeguards”
– Day to day monitoring of approved codes can be by accredited body – GDPR A41
Concluding Remarks
Covered this session:
– Ways to achieve “adequate protection” to allow trans-border data flows to third countries
Coming next:
– Privacy and online data collection
What threats does the internet present to our information privacy?
How does European Data Protection law address these?