EBU6007 Cybersecurity Law
4. Transfer of Data Outside the EU
Gavin L.B., LL.M.
Centre for Commercial Law Studies, Queen Mary, University of London

Data Protection Law History: Recap

• 1970s: data protection laws are enacted in several European countries
• 1980s: international agreements for the protection of personal data are made
  – OECD Guidelines
  – Council of Europe Convention
• 1995: European Communities adopt the Data Protection Directive (95/46/EC), now replaced by the EU General Data Protection Regulation

The Circle of Trust

Data Protection v. Trans-border Data Flows
• Countries with data protection laws prevented data flows into countries without data protection laws
• Those countries’ laws were seen as “inadequate”
=> Data protection impeded trans-border data flows and hindered international trade

Harmonisation of Data Protection
• Harmonisation of data protection laws at European level created minimum standards with which each EU member state must comply
• Created a level playing field and facilitated trans-border data flows
• Expanded the application of data protection laws to countries which did not have protection before

UK enters the Circle of Trust
• EU: very high standards of DP
  – Limits on Controller/Processor
    • collection and use of data, transfer of information to other parties within EU, security, et cetera
  – Rights for Data Subject
    • Access, correction, deletion (‘right to be forgotten’), et cetera
• BUT… Can personal data of EU data protection subjects be transferred outside the EU?
• Purpose of DP laws defeated if data sent where no protection!
• Third Country laws

Circle of Trust
Third Countries excluded from
One possible post-Brexit future?

Transfers of Data Outside the EU
• Commerce: increasingly international
  – Transfers of huge quantities of personal data
    • Customers
    • Employees / staff
  – Transfers between and among units of the same corporate enterprise located in different countries
    • Several MNCs headquartered in the US

Transfers of Data outside the EU
• Globalisation of trade
  – Why process personal data overseas?
  – Cost & efficiency
• So how is data transferred outside the EU under the General Data Protection Regulation?
  – Adequate protection of personal data

Transfers of Data outside the EU
• GDPR Article 45
  – “A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that [it] ensures an adequate level of protection.”
  – Where the Commission has made an adequacy ruling, no specific authorisation for transfer is required
  – Note: the Lindqvist ruling of the CJEU that uploading to a website is not such a transfer is still valid

Transfers of Data outside the EU
• Alternative routes to adequacy (other than in national law) set out in Article 46. Must provide:
  – “appropriate safeguards”
  – Enforceable data subject rights available
  – Effective legal remedies for data subjects available
• Details to follow in next lecture!

Derogations
• Article 49: exceptions to the ‘adequate protection’ requirement
  – Explicit consent of data subject to transfer
    • Must be informed of possible risks due to absence of ‘appropriate safeguards’ + adequate protection
    • Disadvantages:
      • Do individuals really pay attention to warnings?
      • Disputable value in employment relationships – consent not given ‘freely’
      • What if some individuals do not provide consent while others do: how is the data to be segregated?

Derogations
• Article 49: exceptions to the ‘adequate protection’ requirement: NECESSITY
  – The transfer is necessary or legally required on important public interest grounds (A49(1)(d))
    • For example, the prevention of crime or the fight against terrorism
    • Exchange of PNR data between EU member states and US, Canada and Australia

Derogations
• Article 49: exceptions to the ‘adequate protection’ requirement: NECESSITY
  – The transfer is necessary or legally required for the establishment, exercise or defence of legal claims (A49(1)(e))
    • Includes obtaining legal advice or otherwise for establishing, exercising or defending legal rights
    • The legal proceedings do not necessarily have to involve the data controller or the data subject.

Derogations
• Article 49: exceptions to the ‘adequate protection’ requirement: NECESSITY
  – The transfer is necessary in order to protect the vital interests of the data subject (A49(1)(f))
    • “data subject is physically or legally incapable of giving consent”
    • Must be a life-or-death situation!
    • For example, the transfer of medical records where an individual has been in a serious accident abroad

Derogations
• Article 49: exceptions to the ‘adequate protection’ requirement: NECESSITY
  – Transfer is made from a register which according to EU/MS law (Article 49(1)(g)) is:
    • intended to provide information to the public
    • available to general public or “any person who can demonstrate a legitimate interest”
    • Subject to conditions in EU/MS law

Derogations
• Article 49: exceptions to the ‘adequate protection’ requirement: NECESSITY
  – Transfer necessary for performance of contract
    • between data controller and data subject (Article 49(1)(b)) – or
    • between controller and another natural or legal person in the interests of the data subject (Article 49(1)(c))

When is the transfer of personal data outside EU “necessary”?
Case Study Examples:
1. A French company uses a call centre located in India for customer enquiries?
2. Chinese airline transfers the reservation details of a UK passenger to its main reservation computer in China?
3. A German travel agent confirms the booking of a German tourist to a hotel in Namibia?

Transfers of Data outside the EU
• Of limited use: ‘necessity’ criteria applied strictly
  – narrow interpretation given by most data protection authorities

Transfers of Data outside the EU – Case study 1
• French company could alternatively base its call centre in the UK (or anywhere else in EU)
• DPA position: transfer not necessary
  – (cheaper to process outside EU, but not necessary)
=> Exception will not apply

Transfers of Data outside the EU – Case study 2
• Chinese airline may transfer the UK passenger’s reservation data to its main reservation computer in China
• DPA position: transfer necessary, but not necessary that computer receiving the data transfer be located outside the EU
=> Exception will not apply

Transfers of Data outside the EU – Case study 3
• German travel agent may transfer the German tourist’s reservation data to the hotel owner in Namibia
• DPA position: transfer to hotel in Namibia necessary to confirm the booking
=> Exception will apply

Concluding Remarks
• Covered this session:
  – EU rules on transfer of personal data outside of EU
    • Requirement of ‘Adequate Protection’
    • Derogations: when can transfers be made without adequate protection?
• Coming next:
  – EU rules on transfer of personal data outside of EU
    • Compliance & Alternatives to ‘Adequate Protection’
  – EU data protection laws and online threats
