EBU6007 Cybersecurity Law
4. Transfer of Data Outside the EU
Gavin L.B., LL.M.
Centre for Commercial Law Studies, Queen Mary, University of London
Data Protection Law History: Recap
1970s: data protection laws are enacted in several European countries
1980s: international agreements for the protection of personal data are made
– OECD Guidelines
– Council of Europe Convention
1995: European Communities adopt the Data Protection Directive (95/46/EC), now replaced by EU General Data Protection Regulation
The Circle of Trust
Data Protection v. Trans-border Data Flows
Countries with data protection laws prevented data flows into countries without data protection laws
Those countries’ laws were seen as “inadequate”
=> Data protection impeded trans-border data flows and hindered international trade
Harmonisation of Data Protection
Harmonisation of data protection laws at European level created minimum standards with which each EU member state must comply
Created a level playing field and facilitated trans-border data flows
Expanded the application of data protection laws to countries which did not have protection before
UK enters the Circle of Trust
EU: very high standards of DP
– Limits on Controller/Processor
Collection and use of data, transfer of information to other parties within EU, security, et cetera
– Rights for Data Subject
Access, correction, deletion (‘right to be forgotten’), et cetera
BUT…Can personal data of EU data protection subjects be transferred outside the EU?
Purpose of DP laws defeated if data sent where no protection! Third Country laws
Circle of Trust
Third Countries excluded from
One possible post-Brexit future?
Transfers of Data Outside the EU
Commerce: increasingly international
– Transfers of huge quantities of personal data
Customers
Employees / staff
– Transfers between and among units of the same corporate enterprise located in different countries
Several MNCs headquartered in the US
Transfers of Data outside the EU
• Globalisation of trade
– Why process personal data overseas?
– Cost & efficiency
• So how is data transferred outside the EU under the General Data Protection Regulation?
– Adequate protection of personal data
Transfers of Data outside the EU
GDPR Article 45
– “A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that [it] ensures an adequate level of protection.”
– Where Commission has made an adequacy ruling, no specific authorisation for transfer required
– Note: Lindqvist ruling of the CJEU that uploading to a website is not such a transfer still valid
Transfers of Data outside the EU
Alternative routes to adequacy (other than in national law) set out in Article 46. Must provide:
“appropriate safeguards”
Enforceable data subject rights available
Effective legal remedies for data subjects available
– Details to follow in next lecture!
Derogations
Article 49: exceptions to the ‘adequate protection’ requirement
– Explicit consent of data subject to transfer
Must be informed of possible risks due to absence of ‘appropriate safeguards’ + adequate protection
Disadvantages:
Do individuals really pay attention to warnings?
Disputable value in employment relationships – consent not given ‘freely’
Where some individuals provide consent and others do not, how is the data to be segregated?
Derogations
Article 49: exceptions to the ‘adequate protection’ requirement : NECESSITY
– The transfer is necessary or legally required on important public interest grounds (A49(1)(d))
For example, the prevention of crime or the fight against terrorism
Exchange of PNR data between EU member states and US, Canada and Australia
Derogations
Article 49: exceptions to the ‘adequate protection’ requirement : NECESSITY
– the transfer is necessary or legally required for the establishment, exercise or defence of legal claims (A49(1)(e))
Includes obtaining legal advice or otherwise for establishing, exercising or defending legal rights
The legal proceedings do not necessarily have to involve the data controller or the data subject.
Derogations
Article 49: exceptions to the ‘adequate protection’ requirement : NECESSITY
– The transfer is necessary in order to protect the vital interests of the data subject (A49(1)(f))
“data subject is physically or legally incapable of giving consent”
Must be a life-or-death situation!
For example, the transfer of medical records where an individual has been in a serious accident abroad
Derogations
Article 49: exceptions to the ‘adequate protection’ requirement : NECESSITY
– Transfer is made from a register which according to EU/MS law (Article 49(1)(g)) is:
intended to provide information to the public
available to general public or “any person who can demonstrate a legitimate interest”
Subject to conditions in EU/MS law
Derogations
Article 49: exceptions to the ‘adequate protection’ requirement : NECESSITY
– Transfer necessary for performance of contract
between data controller and data subject (Article 49(1)(b)), or
between controller and another natural or legal person in the interests of the data subject (Article 49(1)(c))
When is the transfer of personal data outside EU “necessary”?
Case Study Examples:
1. A French company uses a call centre located in India for customer enquiries?
2. Chinese airline transfers the reservation details of a UK passenger to its main reservation computer in China?
3. A German travel agent confirms the booking of a German tourist to a hotel in Namibia?
Transfers of Data outside the EU
Of limited use: ‘necessity’ criteria applied strictly
– narrow interpretation given by most data protection authorities
Transfers of Data outside the EU – Case study 1
French company could alternatively base its call centre in the UK (or anywhere else in EU)
DPA position: transfer not necessary (cheaper to process outside EU, but not necessary)
=> Exception will not apply
Transfers of Data outside the EU – Case study 2
Chinese airline may transfer the UK passenger’s reservation data to its main reservation computer in China
DPA position: transfer necessary, but not necessary that computer receiving the data transfer be located outside the EU
=> exception will not apply
Transfers of Data outside the EU – Case study 3
German travel agent may transfer the German tourist’s reservation data to the hotel owner in Namibia
DPA position: transfer to hotel in Namibia necessary to confirm the booking
=> exception will apply
Concluding Remarks
Covered this session:
– EU rules on transfer of personal data outside of EU
Requirement of ‘Adequate Protection’
Derogations: when can transfers be made without adequate protection?
Coming next:
– EU rules on transfer of personal data outside of EU
Compliance & Alternatives to ‘Adequate Protection’
– EU data protection laws and online threats