the gdpr framework for international data flows · 2020-06-15 · unctad 2016 –data protection...

The GDPR framework for international data flows. Bas van der Leij LLM PhD CIPM, Senior Privacy Consultant, www.dpa.nl, Amsterdam, The Netherlands


Post on 04-Aug-2020


The GDPR framework for international data flows

Bas van der Leij LLM PhD CIPM
Senior Privacy Consultant

www.dpa.nl
Amsterdam, The Netherlands


Who we are

DPA Privacy is an independent business within the DPA Group which specialises in providing privacy and data protection services within organisations. We offer our clients a comprehensive solution designed to ensure the secure handling of personal data – a solution that covers legal, technical and process-related aspects as well as privacy awareness and conduct

https://www.dpa.nl/gdpr-the-days-after


UNCTAD 2016 – Data protection regulations and international data flows: Implications for trade and development

“In the global information economy, personal data have become the fuel driving much of current online activity. Every day, vast amounts of information are transmitted, stored and collected across the globe, enabled by massive improvements in computing and communication power.”

“As more and more economic and social activities move online, the importance of data protection and privacy is increasingly recognized, not least in the context of international trade.”


The Internet of Things – Security

Data protection is a dynamic field that is constantly challenged and influenced by advances in technology and innovation in business practices

One of these technologies is the Internet of Things

From a security perspective, Internet-connected devices are easy targets for hackers and can raise privacy concerns


The Internet of Things – Data flows

Companies that sell Internet-connected devices address privacy concerns through their End User License Agreements (EULAs) or their Privacy Statements. These customer contracts often have a section where they discuss the extent to which the company will gather and store personal data about their customers

Often this means transferring data to another country with a different data protection system


Compatibility between different data protection systems would facilitate international flows of personal data, whether for commercial purposes or cooperation between public authorities


UNCTAD 2016 – Data protection regulations and international data flows: Implications for trade and development

But the current system for data protection is highly fragmented, with diverging global, regional and national regulatory approaches


Regional initiatives are perhaps more developed and mature than global initiatives in the data protection field

European Union (EU)
Asia-Pacific Economic Cooperation (APEC)
African Union
Commonwealth
Trans-Pacific Partnership Agreement
Trade in Services Agreement (TiSA)


Digital Single Market

What is the Digital Single Market?

Free movement of personal data


European Economic Area (EEA)

EU member

Provisional EU member (Croatia)

EFTA member

EFTA member that has not ratified the EEA agreement (Switzerland)

The European Free Trade Association (EFTA) is a regional trade organisation and free trade area consisting of four European states: Iceland, Liechtenstein, Norway and Switzerland. Iceland, Liechtenstein and Norway have jointly concluded free trade agreements with the EU. Switzerland has a set of bilateral agreements with the EU instead.


General Data Protection Regulation (GDPR)

According to the European Commission (EC)

“The GDPR provides for a uniform and simplified legislative framework. It will establish one single pan-European set of rules that will make it simpler and cheaper for companies to do business in the EU, and will ensure that the rights of individuals are more effectively protected across the continent.”

“Consistency of interpretation of the new rules will be guaranteed. In particular, in cross-border cases where several national data protection authorities are involved, a single supervisory decision will be adopted.”


The EU today combines openness for international data flows with a high level of protection for individuals


Legal basis – Dual objective

Article 1 GDPR

1. This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.

2. This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

3. The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Article 16 Treaty on the Functioning of the European Union (TFEU)

1. Everyone has the right to the protection of personal data concerning them.

2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.


Territorial scope of the GDPR

The GDPR applies to the processing of personal data

in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the Union or not

of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union OR
the monitoring of their behaviour as far as their behaviour takes place within the Union

by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law

See Article 3 GDPR


Flow-chart of the territorial scope of the GDPR

Is the relevant entity established as controller or processor in one or more Member States?

  yes: it must comply with the GDPR regardless of which Member State(s) it is established in

  no: does the national law of any Member State(s) apply to the entity by virtue of Public International Law?

    yes: the entity must comply with the GDPR

    no: does the entity (1) offer goods or services to EU data subjects or (2) monitor EU data subjects' behaviour?

      yes: the entity must comply with the GDPR; the entity must appoint a Representative in one of the Member States in which it either offers goods or services or monitors the behaviour of EU data subjects

      no: the entity is not subject to the GDPR


GDPR principles for international data transfers

When personal data are transferred from the EU to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the EU by the GDPR should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation

In any event, transfers to third countries and international organisations may only be carried out in full compliance with the GDPR. A transfer could take place only if, subject to the other provisions of the GDPR, the conditions laid down in the provisions of the GDPR relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor

See Article 44 GDPR


The primary purpose is to ensure that when personal data of Europeans are transferred abroad, the protection travels with that data


The GDPR framework for international data flows

1 - Adequacy decision

2 - Alternative data transfer mechanisms - contractual

3 - Derogations - last resort


1 - Adequacy decisions

Transfers of personal data to a third country or an international organisation may take place where the EC has decided that the third country, a territory or one or more specified sectors within that third country*, or the international organisation in question ensures an adequate level of protection

See Article 45 GDPR


2 - Alternative data transfer mechanisms

In the absence of an adequacy decision, international transfers can take place on the basis of

Legally binding agreement between public authorities or bodies
Binding corporate rules
Standard data protection clauses in the form of template transfer clauses adopted by the EC
Standard data protection clauses in the form of template transfer clauses adopted by a SA and approved by the EC
Approved codes of conduct
Approved certification mechanism
Ad hoc contractual clauses

See Article 46 GDPR


3 - Derogations for certain specific situations

The GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations. A transfer, or set of transfers, may be made where the transfer is

made with the individual’s informed consent
necessary for the performance of a contract between the data subject and the controller (taken at the individual’s request)
necessary for the performance of a contract made in the interests of the data subject
necessary for important reasons of public interest
necessary for the establishment, exercise or defence of legal claims
necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent
made from a public register

See Article 49 GDPR


1 - Transfers on the basis of an adequacy decision

A precise and detailed catalogue of elements that the EC must take into account when assessing the adequacy of protection of a foreign system is available for interested countries or international organisations

Decisions adopted by the EC on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by an EC Decision**


What does an adequacy decision mean in practice?

An adequacy decision allows the free flow of personal data from the EU without the EU data exporter having to implement any additional safeguards or being subject to further conditions. Transfers to the country in question will be assimilated to intra-EU transmissions of data, thereby providing privileged access to the EU single market, while opening up commercial channels for EU operators

* The GDPR explicitly allows for an adequacy determination to be made with respect to a particular territory of a third country or to a specific sector or industry within a third country

This is called a partial adequacy decision


EC has approved the following nations as adequate

Andorra, Argentina, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay

Adequacy talks are ongoing with Japan and South Korea


Partial adequacy decisions

US: Adequacy is limited to the

providing adequate protection in the absence of general data protection legislation in the US
it relies on commitments by participating companies to apply the data protection standards set out by this arrangement that are enforceable under US law

Canada: The adequacy decision applies only to private entities falling under the scope of the Canadian Personal Information Protection and Electronic Documents Act

Privacy Commissioner of Canada
https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/


What does the Privacy Shield Framework mean in practice?

For American companies

Self-certify annually that they meet the requirements
Display privacy policy on their website
Reply promptly to any complaints
If handling human resources data: cooperate and comply with European Data Protection Authorities

For European individuals

More transparency about transfers of personal data to the US and stronger protection of personal data
Easier and cheaper redress possibilities in case of complaints, directly or with the help of their local Supervisory Authority


Adequacy decisions are living documents** that need to be closely monitored by the EC and adapted in case of developments affecting the level of protection ensured by the third country in question. To that end, periodic reviews will be held, at least every four years, to address emerging issues and exchange best practices between close partners

This dynamic approach applies also to already existing adequacy decisions, adopted under the 1995 Directive, which will need to be reviewed in case they no longer meet the applicable standard


2 - Transfers on the basis of alternative data transfer mechanisms

Appropriate safeguards


What are binding corporate rules?

Binding corporate rules are internal rules for data transfers within multinational companies

Binding corporate rules are like a code of conduct. They allow multinational companies to transfer personal data internationally, within the same corporate group or in a group of enterprises engaged in a joint economic activity, to countries that do not provide an adequate level of protection

Binding corporate rules ensure that all data transfers within a corporate group or a group of enterprises engaged in a joint economic activity are safe. They must contain

a. privacy principles, such as transparency, data quality, security

b. tools of effectiveness (such as audit, training, or complaint handling systems)

c. an element proving that the rules are binding


Approval of binding corporate rules

First step – the company designates the lead authority. This is the authority which handles the EU cooperation procedure with the other European data protection authorities

Second step – the company drafts the binding corporate rules. These rules have to meet the requirements set up in the working papers adopted by the WP29

Third step – the lead authority starts the EU cooperation procedure by circulating the binding corporate rules to the relevant SA

Fourth step – the EU co-operation procedure is closed after the countries under mutual recognition have acknowledged receipt of the binding corporate rules, and those which are not consider that the rules comply with the requirements set out in WP29 (within one month)

Fifth step – once the binding corporate rules have been considered as final by all SAs, the company shall request authorisation of transfers on the basis of the adopted rules by each national SA

The Article 29 Working Party (WP29) was an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the EC.

The European Data Protection Board (EDPB) will replace the WP29 under the GDPR


How is the lead authority chosen?

The decision as to which SA should act as the lead authority is based upon criteria such as

the location of the group’s European headquarters
the location of the company within the group with delegated data protection responsibilities
the location of the company which is best placed, in terms of management function, administrative burden, etc, to deal with the application, and to enforce the binding corporate rules in the group
the place where most decisions in terms of the purposes and means of processing are taken
the EU country from which most transfers outside the EEA will take place

Companies which intend to adopt binding corporate rules shall designate a lead authority which will be the contact point and which will handle the procedure for the review of the rules by all SAs


Documents to be provided to the lead authority

Any documentation that shows that the commitments in the rules are being respected, such as:

Privacy policies in relation to the procedure, in order to inform people such as customers and employees about the way the company protects their personal data
Guidelines for employees
Data protection audit plan and programme
Examples and/or explanation of the training programme
Description of the internal complaint system
Security policy for IT systems processing personal data
Certification process to make sure that all new IT applications processing data are compliant with binding corporate rules
Job description of data protection officers or other persons in charge of data protection in the company

Standard application for approval of binding corporate rules for the transfer of personal data (WP133)
Binding corporate rules
List of entities bound by the rules
Element showing that the rules are binding


Standard data protection clauses

The possibility for the controller or processor to use standard data-protection clauses adopted by the EC or by a SA should not prevent controllers or processors from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the EC or by a SA or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses

See Recital 109


International data transfers using standard contractual clauses

The EC can decide that standard contractual clauses offer sufficient safeguards on data protection for the data to be transferred internationally

The EC has so far issued two sets of standard contractual clauses for data transfers from data controllers in the EU to data controllers established outside the EU or EEA

It has also issued one set of contractual clauses for data transfers from controllers in the EU to processors established outside the EU or EEA

EU controller to non-EU or EEA controller
decision 2001/497/EC
decision 2004/915/EC

EU controller to non-EU or EEA processor
decision 2010/87/EU

“Standard contractual clauses should relate only to data protection. Therefore, the data exporter and the data importer are free to include any other clauses on business related issues which they consider as being pertinent for the contract as long as they do not contradict the standard contractual clauses”


Conclusions

Protecting and exchanging personal data are not mutually exclusive

A strong data protection system will facilitate data flows by building consumer confidence in those companies that care about the way they handle their customers’ personal data

Making high data protection standards an advantage in the global digital economy

The GDPR creates a level playing field between EU and foreign companies in that companies based outside the EU will have to apply the same rules as European companies if they are offering goods and services or monitoring the behaviour of individuals in the EU


Article 45 GDPR

1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

a. the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

b. the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

c. the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

3. The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).


Article 45 GDPR

4. The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.

5. The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retro-active effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2). On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

6. The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

7. A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49. The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured. Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.


Definitions

Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law

Cross-border processing: processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State

Enterprise: a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity

Group of undertakings: a controlling undertaking and its controlled undertakings

International organisation: an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries

Main establishment of the entity: the place of its central administration in the Union

Personal data: any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller

Recipient: a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing

Representative: a natural or legal person established in the EU who, designated by the controller or processor in writing pursuant to Article 27 GDPR, represents the controller or processor with regard to their respective obligations under the GDPR

Supervisory Authority: an independent public authority which is established by a Member State pursuant to Article 51 GDPR

Third party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data
