
The international dimension of data protection rules of the EU


It is a little more than one year since the General Data Protection Regulation entered into force. On 22 May 2019, three days before the first anniversary, a press release[i] by the European Commission summarised certain statistical data[ii] on the year, including a Eurobarometer survey[iii] and the most important indicators of compliance, complaints and data breach notifications. Just two months later, at its meeting of 24 July, the Commission adopted a Communication[iv] entitled “Data protection rules as a trust-enabler in the EU and beyond – taking stock”. In this Communication, significant thought is given to the international dimension. At the same time, some recent judicial developments also concern the international dimension, mainly the transfer of personal data to the United States.
The new, clearer and somewhat stricter data protection rules in Europe exert an important influence on international relations, and they are sometimes accused of enabling protectionism. One of the most important changes in the new regulation is that anyone who does anything (for example collecting, recording, storing, modifying, retrieving, disclosing or using – summarised as “processing”) with the personal data of EU residents is required to comply with it. Those who hand over (“transfer”) personal data from the EU to jurisdictions outside the EU are also responsible for taking measures to ensure that the recipients provide adequate protection. This does not necessarily mean identical rules, but a comparable level of protection and legal certainty, including enforceable stipulations and judicial redress. To do business efficiently with EU firms or to co-operate with EU authorities, these rules have to be complied with. This is also a strong incentive for foreign lawmakers and authorities – where no equivalent rules are yet in force – to make their data protection regimes converge towards the EU system.
To enable these transfers, there is an elaborate framework for assessing the adequacy of protection in third countries and international organisations (the latter possibility was introduced by the GDPR; previously only the adequacy of the legal situation in countries could be assessed), which provides a safe basis for transferring personal data to those jurisdictions. As we will see later, the United States occupies a very special place in this respect. Where no adequacy of protection has been established, a series of tools is available to European players and their foreign partners to secure the transfer of data. One of these is the standard contractual clauses, which were adopted by the Commission under the old rules (the 1995 Data Protection Directive). Now the national data protection supervisory authorities (for EU institutions, the EDPS) also have the right to adopt such standard contractual clauses. There are a number of other tools, such as binding corporate rules, codes of conduct and certification systems, which enable the exchange of personal data.
Still, an adequacy decision is the safe and easy route, and thus the Commission has undertaken to further intensify its dialogue with key partner countries on the adequacy of their data protection frameworks, while also considering an update of the standard contractual clauses adopted under the old 1995 directive.
Data protection rules – like any other rulebook or standard – can be used or abused in international trade. They can be an important barrier to entry but also an important competitiveness factor: strict rules can prevent foreign entities from providing services, while a high level of protection can attract customers.
The Commission has developed specific provisions on data flows and data protection for trade agreements and for the current WTO e-commerce talks, in order to tackle digital protectionism such as forced data localisation requirements. A strategy for co-operation in these fields was laid out in 2017 (Communication on Exchanging and Protecting Personal Data in a Globalised World[v]).
The EU-Japan mutual adequacy arrangement, which entered into force in February 2019, is the best example of synergies between trade negotiations and the data protection adequacy dialogue; it created the world’s largest area of free and safe data flows. Adequacy negotiations with South Korea are at an advanced stage, and exploratory work is ongoing with a view to launching adequacy talks with several Latin American countries – such as Chile or Brazil – depending on the completion of ongoing legislative processes. Developments are also promising in some parts of Asia, such as India, Indonesia and Taiwan, as well as in the European Eastern and Southern neighbourhood, which could open the door to future adequacy decisions.
Some other countries have also put in place similar transfer instruments. Work is ongoing with further third countries, such as Canada, New Zealand, Argentina and Israel, to ensure the continuity under the GDPR of adequacy decisions adopted on the basis of the old data protection regime.
The Commission also proposes to explore whether like-minded countries could establish a multinational framework in this area at a time when data flows are an increasingly crucial component of trade, communications and social interactions. Such an instrument would allow data to flow freely amongst the contracting parties, while ensuring the required level of protection on the basis of shared values and converging systems.
Appropriate safeguards and compatibility between data protection regimes can also significantly facilitate the much-needed exchange of information between EU and foreign regulatory, police and judicial authorities and, in this way, contribute to more effective and rapid law enforcement. Important examples are the transfer of Passenger Name Records (PNR) and the exchange of operational information between Europol and important international partners.
Promoting co-operation between data protection enforcers, as well as dialogue with regional organisations and networks such as the Association of Southeast Asian Nations (ASEAN), the African Union, the Asia Pacific Privacy Authorities forum (APPA), the Ibero-American Data Protection Network, the Organisation for Economic Co-operation and Development and Asia-Pacific Economic Cooperation, supports the exchange of best practices among enforcers.
Given the special situation and legal system in the U.S. and the importance of this relationship, the EU-US Privacy Shield is not a simple establishment of adequacy but requires companies to register in order to benefit from free data flow from the EU. To date, more than 4,700 companies have registered. The functioning of the Privacy Shield is reviewed annually, so that the correct operation of the framework is regularly checked and new issues can be addressed in time. This structure was established following the first European Court case brought by Maximilian Schrems, an Austrian law student and privacy activist who challenged the previous “Safe Harbour”, a similar system under which registered companies could transfer data.
To be continued with Schrems II and another current case.




[i] http://europa.eu/rapid/press-release_IP-19-2610_en.htm
[ii] https://ec.europa.eu/commission/sites/beta-political/files/infographic-gdpr_in_numbers_1.pdf
[iii] http://ec.europa.eu/commfrontoffice/publicopinion/index.cfm/survey/getsurveydetail/instruments/special/surveyky/2222
[iv] https://ec.europa.eu/commission/sites/beta-political/files/gdpr_communication.pdf
[v] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2017%3A7%3AFIN
