
The international dimension of data protection rules of the EU


A little more than one year has passed since the General Data Protection Regulation entered into force. On 22 May 2019, three days before the first anniversary, a press release[i] by the European Commission summarised statistical data[ii] on that year, including a Eurobarometer survey[iii] and the most important indicators of compliance, complaints and data breach notifications. Just two months later, at its session of 24 July, the Commission adopted a Communication[iv] entitled “Data protection rules as a trust-enabler in the EU and beyond – taking stock”. In this Communication, significant thought is given to the international dimension. At the same time, some new judicial developments also concern the international dimension, mainly the transfer of personal data to the United States.
The new, clearer and somewhat stricter data protection rules in Europe exert an important influence on international relations, and they are sometimes accused of enabling protectionism. One of the most important changes in the new regulation is that everybody who does anything with the personal data of EU residents (for example collecting, recording, storing, modifying, retrieving, disclosing or using it, summarised as “processing”) is required to comply with the regulation. Those who hand over (“transfer”) personal data from the EU to jurisdictions outside the EU are also responsible for taking measures to ensure that the recipients provide adequate protection. This does not necessarily mean identical rules, but a comparable level of protection and legal certainty, including enforceable stipulations and judicial redress. To do business efficiently with EU firms, or to co-operate with EU authorities, these rules have to be complied with. This is a big incentive for foreign lawmakers and authorities, where no equivalent rules are yet in force, to have their data protection regimes converge towards the EU system.
To enable these transfers, there is an elaborate framework for assessing the adequacy of protection in third countries and international organisations (the latter possibility was introduced by the GDPR; before, only the adequacy of the legal situation in countries could be assessed) to provide a safe basis for transferring personal data to these jurisdictions. As we will see later, the United States occupies a very special place in this respect. Also, where no adequacy of protection has been established, a series of tools is available to European players and their foreign partners to secure the transfer of data. One of these is the standard contractual clauses, which were adopted by the Commission under the old rules (the 1995 Data Protection Directive). Now the national data protection supervisory authorities (for EU institutions, the EDPS) also have the right to adopt such standard contractual clauses. There are a number of other tools, such as binding corporate rules, codes of conduct and certification systems, which enable the exchange of personal data.
Still, an adequacy decision is a safe and easy way, and thus the Commission undertook to further intensify its dialogue with key partner countries on the adequacy of their data protection frameworks; it is also considering updating the standard contractual clauses adopted under the old 1995 directive.
Data protection rules, like any other rulebook or standard, can be used or abused in international trade. They can be an important barrier to entry but also an important competitiveness factor: strict rules can prevent foreign entities from providing services, while a high level of protection can attract customers.
The Commission has developed specific provisions on data flows and data protection in trade agreements and the current WTO e-commerce talks to tackle digital protectionism like forced data localisation requirements. A strategy for co-operation in these fields was laid out in 2017 (Communication on Exchanging and Protecting Personal Data in a Globalised World[v]).
The EU-Japan mutual adequacy arrangement, which entered into force in February 2019, is the best example of synergies between trade negotiations and the data protection adequacy dialogue; it created the world’s largest area of free and safe data flows. Adequacy negotiations with South Korea are at an advanced stage, and exploratory work is ongoing with a view to launching adequacy talks with several Latin American countries, such as Chile or Brazil, depending on the completion of ongoing legislative processes. Developments are also promising in some parts of Asia, such as India, Indonesia and Taiwan, as well as in the European Eastern and Southern neighbourhood, which could open the door to future adequacy decisions.
Some other countries have also put in place similar transfer instruments. Work is ongoing with other third countries, such as Canada, New Zealand, Argentina and Israel to ensure the continuity under the GDPR of adequacy decisions adopted on the basis of the old data protection regime.
The Commission also proposes to explore whether like-minded countries could establish a multinational framework in this area at a time when data flows are an increasingly crucial component of trade, communications and social interactions. Such an instrument would allow data to flow freely amongst the contracting parties, while ensuring the required level of protection on the basis of shared values and converging systems.
Appropriate safeguards and compatibility between data protection regimes can also significantly facilitate the much needed exchanges of information between EU and foreign regulatory, police and judicial authorities and, in this way, contribute to more effective and rapid law enforcement. Important examples are the transfer of Passenger Name Records (PNR) and the exchange of operational information between Europol and important international partners.
Dialogue with regional organisations and networks, such as the Association of Southeast Asian Nations (ASEAN), the African Union, the Asia Pacific Privacy Authorities forum (APPA), the Ibero-American Data Protection Network, the Organisation for Economic Co-operation and Development and the Asia-Pacific Economic Cooperation organisation, promotes the exchange of best practices and co-operation between data protection enforcers.
Given the special situation and legal system in the U.S. and the importance of this relationship, the EU-US Privacy Shield is not a simple establishment of adequacy but requires that companies register in order to benefit from free data flow from the EU. So far, more than 4,700 companies have registered. The working of the Privacy Shield is reviewed annually, so that the correct functioning of the framework is regularly checked and new issues can be addressed in time. This structure was established following the first European Court case of Maximilian Schrems, an Austrian law student and privacy activist who challenged the previous “Safe Harbour”, a similar system under which the transfer of data was made possible for companies that registered.
To be continued by Schrems-II and another current case.




[i] http://europa.eu/rapid/press-release_IP-19-2610_en.htm
[ii] https://ec.europa.eu/commission/sites/beta-political/files/infographic-gdpr_in_numbers_1.pdf
[iii] http://ec.europa.eu/commfrontoffice/publicopinion/index.cfm/survey/getsurveydetail/instruments/special/surveyky/2222
[iv] https://ec.europa.eu/commission/sites/beta-political/files/gdpr_communication.pdf
[v] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2017%3A7%3AFIN
