International transfers of personal data after the ‘Schrems’ case and under the GDPR

Infosecurity 2016, 16 June 2016, Brussels



Status update on the GDPR and international transfers of personal data

GDPR timeline
• 25 Jan 2012: EC proposal for GDPR
• 14 April 2016: official adoption
• 24 May 2016: entry into effect of the GDPR
• 25 May 2018: application of the GDPR (transition period of 2 years)
  • With a few exceptions, no specific transitional measures
  • No sunset for adequacy decisions

Brussels - Kortrijk | www.crosslaw.be 2


Safe Harbor timeline
• 26 July 2000: EC adequacy finding ‘Safe Harbor’
• 29 April 2010: German DPAs issue decision requesting active compliance checks
• 19 July 2013: criticism from EC Vice President Viviane Reding
• 24 July 2013: revelations about US surveillance programs – German DPAs express deep concerns
• 27 November 2013: EC memorandum with recommendations for improvement of Safe Harbor
• 12 March 2014: EP calls for immediate suspension of Safe Harbor
• 19 March 2015: German DPAs pass a resolution: ‘insufficient protection’
• 23 September 2015: Advocate-General CJEU findings on Schrems case
• 6 Oct 2015: invalidation of EC adequacy finding (Schrems case – C-362/14)


EU/US Privacy Shield timeline
• 31 January 2016: end of the grace period for Safe Harbor
• 2 February 2016: announcement of the political agreement on the EU/US Privacy Shield
• 29 February 2016: presentation of the text
• 13 April 2016: negative opinion of the Article 29 Working Party
• 26 May 2016: EP resolution demanding improvements to the EU/US Privacy Shield
• 30 May 2016: negative opinion of the EDPS
• June 2016: several meetings within Article 31 Committee


Principles of international transfers of personal data

General principle: no transfer of personal data outside the EEA, except if the destination country offers an adequate level of protection

What is a transfer of personal data?

Ad hoc assessment of the adequacy of the level of protection = not feasible in practice

Countries may be listed (adequate level of protection?)
• Black list (empty)
• White list (list is not complete)
  • Switzerland
  • Israel
  • Uruguay
  • Argentina
  • New Zealand
  • Canada (if recipient is subject to PIPEDA)


Alternative solutions for international transfers of personal data to countries not offering an adequate level of protection

Model Clauses
• Standard pre-approved contract for international data transfers
• Different flavours for C2C and C2P
• Formalities may apply in local member states, but cannot be rejected
• Easy implementation

BCR
• Solution proposed by Article 29 WP for intragroup transfers (BCR-C and BCR-P)
• Streamlined implementation process (cooperation procedure between DPAs)
• Lengthy and expensive implementation process

Ad Hoc Contractual Clauses
• Possible solution, but subject to approval


Exceptions to the principle of interdiction of international transfers of personal data
• Consent
• Necessary for contractual performance or precontractual measures
• Necessary or legally required for vital public interest
• Necessary for the exercise or defence of legal claims
• Necessary for the protection of vital interests of the data subject
• Transfer from public register

Article 29 WP guidance
• Exception mechanism: strict interpretation as a rule
• Not appropriate for structured, massive and/or repetitive international transfers of personal data


Safe Harbor and the Schrems case

Safe Harbor
• Mechanism for data transfers to the USA

Schrems case
• Complaint of Max Schrems with Irish DPA
• Preliminary ruling of the CJEU
• Invalidation of the adequacy finding of the EC
  • Adequacy finding does not prevent a supervisory authority from investigating the
  • Safe Harbor does not offer adequate protection
    • No effective legal protection
    • Insufficient enforcement at US side
    • Disproportional violation of the fundamental rights of the data subject (massive and indiscriminate surveillance)


EU/US Privacy Shield

EU/US Privacy Shield = Safe Harbor 2.0?

Comparable mechanism (self-certification)

Principles
• Notice
• Choice
• Accountability for onward transfer & vendor management
• Security
• Data integrity and purpose limitation
• Access
• Recourse, enforcement and liability
  • Internal complaint handling
  • Independent recourse mechanisms or DPA panel
  • Complaint with DPA-DOC for complaints + arbitration
  • Cooperation with DPA (advice on data processing)

Annual joint review


International transfers of personal data under the GDPR

International transfers of personal data
• Principles of Directive 95/46/EC are confirmed
  • Slight changes apply
  • Current adequacy findings remain in place (no ‘sunset’ provision)
• Limitations in relation to ‘onward transfers’
• Two new mechanisms for international transfers of personal data
• BCRs and ‘standard data protection clauses’ are embedded in the GDPR
• Heavy administrative fines in case of infringement
  • Up to 4% of global annual turnover or 20 MEUR, whichever is higher


Changes to the exception mechanism

Consent is restricted as a mechanism
• Explicit consent
• Additional information

Alternative exception may be used: compelling legitimate interest
• Transfer could not be based on an adequacy finding, BCR, standard contractual provisions or any other exception
• Not repetitive and concerns only a limited number of data subjects
• Not overridden by interests or fundamental rights of data subjects
• Data controller has adduced suitable safeguards
• Informed DPA
• Informed data subjects (detailed information)


Adequacy decisions of the EC are rendered more difficult

Conditions
• Take into account legal and jurisprudential provisions
• Enforceable data subject rights
• Effective rules and administrative and judicial redress
• Existence and effective functioning of supervisory authority
  • Responsible for ensuring and enforcing data protection rules
  • Adequate sanctioning powers
  • Co-operation with supervisory authorities of member states
• International commitments

Periodic review (at least every 4 years)

Obligation for ongoing monitoring in third countries and international organisations

Obligation to enter into consultation with third countries or international organisations


Approved codes of conduct
• Approval mechanism by supervisory authority
• Associations or bodies representing data controllers or data processors
• May be used as a basis for international transfers of personal data
  • Binding and enforceable commitment to apply safeguards
  • Contractual or other legally binding instruments


Certification mechanisms, data protection seals and marks
• Voluntary and transparent
• Certification does not reduce responsibility for compliance
• Certification period of max. 3 years (subject to renewal)
• May be used as a basis for international transfers of personal data
  • Binding and enforceable commitment to apply safeguards
  • Contractual or other legally binding instruments


Future developments

Is there a future for the current model contractual clauses?

Irish DPA announces that it will submit the model contractual clauses to the Irish High Court
• 25 May 2016: announcement
• 1 June 2016: case is submitted to the High Court
• 2017-2018: preliminary ruling?

Consequences
• New model contractual clauses?
• Legal uncertainty: many companies are now implementing model contractual clauses as an alternative to Safe Harbor
• BCRs?


Conclusion

GDPR
• Continuity of existing situation
  • Principles are confirmed
  • No sunset provision for existing adequacy findings
• Some minor changes
  • If transfers based on consent exist: upgrade to new consent requirement

Safe Harbor – EU/US Privacy Shield
• Safe Harbor should have been phased out already
  • Move to model clauses
• Legal uncertainty is ongoing
  • EU/US Privacy Shield is likely to be accepted
  • Review of BCR and existing model clauses?


Johan Vandendriessche, Partner – Crosslaw

Visiting Professor ICT Law – UGent

[email protected] | www.crosslaw.be
