Chapter 12 (International Data Transfers)

Question 1

Transfers of personal data to any country outside of the European Economic Area (EEA) May only take place under what 3 conditions laid out in Chapter 5 of the GDPR?

Answer 1

1. The third country ensures an adequate level of protection (as determined by the Commission) for the personal data
2. In the absence of adequate levels of protection, the controller or processor wishing to transfer the data provides appropriate safeguards on the condition that enforceable data subject rights and effective legal remedies for data subjects are available.
3. In the absence on an adequate level of protection or of appropriate safeguards, a transfer or set of transfers of personal data fits within one of the derogations for specific situations covered by the GDPR.

Question 2

What element of the GDPR will continue to be a serious barrier to international commerce?

Answer 2

Meeting adequacy requirements for data transfers.

Question 3

What are 3 situations not within the scope of a data transfer for GDPR purposes?

Answer 3

1. Technical routing of packet-switching technology, such as internet email, which may involve random transfers of personal data between computer servers located anywhere in the world.
2. Electronic access to personal data by travelers who happen to be physically located for a very short time in a place that doesn’t afford an adequate level of protection.
3. Merely loading personal info onto a website that is hosted in that state or another member state so the info can be accessed by anyone who connects to the internet

Question 4

Does an intentional exchange of info about individuals with the intention of automatically processing that personal info after it has been exchanged qualify as a transfer for purposes of the GDPR

Answer 4

Yes.

Question 5

What 3 elements does the Commission take into consideration when assessing whether a third country or an international org has an adequate level of protection?

Answer 5

1. The rule of law; respect for human rights and fundamental freedoms; relevant legislation re public security, defense, national security, and criminal; implementation of such legislation, data protection rules, professional rules and security measures; and effective and enforceable data subject rights
2. The existence and effective functioning of one or more independent supervisory authorities charged with ensuring and enforcing data protection rules.
3. The international commitments the third country or international org concerned has entered into, or the other obligations arising from legally binding conventions or instruments.

Question 6

If the Commission determines an adequate level of protection exists it creates an implementing act that provides what 3 things?

Answer 6

1. Mechanism for a periodic review (at least every 4 years) considering all recent developments in the third country or international org.
2. Specificity of its territorial and sectoral application
3. Identification of the supervisory authority or authorities for ensuring and enforcing compliance with the data protection rules (where applicable)

Question 7

Under the Directive, what 11 countries did the Commission recognize as having adequate protection for personal data?

Answer 7

1. Andorra
2. Argentina
3. Canada
4. Faroe Islands
5. Guernsey
6. The Isle of Man
7. Israel
8. Jersey
9. New Zealand
10. Switzerland
11. Uruguay

Question 8

Under the GDPR what 3 countries has the Commission recognized as having adequate protection for personal data?

Answer 8

1. Japan
2. South Korea
3. United Kingdom

Question 9

Due to the large volume of data transferred between the US and the EU the Commission and the US Department of Commerce originally developed what as a self-regulatory framework allowing the Directive’s requirements for cross-border data transfers to be met?

Answer 9

The Safe Harbor mechanism

Question 10

What were 2 perceived weaknesses of the Safe Harbor framework?

Answer 10

1. The fact that participants didn’t perform required annual compliance checks
2. Lack of active enforcement by the FTC compared to other domestic cases

Question 11

What had a very visible effect on the way the EU regulated international transfers of personal data?

Answer 11

The disclosures by Edward Snowden in June 2013 about the mass surveillance operations carried out be the NSA.

Question 12

What 4 broad priorities did the Commission focus on to help address the Safe Harbor’s weaknesses and ensure a mechanism for facilitating commercial trans-Atlantic data flows?

Answer 12

1. Transparency
2. Redress
3. Enforcement
4. Access to data by US authorities

Question 13

On October 6, 2015 the CJEU issued a decision on Maximilian Schrems case against Facebook Ireland that decided what?

Answer 13

That the Safe Harbor adequacy decision was invalid so Facebook couldn’t rely on it to legitimize cross-border data transfers.

Question 14

What framework replaced the Safe Harbor framework?

Answer 14

The EU-US Privacy Shield Framework

Question 15

When did the Commission release its draft decision of the new EU-US Privacy Shield Framework?

Answer 15

February 29, 2016

Question 16

What 5 concerns did the WP29 raise regarding the 2016 Privacy Shield framework?

Answer 16

1. The commercial aspects of the Privacy Shield
2. Ability for US public authorities to access data transferred under the Privacy Shield
3. Lack of certain key data protection principles from EU law
4. Protection for onward data transfers
5. Allowing massive and indiscriminate collection of personal data originating from the EU by US intelligence agencies

Question 17

When did the Privacy Shield formally enter into effect?

Answer 17

August 1, 2016

Question 18

What were the 7 principles included in the Privacy Shield?

Answer 18

1. Notice
2. Choice
3. Accountability for onward transfer
4. Security
5. Data integrity and purpose limitation
6. Access
7. Recourse, enforcement, and liability

Question 19

The Privacy Shield required companies self-certifying compliance to take what 3 steps?

Answer 19

1. Conduct an internal compliance assessment to determine the company’s ability to comply with the principles with respect to info covered by the certification.
2. Registering with a third-party arbitration provider to handle any complaints from EU individuals about the handling of their info that the company was unable to fully resolve and paying any registration fee.
3. Adopting a Privacy Shield notice containing 13 specified details about the company’s privacy practices and publishing the notice online.

Question 20

What did the Schrems II decision issued by the CJEU in July 2020 declare?

Answer 20

It invalidated the Privacy Shield because it determined domestic US law regulating access and use by US authorities of personal data transferred from the EU to the US were not circumscribed in a way to provide protections essentially equivalent to those required by EU law.

Question 21

What is the name of the framework being worked on to replace the Privacy Shield?

Answer 21

Trans-Atlantic Data Privacy Framework

Question 22

What are 7 possible mechanisms that provide appropriate safeguards for international data transfers?

Answer 22

1. A legally binding and enforceable instrument between public authorities or bodies
2. BCRs
3. Standard data protection clauses adopted by the Commission
4. Standard data protection clauses adopted by a supervisory authority and approved by the Commission
5. An approved code of conduct pursuant to article 40, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards
6. An approved certification mechanism pursuant to Article 42, together with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards
7. Contractual clause between the controller or processor

Question 23

Traditionally, the most frequently used mechanism to legitimize international data transfers to countries that are not deemed to provide an adequate level of protection are what?

Answer 23

Standard Contractual Clauses (SCCs)

Question 24

What did the Schrems II decision say about SCCs?

Answer 24

That they could continue to be used for the purpose of legitimizing data transfers, but in some circumstances it might be necessary to supplement them with additional safeguards.

Question 25

On June 4, 2021 the Commission adopted revised SCCs that cover what 4 transfer scenarios?

Answer 25

1. Controller-to controller transfers 2. Controller-to-processor transfers 3. Processor-to-processor transfers 4. Processor-to-controller transfers

Question 26

What are the 6 steps the EDPB has provided for assessing whether SCCs provide an adequate level of protections for international data transfers?

Answer 26

1. Know your transfers 2. Identify the transfer tools you’re relying on 3. Assess whether the Article 46 GDPR transfer tool relied upon is effective in light of all circumstances of the transfer 4. Adopt supplementary measures 5. Procedural steps if you have identified effective supplementary measures 6. Re-evaluate at appropriate intervals

Question 27

The Commission’s 2021 SCCs did what to address the CJEU’s decision in Schrems II?

Answer 27

Added a number of provisions that strengthen the ability of the contractual parties to control the extent to which government agencies outside of the EU May access personal data.

Question 28

What was the most significant development in the area of international data transfers under the GDPR?

Answer 28

The inclusion of BCRs as a mechanism available to both controllers and processors to legitimize international data transfers within their corporate group.

Question 29

According to the GDPR, EU DPAs must approve a set of BCRs following what?

Answer 29

The consistency mechanism (provided the BCRs are legally binding and expressly confer enforceable rights on data subjects).

Question 30

What 14 elements must a full and valid set of BCRs contain?

Answer 30

1. The structure and contact details of the corporate group and each of its members 2. The details on the data transfers or set of transfers (e.g. type of processing and its purposes, type of data affected, id of third country in question) 3. Their legally binding nature both internally and externally 4. The application of the general data protection principles and the requirements in respect of onward transfers to bodies not bound by the BCRs 5. The rights of data subjects re processing and means to exercise those rights 6. The acceptance by the controller or processor established in the territory of a member state of liability for any breaches of the BCRs by any member concerned not established in the EU 7. The way the info in the BCRs is provided to the data subjects 8. The task of any DPO or any other person or entity in charge of monitoring compliance with the BCRs 9. The compliant procedures 10. The mechanisms for ensuring the verification of compliance with the BCRs 11. The mechanisms for reporting and recording changes to the rules and reporting those changes to the supervisory authorities 12. The cooperation mechanism with the supervisory authority to ensure compliance 13. The mechanism for reporting to the competent supervisory authority any legal requirements to which a member of the corporate group is subject in a 3rd country which is likely to have substantial adverse effect on the guarantees provided by the BCRs 14. The appropriate data protection training to personnel having permanent or regular access to personal data

Question 31

The EDPB confirmed that derogations should be interpreted how and only relied upon when?

Answer 31

Derogations should be interpreted restrictively and only relied upon as a last resort, when provisions of adequate protection or appropriate safeguards for the personal data transferred isn’t possible.

Question 32

What are basis for the 7 derogations under the GDPR?

Answer 32

1. Consent (explicit) 2. Contract performance 3. Substantial public interest (e.g. crime prevention, national security, tax collection) 4. Legal claims (exercising, establishing, or defending) 5. Vital interests (relates to matters of life or death) 6. Public registers 7. Not repetitive transfers

Question 33

What 4 elements must be in place for the derogation re non-repetitive transfers to apply?

Answer 33

Transfer 1. Isn’t repetitive 2. Concerns only a limited number of data subjects 3. Is necessary for the purposes of complete legit interests pursued by the controller which aren’t overridden by the interests or rights and freedoms of the data subjects 4. The controller has assessed all circumstances surrounding the data transfer and on the basis of that assessment provided suitable safeguards with regard to the protection of the personal data

Question 34

If a company is relying on the non-repetitive transfer derogation who must be informed about the transfer?

Answer 34

1. Supervising authority 2. Data subject of the transfer