Flashcards in Cross-border Data Transfers Deck (13):
What are the options for internationally transferring personal data?
- adequacy decision - finding by the Commission that certain countries, or sectors within a country, adequately protect EU data by law, obviating any need for additional safeguards
- appropriate safeguards - binding corporate rules (BCRs), standard contract clauses, codes of conduct or certification mechanisms, ad hoc contractual clauses authorized by SA
- derogations - last resort only under specific conditions
What countries have adequacy sections?
Isle of Man
Canada (international agreement)
Switzerland (international agreement)
USA (Privacy Shield)
What are the criteria for adequacy?
- respect of the rule of law
- access to justice
- international human rights standards
- general and sectoral laws
- effective and enforceable rights of individuals
- data protection rules, professional rules
When and why was Safe Harbour invalidated?
October 2015 - Schrems v DPA Ireland (Facebook Ireland, European subsidiary of Facebook). Safe Harbour did not prevent US government access to data.
When was Safe Harbor found to be adequate by European Commission?
When was the EU-US Privacy Shield formally approved?
Who can qualify for using the EU-US Privacy Shield?
An organisation that falls under the US Federal Trade Commission (not financial institutions)
What are the requirements of the EU-US Privacy Shield self-certification programme?
- renew certification annually
- publicly commit to the Principles
- implement the Principles
What are the seven principles of EU-US Privacy Shield?
- choice (data subject rights)
- accountability for onward transfer
- data integrity and purpose limitation
- recourse, enforcement and liability
Who approves BCRs?
The supervisory authorities must sign off on the rules through the consistency mechanism.
The rules are for handling personal data that are binding on the company.
Who can use BCRs?
- Companies engaged in joint economic activity
- Corporate groups and groups of enterprises
- Controllers and processors
What are the options for providing appropriate safeguards for cross-border data transfers?
- binding corporate rules (BCRs)
- standard contract clauses
- codes of conduct or certification mechanisms
- ad hoc contractual clauses