EU General Data Protection Regulation & Transborder Information Flow

These slides are based on the talk I gave to the Wisconsin International Law Journal's Annual Symposium "Stamping Privacy's Passport? The Role of International Law in Safeguarding Individual Privacy" (Wisconsin, USA; 8 April 2016). This talk argued that European data protection's formal understanding of transborder data flow regulation (TBDF) is not only potentially very broad but has not appropriately balanced data protection against other key rights such as freedom of information and association. Many of these existing structural difficulties are exacerbated under the newly agreed General Data Protection Regulation (GDPR). In order to better reconcile the values at stake, Data Protection Authorities (DPAs) should also develop models to "authorize" low-risk TBDFs via self-certification by data controllers themselves. Member States should also make broad use of the derogations the Regulation leaves available. More generally, a contextual, risk-based interpretation of the GDPR must be developed which seeks to provide robust privacy and other individual safeguards without putting in jeopardy Europe’s other core values and liberties.

Published in: Law

  1. Dr. David Erdos, Trinity Hall, University of Cambridge
  2. Data Protection: The European Approach
     • Personal Information
     • Processing Principles & Legitimation
     • Sensitive Data Rules
     • Transparency & Control Rules
     • Discipline & Supervision
  3. Europe’s Other Commitments
     Interests:
     • Economic growth
     • Digitization
     • Competitiveness
     • Globalization
     • Crime prevention
     • National security
     • etc.
     Rights:
     • Freedom of expression
     • Freedom of information
     • Freedom of association
     • Freedom of movement
     • Academic freedom
     • Business Freedoms
     • etc.
  4. EU Directive & Transborder Data Flows
     Derogations (Art. 26 & Art. 9):
       1. EU contractual clauses giving “appropriate safeguards”
       2. State authorized “appropriate safeguards”
       3. Data subject waiver
       4. Some weighty publicly orientated right or interest.
     General Principle (Art. 25):
     • “transfer may only take place if … the third country ensures an adequate level of protection.”
     • European Commission empowered to “whitelist” countries
  5. Reconciliation? The Negatives
     • Transfer meaning seemingly very broad.
     • Adequacy seemingly about the legal order of country
     • Derogations strict – State vires requires all other States to be informed; State law can restrict all other derogations.
  6. Reconciliation? The Positives
     • Adequacy standard to be assessed “in all the circumstances” (Art. 25 (2))
     • Adequacy vires could be applied by any controller – interpreted in UK as “self-assessment” model.
     • Court of Justice of EU (CJEU) in Lindqvist (2003) showed willingness to narrow meaning of transfer.
  7. New CJEU Case Law (2010 onwards)
     • More severe approach from CJEU from 2010 onwards:
       • Data Protection now EU Fundamental Right
       • Growing awareness of undermining of EU data protection
     • C-262/14 Schrems case on “whitelisting” key e.g.:
       • “adequacy” here = legal order (not self-help)
       • “adequacy” here = “essentially equivalent”
       • whitelisting can’t block regulatory protective action.
  8. General DP Regulation: A Perfect Storm?
     • More absolutist starting point: “level of protection … shall not be undermined” (Art. 40)
     • Adequacy vires restricted to “whitelisting”
     • “Appropriate safeguards” based on authorization & other derogations remain tight
     • New and far-reaching transparency requirements
     • Fines of up to €20M (or 4% global turnover)
  9. Reconciliation under General DP Regulation?
     • Legal Actors to develop contextual jurisprudence e.g.
       • No transfer if fully under control of EU-based controller?
       • Sometimes no transfer if public domain content already transferred? (cf. C-466/12 Svensson re: copyright)
     • Member States to make broad use of possible derogations
     • Regulators to “authorize” controllers to self-certify for low-risk transfers.
  10. Conclusions
     • Failure of pan-EU statutory law to appropriately reconcile values here
     • Issues obscured by very lax enforcement to date
     • Problems here will become more acute under GDPR
     • Need a conversation on legal solutions to these problems
