
Lecture 4 international data transfers and enforcement v.2


international data transfers and enforcement

Published in: Education

1. A quick recap of Lecture 3…
   1. Data controllers determine the purpose and means of processing personal data, and must ensure and demonstrate compliance (e.g., Data Protection by Design and by Default)
   2. Data processors are contractually engaged to process data on behalf of the controller
   3. Required data protection practices include: security safeguards, breach notification, and documentation of processing

2. Lecture 4: International Data Transfers and Enforcement
   What North American Companies Need to Know About the EU Data Protection Regulation

3. In this lecture, you will learn:
   1. What does it mean to be an adequate data protection jurisdiction?
   2. What is the Privacy Shield agreement and what does it cover?
   3. What are the main differences between EU, US, and Canadian data protection legislation?
   4. What powers do data protection authorities have, and which one will oversee your organization?
   5. How does the EU Regulation define individual and collective rights of action?
   6. What are the penalties for infringement?
4. International Data Transfers

5. International Data Transfers
   • Personal data can be transferred to countries and international organizations that have an adequate level of data protection (e.g., Canada – PIPEDA*)
   • An “adequacy designation” only addresses data transfer requirements, not the other substantive GDPR requirements
   • Allows data controllers to transmit personal data to PIPEDA-governed companies without needing additional safeguards
   • The US has been deemed not to have an adequate level of data protection, but companies can self-certify to join the Privacy Shield framework for an adequacy determination
   *PIPEDA is applicable to private sector organizations

6. What if you don’t have an Adequacy Designation?
   • Three options for transferring data in the absence of an adequacy designation:
     1. Contractual clauses or binding corporate rules (guidelines provided by the Article 29 Working Group); special authorization from an EU data protection authority is required
     2. Adoption of standard contractual clauses published by the European Commission
     3. If neither of these options is practical or feasible, six derogations exist (e.g., informed consent to risks)

7. Derogations for data transfers: personal data can be transferred outside the EU without adequate protections if:
   1. Explicit informed consent
   2. Transfer is necessary for the performance of a contract
   3. Public interest or vital interest
   4. Exercise or defense of legal claims
   5. Public register
   6. Compelling legitimate interests of the controller with suitable safeguards
      • Concerns only a limited number of data subjects
      • NOT repetitive
      • NOT overridden by data subject rights

8. Is PIPEDA equivalent to the GDPR?
   • Canada is deemed an adequate data protection jurisdiction by the EU because of PIPEDA’s protections
   • This does not mean that compliance with PIPEDA ensures compliance with EU regulations
   • Canadian organizations that offer services within the EU or monitor EU residents must comply with EU law
9. EU, Canada and US: Key Differences

                                  EU                                     Canada                     US
   Data ownership                 Data subjects                          Organizations              Organizations
   Data protection/privacy law    Regulation (EU) 2016/679               PIPEDA; health privacy laws  Multiple federal and state laws, case law
   Privacy enforcement            National data protection authorities   Privacy commissioners      FTC, FCC, state attorneys general
10. EU-US Privacy Shield Framework
   • Replaces Safe Harbour
   • Draft agreement re: protection of personal data transferred for commercial purposes from the EU to the US
     • E.g., transfers of financial data between banks
   • Does NOT apply to companies that directly collect personal data from people in the EU
   • Companies self-certify adherence to seven principles and demonstrate compliance
   • Certified companies are listed on the Department of Commerce website

11. Privacy Shield: What’s New?
   • More supervision of US companies
   • Tighter conditions for onward personal data transfers
   • Limitations on national security access
   • US data protection ombudsman (Dept. of State)
   • New redress options for EU residents
   • Annual joint review

12. What does Privacy Shield mean for Canadian organizations?
   • Relevant to Canadian organizations that receive personal data from the EU and transfer personal data to the US for commercial purposes (e.g., financial institutions)
   • Does NOT provide assurance of compliance for Canadian organizations that fall under the scope of EU regulation
     • E.g., use of US-based cloud services to manage EU clients’ personal data
13. Enforcement and Penalties

14. Who’s in charge? Data Protection Authorities
   • Independent public authority in each EU member state
   • Regular monitoring activities
   • Investigate public complaints

15. Data Protection Authorities
   • Powers:
     • Order organizations to provide any information necessary to demonstrate compliance
     • Carry out data protection audits
     • Review and withdraw certifications
     • Access data, premises and equipment
     • Issue warnings, reprimands and compliance orders
     • Impose limitations and bans on personal data processing
     • Impose fines
     • Order suspension of data flows

16. Which data protection authority will oversee your organization?
   • When an organization is established in several EU countries, the “lead supervisory authority” will be the data protection authority in the country where the organization has its main establishment
   • Data protection authorities in other countries where the organization operates may investigate complaints, but the lead supervisory authority can decide to manage the case

17. Individual and Collective Rights of Action
   • Data subjects have the right to an effective legal remedy against data controllers and processors
   • Individual right of action
   • Data subjects can mandate not-for-profits or associations to take action on their behalf
   • Cases can be brought to court in the country where the organization is established, or in the data subject’s country of residence
   • Controllers and processors are liable and can be ordered to pay compensation for damages

18. Penalties
   • Fines up to 10 million Euros or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements of the obligations of the controller and processor under the Regulation
   • Fines up to 20 million Euros or 4% of worldwide annual turnover for infringements of the basic principles of the Regulation, the rights of data subjects, or rules for international transfers of data, and for noncompliance with orders from the supervisory authority