Written and recorded by Robert Edwards, Law Hound
Hello and welcome to this GDPR session from Data Law. My name is Robert Edwards. I'm a retired counterintelligence and IT security specialist with HMG, and after that I moved on to delivering legal training and lecturing. In this session, I'd like to talk to you about GDPR data transfer outside the EU. The General Data Protection Regulation (GDPR) is designed to update the Data Protection Act 1998 (DPA) to provide greater transparency, enhanced rights for citizens and increased accountability. In this session, we're going to examine the basic GDPR position in relation to the transfer of personal data outside the EU. When I say basic, please don't think that this is not a complicated session: the transfer of data outside the EU has caused considerable discussion and debate.

I shall be using the following terms: individual, meaning the data subject, the individual whose data is held by an organization or a data controller; organization, meaning the data controller, the organization holding the data; data, to mean personal data as applicable within the meaning of the Data Protection Act 1998 (DPA) and the GDPR; and ICO, to mean the Information Commissioner's Office.

The definition of personal data. The protective provisions of data protection relate to personal data, including as and when that data is transferred. Data transfer is one of the most complex areas of the GDPR because of the very nature of conducting business in the digital environment. If a business operates with external data partners who supply data storage and/or processing, it's worth considering the subcontracting that is endemic in clothing manufacturing. Brands use plausible deniability when accused of using child labor because their direct contract specified that the contracted company would not employ children; subcontractors are not held to the same standards.
Of course, under the GDPR the data controller will always be responsible for the location and methods in which data is handled, processed, transferred and stored, irrespective of how many partner organizations or subcontractors there are in the chain. On that basis, it's worth reminding ourselves that under Article 4 of the GDPR, personal data means any information relating to an identified or identifiable natural person, the data subject. This broadens the definition of personal data to take into account advances in technology and how we work and do business today. According to Recital 26, if you can identify a natural person directly or indirectly using all means reasonably likely to be used, then the information is personal data. "All means reasonably likely to be used" means applying objective factors such as the time required and the costs associated with identification, but also taking into account the technology available, particularly given the speed at which complex and expensive enterprise-level technology becomes less expensive and falls within the reasonable reach of the individual. It also means that data may be personal data even if the organization holding that data cannot itself identify a natural person from it. So, taking into account Article 4, the broader definition of personal data now includes a name; an identification number; location data, which includes GPS data from mobile phones and RFID (radio frequency identification) tag information; something specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity; and online identifiers such as IP (Internet Protocol) addresses, cookie identifiers or other identifiers such as, again, radio frequency identification tags. Personal data may also include pseudonymised data.
This is personal data which has been pseudonymised, in other words key-coded, depending on how easy it is to recognize a particular individual from the pseudonym under Article 26. This is worth bearing in mind with regard to the tools you may use, such as, as an example, analytical tools such as Google Analytics.

When can you transfer data outside the EU? Well, like the DPA, GDPR restricts the transfer of personal data outside the EU, so that under GDPR the transfer of personal data outside the EU can only take place if the conditions of Chapter 5, which covers Articles 45 to 50 of GDPR, are met.

Transfers on the basis of an adequacy decision, Article 45: where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection (Article 45(1)). Under GDPR these transfers will not require any specific authorization. However, GDPR does provide that these approved third countries or territories will be subject to a periodic review, at least every four years (Article 45(3)), and on an ongoing basis they'll monitor developments which could affect the functioning of decisions (Article 45(4)). So there remains a list of approved countries which already have what the Commission deemed to be an adequate level of protection. At the moment, it seems that the existing list of countries which has previously been approved by the Commission will remain in force (the Commission decisions on the adequacy of the protection of personal data in third countries). The list of countries is available at the link that's in your notes.

Transfers subject to appropriate safeguards, Article 46: where Article 45 doesn't apply to the relevant country or territory, that is, they're not approved as being adequate.
A data controller or processor can still make data transfers to that country or territory, provided that they have provided appropriate safeguards, and enforceable data subject rights and effective legal remedies for data subjects are available. So what is an appropriate or adequate safeguard? Article 46(2) lays down the circumstances which may constitute an appropriate, or if you prefer adequate, safeguard without you having to obtain any specific authorization from a supervisory authority, and these include: a legally binding and enforceable instrument between public authorities or bodies. Remember that approved schemes do and will change, just as we saw the move from the US Safe Harbor scheme, which is now invalid. However, we have a replacement in the EU-US Privacy Shield, where organizations self-certify that they meet the Shield standards. Binding corporate rules in accordance with Article 47: binding corporate rules, or BCRs, apply to multinational organizations which transfer personal information outside the EU, but only within their own group of entities and subsidiaries. These qualifying organizations need to provide, I beg your pardon, need to obtain approval from an EU data protection authority such as the ICO. Current ICO guidance means that organizations which have previously had BCRs approved must ensure that the BCR and all their relevant data processing is GDPR compliant by the 25th of May 2018. The ICO advises that the relevant organizations can inform the ICO about BCR changes either prior to that date or during their next annual update. Template or standard data protection clauses adopted by the Commission, or template or standard data protection clauses adopted by a supervisory authority and approved by the Commission. Compliance with an approved code of conduct approved by a supervisory authority.
And certification under an approved certification mechanism pursuant to Article 42, together with binding and enforceable commitments of the controller or processor in the third country to apply GDPR appropriate safeguards. Also, in accordance with Article 46(3), subject to authorisation from the competent supervisory authority: contractual clauses agreed between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization, and provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights. The Article 46(3) authorization will be subject to the supervisory authority applying the consistency mechanism (Article 46(4)). The consistency mechanism can be found within Section 2, Articles 63 to 67, and at the time that this session is written and recorded, we're waiting for some more comprehensive guidelines.

Derogations or exemptions to the restrictions on data transfer. There are GDPR derogations: Article 49 and Recitals 111 and 112 of GDPR provide the following derogations or exemptions. Consent: if you have the individual's informed and valid consent, provided that it's a GDPR-compliant consent. Contractual performance: where it's necessary to carry out an existing contract with the individual, or something pre-contractual that is necessary for the contract to be made with that individual. Public interest: this has a high threshold and is primarily relevant in relation to issues of national security, crime detection and tax or customs administration.
It would also relate to public health interest, as Recital 112 specifically says, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. Vital interests: protecting the vital interests of the individual, where it involves matters of life and death and where that individual data subject is physically or legally incapable of giving consent, so, as an example, could potentially be the case with medical records. Public registers, which, as the ICO informs, is a register which under EU or UK law is intended to provide information to the public and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register. And legal claims: necessary for legal proceedings or to establish, exercise or defend legal rights. However, derogations in relation to consent and contractual performance will not be available to public authorities when exercising their public powers. It's also interesting to note that Recital 112 also specifically states that in the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international organization. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organization of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to comply with international humanitarian law applicable in armed conflicts, could be considered to be necessary for an important reason of public interest or because it is in the vital interest of the data subject.
One-off data transfers, Article 49(1). This is a new and limited derogation whereby data can be transferred outside the EU where there is no Commission decision authorizing transfers to the country or territory concerned, it's not possible to show that the individual's rights are protected by adequate safeguards, and none of the derogations apply. However, as Recital 113 reinforces, it can only apply if it is for the purposes of the compelling legitimate interests pursued by the controller and where those interests are not overridden by the interests or rights and freedoms of the data subject, when the controller has assessed all the circumstances surrounding the data transfer, and the transfer of personal data relates to only a limited number of data subjects and is a one-off or very infrequent transfer. So under current ICO guidance this is possible, but only where the transfer is not being made by a public authority in the exercise of its public powers; is not repetitive, that is, similar transfers are not made on a regular basis; involves data related to only a limited number of individuals; is necessary for the purposes of the compelling legitimate interests of the organization, provided such interests are not overridden by the interests of the individuals; and is made subject to suitable safeguards put in place by the organization, in the light of an assessment of all the circumstances surrounding the transfer, to protect the personal data. However, Recital 113 also makes it clear that the organization who is undertaking the data transfer must inform the relevant supervisory authority of the transfer (in the UK, the ICO) and provide additional information to the individuals concerned.
International cooperation. Article 50 of GDPR specifically promotes international cooperation for the protection of personal data, stating that the Commission and supervisory authorities shall take appropriate steps to develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data; provide international mutual assistance in the enforcement of legislation for the protection of personal data; engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data; and promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

So what steps do you need to take? Remember that GDPR is not only about compliance, it's also about being able to prove your compliance, so the first thing to do is to examine your data flow, mapping the key international data flows. Now is the time to ask yourself whether you need to transfer that personal data outside the EU, or is there an adequate alternative available to you? If you do need to transfer, consider whether this will be GDPR compliant by asking yourself whether the country concerned is adequate. If not, are there any other appropriate safeguards? If not, does any derogation apply? For example, is it an intra-organization transfer, so that a BCR may be appropriate and meet your needs? Check your suppliers and potentially your customers on the legal basis for data transfer. Do they adhere to an approved code of conduct or certification mechanism, or are they, for example, certified, even though we know it's self-certification, under the EU-US Privacy Shield? Check your contracts and the standard data protection clauses. Clarify responsibility and compliance.
Consider having FAQs (frequently asked questions) or similar information regarding data transfer which you can make available to clients and customers. Regularly review GDPR and Data Protection Act developments, including approved codes of conduct and certification schemes. And that concludes this session for Data Law. Thank you for joining me, Robert Edwards, on this session.