International data transfers and Schrems White & Case. Aqeel Kadri and Tim Hickman

Transcription

1 International data transfers and Schrems White & Case Aqeel Kadri and Tim Hickman 9 March 2016

2 Overview of EU data protection law Currently, each EU Member State has its own national data protection law, implementing Directive 95/46/EC: o broadly similar compliance requirements across the EU; o but with national divergences reflecting historic legal traditions and cultures. BUT these laws are being replaced by the General Data Protection Regulation. Across the EU, privacy is a fundamental right (Art.8, ECHR). Each EU Member State has its own regulator enforcing national data protection laws ( Data Protection Authorities or DPAs ). 1

3 Key Concepts in EU data protection law EU data protection law governs the processing of personal data by data controllers, and grants rights to individuals. Processing is a broad term covering all operations performed on personal data including collecting, accessing, recording, storing, organising, altering, retrieving, using, transmitting, combining, blocking or erasing. Personal data is defined in the broadest terms as data which relate to an individual who can be identified: a) from those data; or b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. 2

4 Personal Data any information Personal data are not just limited to obvious identifiers, such as a name. Instead, they are any information relating to an identified or identifiable natural person (Directive 95/46/EC). The words any information indicate that this is a broad concept which has a wide interpretation. Format or storage medium is also irrelevant (except that some limited hard-copy filing systems may fall outside the scope). Personal data include objective information and subjective information or opinions. In order to be personal data, information: o need not be true; o may be general or specific; and o the position or capacity of the individual is irrelevant. 3

5 Personal Data relating to The words relating to indicate a focus on the relationships or links between the data and an individual. This can include information about objects (e.g., house value) which convey information about an individual. Data can relate to an individual in any one of three ways: o content data that are actually about an individual; or o purpose data that are used to evaluate the individual; or o result the data have a material impact upon the individual s life (e.g., they result in different treatment). 4

6 Personal Data an identified or identifiable Individual is identified when he or she can be distinguished from a group and identifiable when it is possible to distinguish him or her in this way. Identification may be direct or indirect. The means of identification include all the means likely reasonably to be used (Recital 26 of Directive 95/46/EC) The purpose of the processing and the technology involved may be relevant in making this determination. Attempts to anonymise or pseudonymise data are also relevant, but there are dangers here. 5

7 Personal Data natural person In the UK, a natural person essentially means a living individual (although the requirement that the individual be alive is not uniform across all EU Member States). A natural person does not include legal persons, companies or partnerships but information about legal persons may relate to natural persons and may therefore constitute personal data in some cases. 6

8 The EU General Data Protection Regulation (the GDPR ) 7

9 What is the GDPR? The GDPR is an EU Regulation that is designed to address the processing of personal data in all EU Member States. Unlike a Directive, it does not need to be implemented at the national level. Instead, it will directly replace Directive 95/46/EC and the national laws that implement that Directive. The purpose of the GDPR is to update the EU s existing data protection framework (which was written in the early 1990s) and introduce greater harmonisation across the EU Member States. 8

10 Current Status of the GDPR The first draft of the GDPR was produced by the European Commission in January Subsequent drafts were produced by the European Parliament, the Council of Ministers and various committees. A near-final text was agreed in late 2015, but the official version has yet to be published. The GDPR is likely to come into force in mid

11 Key changes introduced by the GDPR Key changes introduced by the GDPR include: o Extended territorial scope (organisations supplying goods or services into the EU, or monitoring EU data subjects will be subject to the GDPR); o Greater (though not total) harmonisation across the EU; o Stricter requirements on obtaining consent; o Direct compliance obligations for processors; o Mandatory appointment of Data Protection Officers; o Expanded rights of data subjects; o Mandatory 72-hour breach reporting; o Restrictions on international data transfers; and o Fines: the greater of 20 million or 4% worldwide turnover. 10

12 International data transfers and the CJEU decision in Schrems 11

13 What is a transfer? For the purposes of data protection law, a transfer is any movement of personal data across an international border. The method of transferring the data (e.g., sending data via or over the internet; sending a disc in the post; etc.) is irrelevant. Merely viewing personal data from a non-eea jurisdiction is a transfer of those data. It does not matter whether the data are at rest in that other jurisdiction or not. It does not matter whether the person viewing the data has the power to edit them. The use of cloud computing services will involve an international data transfer unless all of the servers that are used to provide the cloud service (including all backups) are in the EEA. 12

14 Restrictions on international data transfers As a general rule, personal data cannot be transferred to a recipient located outside the EEA (i.e., the 28 EU Member States, Iceland, Liechtenstein and Norway) unless: o An exemption or derogation applies; or o The recipient jurisdiction has received an adequacy determination from the EU s Art.29 Working Party; or o The transfer is covered by a lawful transfer mechanism (such as Model Clauses, or Binding Corporate Rules). 13

15 What are the exemptions and derogations? Directive 95/46/EC permits EU Member States to create exemptions and derogations from the general restriction on transfers, including on the following grounds: The unambiguous consent of the data subject; The transfer is necessary for the performance of a contract to which the data subject is either a party or a beneficiary; The transfer is necessary on the grounds of important public interest; The transfer is necessary for the establishment, exercise or defence of legal claims; The transfer is necessary to protect the vital interests of the data subject; or The transfer is limited to data from a public register. 14

16 What is a Commission adequacy decision? Under Directive 95/46/EC, the European Commission is empowered to determine that certain jurisdictions provide adequate protections for personal data. The current list is: Andorra; Argentina; Canada (for organisations that are subject to PIPEDA); Switzerland; the Faeroe Islands; Guernsey; Israel; Isle of Man; Jersey; New Zealand; and Uruguay. 15

17 What are Model Clauses and BCRs? Model Clauses are a set of pre-approved contractual terms governing international transfers of personal data. The content of the Model Clauses cannot be amended without endangering the pre-approval. In some jurisdictions, Model Clauses must be notified to, or approved by, the local DPA. The Model Clauses can cover controller-to-controller transfers or controller-to-processor transfers. Binding Corporate Rules ( BCRs ) are an intra-group agreement for governing international transfers of personal data. BCRs only work for intra-group transfers. Unlike Model Clauses, the terms of BCRs can be amended, and therefore provide greater flexibility. BCRs always require DPA approval, which typically takes around 18 months. 16

18 What is the U.S.-EU Safe Harbor? The U.S.-EU Safe Harbor is a scheme run by the U.S. Government s Department of Commerce. Organisations could sign up to the scheme by self-certifying that they comply with its requirements. This process did not require any official inspection, but many organisations ran audits of their data processing operations to ensure such compliance In 2000, the Commission reviewed the Safe Harbor and made an adequacy decision (i.e., it decided that the Safe Harbor was an adequate jurisdiction for the purposes of Directive 95/46/EC). As a result of the Commission s adequacy decision, personal data could be lawfully transferred from data controllers in the EU to entities that had certified to the Safe Harbor. 17

19 What happened in Schrems? Max Schrems is a privacy activist from Austria. He objected to the transfer of his personal data from the EU to the U.S. on the basis of Safe Harbor. Mr Schrems complained to the Irish Data Protection Commissioner, who rejected the complaint. However, on appeal, an Irish court referred the question of the Safe Harbor s application to the CJEU. The CJEU went further, and held that the Commission s adequacy decision concerning Safe Harbor was invalid, on the basis that the Safe Harbor no longer provides adequate protection for personal data that are transferred to the U.S. 18

20 What happens now? The U.S. government and the European Commission are in the process of negotiating the Privacy Shield, which will (if approved) effectively replace the Safe Harbor. However, final agreement on, and approval of, the Privacy Shield remains some way off. At present: The Article 29 Working Party is reviewing the European Commission s proposed Adequacy Decision. After that, the European Parliament and Council of Ministers will need to review and affirm the Privacy Shield arrangements before the Commission issues a final decision. 19

21 Where does that leave organisations? Organisations cannot rely on Safe Harbor to provide a lawful transfer mechanism, and are obliged to implement an alternative data transfer mechanism (e.g., Model Clauses; or BCRs). However, the enforcement position across the EU varies. The UK ICO has effectively stated that it is unlikely to take enforcement action on this issue. Several Continental DPAs (e.g., the CNIL in France and the AEPD in Spain) have started soft enforcement by writing letters to organisations relying on Safe Harbor. The Hamburg State DPA has reported that it is commencing enforcement proceedings against three organisations. At present, enforcement risk largely depends on where an organisation s data transfers originate. 20

22 Questions?

23 Thank you