Research

Transborder data flows according to EU proposed Data Protection Regulation

Description
Transborder data flows according to EU proposed Data Protection Regulation
Categories
Published
of 10
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Related Documents
Share
Transcript
  I would like to thank the European Privacy Association for theinvitation to this breakfast meeting and for giving me theopportunity to talk before such a distinguished audience.Paolo’s points are key and emphasize the importance of this topicand of the effectiveness of the adequacy remedies in order toboth legitimize and facilitate data transfers abroad. The sequence of legal concepts regarding transborder data flows isthe following:1. transfers of data should not jeopardize the system of protection ensured by European legislation;2. therefore, transfers are subject to a preliminary adequacytest , such as the verification that the processing by the recipientwill still enjoy an adequate level of protection;3. once the adequacy remedies set forth by law are met, the dataflow should encounter no obstacles for the benefit of international transactions; they remain subject, however, tothe general data protection obligations (notice, legal groundfor the processing, purpose limitation, security measures,etc.)  To start with, it seems first important to clarify the meaning of “transfer of personal data” as per European legislation. 1  Primarily, “transfer” means a transmission of data from oneplace to another and not a mere transit or a simple routing of data through a third country.In the Lindqvist case , the European Court of Justice consideredthat the Directive’s expression “transfer of data to a third country”could not be construed as to cover the loading of data onto aninternet page, where the site is hosted by a national ISP, eventhough this resulted in data being made accessible to persons inother countries . The Lindqvist case suggests that the intention of the person who uploads the data regarding their accessibility acrossthe world, can play an important consideration for the qualificationof the operation as a “transfer”. Mrs. Lindqvist, being an activemember of her local church in Sweden, created a site givinginformation about her fellow parishioners. In that case, of course, itwas easy to demonstrate that she had no intention that theinformation would be accessed overseas, because it was a localinitiative. On the contrary, we could reach opposite conclusions inthe case a company sets up an internet page with informationabout its business and products.Second, the expression “transfer to a third country” is linkedto the concept of “territorial jurisdiction”, that is, “transfer to a third 2  country” implies the change of jurisdiction competent to ruleover personal data contained in that transmission. This is based upon the assumption that law can be enforced onlywithin the territory of the State having jurisdiction. Therefore, wehave a “transfer to a third country” in the meaning of art. 25 of theDirective (and art. 40 of the proposed Regulation) whenever itcauses a change of jurisdiction.If personal data move from one jurisdiction which provides for aconsistent form of protection (i.e. an EU member State) to a thirdcountry lacking similar guarantees, then data subjects’ safeguardscould be disrupted and transfers might become a circumvention of data subjects’ rights. This is why transborder data flows are conditioned to theadequacy test : data transfers are permitted if personal data enjoyan adequate level of protection, despite their being subject to adifferent jurisdiction. Therefore, should the expression “data transfer to a third country”be interpreted in connection with the change of jurisdiction we canaffirm that it is certainly so, for the flow of data from the EEA space(EU member States plus Norway, Iceland and Liechtenstein)towards a third country. But it is still so, even in case of  transfer of data from the territory of one member State to another , 3  within the same EEA space. In this second option, i.e. data whichflow within the EU trading bloc, the adequacy test is automaticallypassed despite the change in jurisdiction, because of theapplicability of a common set of rules, established by the Directive,up to now, and by the Eu Regulation, in the future.We have noticed before that the chain of concepts regardingtransborder data flows, emphasizes the assumption that once theadequacy test is passed, the free flow of personal data should beguaranteed without restrictions. The expected outcome of a free flow of data is not an automaticoutput of the adequacy test. In fact, despite the harmonization of the data protection national legal systems realized through theDirective, the application of these rules varied significantly amongstmember States; as an enduring evidence of the territorial jurisdiction at State level. This implied that a processing of personaldata which is legally compliant, for example, as per Italian law,might not it be automatically in line with the law of another EUmember State, say Germany, and so on. This situation of conflicting data protection rules in different EUcountries has jeopardized the free flow of data within the EEA spaceas well as international exchanges, thus justifying the adoption of adifferent legal instrument at Union level: a Regulation instead of a 4  Directive, which sets forth a common data protection legal groundfor all member States. So now, with the coming into force of theRegulation, the transfer of personal data from one company toanother within the EEA space, should flow without practicalrestrictions.Reverting back to the concept of “transfer”, there is one more issueI would like to address: does the transfer imply that thetransmission must necessarily srcinate from the EEA space?1. Certainly, the most common type of data transfer is when dataare transmitted outside the EEA space 2. But we envisage a change in jurisdiction and, therefore, a “datatransfer to a third country” in the meaning of EU law, also in the case of onward transfers such as data transferred from a non-EEA country of a controller/processor, subject to the Regulation,towards another non-EEA country. This hypothesis can take place in two cases:When the transfer originates from the EEA and the recipientoutside EEA subsequently transfers the data to another non-EEAcountry (the so called “onward transfer”).In addition, according to the proposed Regulation, we could have afurther option when transfers do not have srcin from an EEAcountry, while they take place between controllers and 5
Search
Tags
Related Search
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks
SAVE OUR EARTH

We need your sign to support Project to invent "SMART AND CONTROLLABLE REFLECTIVE BALLOONS" to cover the Sun and Save Our Earth.

More details...

Sign Now!

We are very appreciated for your Prompt Action!

x