Privacy and Cross Border Data Flows
Domestic Responses
EU, unilateral action: the Data Protection Directive and then the GDPR
Adequacy
Other countries must raise their rules to EU standards if they want an adequacy finding that exempts them from the transfer restrictions
Binding Corporate Rules and contractual clauses are the alternatives, but enforcement effectively requires a presence within the EU
More top down, legislative
More on GDPR
Previously privacy law was a directive, meaning each member state implemented it differently.
Now a regulation, directly applicable and more binding
In a way informed by the experience of Nazi Germany and the police states of the Soviet bloc, so culturally a response to that history of abuse of personal information
Companies are subject to it if they offer goods or services to people in the EU, since personal data is involved
Cross-border transfers to third countries need one of the following
Adequacy finding
Only a handful of countries have one, including Israel, Canada and Argentina
Criticism is that the EU is more concerned with form than function: are the laws and framework on paper, rather than how they are implemented and whether they work? (Argentina, for instance, cannot really enforce its law)
Binding Corporate Rules
Model (standard) contractual clauses
A list of derogations
Unambiguous consent
legitimate interest
Necessary for performance of a contract
Compliance with a legal obligation
Protection of the data subject's interests
Appropriate safeguards
Much larger teeth than the Data Protection Directive that preceded it. Member states used to decide how to implement it, and penalties were small. Penalties are now huge, the rules apply across the board, and there are ripple effects out across the world
Historical and cultural differences, economic costs and different stages of development are challenges for the GDPR, and for countries that want to copy it
Business Accountability is the US approach
Places the expectation and burden on companies to comply with privacy principles. Companies publish privacy statements that become legally binding, and they are expected to comply with them. The business remains accountable no matter where the data goes (outside the country, to a third party)
More bottom up
This approach was pushed through APEC (Asia-Pacific Economic Cooperation) as the Cross-Border Privacy Rules (CBPR)
21 member economies in APEC, but non-binding: more principles and guidelines
The system presumes member economies have joined the CBPR system, and then organisations obtain APEC CBPR certification
Kind of an extension of the US approach, providing an overseas complement. If data moves to an APEC economy that is also certified, there is confidence that it is protected to a certain level
Includes Japan, US, NZ, Canada, Korea, Australia
Slow uptake by businesses so far
The US approach has higher transaction costs that fall on businesses. It is also costly for SMEs, which countries should consider if they want to copy it
This might make more sense for developing countries, since it is more opt-in: only countries that want to trade with the EU and have data flow would opt in to a Privacy Shield-style arrangement, so these countries could go to the EU and negotiate one
Many countries (Canada and Japan, for instance) are in both APEC and the adequacy regime of the GDPR
International Responses
OECD 2013 revised privacy guidelines: privacy principles and work towards interoperability
APEC Cross-Border Privacy Rules
Privacy Shield: limited adequacy
The European Commission decided that the Privacy Shield provides an adequate level of protection. This allows personal data to flow from the EU to the US
US-based organisations choose to self-certify that they comply with the Privacy Shield principles for protecting personal data, including onward international transfer. Enforced by the FTC
Safeguards on US government access, with redress through an ombudsperson mechanism within the State Department. Citizen complaints can be pursued through several avenues
Very much a response to the Snowden revelations about US surveillance of Europeans
WTO: privacy as an exception; draft EU FTA data-flow language
Interesting case related to the EU-US Privacy Shield
Data Protection Commissioner (Ireland) v Facebook Ireland and Schrems (Schrems II)
At issue is Facebook's use of standard contractual clauses (SCCs) to transfer personal data from the EU to the US
Schrems, an Austrian privacy activist who started as a law student, argued that US government access to personal data is not consistent with EU data protection standards
The Irish DPA agreed with Schrems, and the question referred to the Court of Justice of the EU is whether the SCCs are valid, and what a finding against them means for the Privacy Shield (the successor to Safe Harbor, which Schrems I struck down)
Will this challenge SCCs broadly, and threaten the Privacy Shield?
The case has implications for both SCCs and the Privacy Shield