As we prepare for GDPR compliance, being a business that has operations in and transfers EU data subject data to the UK, US, Canada and Australia, would it be a good idea to follow the EU-US Privacy framework or should we consider something else since there’s uncertainty about its ratification?
Based on the information you provided, it looks like your question relates to cross border personal data transfers, more precisely to the safeguards needed in order to ensure that a cross border transfer is lawful.
Before jumping into the matter at hand, we should first clarify what a cross border data transfer means: a cross border data transfer means a transfer to non EU/EEA countries as well as countries that have not been deemed by the European Commission as providing an adequate level of protection as regards personal data (adequacy decisions countries). In a nutshell, any transfer out of the EEA or to countries without adequacy decisions is a cross border data transfer.
As a general rule, the EU GDPR states that cross border data transfers are forbidden unless proper safeguards are used.
Coming back to the question:
1. Transfers to the UK are not considered cross border data transfers since the UK is still in the EU, thus there is no need to have any safeguards. Once the UK leaves the EU, this issue will have to be reconsidered based also on the results of the Brexit negotiations.
2. Transfers to Canada are not considered cross border because Canada has been issued an adequacy decision by the EU Commission.
3. Australia is not in the EU/EEA and no adequacy decision has been issued, thus adequate safeguards must be set in place. One of the most commonly used safeguards is the use of the "Model Contracts for the transfers of personal data to third countries" (Model clauses). The EU GDPR implementation Toolkit provides guidance on how to use these contracts - see details here: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
4. The US and the EU have agreed (July 2016) on the new framework for transatlantic data flows: EU-US Privacy Shield. This new framework replaced Safe Harbour, which was declared invalid by the European Court of Justice (EUCJ) in October 2015. Currently, transfers between the EU and the US can be grounded on Privacy Shield, although this is currently being challenged in front of the EUCJ as well, and there is no telling what the outcome will be. As an alternative, "Model clauses" can be used as safeguards instead of Privacy Shield, and this approach would cover the risk of Privacy Shield being invalidated.