Cross-border data exchange

Page 9

Cross-border data exchange

certain conditions (Articles 44 to 50 DSGVO). In particular, appropriate guarantees under Article 46 DSGVO, such as EU standard contractual clauses, the consent of the data subject (Article 49(1) a DSGVO), Binding Corporate Rules (Article 46(2) b, Article 47 DSGVO), Code of Conducts (Article 40 DSGVO), recognised certification mechanisms (Article 42 DSGVO) or the existence of a public interest (Article 49 DSGVO) should be mentioned. As Japan is now not subject to additional restrictions on data flow, other third countries have an incentive to improve their data protection standards in order to benefit from the advantages of an EU adequacy decision in the future. Canada, Israel, Japan, New Zealand, Switzerland and Uruguay are some of the twelve countries that have been certified by the European Commission to have a comparable level of data protection. The EU's basic data protection regulation has already inspired some countries in key third markets to adopt comparable laws. Argentina already has a similar approach to international data transfers, and the new Data Protection Act that the government presented to Congress in October 2018 would bring the country even closer to the EU's basic data protection regulation in Europe. 12 This is also the case in Brazil, where the new General Data Protection Law was adopted in August 2018 and came into force in February 2020. International data transfers are only allowed in certain situations, such as when an adequate level of data protection is ensured in the recipient countries, when approved legal mechanisms (e.g. model contract clauses) are used, or when the data subjects have given their consent. BDI’s position

BDI expressly welcomes the EU adequacy decision on Japan. The EU data protection basic regulation thus sets international standards. In dialogue with other key markets, the EU should also work towards harmonising data protection standards there. Ideally, this could lead to an extension of the EU's Adequacy Decisions. This could de facto transfer the high EU standards to key markets ("protection travels with the data").

EU-US Privacy Shield The EU-US Privacy Shield Agreement had been in force since 2016 and was overturned by the European Court of Justice (ECJ) in its judgment of 16 July 2020 (C-3111/18 - "Schrems II"). The ruling was triggered by a complaint lodged by a citizen with the Irish data protection authority, in which he repeatedly objected to the transfer of his data by Facebook to the US. This is the second time that the ECJ has overturned the essential legal basis for the transfer of personal data of European citizens to the US after the decision on the Safe Harbour Agreement in 2015 (C 362/14 - "Schrems I"). Until the ruling, the Privacy Shield Agreement negotiated on 12 July 2016 was, in addition to the standard data protection clauses, the essential basis for the transfer of personal data from the EU to the USA on the possibilities of transfer to third countries under Art. 44 et seq. DSGVO. The agreement facilitated the EU-US data flow for companies. At the same time, the Privacy Shield required stricter obligations on US companies to protect personal data when they receive data from the EU, compared to US data protection. In order to fall within the scope of the agreement and the facilitated data flow, US companies had to self-certify against certain data protection standards. By means of annual

12

https://iapp.org/news/a/argentinas-new-bill-on-personal-data-protection/

9


Turn static files into dynamic content formats.

Create a flipbook
Issuu converts static files into: digital portfolios, online yearbooks, online catalogs, digital photo albums and more. Sign up and create your flipbook.
Cross-border data exchange by Bundesverband der Deutschen Industrie e.V. - Issuu