international transfer of personal data. regulations

Agencia de Protección de Datos - Comunidad de Madrid Málaga, 19th October 2006 International Transfer of Personal Data International transfer of personal data. Regulations Advanced EuroCAMP Moving towards Confederations (18 - 19 October 2006, Málaga, Spain)

Upload: cachet

Post on 05-Jan-2016



TRANSCRIPT

Page 1: International transfer of personal data. Regulations

Agencia de Protección de Datos - Comunidad de Madrid

Málaga, 19th October 2006

International Transfer of Personal Data

International transfer of personal data. Regulations

Advanced EuroCAMP Moving towards Confederations

(18 - 19 October 2006, Málaga, Spain)

Page 2: International transfer of personal data. Regulations

Personal data: definitions and their consequences

Page 3: International transfer of personal data. Regulations

Background

- Privacy, the right “to be let alone”

- Protection against the risks of automated processing of information (French CNIL 1978, Spanish Constitution 1978, etc.)

- Fundamental right different from privacy, European-wide and other countries.

Page 4: International transfer of personal data. Regulations

Legal framework (1)

- European Convention for the Protection of Human Rights and Fundamental Freedoms – Council of Europe – 1950 (article 8)*

1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

* http://conventions.coe.int/Treaty/en/Treaties/Html/005.htm

Page 5: International transfer of personal data. Regulations

Legal framework (2)

- European Union Charter of Fundamental Rights (Dec 2000); protection of personal data (article 8)*:

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

* http://www.europarl.europa.eu/charter/pdf/text_en.pdf

Page 6: International transfer of personal data. Regulations

Legal framework (3)

- Convention of 28 January 1981 of the Council of Europe for the protection of individuals as regards automated processing of personal data.

- Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data *

* http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:NOT

Page 7: International transfer of personal data. Regulations

Legal framework (4)

- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

- Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector

Page 8: International transfer of personal data. Regulations

Extent of Directive 95/46/EC

- 'Personal data': ANY INFORMATION relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

- Exceptions: public security, defence, State security, Criminal Law, purely personal or household activity.

Page 9: International transfer of personal data. Regulations

International Transfer of Personal Data (EU-Centric view) *

* See CHAPTER IV “TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES” of Directive 95/46/EC at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML

Page 10: International transfer of personal data. Regulations

EU-EEA countries

- 25 EU Member States + 3 EEA member countries (Norway, Liechtenstein and Iceland): no further safeguard necessary

- That means national regulations apply, as if “national” data transfer (data subject consent or legal provision)

- Coming from “single market” (1st EU pillar), going to Justice and Home Affairs (3rd EU pillar).

Page 11: International transfer of personal data. Regulations

“Third” countries (non EU-EEA)

- “Adequate level of protection” (ALP) for personal data in third countries

- On the basis of National Law or International Commitments

- Decision by European Commission, with participation of Member States, European DPAs (art. 29WP), EU Parliament

Page 12: International transfer of personal data. Regulations

List of “Third” countries with ALP

- Switzerland, Canada, Argentina, Guernsey, Isle of Man, the US Department of Commerce's Safe Harbor Privacy Principles, and the transfer of Air Passenger Name Record to the United States' Bureau of Customs and Border Protection

- Detailed information at:

http://ec.europa.eu/justice_home/fsj/privacy/thirdcountries/index_en.htm

Page 13: International transfer of personal data. Regulations

Some ongoing issues

- Ruling by the European Court of Justice of 30 May 2006 in Joined Cases C-317/04 and C-318/04 on the transmission of Passenger Name Records to the United States (May 2006)

- SWIFT transfer to the US

Page 14: International transfer of personal data. Regulations

Countries without ALP (1):

- International PD transfer may still (legally) happen if:

1. There is consent of the data subject

2. Required by a contract between the data subject and the controller or third party, or to protect her vital interests

3. Legally required for public interest

4. Public register following access conditions (public or interested parties)

5. Adequate safeguards adduced by the controller (i.e. Binding Corporate Rules)

Page 15: International transfer of personal data. Regulations

Countries without ALP (2):

- Check national Law and regulations and national DPA

- List of European DPAs at:

http://ec.europa.eu/justice_home/fsj/privacy/nationalcomm/index_en.htm

- Why not a consent management infrastructure?

Page 16: International transfer of personal data. Regulations

Francisco José López Carmona

Deputy Director for the Register of Data Files and Consulting Services

[email protected]