The role of Convention 108+ with regard to international data flows from EU member states and EU institutions? 23/10/2018, Brussels Wojciech R. Wiewiórowski.

Presentation transcript:

The role of Convention 108+ with regard to international data flows from EU member states and EU institutions?
23/10/2018, Brussels
Wojciech R. Wiewiórowski, European Data Protection Assistant Supervisor (EU)
Convention 108+: the global data protection Convention
Side event of the 40th ICDPPC

European Data Protection Supervisor (EDPS)
The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. A number of specific duties of the EDPS are laid down in Regulation 45/2001. The three main fields of work are:
– Supervisory tasks
– Consultative tasks: to advise the EU legislator on proposals for new legislation as well as on implementing measures. Technical advances, notably in the IT sector, with an impact on data protection are monitored.
– Cooperative tasks: involving work in close collaboration with national data protection authorities (Article 29 Working Party)

The role of European Data Protection Supervisor
The European Data Protection Supervisor (EDPS) is the independent supervisory authority for the processing of personal data by the EU administration;
Privacy and data protection are fundamental rights – see Articles 7 and 8 of the Charter of Fundamental Rights;
Independent supervision is an integral part of the right to data protection – see Article 16(2) TFEU and 8(3) Charter;
What we do:
– monitoring and verifying compliance with Regulation (EC) 45/2001,
– giving advice to controllers,
– advising the co-legislators on new legislation,
– cooperating with Member States’ DPAs,
– handling complaints, conducting inspections,
– monitoring technological developments,
– promoting data protection aware design and development

Resources Handbook on European data protection law, Fundamental Rights Agency, 3rd ed., Brussels 2018 http://fra.europa.eu/en/publication/2018/handbook-european-data-protection-law

Convention 108 – Council of Europe

Convention 108 – Council of Europe
The 128th Ministerial Session of the Council of Europe’s Committee of Ministers held in Elsinore, Denmark, adopted on 18 May 2018 the Protocol (CETS No. 223) amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and endorsed its Explanatory Report. It was opened for signature on 10 October 2018. The official ceremony, with signature by 21 Parties to the Convention (including 17 EU Member States), took place with the participation of the Secretary General, Thorbjørn Jagland, and the Chairperson of the Committee of Ministers, Marija Pejčinović Burić.
The countries that have signed are: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Ireland, Latvia, Lithuania, Luxembourg, Monaco, the Netherlands, Norway, Portugal, Russia, Spain, Sweden, the United Kingdom and Uruguay.
Complementary information can be found on the Council of Europe website: https://www.coe.int/en/web/data-protection/-/opening-for-signature-of-the-protocol-amending-the-convention-108-here-is-convention-108-

Inter-institutional procedure within the EU to sign and ratify the Convention 108+
The Union cannot sign or ratify the Convention 108+, as under the current Convention 108 only States are Parties. Therefore, on 5 June 2018, the European Commission submitted to the Council of the EU two proposals authorising Member States:
– to sign the Convention 108+ in the interest of the Union,
– to ratify it in the interest of the Union.
On 26 June 2018, the Council of the EU adopted the Decision authorising the Member States to sign, in the interest of the Union, the Convention 108+ insofar as its provisions fall within the exclusive competence of the Union.
The consent of the European Parliament is a precondition for the adoption of the Decision authorising the Member States to ratify the Convention 108+. Consequently, on 11 October 2018, the Council of the EU decided to request the consent of the European Parliament on the draft Decision authorising the Member States to ratify, in the interest of the Union, the Convention 108+ insofar as its provisions fall within the exclusive competence of the Union. [Legal basis: Article 218(6)(a)(v) TFEU]

Data protection laws all over the world
D. Banisar, National Comprehensive Data Protection/Privacy Laws and Bills 2018 (as of 25.01.2018), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1951416

Data protection laws in the world as of September 2018: 128 states
Based on presentation by G. Greenleaf: Overview: Global developments in data privacy laws, September 2018
[Map; colour legend: Comprehensive, Public only, Private only, Mainly private, Lower level regulation]

Data protection laws in the world with lower level regulation (+ 30): 158 states
Based on presentation by G. Greenleaf: Overview: Global developments in data privacy laws, September 2018
[Map; colour legend: Comprehensive, Public only, Private only, Mainly private, Lower level regulation]

Data protection laws all over the world
Assessing the strength of the regulations all over the world
Daria Spieler, Data Protection Laws Interactive Map, DataPrivacySite, 30.01.2017, http://dataprivacysite.com/2017/01/30/data-protection-laws-interactive-map/
The updated map (different from this one) is accessible at: Compare data protection laws around the world, DLA Piper, https://www.dlapiperdataprotection.com/index.html?_lrsc=fffb07eb-8d06-4cef-8c90-584160de530b

Adequacy
Convention 108+ Article 14 – Transborder flows of personal data
1. A Party shall not, for the sole purpose of the protection of personal data, prohibit or subject to special authorisation the transfer of such data to a recipient who is subject to the jurisdiction of another Party to the Convention. Such a Party may, however, do so if there is a real and serious risk that the transfer to another Party, or from that other Party to a non-Party, would lead to circumventing the provisions of the Convention. A Party may also do so, if bound by harmonised rules of protection shared by States belonging to a regional international organisation.
2. When the recipient is subject to the jurisdiction of a State or international organisation which is not Party to this Convention, the transfer of personal data may only take place where an appropriate level of protection based on the provisions of this Convention is secured.

Adequacy
Convention 108+ Article 14 – Transborder flows of personal data
3. An appropriate level of protection can be secured by:
a. the law of that State or international organisation, including the applicable international treaties or agreements; or
b. ad hoc or approved standardised safeguards provided by legally-binding and enforceable instruments adopted and implemented by the persons involved in the transfer and further processing.
4. Notwithstanding the provisions of the previous paragraphs, each Party may provide that the transfer of personal data may take place if:
a. the data subject has given explicit, specific and free consent, after being informed of risks arising in the absence of appropriate safeguards; or
b. the specific interests of the data subject require it in the particular case; or
c. prevailing legitimate interests, in particular important public interests, are provided for by law and such transfer constitutes a necessary and proportionate measure in a democratic society; or
d. it constitutes a necessary and proportionate measure in a democratic society for freedom of expression.

Essentially equivalent story of Maximilian Schrems
73) The word ‘adequate’ in Article 25(6) of Directive 95/46 admittedly signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. However, as the Advocate General has observed in point 141 of his Opinion, the term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter. If there were no such requirement, the objective referred to in the previous paragraph of the present judgment would be disregarded. Furthermore, the high level of protection guaranteed by Directive 95/46 read in the light of the Charter could easily be circumvented by transfers of personal data from the European Union to third countries for the purpose of being processed in those countries.
74) It is clear from the express wording of Article 25(6) of Directive 95/46 that it is the legal order of the third country covered by the Commission decision that must ensure an adequate level of protection. Even though the means to which that third country has recourse, in this connection, for the purpose of ensuring such a level of protection may differ from those employed within the European Union in order to ensure that the requirements stemming from Directive 95/46 read in the light of the Charter are complied with, those means must nevertheless prove, in practice, effective in order to ensure protection essentially equivalent to that guaranteed within the European Union.


Transfers in – GDPR (2016/679)
Article 45 Transfers on the basis of an adequacy decision
1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

Adequacy decisions
– Andorra - 2010/625/EU
– United States – “Privacy Shield”
– Argentina - 2003/490/EC
– Canada - 2002/2/EC
– Switzerland - 2000/518/EC
– Faroe Islands - 2010/146/EU
– Guernsey - 2003/821/EC
– Japan ???
– Israel - 2011/61/EU
– Isle of Man - 2004/411/EC
– Jersey - 2008/393/EC
– New Zealand - 2013/65/EU

Transfer subject to contractual clauses
Both CoE law and EU law recognise contractual clauses between the data-exporting controller and the recipient in the third country as being a possible means of safeguarding a sufficient level of data protection for the recipient.
At the EU level, the European Commission with the assistance of the Article 29 Working Party developed standard data protection clauses which were officially certified by a Commission Decision as proof of adequate data protection. As Commission decisions are binding in their entirety in the Member States, the national authorities that supervise data transfers must acknowledge these standard contractual clauses in their procedures. Thus, if the data-exporting controller and the third-country recipient agree and sign these clauses, this ought to provide the supervisory authority with sufficient proof that adequate safeguards are in place.
Yet in the Schrems case, the CJEU held that the European Commission does not have the competence to restrict the powers of the national supervisory authorities to oversee the transfer of personal data to a third country which has been the subject of a Commission adequacy decision. Thus, national supervisory authorities are not prevented from exercising their powers, including the power to suspend or ban a transfer of personal data when the transfer is carried out in violation of EU or national data protection law, such as, for instance, when the data importer does not respect the standard contractual clauses.

Transfer subject to contractual clauses
The existence of standard data protection clauses in the EU legal framework does not prevent controllers from formulating other ad hoc, individual contractual clauses, as long as these clauses have been approved by the supervisory authority. They would, however, have to ensure the same level of protection as provided by the standard data protection clauses.
When approving ad hoc clauses, supervisory authorities are required to apply the Consistency Mechanism, so as to ensure a consistent regulatory approach across the EU. This means that the competent supervisory authority has to communicate its draft decision on the clauses to the EDPB. The EDPB will issue an opinion on the matter, and the supervisory authority must take utmost account of this opinion in proceeding with its decision. If it does not intend to follow the EDPB opinion, the dispute resolution mechanism within the EDPB will be triggered and the Board will adopt a binding decision.
The most important features of a standard contractual clause are:
– a third-party beneficiary clause which enables data subjects to exercise contractual rights even though they are not a party to the contract;
– the data recipient or importer agreeing to be subject to the authority of the data-exporting controller’s national supervisory authority and/or courts in the case of a dispute.
There are now two sets of standard clauses available for controller-to-controller transfers, from which the data-exporting controller can choose. For controller-to-processor transfers, there is only one set of standard contractual clauses.

International Conference of Data Protection and Privacy Commissioners 2018 Brussels, 21-26 October organised jointly by EDPS and Bulgarian DPA

Thank you for your attention! www.edps.europa.eu edps@edps.europa.eu @EU_EDPS