The role of Convention 108+ with regard to international data flows from EU member states and EU institutions? 23/10/2018, Brussels Wojciech R. Wiewiórowski.


1 The role of Convention 108+ with regard to international data flows from EU member states and EU institutions?
23/10/2018, Brussels
Wojciech R. Wiewiórowski, European Data Protection Assistant Supervisor (EU)
Convention 108+: the global data protection Convention. Side event of the 40th ICDPPC

2 European Data Protection Supervisor (EDPS)
The EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. A number of specific duties of the EDPS are laid down in Regulation 45/2001. The three main fields of work are:
– Supervisory tasks
– Consultative tasks: to advise the EU legislator on proposals for new legislation as well as on implementing measures. Technical advances, notably in the IT sector, with an impact on data protection are monitored.
– Cooperative tasks: involving work in close collaboration with national data protection authorities (Article 29 Working Party)

3 The role of European Data Protection Supervisor
The European Data Protection Supervisor (EDPS) is the independent supervisory authority for the processing of personal data by the EU administration.
Privacy and data protection are fundamental rights – see Articles 7 and 8 of the Charter of Fundamental Rights.
Independent supervision is an integral part of the right to data protection – see Article 16(2) TFEU and 8(3) Charter.
What we do:
– monitoring and verifying compliance with Regulation (EC) 45/2001,
– giving advice to controllers,
– advising the co-legislators on new legislation,
– cooperating with Member States’ DPAs,
– handling complaints, conducting inspections,
– monitoring technological developments,
– promoting data protection aware design and development

4 Resources Handbook on European data protection law, Fundamental Rights Agency, 3rd ed., Brussels

5 Convention 108 – Council of Europe

6 Convention 108 – Council of Europe
The 128th Ministerial Session of the Council of Europe’s Committee of Ministers held in Elsinore, Denmark, adopted on 18 May 2018 the Protocol (CETS No. 223) amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) and endorsed its Explanatory Report. It was opened for signature on 10 October The official ceremony, with signature by 21 Parties to the Convention (including 17 EU Member States), took place with the participation of the Secretary General, Thorbjørn Jagland and the Chairperson of the Committee of Ministers, Marija Pejčinović Burić. The list of countries having signed is the following: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Ireland, Latvia, Lithuania, Luxembourg, Monaco, the Netherlands, Norway, Portugal, Russia, Spain, Sweden, the United Kingdom and by Uruguay. Complementary information can be found on the Council of Europe website:

7 Inter-institutional procedure within the EU to sign and ratify the Convention 108+
The Union cannot sign or ratify the Convention 108+, as under the current Convention 108 only States are Parties. Therefore, on 5 June 2018, the European Commission submitted to the Council of the EU two proposals authorising Member States:
– to sign the Convention 108+ in the interest of the Union,
– to ratify it in the interest of the Union.
On 26 June 2018, the Council of the EU adopted the Decision authorising the Member States to sign, in the interest of the Union, the Convention insofar as its provisions fall within the exclusive competence of the Union. The consent of the European Parliament is a precondition for the adoption of the Decision authorising the Member States to ratify the Convention. Consequently, on 11 October 2018, the Council of the EU decided to request the consent of the European Parliament on the draft Decision authorising the Member States to ratify, in the interest of the Union, the Convention 108+ insofar as its provisions fall within the exclusive competence of the Union. [Legal basis: Article 218(6)(a)(v) TFEU]

8 Data protection laws all over the world
D. Banisar, National Comprehensive Data Protection/Privacy Laws and Bills (as it stands for ),

9 Data Protection laws in the World
As of September 2018: 128 states
Based on presentation by G. Greenleaf: Overview: Global developments in data privacy laws, September 2018
Colours: Comprehensive; Public only; Private only; Mainly private; Lower level regulation

10 Data Protection laws in the World with lower level regulation (+ 30)
158 states
Based on presentation by G. Greenleaf: Overview: Global developments in data privacy laws, September 2018
Colours: Comprehensive; Public only; Private only; Mainly private; Lower level regulation

11 Data protection laws all over the world: assessing the strength of the regulations all over the world
Daria Spieler, Data Protection Laws Interactive Map, DataPrivacySite, The updated map (different from this one) is accessible at: Compare data protection laws around the world, DLA Piper,

12 Adequacy Convention 108+
Article 14 – Transborder flows of personal data
1. A Party shall not, for the sole purpose of the protection of personal data, prohibit or subject to special authorisation the transfer of such data to a recipient who is subject to the jurisdiction of another Party to the Convention. Such a Party may, however, do so if there is a real and serious risk that the transfer to another Party, or from that other Party to a non-Party, would lead to circumventing the provisions of the Convention. A Party may also do so, if bound by harmonised rules of protection shared by States belonging to a regional international organisation.
2. When the recipient is subject to the jurisdiction of a State or international organisation which is not Party to this Convention, the transfer of personal data may only take place where an appropriate level of protection based on the provisions of this Convention is secured.

13 Adequacy Convention 108+
Article 14 – Transborder flows of personal data
3. An appropriate level of protection can be secured by:
a. the law of that State or international organisation, including the applicable international treaties or agreements; or
b. ad hoc or approved standardised safeguards provided by legally-binding and enforceable instruments adopted and implemented by the persons involved in the transfer and further processing.
4. Notwithstanding the provisions of the previous paragraphs, each Party may provide that the transfer of personal data may take place if:
a. the data subject has given explicit, specific and free consent, after being informed of risks arising in the absence of appropriate safeguards; or
b. the specific interests of the data subject require it in the particular case; or
c. prevailing legitimate interests, in particular important public interests, are provided for by law and such transfer constitutes a necessary and proportionate measure in a democratic society; or
d. it constitutes a necessary and proportionate measure in a democratic society for freedom of expression.

14 Essentially equivalent – story of Maximilian Schrems
73) The word ‘adequate’ in Article 25(6) of Directive 95/46 admittedly signifies that a third country cannot be required to ensure a level of protection identical to that guaranteed in the EU legal order. However, as the Advocate General has observed in point 141 of his Opinion, the term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of Directive 95/46 read in the light of the Charter. If there were no such requirement, the objective referred to in the previous paragraph of the present judgment would be disregarded. Furthermore, the high level of protection guaranteed by Directive 95/46 read in the light of the Charter could easily be circumvented by transfers of personal data from the European Union to third countries for the purpose of being processed in those countries.
74) It is clear from the express wording of Article 25(6) of Directive 95/46 that it is the legal order of the third country covered by the Commission decision that must ensure an adequate level of protection. Even though the means to which that third country has recourse, in this connection, for the purpose of ensuring such a level of protection may differ from those employed within the European Union in order to ensure that the requirements stemming from Directive 95/46 read in the light of the Charter are complied with, those means must nevertheless prove, in practice, effective in order to ensure protection essentially equivalent to that guaranteed within the European Union.

15 Transfers in – GDPR (2016/679) Article 45
Transfers on the basis of an adequacy decision 1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. 2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements: (a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

16 Transfers in – GDPR (2016/679) Article 45
Transfers on the basis of an adequacy decision
1. A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:
(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;
(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and
(c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

17 Adequacy decisions
– Andorra /625/EU
– United States – "Privacy Shield"
– Argentina /490/EC
– Canada /2/EC
– Switzerland /518/EC
– Faroe Islands /146/EU
– Guernsey /821/EC
– Japan ???
– Israel /61/EU
– Isle of Man /411/EC
– Jersey /393/EC
– New Zealand /65/EU

18 Transfer subject to contractual clauses
Both CoE law and EU law recognise contractual clauses between the data-exporting controller and the recipient in the third country as being a possible means of safeguarding a sufficient level of data protection for the recipient. At the EU level, the European Commission with the assistance of the Article 29 Working Party developed standard data protection clauses which were officially certified by a Commission Decision as proof of adequate data protection. As Commission decisions are binding in their entirety in the Member States, the national authorities that supervise data transfers must acknowledge these standard contractual clauses in their procedures. Thus, if the data-exporting controller and the third-country recipient agree and sign these clauses, this ought to provide the supervisory authority with sufficient proof that adequate safeguards are in place. Yet in the Schrems case, the CJEU held that the European Commission does not have the competence to restrict the powers of the national supervisory authorities to oversee the transfer of personal data to a third country which has been the subject of a Commission adequacy decision. Thus, national supervisory authorities are not prevented from exercising their powers, including the power to suspend or ban a transfer of personal data when the transfer is carried out in violation of EU or national data protection law, such as, for instance, when the data importer does not respect the standard contractual clauses.

19 Transfer subject to contractual clauses
The existence of standard data protection clauses in the EU legal framework does not prevent controllers from formulating other ad hoc, individual contractual clauses, as long as these clauses have been approved by the supervisory authority. They would, however, have to ensure the same level of protection as provided by the standard data protection clauses. When approving ad-hoc clauses, supervisory authorities are required to apply the Consistency Mechanism, so as to ensure a consistent regulatory approach across the EU. This means that the competent supervisory authority has to communicate its draft decision on the clauses to the EDPB. The EDPB will issue an opinion on the matter, and the supervisory authority must take utmost account of this opinion in proceeding with its decision. If it does not intend to follow the EDPB opinion, the dispute resolution mechanism within the EDPB will be triggered and the Board will adopt a binding decision.
The most important features of a standard contractual clause are:
– a third-party beneficiary clause which enables data subjects to exercise contractual rights even though they are not a party to the contract;
– the data recipient or importer agreeing to be subject to the authority of the data-exporting controller’s national supervisory authority and/or courts in the case of a dispute.
There are now two sets of standard clauses available for controller-to-controller transfers, from which the data-exporting controller can choose. For controller-to-processor transfers, there is only one set of standard contractual clauses.

21 International Conference of Data Protection and Privacy Commissioners 2018
Brussels, October organised jointly by EDPS and Bulgarian DPA

22 Thank you for your attention!
@EU_EDPS

