The position of Art.261 in the Directive - PowerPoint PPT Presentation

1 / 17

About This Presentation

Title:

The position of Art.261 in the Directive

Description:

Number of Views:47

Avg rating:3.0/5.0

Slides: 18

Provided by: tj681

Category:

Tags: art | directive | nationale | position

Transcript and Presenter's Notes

Title: The position of Art.261 in the Directive

1
Article 26(1) derogations under Directive 95/46/
EC

Workshop on international data transfers
Brussels 24 October 2006
2
Background provisions of Dir.95/46 relating to
international transfers

2
3
Use of Art.26(1) derogations in practice

Tempting for data controllers no contract, no
BCRs, no Safe Harbor, no authorization or prior
opinions from DPAs cheap and easy
Tempting for DPAs too no procedure, no
assessment cheap and easy for us too!
But derogations tend to be too widely applied in
practice

3
4
But EC report on the implementation of Directive
95/46 (2003)

Significant divergences observed in
implementation of Articles 25 and 26 of the
Directive in the MS
Risk that this could ultimately lead to forum
shopping among the Member States, depending how
loosely these provisions are interpreted

4
5
Quote from EC report

5
6
Guidance of the Art.29 WP document WP114

Working document on a common interpretation of
Art. 26(1) of Directive 95/46/EC of 24 October
1995
Reasons for issuing the working document
Need to follow up on ECs conclusions
Experience from DPAs showed that derogations
often misapplied
But also need to ensure consistency with the work
done on other legal bases for international
transfers (adequacy findings, Safe Harbor,
contracts, BCRs)

6
7
General philosophy of working document

Two-fold acknowledgement
The expansion of international trade requires
flexibility of international data transfers,
including transfers of personal data, in certain
occasions
But Article 26(1) was designed to deal with a
limited number of situations
Where risks to the data subject are relatively
small, or
Where other interests (public interests or those
of the data subject himself) override the data
subjects right to privacy

7
8
1. The position of Art.26(1) in the system of the
Directive

Art.26(1) derogations must be interpreted
strictly
Cf. principle inherent in European law that
exception clauses must be interpreted
restrictively so that the exception does not
become the rule (additional Protocol to
Convention 108)
Cf. ECJ case law
In any case, all the other rules of DP Directive
must be applied (ex sensitive data fair and
lawful use compatible use, etc.)

8
9
2. Art.29WP recommendations on using Art.26(1)
derogations

Data controllers should favor Safe Harbor or
Art.26(2) tools over Art.26(1) derogations (best
practice approach)
Art.26(1) derogations should be applied when it
would be genuinely inappropriate, maybe even
impossible for the transfer to take place on the
basis of Art.26(2)
Transfers which might be qualified as repeated,
mass or structural should be carried out within a
specific legal framework (SH, SCCs, BCRs)

9
10
3. Interpretation of consent recommendations
(Art.26(1)(a))

Consent must be a clear and unambiguous
indication of wishes
Ex if consent requested online, using
pre-ticked boxes fails to fulfil the condition
that consent must be a clear and unambiguous
indication of wishes

10
11
Consent (contd)

Consent must be given freely
Specific difficulties might occur to qualify a
data subjects consent as freely given in an
employment context, due to the relationship of
subordination between employer and employee
Consent is unlikely to provide an adequate
long-term framework for data controllers in cases
of repeated or even structural transfers for the
processing in question

11
12
Consent (contd)

Consent must be specific
Consent must be specifically given for the
particular transfer or a particular category of
transfers in question
Consent must be informed
Data subject must be properly informed in
advance of the specific circumstances of the
transfer (its purpose, the identity and details
of the recipient(s), etc.) in accordance with the
general fairness principle

12
13
4. Transfer necessary to the realization of
certain conditions (Art.26(1) (b) to (e))

Transfer necessary for performance of a contract
between the data subject and the controller or
for the implementation of precontractual measures
taken in response to the data subjects request
Transfer necessary for the conclusion or
performance of a contract concluded in the
interest of the data subject between the
controller and a third party
Transfer necessary or legally required on
important public interest grounds, or for the
establishment, exercise or defence of legal
claims
Transfer necessary in order to protect the vital
interests of the data subject

13
14
Application of a new necessity test

This necessity test requires a close and
substantial connection between
The data subject and the purposes of the contract
(Art.26(1)(b))
The data subjects interest and the purposes of
the contract (Art.26(1)(c))
The transfer and the establishment, exercise or
defence of a legal claim (Art.26(1)(d))
The transfer and the protection of the vital
interests of the data subject (Art.06(1)(e))

14
15

15
16
Conclusions

Need to interpret Art.26(1) derogations strictly
it is possible to rely on them, but in limited
cases
Art.29WP careful to maintain consistency between
the different legal grounds for international
data transfers and not to undermine the principle
of adequate protection
This document must be read in conjunction with
other Art.29WP documents (BCRs, Safe Harbor,
etc.)
What next? promote Art.26(2) tools, promote
Safe Harbor, together with companies concerned

16
17
Commission nationale de linformatique et des
libertés