Galexia

  Research

Workshop - Legal Challenges to the International Transfer of Data (January 2017)


[ Galexia Dots ]

Related Galexia services and solutions

Related Galexia projects

Related Galexia news and articles

Slide Presentation at CPDP2017 (The Age of Intelligent Machines) Computers, Privacy & Data Protection 10th International Conference, Brussels - 25 January 2017

Galexia Director Chris Connolly presented at CDPD2017 - The Age of the Intelligent Machine at the 10th International Computers, Privacy & Data Protection (CPDP) International Conference in Brussels on 25 January 2017. 

Read more »


[Download presentation slides (PDF) »]

UN advice on data protection and international data flows

  • UN report:
    • Data protection regulations and international data flows: Implications for trade and development (April 2016)
  • Data protection is directly related to trade
    • Too little protection can create negative market effects through affecting consumer confidence
    • Too much protection can overly restrict business activities and trade
  • Ensuring that laws consider the global nature and scope of their application, and foster compatibility with other frameworks, is critical

UN concerns on cross border data transfers / surveillance

  • Gaps in coverage
    • No laws, partial laws or laws that contain broad exemptions
  • Negative impact of data localization on trade and development
  • Balancing surveillance and data protection
    • Support for ‘Necessary and Proportionate’ test
    • Support for ‘Narrowly Tailored’ test
      • (in the US the term is ‘as tailored as feasible’)
    • Support for the provision of judicial redress for data subjects, regardless of nationality
    • Promotion of ‘transparency reports’ by business

Privacy Shield and SCCs: Three potential vulnerabilities to legal challenge

  • 1. Bulk Surveillance
    • Presidential Policy Directive 28 (PPD-28) 2014 allows bulk surveillance in six circumstances. Five are narrow in scope and tackle serious / significant risks. However, the sixth category is just the word: ‘cybersecurity’. There is no additional test (e.g. serious risk) and no details are provided about the scope of this term.
  • 2. Independence of dispute resolution
    • European and US approaches to the independence of dispute resolution providers are contrasting, with stricter rules applying in Europe.
  • 3. Fine print exclusions
    • History of businesses relying on fine print exclusions (Safe Harbor, APEC CBPRs) to limit scope of their certification and / or to limit dispute resolution. This practice has reduced in recent years, but is open to challenge in the Privacy Shield and SCCs.

Next steps

  • 1. United Nations
    • Promoting the development of consistent privacy laws, especially in developing nations
    • Discouraging data localization
    • Promoting a balanced approach to cross border data transfers and surveillance
  • 2. Privacy Shield
    • The annual review is an opportunity to strengthen some protections
      • (e.g. promoting independent dispute resolution and removing fine print exclusions)
    • Clarify some of the framework text
      • (e.g. the scope of the ‘cybersecurity’ bulk surveillance exception)
  • 3. SCCs
    • EC tasked with ensuring that the recent protections introduced in the Privacy Shield are extended to SCCs, and that a proper governance framework is established for SCCs (e.g. monitoring and regular reviews)

Further information


[Download presentation slides (PDF) »]

Galexia Director Chris Connolly presented at CDPD2017 - The Age of the Intelligent Machine at the 10th International Computers, Privacy & Data Protection (CPDP) International Conference in Brussels on 25 January 2017. 
Read more »



[ Galexia Dots ]