white_paper_on_data_protection_in_india_171127_final_v2
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
To facilitate the cross-border transfers of <strong>data</strong>, the EU has created three mechanisms. These<br />
<strong>in</strong>clude the ‗adequacy test‘ as set out under Article 45 of the EU GDPR, 322 Model C<strong>on</strong>tractual<br />
Clauses 323 and B<strong>in</strong>d<strong>in</strong>g Corporate Rules (BCR). 324 Additi<strong>on</strong>ally, cross-border transfers of <strong>data</strong><br />
between the EU and the US is d<strong>on</strong>e by way of the Privacy Shield Framework. Each of these<br />
will be discussed <strong>in</strong> greater detail below.<br />
In the follow<strong>in</strong>g secti<strong>on</strong> we provide an analysis of the various sets of <strong>data</strong> protecti<strong>on</strong> and<br />
transfer laws that are applicable across the globe.<br />
(i)<br />
Adequacy Test<br />
Article 45 of the EU GDPR 325 provides for an adequacy test for transfer of pers<strong>on</strong>al <strong>data</strong> to a<br />
third country. This test stipulates that pers<strong>on</strong>al <strong>data</strong> of EU subjects to n<strong>on</strong>-European<br />
Ec<strong>on</strong>omic Area or EEA countries is not permitted unless those countries are deemed to have<br />
an ―adequate‖ level of <strong>data</strong> protecti<strong>on</strong>. While mak<strong>in</strong>g this decisi<strong>on</strong>, the European<br />
Commissi<strong>on</strong> will exam<strong>in</strong>e whether the country to which <strong>data</strong> is <strong>in</strong>tended to be transferred has<br />
<strong>data</strong> protecti<strong>on</strong> rules <strong>in</strong> place; whether they have effective and enforceable <strong>data</strong> protecti<strong>on</strong><br />
rights and their effective adm<strong>in</strong>istrati<strong>on</strong>; whether <strong>in</strong>dependent <strong>data</strong> protecti<strong>on</strong> supervisory<br />
authorities exist, who are vested with the power to ensure compliance; and f<strong>in</strong>ally, whether<br />
the country <strong>in</strong> questi<strong>on</strong> has entered <strong>in</strong>to any <strong>in</strong>ternati<strong>on</strong>al commitments with regard to <strong>data</strong><br />
protecti<strong>on</strong>. Moreover, a periodic review of the adequacy standard must take place every four<br />
years. 326<br />
Under this provisi<strong>on</strong>, when assess<strong>in</strong>g ―the adequacy of the level of protecti<strong>on</strong>‖, the European<br />
Commissi<strong>on</strong> will take account of ―rules for the <strong>on</strong>ward transfer of pers<strong>on</strong>al <strong>data</strong> to another<br />
third country or <strong>in</strong>ternati<strong>on</strong>al organizati<strong>on</strong>.‖ 327 Further, this article allows transfers of pers<strong>on</strong>al<br />
<strong>data</strong> to third countries which do not have adequate <strong>data</strong> protecti<strong>on</strong> without the appropriate<br />
safeguards for the transfers as listed <strong>in</strong> Article 49, 328 if such transfer is necessary for<br />
important reas<strong>on</strong>s of public <strong>in</strong>terest.<br />
Article 46 of the EU GDPR provides that if the European Commissi<strong>on</strong> has not made a<br />
decisi<strong>on</strong> with regard to the adequacy level of another country, a c<strong>on</strong>troller may transfer<br />
pers<strong>on</strong>al <strong>data</strong> <strong>on</strong>ly if appropriate safeguards are provided, and <strong>on</strong> c<strong>on</strong>diti<strong>on</strong> that enforceable<br />
<strong>data</strong> subject rights and effective legal remedies for <strong>data</strong> subjects are available. 329 Appropriate<br />
safeguards can <strong>in</strong>clude (a) a legally b<strong>in</strong>d<strong>in</strong>g and enforceable <strong>in</strong>strument between public<br />
authorities or bodies; (b) b<strong>in</strong>d<strong>in</strong>g corporate rules <strong>in</strong> accordance with Article 47; (c) standard<br />
322 Article 45, EU GDPR.<br />
323 European Commissi<strong>on</strong>, ‗Model C<strong>on</strong>tracts for the Transfer of Pers<strong>on</strong>al Data to Third Countries‘, available at:<br />
http://ec.europa.eu/justice/<strong>data</strong>-protecti<strong>on</strong>/<strong>in</strong>ternati<strong>on</strong>al-transfers/transfer/<strong>in</strong>dex_en.htm (last accessed 30<br />
October 2017).<br />
324 European Commissi<strong>on</strong>, ‗Overview <strong>on</strong> B<strong>in</strong>d<strong>in</strong>g Corporate Rules‘, available at: http://ec.europa.eu/justice/<strong>data</strong>protecti<strong>on</strong>/<strong>in</strong>ternati<strong>on</strong>al-transfers/b<strong>in</strong>d<strong>in</strong>g-corporate-rules/<strong>in</strong>dex_en.htm<br />
(last accessed 30 October 2017).<br />
325 Article 45, EU GDPR.<br />
326 Article 45(3), EU GDPR.<br />
327 Article 45(2)(a), EU GDPR.<br />
328 Article 49, EU GDPR.<br />
329 Article 46, EU GDPR.<br />
63