Chapter 5 – Transfers of Personal Data to Third Countries or International Organisations
So this will be a totally short blog this week. Articles 44 through 50 really delve into the ins and outs of moving data across country lines. Now I’m guilty of looking at regulations and only thinking of my situation or maybe the handful of situations I know, but this really seems like it was written by someone who has misunderstood data. Everything reads as if data were a physical thing. In a world where I can spin a server up on any of six continents within a minute and load balance across the world, this is extremely pedantic.
Taking a breath and another look, the closest I can get to what they might be after is a situation where governing bodies have the right to seize data, much like countries were famous for doing about 5 to 10 years ago. Remember Kim Dotcom, Megaupload and the American authorities?
Article 44 – General Principle for Transfers
1 paragraph. You need to be careful when sending data outside of your home country. You also need to follow the rules.
Article 45 – Transfers on the Basis of an Adequacy Decision
9 paragraphs. Ok now. I’m willing to go out on a limb here. The basics of this say that the ‘Commission’ is able to say if another country is cool to transfer data to without worrying about doing anything extra in terms of security. My first reaction was who is this mysterious Commission? I don’t remember them.
Now I’ve been through the document, and it’s a long document, but I can’t find a definition of who or what the Commission is. Perhaps this is a standard contractual thing that I don’t know about? Reading through the various articles and recitals that define this regulation, this appears to be a body at European level that perhaps is made up of supervisory body members like the ICO.
I figured perhaps they mean the European Commission, but there is no connection between the GDPR commission and the European Commission. If this was code this would be an undefined global variable. And the rest of us coders would scoff at the dork who used it. I say that in full knowledge that the first comment I get back will be like “Psst, you’ve overlooked this very simple thing here.”
Article 46 – Transfers Subject to Appropriate Safeguards
5 paragraphs. If no Commission decision exists then you can transfer away as long as you put in place appropriate safeguards. Which is then followed by a list of 6 ‘appropriate’ safeguards which vaguely translate to document what’s going on and have a way to sue the pants off of someone else if it all goes apple shaped.
Article 47 – Binding Corporate Rules
3 paragraphs. One of those ‘appropriate’ measures mentioned in article 46 is Binding Corporate Rules which are so cool they get their own article.
Essentially a company that exists in a country outside the EU can itself set these rules so that it can accept and process data from within the EU. The first prosecution on this one is going to be interesting to watch. My prediction is they will hang the EU body out to dry while the non-EU company who said they have rules in place (but didn’t actually bother – think most American companies) will be aww shucks and move right along.
Article 48 – Transfers or Disclosures Not Authorised by Union Law
1 paragraph. This is neat. It simply states that if an authority from outside the EU tells you to give them personal data it has to comply with international law. Why that needs to be said, I don’t know.
Article 49 – Derogations for Specific Situations
6 paragraphs. I like the word derogations. Other than that, if no rules are in place then you need to get the user’s permission.
Article 50 – International Cooperation for the Protection of Personal Data
1 paragraph. Yeah. This sounds very ‘Hands Across the World’, but with most major governments collecting everything for ‘security’ and major tech corporations already collecting most everything to serve us better adverts, I’m not feeling like this is going to go far enough. In a nutshell, countries should help each other get along.
I’m not sure of the effectiveness of this week’s chapter. It still reads like they think data is a thing that can be locked up, not a digital object that can exist in 8 million different places at the same time. The nature of data is such that I think they started with the right idea of pursuing the action of processing data, and then perhaps tripped when they said that absolutely everything is processing data.
Till next week folks.