This article has been written by Krishnapal Verma pursuing a Diploma in International Data Protection and Privacy Laws from Skill Arbitrage.
This article has been edited and published by Shashwat Kaushik.
Introduction
Ever since the dawn of mankind, and through all the ages of its existence, human beings have been driven by a strong instinctive desire to acquire knowledge. It is this thirst for knowledge, and the curiosity to delve deeper into the labyrinth of understanding the ‘cause, effect and consequences’ of things around us, that can be considered one of the most dominant reasons, if not the sole reason, for our evolution. From the early Stone Age, when humans learned to make and control fire and used it for their survival and sustenance, through the civilisations of Mesopotamia and Babylon, which built structures of unparalleled grandeur, and the Indus Valley era, whose remarkable advances in construction, agriculture, technology and science still astound and rival the achievements of the present day, to the current 21st century of artificial intelligence (AI) and machine learning (ML), we have enhanced our existence and capabilities and continue to progress from ordinary human beings to superhuman beings. This innate habit of gathering facts, processing and interpreting the information derived from the analysis of those facts, and then applying the derived information to achieve our objectives and interests would not have been feasible without the presence of one all-pervading and most vital factor: data.
What is data
In the modern times of space travel and AI robotic engineering, for some, data is the most powerful asset, and for others, it is more lethal and disastrous than any weapon of mass destruction (WMD). Data is a potential tool for bettering human lives, surpassing scientific barriers, nurturing and encouraging holistic growth and improving emergency and health care, or it can be a coveted arsenal for world supremacy and dominance. Data is not, and never has been, either good or bad. Its character changes and adapts according to the hands that possess it. What is merely useful data for one person may be quite useless for another, or an invaluable accessory for wielding power and leverage for a third. The real value and role of data lie in its application. It is merely a tool in the hands of its possessor, to be utilised for achieving the purpose of the one who possesses it at that point in time. Whatever the arguments about the pros and cons of data, which are of course debatable, it is widely agreed that data is supreme and perhaps much more valuable than gold. Data in its generic sense means raw information of any kind, consisting of facts and/or figures that describe the state of the things to which it refers, or from which such a state can be gauged, implied or assessed in conjunction with other variables. For example, the statement ‘Air is composed mainly of nitrogen and oxygen’ is data. Further scientific analysis or processing can be done on this raw data, along with other components, to establish the proportion of each gas. Thus, what is called data may be standalone information or information that is collated and/or processed in conjunction with some other information.
It is also explained as a ‘collection of discrete or continuous values that convey information, describing the quantity, quality, fact, statistics, other basic units of meaning, or simply sequences of symbols that may be further interpreted formally’. From the above reading, it can be understood that data in itself is a very potent and vast source of power that needs to be efficiently tapped and regulated with proper legal framework and safeguards so as to ensure that the very panacea of societal advancement and transformation does not become a bane of distress and exploitation.
Need for data privacy
The relevance and need for a robust legal framework for data regulation become much greater, indeed indispensable, when such data is personal data and information about people, especially in the present era of globalisation and the dark web, where any form of personal data can be misused and exploited to the detriment of the privacy of the persons it directly and substantially affects. We are living in a digital age in which the volume of personal data collected and processed digitally and online is unfathomable. The commercial and trade activities of companies collecting and processing personal data for their commercial purposes have outgrown the limits of geographic jurisdictions and operate worldwide across borders. Every second, huge volumes of big data are collected and processed by various companies in pursuit of their economic activities, and such data is also exchanged and transferred internationally across borders as part of their economic enterprise. With such voluminous international exchange and transfer of personal data, it becomes imperative that such transactions be regulated and supervised through resilient legal safeguards so that the privacy and fundamental rights of the people are not violated. Data privacy and protection laws provide the much-needed solution and the ground framework for regulating and monitoring the realm of personal data transfers.
In this article, we shall analyse the existing legal framework of international data transfer from the perspective of EU-GDPR specifically.
Brief background of GDPR
The General Data Protection Regulation (Regulation (EU) 2016/679, ‘GDPR’) was adopted by the European Parliament and the Council in 2016 and has applied since 25 May 2018 in all member states of the European Union (EU); it was also incorporated into the EEA Agreement and therefore applies in the member states of the European Economic Area (EEA) as well. Its objective is to protect the fundamental rights of natural persons in relation to the processing of their personal data and, at the same time, to ensure the free movement of personal data within the Union. Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union (TFEU) expressly recognise and protect the right of natural persons to the protection of their personal data. These two instruments treat the protection of personal data as a fundamental right and thus guarantee protection from unauthorised, illegal or arbitrary processing of personal data. However, as Recital 4 of the GDPR itself states, the right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and balanced against other fundamental rights in accordance with the principle of proportionality. The GDPR maintains that the processing of personal data should be designed to serve mankind, i.e., processing that is otherwise essential for achieving the socio-economic objectives and progress of society in general should not be unnecessarily restricted or stifled, since that would destabilise the very functioning of trade and commerce, and society would suffer as a result.
While the GDPR steadfastly upholds and protects the fundamental rights of natural persons with respect to their personal data and its processing, it equitably balances those rights, on the principle of proportionality, against other societal and economic freedoms such as internal and international commerce, business and market requirements, which are also indispensable for the all-round wellbeing and progress of natural persons. Thus the GDPR is dedicated legislation that secures a consistent and high level of protection for natural persons in relation to their personal data; provides ample safeguards and remedies against the illegal, unauthorised or otherwise improper use of their personal data; prescribes the rules and conditions under which economic and business undertakings may process personal data; removes unnecessary obstacles to the free flow, transfer and processing of such personal data; lays down the obligations and duties of those who process such data; establishes stringent rules for effective monitoring and compliance by all stakeholders; and imposes administrative fines and other penalties on controllers and processors that infringe these rules (Articles 83 and 84).
Concept of Personal Data as per GDPR
Article 4(1) of the GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person (the ‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. Recital 30 adds that online identifiers such as IP addresses, cookie identifiers and radio frequency identification (RFID) tags may, in combination with other information, identify a person; biometric data such as fingerprints and facial images, and genetic data, are likewise personal data. Under Articles 2 and 3, the GDPR applies to the processing of such personal data wholly or partly by automated means, and to manual processing that forms or is intended to form part of a filing system, whether the controller or processor is a company, a public authority, a non-profit organisation or any other agency or undertaking, provided that the controller or processor is established in the Union or, if established outside it, offers goods or services to, or monitors the behaviour of, data subjects in the Union. Processing by competent authorities for the prevention, investigation, detection or prosecution of criminal offences is governed by the separate Law Enforcement Directive (Directive (EU) 2016/680) rather than the GDPR, and activities that fall outside the scope of Union law, such as national security and defence, are outside the GDPR altogether (Article 2(2)).
However, if the processing of personal data is done by a natural person in the course of a purely personal or household activity, with no connection to any professional or commercial activity, then such processing is not covered by the GDPR (Article 2(2)(c)). Recital 18 gives personal correspondence, the holding of addresses, and social networking and online activity undertaken in that context as examples, while making clear that controllers or processors who provide the means for such processing (for example, the social network itself) remain subject to the GDPR. A simple analysis of this exemption shows that it applies when:
- The processing is done by the natural person in a private capacity.
- It is done in the context and environment of social interaction or non-business interpersonal relationships.
- The processing is not done for any economic or business purpose.
However, prudently speaking, even this kind of processing by a natural person is susceptible to breach or misuse by a third party, for example when the data is posted on the internet, and can therefore pose serious privacy risks. The Court of Justice of the European Union held as early as Lindqvist (C-101/01, 2003) that publishing personal data on a web page accessible to an indefinite number of people is not a purely personal or household activity, but the boundary of the exemption in other online contexts remains a debatable issue and would benefit from further clarification by the EU legislator or guidance from the European Data Protection Board.
Data privacy under GDPR
The GDPR embodies two related concepts: data protection and data privacy. Data protection relates to the compliance aspect of data and the safeguards that businesses must implement to protect the personal data of data subjects from unauthorised access, so that their fundamental rights and freedoms are not endangered and data leaks in their systems do not expose data subjects to serious socio-economic loss, material or non-material damage, or physical vulnerability to third-party attacks. Data privacy, on the other hand, empowers data subjects with control over their data: the right to decide who may use it and for what purposes. The ever-growing international economy, out-of-scale technological advancement, rapid globalisation and increasing social and economic integration of the world market have led to an unprecedented increase in cross-border transfer and sharing of personal data. Both private and public bodies transfer and process personal data at an insatiable rate to maximise their commerce and businesses or to perform their international obligations and cooperation. More and more natural persons freely make large amounts of personal data available publicly and globally. Much of this public data sits in the open online domain and in cloud storage. Transfer and exchange of such data has become a necessity for the expansion of world trade and international relations. Such rampant outflows of personal data have not only increased the risks to personal data privacy but have also multiplied the challenges of protecting it, for the data subject and the controller alike.
Such cross-border flows of big data also raise concerns about the safety of the data and the risk of its unauthorised use if they are not regulated by a strong and internationally recognised legal framework that ensures adequate protection and safeguards for the privacy of personal data without undermining the financial and commercial necessity of its international use.
International data transfers under GDPR
The GDPR lays down an elaborate and efficient set of rules for such cross-border and international transfers of personal data. Two kinds of cross-border transfer must be distinguished. The first is a transfer from one member state to another, i.e., within the EU/EEA; Article 1(3) provides that the free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with data protection, so the Regulation simply applies in its entirety. The second is a transfer from the EU to a third country or an international organisation; it is this kind of transfer that Chapter V (Articles 44 to 50) specially regulates. Such transfers are often referred to as ‘restricted transfers’ (a term popularised by the UK Information Commissioner’s Office rather than used in the GDPR itself) and are permitted only subject to the compliances set out below (Recital 101).
Broadly summarised, there are four main criteria or situational conditions under which personal data can be transferred from the EU to a non-EU third country. They are:
- Transfers based on an adequacy decision (Article 45; Recitals 103 to 107)
- Transfers subject to appropriate safeguards (Article 46; Recitals 108 and 109)
- Transfers made under binding corporate rules, which are one form of appropriate safeguard under Article 46(2)(b) and are detailed in Article 47 (Recital 110)
- Transfers allowed under the derogations for specific situations, where none of the above mechanisms is available (Article 49; Recitals 111 to 115)
Article 44
This is the general principle for transfers. It mandates that any transfer of personal data that is undergoing processing, or is intended for processing after transfer, to a third country or an international organisation may take place only if the controller and processor comply with the conditions laid down in Chapter V, and that this is subject to the other provisions of the Regulation as well. Article 44 expressly extends the same requirement to onward transfers, i.e., transfers of the personal data from that third country or international organisation to another third country or international organisation, so that the level of protection guaranteed by the GDPR is not undermined. It can thus be seen that, whether a transfer takes place within the Union or to a non-Union country, compliance with the GDPR, or with its specific provisions on transfers, is a sine qua non. For transfers to third countries, the added safeguards and precautionary measures described in the following paragraphs have to be undertaken to ensure the privacy and protection of personal data.
Article 45
Under this provision, a transfer of personal data to a third country or an international organisation may take place where the European Commission (EC) has assessed and decided that the third country, a territory or one or more specified sectors within it, or the international organisation, ensures an ‘adequate level of protection’. A transfer covered by such an adequacy decision does not require any specific authorisation (Article 45(1)). The EC makes this assessment after considering, in particular, the following elements with respect to the third country (Article 45(2)):
- The rule of law; respect for human rights and fundamental freedoms; the legislation of that country governing public security, defence, national security and criminal law, and the relevant case law; the access of public authorities to personal data; the implementation of data protection rules, professional rules and security measures, including rules for onward transfers to other third countries; the existence of effective and enforceable data subject rights; and effective administrative and judicial redress for data subjects whose personal data is being transferred.
- The existence and effective functioning of one or more independent supervisory authorities with responsibility for ensuring and enforcing compliance with the data protection rules, for assisting and advising data subjects in exercising their rights, and for cooperating with the supervisory authorities of the member states.
- The international commitments the third country or international organisation has entered into, or other obligations arising from legally binding conventions or instruments and from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.
Thus, if satisfied after assessing these varied factors, the EC may adopt an adequacy decision in respect of that third country. The decision must provide for a periodic review, at least every four years, taking account of all relevant developments in the third country (Article 45(3)), and the EC must monitor developments there on an ongoing basis (Article 45(4)). If it finds that the third country no longer ensures an adequate level of protection, the EC may repeal, amend or suspend its decision (Article 45(5)). An adequacy decision can also be invalidated by the Court of Justice of the European Union: in Schrems I (C-362/14, 2015) the Court struck down the Safe Harbour decision for the United States, and in Schrems II (C-311/18, 2020) it struck down its successor, the Privacy Shield decision, on the ground that US surveillance law and the lack of effective redress for EU data subjects did not meet the standard of essential equivalence. A new adequacy decision for the United States, the EU-US Data Privacy Framework, was adopted by the EC in July 2023.
Article 46
Through this provision, the GDPR allows the transfer of personal data to a third country or international organisation in the absence of an adequacy decision only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
The safeguards referred to above are listed below.
- A legally binding and enforceable instrument between public authorities or bodies, ensuring data subject rights and data protection provisions (Article 46(2)(a)).
- Binding corporate rules approved in accordance with Article 47 of the GDPR, adhering to and complying with all the necessary safeguards (Article 46(2)(b)).
- Standard data protection clauses (SCCs) adopted by the Commission, or adopted by a supervisory authority and then approved by the Commission (Article 46(2)(c) and (d)).
- An approved code of conduct under Article 40, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subject rights (Article 46(2)(e)).
- An approved certification mechanism under Article 42, together with the same binding and enforceable commitments of the third-country controller or processor (Article 46(2)(f)).
- Subject to authorisation by the competent supervisory authority: bespoke contractual clauses between the controller or processor and the controller, processor or recipient in the third country or international organisation, or provisions inserted into administrative arrangements between public authorities or bodies that include enforceable and effective data subject rights (Article 46(3)).
Article 47
This article lays down comprehensive measures and standards under which a group of undertakings, or a group of enterprises engaged in a joint economic activity, may formulate and enforce legally binding corporate rules (BCRs). BCRs set out the road map by which that group ensures the protection of personal data and the privacy of data subjects when processing their data, and guarantee data subjects enforceable rights and redress. Such BCRs must be legally binding and apply to, and be enforced by, every member of the group concerned, including its employees (Article 47(1)(a)). They must first be approved by the competent supervisory authority in accordance with the consistency mechanism of Article 63. Under Article 47(2), BCRs must specify, among other matters, the structure and contact details of the group and its members; the data transfers concerned, including the categories of personal data, the type of processing and its purposes, the data subjects affected and the third countries in question; the application of the general data protection principles; the rights of data subjects and the means to exercise them; the acceptance of liability by the controller or processor established in the Union for breaches by a group member outside the Union; the complaint procedures; the mechanisms for verifying compliance; the procedure for reporting legal requirements in a third country that are likely to affect the guarantees given; and the training of personnel with access to personal data.
A deeper reading of this provision shows that BCRs are a mechanism through which the EU, while committed to protecting and upholding the fundamental right to privacy of its people, is also committed to sustained economic and trade development in the international sphere. The BCR mechanism is thus a way to balance the EU’s objectives: to protect personal data rights and, at the same time, not to stifle the economic market with unreasonable laws.
Article 48
The GDPR also explicitly lays down that any judgment of a court or tribunal, or any decision of an administrative authority, of a third country that requires a controller or processor to transfer or disclose personal data may be recognised or enforceable in any manner only if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a member state. This is without prejudice to the other grounds for transfer provided in Chapter V, so a disclosure that cannot rely on such an agreement may still be lawful if it can be based on, for example, a derogation under Article 49.
Article 49
Of all the provisions of this chapter on the international transfer of personal data, Article 49 is the widest in scope and arguably the most enabling for fostering cross-border data transfer. It sets out derogations or exemptions that a controller or processor may rely on when it wants to make a restricted transfer to a third country and neither an adequacy decision under Article 45 nor appropriate safeguards under Article 46 are available. It is not necessary to satisfy all of these derogations; it is sufficient that any one of them applies to the transfer in question. The European Data Protection Board has stressed in its Guidelines 2/2018 that, being exceptions to the general rule, these derogations must be interpreted restrictively and are not a substitute for the mechanisms in Articles 45 and 46. A proper reading of the article also shows that the controller need not be established in the EU: a controller in a third country to which the GDPR applies under Article 3(2) may likewise rely on these derogations.
These exemptions/derogations are:-
- The data subject has explicitly consented to the proposed transfer after being informed of the possible risks to their privacy arising from the absence of an adequacy decision and appropriate safeguards in the third country.
- The restricted transfer is necessary for performance of any contractual obligation between the data subject and the controller or is necessitated because of any pre-contractual measure that needs to be taken and the data subject has requested it.
- The transfer is necessary for the conclusion or performance of any contract made between the controller and a third natural or legal person, not being the data subject, but which benefits or is in the interests of the data subject.
- The transfer is necessary for important reasons of public interest. Such a public interest must be recognised in Union law or in the law of the member state to which the controller is subject (Article 49(4)). It can therefore be seen that where clause (d) is relied on, the controller must be subject to EU or member state law and cannot rely on a third country’s conception of public interest, whereas under clauses (a) to (c) the controller may be established in either the EU or a third country.
- The transfer is necessary for the establishment, exercise or defence of legal claims.
- The transfer is necessary to protect the vital interests of the data subject or some other person, but only if the data subject is physically or legally incapable of giving consent to such a transfer.
- The transfer is made from a register which, under Union or member state law, is intended to provide information to the public and is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by law for consultation are fulfilled in the particular case. Such a transfer must not involve the entirety of the personal data, or entire categories of personal data, contained in the register (Article 49(2)).
- Further, where such a register is intended for consultation by persons having a legitimate interest, the transfer may be made only at the request of those persons or if they are to be the recipients of the data.
The second subparagraph of Article 49(1) adds a residual derogation for the case where none of clauses (a) to (g) applies: a transfer may then take place only if it is not repetitive; it concerns only a limited number of data subjects; it is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests, rights and freedoms of the data subject; and the controller has assessed all the circumstances surrounding the transfer and, on that basis, provided suitable safeguards for the protection of the personal data. In that case the controller must also inform the supervisory authority of the transfer and inform the data subject of the transfer and of the compelling legitimate interests pursued, in addition to the information required by Articles 13 and 14. Article 49(3) specifies that clauses (a) to (c) and this residual derogation do not apply to activities carried out by public authorities in the exercise of their public powers, such as law enforcement, taxation, national defence and public health, which are sovereign activities of the state.
Art.50
This article requires the Commission and the supervisory authorities to develop international cooperation mechanisms with third countries and international organisations for the effective enforcement of data protection legislation, including international mutual assistance (such as notification, complaint referral and investigative assistance), the engagement of relevant stakeholders in discussion, and the exchange and documentation of data protection legislation and practice, including on jurisdictional conflicts with third countries.
Conclusion
The legal framework for data protection and privacy provided by the EU GDPR is highly robust and offers exhaustive safeguards and protective measures, including effective supervision, compliance and complaint redress mechanisms for data subjects. At the same time, the EU is conscious of the need for international economic development and growth, and of the necessity to encourage international trade, commerce and business rather than stifle or obstruct economic progress with unconscionable laws and regulations. Through the GDPR, the EU has created a legal framework that acts as a bridge: on one side it addresses the rising threat of personal data breaches and the vulnerability of natural persons around the world to misuse of their personal data, by ensuring adequate protection of their rights and freedoms; on the other, it regulates the free flow and transfer of such personal data, which is a necessity for trade and business. Thus the GDPR grants legitimacy to the use of personal data by economic undertakings in pursuit of their business interests, and provides a comprehensive framework of compliances, guidelines and checklists for doing so. Its framework for cross-border or international transfer and exchange of personal data creates the balance that is required. Like any other law, the GDPR has to be constantly reviewed and amended from time to time so as to adapt to evolving situations and circumstances; the Commission is required to evaluate and review it periodically (Article 97), with input from the European Data Protection Board (EDPB), the supervisory authorities, NGOs, academics and the business community, so that it becomes ever more resilient in its objective of protecting the personal data and privacy of natural persons around the world while encouraging the ethical and lawful free flow of data.
