Article 50 GDPR: Difference between revisions

From GDPRhub
 
(9 intermediate revisions by 4 users not shown)
Line 185: Line 185:


==Legal Text==
==Legal Text==
<br /><center>'''Article 50 - International cooperation for the protection of personal data'''</center><br />
<br /><center>'''Article 50 - International cooperation for the protection of personal data'''</center>


In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:
In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:
Line 198: Line 198:


==Relevant Recitals==
==Relevant Recitals==
<span id="r102">
{{Recital/102 GDPR}}
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 102''' </div>
{{Recital/116 GDPR}}
<div class="mw-collapsible-content">
This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.
</div></div>
<span id="r116">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 116''' </div>
<div class="mw-collapsible-content">
When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts. For the purposes of developing international cooperation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with competent authorities in third countries, based on reciprocity and in accordance with this Regulation.
</div></div>


==Commentary==
==Commentary==
Article 50 GDPR aims to promote cooperation between the European Commission (Commission) and data protection authorities (DPAs), either from the EU or third countries, for both law enforcement purposes as well as for the exchange of knowledge between them. This way, Article 50 GDPR expands the exhortation under [[Article 57 GDPR|Article 57(1)(g) GDPR]] that calls for cooperation between EU DPAs, across borders.


====Overview====
==== General Aspects ====
Article 50 aims to promote cooperation between the Commission and data protection authorities from the European Union and worldwide data protection authorities from third countries, both for law enforcement purposes as well as for the exchange of knowledge. This way, Article 50 expands cross borders the exhortation from Article 57(1)(g), that calls for cooperation between EU data protection supervisors.
This provision has a precedence for the practical application of the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy OECD Recommendation),<ref>OECD, ‘Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy’, 2007 (available [https://www.oecd.org/digital/ieconomy/38770483.pdf here]).</ref> promoted by the Canadian DPA, that was followed by the subsequent creation of the Global Privacy Enforcement Network (a network of worldwide data protection regulators that cooperate across borders to enforce data protection and privacy laws). This OECD Recommendation establishes a series of objectives that are similar to the ones laid out by Article 50 GDPR. Article 50 GDPR is divided in two different parts: letters (a) and (b) aim for cooperation with other authorities in law enforcement and necessary related activities, while letters (c) and (d) are meant for the exchange of knowledge, information, and general cooperation. As ''Kuner'' remarks, Article 50 GDPR will be of special importance in light of Brexit, as undoubtedly new mechanisms for cooperation between the British DPA and UE DPAs will be needed.<ref>''Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 50 GDPR, p. 861 (Oxford University Press 2020).</ref> This has already proven necessary in cases such as the one framed in a proceeding from the Spanish DPA regarding a controller established in the UK. The Spanish DPA was unable to settle a case after the British DPA, following Brexit, left the Internal Market Information System aimed to be used by EU authorities for cooperation.<ref>AEPD, E/03276/2021, 9 April 2021 (available [https://www.aepd.es/es/documento/e-03276-2021.pdf here] and [[AEPD - E/03276/2021|here]]). </ref>


This Article has a precedence set for practical application in the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy,<ref>OECD, Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, 2007. Available at: <nowiki>https://www.oecd.org/digital/ieconomy/38770483.pdf</nowiki></ref> promoted by the Canadian data protection authority, and that was followed by the creation of the Global Privacy Enforcement Network, a network of worldwide data protection regulators that cooperate across borders to enforce data protection and privacy laws. This Recommendation establishes a series of objectives that are similar to the ones laid by Article 50.
====Law Enforcement====
Article 50(a) and (b) GDPR seek to bolster cooperation to facilitate data protection and privacy law enforcement. This is done via the creation of international cooperation mechanisms, and through the provision of assistance in the enforcement of such legislation, which includes notification, complaint referral, investigative assistance and information exchange. This shall be done with special attention to human rights, and therefore adequate measures to protect them must be implemented.<ref>''Zerdick'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 50 GDPR, margin number 7 (C.H, Beck 2018, 2nd Edition).</ref> Some of these mechanisms are further developed and used in practice by the Global Privacy Enforcement Network following the OECD Recommendation, and Articles 13 to 17 from Convention 108<ref>Council of Europe, ‘Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data’, 28 January 1981 (available [https://www.coe.int/en/web/conventions/full-list?module=treaty-detail&treatynum=108 here]).</ref> and its 181 Protocol regarding supervisory authorities and transborder data flows.<ref>Council of Europe, ‘Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows’, 8 November 2001 (available [https://rm.coe.int/1680080626 here]).</ref>


In such a sense, Article 50 is divided in two different parts: letters a) and b) aim for cooperation with other authorities in law enforcement and related necessary activities, while letters c) and d) are meant for the exchange of knowledge, information and general cooperation.
====Cooperation and Exchange of Knowledge====
Obligations deriving from Article 50(c) and (d) GDPR, encourage discussion and related activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data, and encourage the exchange and documentation of personal data protection legislation and practice, including jurisdictional conflicts with third countries.


As Kuner remarks, this Article will be of special importance in light of Brexit, as undoubtedly new mechanisms for cooperation between the British data protection authority and UE data protection authorities will be necessary.<ref>''Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 50 GDPR, p. 861 (Oxford University Press, Oxford, 2020)</ref> This has already proven necessary in cases such as the one framed in a proceeding from the Spanish DPA regarding a controller established in the UK. The DPA was unable to settle a case after the British DPA, following Brexit, left the Internal Market Information System, aimed to be used by EU authorities for cooperation.<ref>AEPD, 09.04.2021, E/03276/2021. Available at: [https://gdprhub.eu/AEPD%20-%20E/03276/2021 https://gdprhub.eu/index.php?title=AEPD_-_E/03276/2021] and <nowiki>https://www.aepd.es/es/documento/e-03276-2021.pdf</nowiki> </ref>
Both practices seek the final aim of helping enforce data protection and privacy law internationally. Although they do not address this as directly as the previous paragraphs, increased coordination between different authorities, and a better understanding of the law in different jurisdictions will undoubtedly lead to more effective cooperation on law enforcing.  


=====Law enforcement (Article 50(a)(b) GDPR)=====
This cooperation has been happening for decades. Apart from the Global Privacy Enforcement Network, actors such as the Asia-Pacific Economic Cooperation (APEC) also play a role in international cooperation.<ref>''Zerdick'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 50 GDPR, margin number 8 (C.H, Beck 2018, 2nd Edition).</ref> For instance, together with the Article 29 Working Party (WP29), they have issued a referential to facilitate the use of binding corporate rules between the two organizations.<ref>WP29, ‘Opinion 02/2014 on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross Border Privacy Rules submitted to APEC CBPR Accountability Agents’, 538/14/EN WP 212, 27 February 2014 (available [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp212_en.pdf here]).</ref>  
Article 50, letters a) and b), seek to bolster cooperation to facilitate data protection and privacy law enforcement. This is done via the creation of international cooperation mechanisms and through the provision of assistance in the enforcement of such legislation, which includes notification, complaint referral, investigative assistance and information exchange. This shall be done with special attention to human rights; adequate measures to protect them shall be implemented.
 
Some of these mechanisms are further developed and used in practice by the Global Privacy Enforcement Network following the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy and Articles 13 to 17 from the 108 Convention<ref>Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 1981. Available at: <nowiki>https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680078b37</nowiki></ref> and its 181 Protocol regarding supervisory authorities and transborder data flows.<ref>Council of Europe, Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows, 2001. Available at: <nowiki>https://www.coe.int/en/web/conventions/full-list/-/conventions/rms/0900001680080626</nowiki></ref><ref>''Zerdick'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 50 GDPR, margin number 7 (Beck 2018, 2nd ed.) (accessed 22.04.2021)</ref>
 
=====Cooperation and exchange of knowledge  (Article 50(c)(d) GDPR)=====
Obligations deriving from Article 50, letters c) and d), encourage discussion and related activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data, and encourage the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.
 
Both practices seek the final aim of helping enforce data protection and privacy law internationally. However, they do not address it directly, as previous paragraphs, but through a better understanding between different authorities and a better understanding of the law from different jurisdictions, what will lead to more effective cooperation on law enforcing.
 
This cooperation has been happening for decades. Apart from the Global Privacy Enforcement Network, actors such as the Asia-Pacific Economic Cooperation (APEC) also play a role in international cooperation.<ref>''Zerdick'', in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 50 GDPR, margin number 8 (Beck 2018, 2nd ed.) (accessed 22.04.2021)</ref> For instance, together with the Article 29 Working Party, they have issued a referential to facilitate the use of binding corporate rules between the two organizations.<ref>Opinion 02/2014 on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross Border Privacy Rules submitted to APEC CBPR Accountability Agents. Accessible at: <nowiki>https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp212_en.pdf</nowiki></ref>  
----


==Decisions==
==Decisions==

Latest revision as of 15:41, 28 April 2022

Article 50 - International cooperation for the protection of personal data
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 50 - International cooperation for the protection of personal data

In relation to third countries and international organisations, the Commission and supervisory authorities shall take appropriate steps to:

(a) develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data;

(b) provide international mutual assistance in the enforcement of legislation for the protection of personal data, including through notification, complaint referral, investigative assistance and information exchange, subject to appropriate safeguards for the protection of personal data and other fundamental rights and freedoms;

(c) engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data;

(d) promote the exchange and documentation of personal data protection legislation and practice, including on jurisdictional conflicts with third countries.

Relevant Recitals

Recital 102: International Agreements
This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.

Recital 116: International Cooperation Mechanisms and International Mutual Assistance
When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts. For the purposes of developing international cooperation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with competent authorities in third countries, based on reciprocity and in accordance with this Regulation.

Commentary

Article 50 GDPR aims to promote cooperation between the European Commission (Commission) and data protection authorities (DPAs), either from the EU or third countries, for both law enforcement purposes as well as for the exchange of knowledge between them. This way, Article 50 GDPR expands the exhortation under Article 57(1)(g) GDPR that calls for cooperation between EU DPAs, across borders.

General Aspects

This provision has a precedence for the practical application of the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy OECD Recommendation),[1] promoted by the Canadian DPA, that was followed by the subsequent creation of the Global Privacy Enforcement Network (a network of worldwide data protection regulators that cooperate across borders to enforce data protection and privacy laws). This OECD Recommendation establishes a series of objectives that are similar to the ones laid out by Article 50 GDPR. Article 50 GDPR is divided in two different parts: letters (a) and (b) aim for cooperation with other authorities in law enforcement and necessary related activities, while letters (c) and (d) are meant for the exchange of knowledge, information, and general cooperation. As Kuner remarks, Article 50 GDPR will be of special importance in light of Brexit, as undoubtedly new mechanisms for cooperation between the British DPA and UE DPAs will be needed.[2] This has already proven necessary in cases such as the one framed in a proceeding from the Spanish DPA regarding a controller established in the UK. The Spanish DPA was unable to settle a case after the British DPA, following Brexit, left the Internal Market Information System aimed to be used by EU authorities for cooperation.[3]

Law Enforcement

Article 50(a) and (b) GDPR seek to bolster cooperation to facilitate data protection and privacy law enforcement. This is done via the creation of international cooperation mechanisms, and through the provision of assistance in the enforcement of such legislation, which includes notification, complaint referral, investigative assistance and information exchange. This shall be done with special attention to human rights, and therefore adequate measures to protect them must be implemented.[4] Some of these mechanisms are further developed and used in practice by the Global Privacy Enforcement Network following the OECD Recommendation, and Articles 13 to 17 from Convention 108[5] and its 181 Protocol regarding supervisory authorities and transborder data flows.[6]

Cooperation and Exchange of Knowledge

Obligations deriving from Article 50(c) and (d) GDPR, encourage discussion and related activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data, and encourage the exchange and documentation of personal data protection legislation and practice, including jurisdictional conflicts with third countries.

Both practices seek the final aim of helping enforce data protection and privacy law internationally. Although they do not address this as directly as the previous paragraphs, increased coordination between different authorities, and a better understanding of the law in different jurisdictions will undoubtedly lead to more effective cooperation on law enforcing.

This cooperation has been happening for decades. Apart from the Global Privacy Enforcement Network, actors such as the Asia-Pacific Economic Cooperation (APEC) also play a role in international cooperation.[7] For instance, together with the Article 29 Working Party (WP29), they have issued a referential to facilitate the use of binding corporate rules between the two organizations.[8]

Decisions

→ You can find all related decisions in Category:Article 50 GDPR

References

  1. OECD, ‘Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy’, 2007 (available here).
  2. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 50 GDPR, p. 861 (Oxford University Press 2020).
  3. AEPD, E/03276/2021, 9 April 2021 (available here and here).
  4. Zerdick, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 50 GDPR, margin number 7 (C.H, Beck 2018, 2nd Edition).
  5. Council of Europe, ‘Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data’, 28 January 1981 (available here).
  6. Council of Europe, ‘Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data regarding supervisory authorities and transborder data flows’, 8 November 2001 (available here).
  7. Zerdick, in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 50 GDPR, margin number 8 (C.H, Beck 2018, 2nd Edition).
  8. WP29, ‘Opinion 02/2014 on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross Border Privacy Rules submitted to APEC CBPR Accountability Agents’, 538/14/EN WP 212, 27 February 2014 (available here).