Contents
Follow-up VC on the non-EU/EEA Data protection Code of Conduct
Date | 13 Aug 2013, 15:00-16:20 CEST
Participants | Patrick van Eecke, DLA Piper; Steven Carmody, InCommon; Mikael Linden, eduGAIN (notes)
Went through the questions that the DLA Piper memo of 29 Jul 2013 had raised:
1. Legal bases other than the standard Contractual Clauses
- in principle, other legal bases could be used. In practice they are cumbersome
- consent as the legal ground
- the Home Organisation needs to be able to demonstrate that consent has been given by the user
- consent, if used, isn't necessarily freely given
- "Performance of contract with End User" and "Performance of contract concluded in the interest of the End User"
- in some cases these could be used (e.g. a contract of employment), but universities are likely to have also affiliated users without a contract, and then something else would be needed for them
- therefore, the Standard Contractual Clauses are a catch-all that covers all scenarios
- the Standard Contractual Clauses are also a well-known and widely used approach
- DLA Piper is also seeing double approaches where, to be on the safe side, both the Contractual Clauses and consent are used simultaneously
- there could also be an alternative plan, where consent is used as a fall-back for those SPs that don't want to sign the Contractual Clauses
2. Applicable law
- Contractual Clauses document, IV – applicable law: “…the law of the country in which the data exporter is established”.
- in our case there will be parallel data exporters in several countries. A question arises whether this causes problems or confusion about the applicable law
- we cannot change this section because it follows from the Standard Contractual Clauses
- if there is a dispute, you need to identify which Home Organisation is involved
- if it is a Spanish Home Organisation, then Spanish law applies
- in the worst case there are several parallel lawsuits in several EU countries, where even the laws differ slightly
- in the long run, the General Data Protection Regulation may fix the problem of fragmented laws
3. Is the approach global?
- legally speaking the approach is global. No matter in which country/jurisdiction the SP is established, the Contractual Clauses bind it to EU law
- strategically it makes sense that the Home Organisation decides whether the non-EU CoC is sufficient for SPs in countries where it is difficult to do business
- it depends on the culture and legal regime of the country
- it may be difficult to draw up a list of those countries. Luckily, each Home Organisation may have a separate list
- for the technical implementation, we may need to consider a SAML metadata tag indicating the SP's jurisdiction
- to enable automated filtering of the SAML metadata
- conflicts with SP’s local laws
- Patrick doesn’t think it is likely that the CoC conflicts with the SP’s local data protection laws
- instead, it is possible that the CoC conflicts with other local laws, such as US anti-terrorism laws that obligate the SP to release personal data to the authorities
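One way the automated metadata filtering mentioned under item 3 could work, as an added example that is not from the meeting or from any federation's tooling: a Python script that reads a jurisdiction declared in the SP's SAML2 metadata entity attributes (the standard mdattr:EntityAttributes extension) and keeps only SPs whose jurisdictions are on the Home Organisation's own allow list. The attribute name and the sample aggregate are assumptions constructed for the example; no jurisdiction attribute had been agreed at the time of these notes, and verifying the aggregate's signature is assumed to happen before this filter runs.

```python
"""Filter a SAML2 metadata aggregate by the SP's declared jurisdiction.

Added example, not part of the meeting notes. The attribute name and the
sample aggregate below are constructed for illustration; the aggregate's
signature is assumed to have been verified before this filter runs.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep prefixes when re-serialising

# Hypothetical attribute name; the notes only say that such a tag "may need to
# be considered". A real federation would agree on and publish a name.
JURISDICTION_ATTR = "http://example.org/saml/attributes/jurisdiction"

# Constructed sample aggregate: an SP in the US, an SP in Switzerland, an SP
# with no jurisdiction tag at all, and an IdP (which the filter leaves alone).
SAMPLE_METADATA = """<md:EntitiesDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <md:EntityDescriptor entityID="https://sp1.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://example.org/saml/attributes/jurisdiction"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>US</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp2.example.org/shibboleth">
    <md:Extensions>
      <mdattr:EntityAttributes>
        <saml:Attribute Name="http://example.org/saml/attributes/jurisdiction"
                        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml:AttributeValue>CH</saml:AttributeValue>
        </saml:Attribute>
      </mdattr:EntityAttributes>
    </md:Extensions>
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp3.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def declared_jurisdictions(entity):
    """Return the set of jurisdiction codes an EntityDescriptor declares."""
    codes = set()
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        if attr.get("Name") != JURISDICTION_ATTR:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                codes.add(value.text.strip().upper())
    return codes


def filter_aggregate(metadata_xml, allowed_jurisdictions):
    """Drop SPs whose jurisdiction is not on the Home Organisation's list.

    Returns (accepted_entity_ids, rejected_entity_ids_with_reason, filtered_xml).
    Policy choices: an SP with no tag is rejected (fail closed), and an SP that
    declares several jurisdictions must have all of them allowed, because data
    released to it may end up in any of them. Non-SP entities are kept as-is.
    """
    allowed = {code.upper() for code in allowed_jurisdictions}
    root = ET.fromstring(metadata_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    accepted, rejected = [], {}
    for entity in list(root.iter("{%s}EntityDescriptor" % NS["md"])):
        entity_id = entity.get("entityID")
        if entity.find("md:SPSSODescriptor", NS) is None:
            accepted.append(entity_id)  # IdP or other role: not subject to the filter
            continue
        declared = declared_jurisdictions(entity)
        if not declared:
            rejected[entity_id] = "no jurisdiction tag"
        elif declared <= allowed:
            accepted.append(entity_id)
        else:
            rejected[entity_id] = "jurisdiction not allowed: " + ",".join(sorted(declared - allowed))
        if entity_id in rejected:
            parents[entity].remove(entity)
    return accepted, rejected, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    ok, dropped, _ = filter_aggregate(SAMPLE_METADATA, {"US"})
    print("accepted:", ok)
    print("rejected:", dropped)
```

The allow list is per Home Organisation, matching the note that each may keep its own list of countries; feeding the filtered aggregate to the IdP (instead of the full one) is what stops attributes being released to SPs in jurisdictions the Home Organisation has not accepted.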
4. Legal practicalities
- Charter Adherence Form – are ink-signatures needed or can we use electronic ones (like we did in the EU/EEA-CoC)?
- Patrick thinks ink-signatures are not necessary. There is no statutory requirement of a signature
- you need to be able to convince a judge that the SP has indeed approved the CoC: secure log files, timestamps issued by a TTP (trusted third party), etc.
- you need to be able to prove that on day X the Home Organisation or SP was committed to the CoC, and that the transaction took place after that
- Patrick thinks that for simplicity we could use similar approach as we did in the EU/EEA-CoC
- electronic signature in non-EU CoC
- it doesn’t matter that non-EU countries don’t have an e-signature directive.
- this kind of agreement can only be disputed in the EU, because it is relevant for EU data protection
- e.g. if an African SP commits to the CoC and then disputes the commitment, it will be a European judge who decides whether the dispute is credible
- this suggests we could use the same mechanisms relying on SAML2 metadata exchange that we used in the EU-CoC
5. Role of GÉANT
- the current memo proposes some roles for GÉANT: gather adherence documents; publish a list of parties committed to the charter
- if we use the same approach as in the EU-CoC, we don't need to give any extra responsibilities to GÉANT
- beyond the reliable SAML2 metadata exchange
- it would also allow the CoC to be used outside the GÉANT community
- e.g. by federations or institutions bilaterally, REEP, etc.