
Follow-up VC on the non-EU/EEA Data protection Code of Conduct

Date: 13th Aug 2013 at 15-16.20 CEST
Participants: Patrick van Eecke, DLA Piper
 Steven Carmody, InCommon
 Mikael Linden, eduGAIN (notes)


Went through the questions that the DLA Piper memo of 29 Jul 2013 had raised:

1. Legal bases other than the Standard Contractual Clauses

  • in principle, other legal bases could be used. In practice it is cumbersome
  • consent as a legal ground
    • the Home Organisation needs to be able to demonstrate that consent has been given by the user
    • consent, if used, isn’t necessarily freely given
  • “Performance of contract with End User” and “Performance of contract concluded in the interest of the End User”
    • in some cases it could be used (e.g. contract of employment), but universities are likely to also have affiliated users without a contract, and then something else would be needed for them
  • therefore, the Standard Contractual Clauses are a catch-all that covers all scenarios
    • the Standard Contractual Clauses are also a well-known and widely used approach
    • DLA Piper also sees double approaches where, to be on the safe side, both the Contractual Clauses and consent are used simultaneously
  • there could also be an alternative plan, where consent is used as a fall-back for those SPs who don’t want to sign the Contractual Clauses

2. Applicable law

  • Contractual Clauses document, IV – applicable law: “…the law of the country in which the data exporter is established”.
  • in our case there will be parallel data exporters in several countries. A question arises whether this causes problems or confusion about the applicable law
  • we cannot change this section because it follows from the Standard Contractual Clauses
  • if there is a problem, you need to determine which Home Organisation is in question
    • if it is a Spanish Home Organisation then Spanish law is applied
    • in the worst case there are several parallel lawsuits in several EU countries where even the laws differ slightly
  • in the long run, the General Data Protection Regulation may fix the problem of fragmented laws

3. Is the approach global?

  • legally speaking the approach is global. No matter in which country/jurisdiction the SP is established, the Contractual Clauses bind it to EU law
  • strategically it makes sense that the Home Organisation decides whether the non-EU CoC is sufficient for SPs in countries where it is difficult to do business
    • it depends on the culture and legal regime of the country
    • it may be difficult to draw up a list of those countries. Luckily, each Home Organisation may have a separate list
  • for the technical implementation, we may need to consider a SAML metadata tag indicating the SP’s jurisdiction
    • to enable automated filtering of the SAML metadata
  • conflicts with the SP’s local laws
    • Patrick doesn’t think it is likely that the CoC conflicts with the SP’s local data protection laws
    • instead, it is possible that the CoC conflicts with other local laws, such as US anti-terrorism laws that oblige the SP to release personal data to authorities

4. Legal practicalities

  • Charter Adherence Form – are ink signatures needed, or can we use electronic ones (like we did in the EU/EEA CoC)?
    • Patrick thinks ink signatures are not necessary. There is no statutory requirement for a signature
    • you need to be able to convince a judge that the SP has indeed approved the CoC: secure log files, timestamps issued by a TTP, etc.
    • you need to be able to prove that on day X the Home Organisation or SP was committed to the CoC, and that the transaction took place after that
    • Patrick thinks that for simplicity we could use the same approach as we did in the EU/EEA CoC
  • electronic signature in the non-EU CoC
    • it doesn’t matter that non-EU countries don’t have an e-signature directive
    • this kind of agreement can only be disputed in the EU, because it is relevant to EU data protection
    • e.g. if an African SP commits to the CoC and then disputes the commitment, it will be a European judge who decides whether the dispute is credible
  • this suggests we could use the same mechanisms relying on SAML2 metadata exchange that we used in the EU CoC
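As an added illustration of the two technical points in items 3 and 4 above (not code from the meeting, the CoC documents or GÉANT), the following Python script parses a constructed SAML2 metadata aggregate, reads hypothetical EntityAttributes, applies a Home Organisation's own list of excluded jurisdictions, and produces a hashed, timestamped log record of the commitment it saw. The attribute names and the CoC value (`urn:example:coc:...`) are assumptions; the notes only say that such a tag "may need to be considered" and define no identifiers. The namespace URIs are the standard OASIS ones.

```python
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# SAML 2.0 metadata namespaces (standard OASIS URIs).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Placeholder attribute names: the notes only say a jurisdiction tag "may need
# to be considered"; no URI was agreed, so these are assumptions, not CoC names.
JURISDICTION_ATTR = "urn:example:coc:sp-jurisdiction"
COMMITMENT_ATTR = "urn:example:coc:commitment"
NON_EU_COC = "urn:example:coc:non-eu/v1"


def _sp_fragment(entity_id, attributes):
    """Constructed sample SP EntityDescriptor carrying the given EntityAttributes."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        "</saml:AttributeValue></saml:Attribute>"
        for name, value in attributes
    )
    return (
        f'<md:EntityDescriptor entityID="{entity_id}"><md:Extensions>'
        f"<mdattr:EntityAttributes>{attr_xml}</mdattr:EntityAttributes>"
        "</md:Extensions><md:SPSSODescriptor protocolSupportEnumeration="
        '"urn:oasis:names:tc:SAML:2.0:protocol"/></md:EntityDescriptor>'
    )


# Constructed metadata aggregate with four sample SPs (not real entities).
SAMPLE_METADATA = (
    '<md:EntitiesDescriptor xmlns:md="%s" xmlns:mdattr="%s" xmlns:saml="%s">'
    % (NS["md"], NS["mdattr"], NS["saml"])
    + _sp_fragment("https://sp-us.example.org/sp",
                   [(JURISDICTION_ATTR, "US"), (COMMITMENT_ATTR, NON_EU_COC)])
    + _sp_fragment("https://sp-xx.example.org/sp",
                   [(JURISDICTION_ATTR, "XX"), (COMMITMENT_ATTR, NON_EU_COC)])
    + _sp_fragment("https://sp-untagged.example.org/sp", [(COMMITMENT_ATTR, NON_EU_COC)])
    + _sp_fragment("https://sp-nococ.example.org/sp", [(JURISDICTION_ATTR, "US")])
    + "</md:EntitiesDescriptor>"
)


def entity_attributes(entity):
    """Return the entity's mdattr:EntityAttributes as {name: [values]}."""
    attrs = {}
    path = "md:Extensions/mdattr:EntityAttributes/saml:Attribute"
    for attr in entity.findall(path, NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def classify_sps(metadata_xml, excluded_jurisdictions):
    """Decide, for one Home Organisation, which SPs it will release data to.

    An SP is accepted only if its metadata asserts the non-EU CoC commitment
    AND carries a jurisdiction tag that is not on the Home Organisation's own
    exclusion list. Missing tags fail closed. Every rejection carries a reason
    so the decision can be audited later.
    """
    root = ET.fromstring(metadata_xml)
    accepted, rejected = [], {}
    for entity in root.findall("md:EntityDescriptor", NS):
        if entity.find("md:SPSSODescriptor", NS) is None:
            continue  # only SPs are subject to the CoC filter
        entity_id = entity.get("entityID")
        attrs = entity_attributes(entity)
        if NON_EU_COC not in attrs.get(COMMITMENT_ATTR, []):
            rejected[entity_id] = "no CoC commitment in metadata"
        elif not attrs.get(JURISDICTION_ATTR):
            rejected[entity_id] = "committed, but jurisdiction tag missing"
        elif set(attrs[JURISDICTION_ATTR]) & set(excluded_jurisdictions):
            rejected[entity_id] = "jurisdiction excluded by home organisation"
        else:
            accepted.append(entity_id)
    return accepted, rejected


def evidence_record(metadata_xml, entity_id, observed_at=None):
    """Log entry showing what commitment was seen for an SP, and when.

    The notes stress that one must be able to show that on day X the SP was
    committed to the CoC. Hashing the SP's metadata fragment and stamping it
    with the observation time gives a reproducible record; a timestamp from a
    TTP over the same hash (not shown) would strengthen it.
    """
    observed_at = observed_at or datetime.now(timezone.utc)
    root = ET.fromstring(metadata_xml)
    for entity in root.findall("md:EntityDescriptor", NS):
        if entity.get("entityID") == entity_id:
            fragment = ET.tostring(entity, encoding="utf-8")
            return {
                "entityID": entity_id,
                "commitment": entity_attributes(entity).get(COMMITMENT_ATTR, []),
                "sha256": hashlib.sha256(fragment).hexdigest(),
                "observed_at": observed_at.astimezone(timezone.utc).isoformat(),
            }
    raise KeyError(f"{entity_id} not in metadata")


if __name__ == "__main__":
    ok, bad = classify_sps(SAMPLE_METADATA, excluded_jurisdictions={"XX"})
    print("accepted:", ok)
    print("rejected:", bad)
    print(evidence_record(SAMPLE_METADATA, ok[0]))
```

The filter deliberately fails closed: an SP that asserts the commitment but carries no jurisdiction tag is rejected, because the Home Organisation cannot tell whether it belongs to a country on its list. The evidence record is what a "secure log file" entry would need at minimum (entity, what it asserted, a hash of the metadata seen, and when); a metadata aggregate signature or a TTP timestamp over the hash is what would make the record convincing to a judge.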

5. Role of GÉANT

  • the current memo proposes some roles for GÉANT: gather adherence documents; publish a list of parties committed to the charter
  • if we use the same approach as in the EU CoC, we don’t need to give any extra responsibilities to GÉANT
    • beyond the reliable SAML2 metadata exchange
  • it would also allow the CoC to be used outside the GÉANT community
    • federations or institutions bilaterally, REEP etc.