Table 1 Advantages and disadvantages of six transborder data sharing models
From: Building a data sharing model for global genomic research
Transborder data sharing models | Prototype | Description | Advantages | Disadvantages |
|---|---|---|---|---|
1. Adequacy | Personal data can be transferred to a foreign jurisdiction if its laws ensure an adequate level of protection in comparison with those of the exporting jurisdiction | • Ensures that the privacy laws of a foreign jurisdiction provide an adequate level of protection before personal data are sent to that foreign jurisdiction | • Long, slow process of adequacy designation - very few designations made to date | |
• Imposes the privacy law regime of one jurisdiction on those of others | ||||
• Only allows personal data to flow from a jurisdictional hub to the end of one spoke at a time | ||||
• Provides upfront assurance and confidence on a country-wide basis | ||||
• Does not allow data-flows ‘around the wheel’ | ||||
2. Safe harbor | The EU-US Safe Harbor | Personal data can be transferred to a non-adequate foreign jurisdiction (designated a ‘safe harbor’) if organizations in the safe harbor voluntarily self-certify that they will comply with mutually agreed-upon data protection principles (for example, access, security, data integrity, enforcement) | • Allows personal data transfers to a foreign jurisdiction without adequate legislation | • Lacks transparency and strong enforcement mechanisms |
Framework | ||||
• Administratively quite simple and well suited for small or medium-sized business entities | • No upfront assurance or third-party certification provided | |||
• Can only allow data to flow unidirectionally from one jurisdiction to another, not multidirectionally or between other countries | ||||
• Organizations join based on a self-certification process - therefore, few resources needed to administer | ||||
3. Binding corporate rules (BCRs) | Binding Corporate Rules of the EU | A multinational company can transfer personal data to affiliates and subsidiaries in foreign jurisdictions without adequacy status if it submits its global privacy policies and practices to a ‘lead’ data protection authority (DPA) for review and prior approval | • Allows data transfers to affiliated organizations in foreign countries without adequacy status | • Only applies to organizations within a single corporate entity |
• Process of review and approval is lengthy and bureaucratic | ||||
• Allows data transfers to multiple countries at once | • Not well suited for small- or medium-sized organizations | |||
• Not easily scalable if many applications are submitted for approval to the same DPAs at once | ||||
• Provides upfront assurance that BCRs will provide sufficient privacy protection | ||||
4. Model contracts | EU-approved model contracts | Personal data can be transferred from one organization to another organization situated in a non-adequate foreign jurisdiction if the organizations agree to enter into a model contract pre-approved by the relevant DPA(s) as providing sufficient privacy protection | • Allows data transfers to organizations in countries that do not have adequacy status | • Of limited flexibility as model contracts must be used as they are, and any amendments must be resubmitted to the relevant DPAs for approval |
• Multiple contracts are required for data to flow to several organizations or countries | ||||
• Provides upfront assurance that agreements are ‘up to snuff’ and will provide sufficient protection | ||||
• Not currently suitable for multidirectional/multiparty flows | ||||
• Establishes grounds for contractual liability in the event of noncompliance | ||||
5. Accountability | Canada’s PIPEDA, Principle 4.1.3 | Organizations remain accountable for personal data in their possession and transferred to third-parties for processing. The transferring organization must use contractual or other means to ensure that the personal data continue to receive a comparable level of protection along the ‘chain’ of third-party transfers | • Ensures comparable-level protection along the entire chain of third-party data transfers | • No front-end assurance or certification provided |
• Requires transferring organization to carry out due diligence of third-parties and assume the risks related to data transfer | ||||
• Transferring organization remains ultimately accountable | ||||
• Light, flexible, not front-loaded | • Weak enforcement mechanisms available if things go wrong | |||
• Focused on the ends of privacy protection, not the means | • Monitoring capabilities can be limited | |||
6. Third-party certification | The APEC Cross-Border Privacy Rules Framework | Jurisdictions agree upon a series of privacy program requirements and third-party ‘accountability agents’ review and certify voluntarily participating organizations against those requirements. Once certified, an organization can partake in foreign data transfers, although still subject to the applicable privacy laws. Participating jurisdictions must have a domestic privacy regulator for enforcement purposes | • Provides upfront assurance, although less rigorous than DPA-approved BCRs | • Variation of laws remains a challenge |
• Could be flexible and expedient, depending on the efficiency of the accountability agent | • Little experience to date of how it works in practice | |||
• Scalable mechanism capable of handling large numbers of applications | • Currently, does not include EU countries, which remain subject to the foreign transfer limitations of the EU Directive | |||
• Does not displace domestic laws, but provides additional assurance that facilitates acceptance of foreign transfers | • There are some questions with respect to the rigor of the upfront assurance and the independence of the designated accountability agents |