Data protection when crossing borders

In the case of a cross-border disaster, different national responder agencies might exchange personal information. For example, in EPISECC, establishing interoperability between the information tools of different national agencies is one of the explicit goals of the project. The question might arise whether a national agency is allowed to communicate the information it gathers to the agency of a different Member State. While the GDPR will bring some uniformity to cross-border data sharing within the EU as there will no longer be a reliance on Member State implementation, there is still a level of complexity in sharing data across borders. Recital 10 of the GDPR allows for a "margin of manoeuvre" for Member States to specify their rules and develop sector-specific agreements. One example of a sector-specific agreement is the Passenger Name Sharing Directive relating to air travel, included in the resources below. There is, therefore, a need to look to sharing agreements developed either on a geographical or sector-specific basis to determine how cross-border sharing works in relation to your CIS.


Guiding Questions

What kind of cross-border sharing do you envisage will be facilitated by the CIS; in which geographical locations and sectors would this sharing operate?
Are there any geographical and/or sector-specific agreements operating in this area?
Does the CIS comply with the responsibilities outlined by the GDPR as this will enable uniformity of data processing across organisations located in different Member States?
In particular, does the CIS create a system that upholds the GDPR’s requirements for interoperability, as this will enable easier data sharing.

Further Information

The overarching aim of the GDPR (General Data Protection Regulation) is to foster a free flow of information within the European Union. From this point of view, the transnational information exchange is not problematic at all since the GDPR’s primary purpose is to harmonise the regulatory framework for data processing throughout the EU. Nevertheless, within the specific context of disaster management Member States do have a certain leeway to restrict and deviate from the European framework for reasons of public security. Consequently, some Member States might be more restrictive when it comes down to exchanging information. These kinds of issues are often addressed in bi- or multilateral agreements that provide for a specific mutually recognised legal basis for the transnational exchange of information necessary to cope with a cross-border disaster situation.

Examples

The EPISECC proof of concept is based on an earthquake that hits the border region between Italy, Slovenia and Austria. First responder agencies of all three Member States involved will have to exchange personal information in order to cooperate effectively. This trans-border flow of personal information would be founded on a double legal basis. On the one hand, a EU legal basis that stems from the GDPR: This would be article 6 (e) that legitimises data processing necessary for the performance of a task carried out in the public interest. This EU legal basis is further reinforced and specified by a Cooperation Agreement concluded between the countries involved. In this case, the three collaborating countries would be able to rely on the Cooperation Agreement on The Forecast, Prevention and Mitigation of Natural and Technological Disasters concluded in 1992 within the framework of the Central European Initiative. This agreement aims to ensure that the signatories cooperate in the field of forecast and prevention of natural and technological disasters and if needed coordinate their efforts to assist Contracting Parties struck by a disaster. Secondly, it ensures that there is a regular information sharing and exchanging in the field of forecast and prevention of major risks, entailing serious consequences for the safety of people, assets and environment. The information includes exchange of scientific and technical information and relevant data.

Resources

Cooperation Agreement on The Forecast, Prevention and Mitigation of Natural and Technological Disasters concluded in 1992 within the framework of the Central European Initiative [Link]
UK ICO Data Sharing Code of Practice, May 2011 [Link]
EU Passenger Name Record Directive [Link]
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [Link]
GDPR Overview of the General Data Protection Regulation (2017). Information Commissioner's Office [Link]

Related Key Terms

Data protection

Responsibility