Summary: | The introduction of algorithms has for companies led to new ways of marketing themselves. However, access to personal data is needed for a company to successfully use an algorithm, which means companies can trade with our personal data. Personal data is therefore no longer used solely for nonprofit purposes but has rather acquired a financial value. This has led to new challenges in terms of third country transfer of personal data, which requires legislation that can effectively protect personal data. Within the EU, the General Data Protection Legislation (GDPR) regulates how personal data can be transferred to a third country. Article 45 GDPR, which contains the first requirement for third country transfers, states that transfers are only permitted based on an adequacy decision issued by the Commission. On the basis, inter alia, of the annulment of the Safe Harbor decision, by the European Court of Justice, and the criticism that has been addressed towards the Privacy Shield decision, questions are raised if there are reason for companies to make third country transfers based on the alternative provisions in article 46 and article 49 GDPR. The aim of this thesis is to examine the possibilities of making third country transfers according to articles 45, 46 and 49 GDPR by making a comparison that has been made from an individual- and company perspective. The research questions have been focused on the content of the adequacy decisions concerning USA, Switzerland, Canada, Israel and Japan, a review of the legal basis for third country transfers stated in articles 46 and 49 GDPR, as well as benefits and drawbacks with applying the grounds set forth in articles 46 and 49 GDPR rather than applying an adequacy decision pursuant to article 45 GDPR. In conclusion, it may be noted that the adequacy decisions that have been discussed leave room for doubt in relation to the level of protection that is guaranteed in the GDPR. This gives reason for companies to consider application of article 46 and article 49 GDPR. There are several benefits and drawbacks with such considerations including the size of the company and its financial recourses affecting which appropriate safeguard in article 46 GDPR is the most suitable safeguard to use. Furthermore, the derogations in article 49 GDPR may, in theory and in practice, be very difficult to apply instead of article 45 and article 46 GDPR since the derogations focuses on specific situations and must be used restrictively. The findings in this thesis however leads to the conclusion that there are several reasons for companies to consider application of article 46 GDPR instead of article 45 GDPR.
|