The European Securities and Markets Authority (ESMA) has stressed the importance of international cooperation to enforce the General Data Protection Regulation (GDPR). ESMA also highlighted that more needs to be done.
The insights on ESMA’s views on Public Interest Derogation under GDPR stem from its response to the Article 29 Working Party (WP29) public consultation on its Draft Guidelines on Article 49 of Regulation 2016/679. Public Interest Derogation refers to international transfers of personal data necessary for important reasons of public interest under Article 49 (1) (d) of the GDPR.
The European regulator stated that “achieving efficient international cooperation between EU and non-EU financial supervisory authorities is essential to achieve effective financial supervision in the context of global financial markets and is thus part of financial supervisors’ legal statutes, missions or objectives. Moreover the duty to cooperate with other financial supervisors is enshrined in Union law applicable to EU financial supervisors and is framed by the IOSCO Memorandum of Understanding(MMOU) at global level. The MMOU is a key cooperation tool, subject to pre-screening and ongoing monitoring processes, currently signed by 117 securities markets authorities. For example, such a framework for cooperation was used by several authorities around the globe for the exchanges of information in the context of the LIBOR investigation. To the extent that such cooperation gives rise to transfers of personal data, these international transfers are important for public interest purposes as explicitly recognized in Recital (112) of the GDPR.”
ESMA also emphasized that since only 10 securities markets authorities were currently covered by an adequacy decision in accordance with the GDPR, “clarity on the scope of derogations is essential in order to enable EU financial supervisory authorities to fulfil their missions whilst ensuring compliance with the applicable EU data protection rules, in particular in the absence of comparable legal requirements in the relevant third-country.”
The Article 29 Working Party (Art. 29 WP) is an advisory body made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. The composition and purpose of Art. 29 WP was set out in Article 29 of the Data Protection Directive, and it was launched in 1996.