1. EU DATA PRIVACY – A PRACTICAL GUIDE TO INTERNATIONAL DATA TRANSFERS
Nick Holland: Partner & Head of Technology & Commerce
Beachcroft LLP
2. Agenda
The Privacy Ecosystem
US v International
Key EU Principles
International Data Transfers
Practical Points
Conclusions
3. THE PRIVACY ECOSYSTEM
4. The Privacy Ecosystem
5. Customers
Privacy Policy
Terms and Conditions
Representations made regarding:
Use of customer information
Security measures in place
6. Employees
Employees have to assist the company in meeting privacy promises
Employees have data privacy rights, too, under international, US and Californian laws
7. Service Providers (Data Processors)
B-2-B agreements to use information only on behalf of and under the instructions of the Company
Must agree to follow privacy policies and procedures
Service providers are looked at from a privacy perspective more as part of the Company than as a third party
8. Business “Partners”
Third parties who will use the information for their own purposes, not just on behalf of the company
Greater scrutiny by regulators because of the need to disclose to consumers/employees, and potentially obtain consent (consent necessary in the EU)
9. U.S. vs. INTERNATIONAL
10. U.S. vs. International
In the US, although it is changing, employees have limited data privacy rights - certainly fewer than consumers
Employees are entitled to notice of unauthorized access/use of electronic data under Californian law
The FTC and State Attorneys General have authority to act if employers did something inappropriate (i.e., extremely commercial without notice)
11. U.S. vs. International
In the EEA, all data subjects have the same rights (employees have data privacy rights equal to consumers)
U.S. law is inadequate in the EU’s eyes (except Safe Harbor)
Only Switzerland, Canada, Argentina, Guernsey and the Isle of Man are deemed to provide an adequate level of protection
Law is developing fast in CALA and A/P; India and China still lag behind
12. U.S. vs. International
Multinationals tend to use the EU as the global standard for compliance: because of SOX and the global emphasis on compliance, multinationals want a stricter regime
However, the 80/20 rule and flexibility are needed to ensure any compliance program is practical and relevant across the globe
13. KEY EU PRINCIPLES
14. Key EU Principles
Law in the EU is governed by the EU Data Protection Directive 1995/46/EC
Data must be:
fairly and lawfully processed;
processed for limited purposes;
adequate, relevant and not excessive;
accurate;
not kept longer than necessary;
processed in accordance with the data subject’s rights;
secure; and
not transferred to countries without adequate protection
15. Key EU Principles
Notify local Data Protection Authorities (DPAs) before processing (if required by local law)
Contracts with anyone receiving data (third party or service provider)
Protecting against onward transfer out of the EEA to countries with inadequate protection
Engender a relationship with key DPAs
16. Notification with local EEA DPAs
Notification is normally required, with exceptions
So far there is no standard co-ordination process for EU-wide approval, but this is under consideration – see the Article 29 Working Party Report of 18 January 2005 (advocating a simplified procedure for DP notifications)
The report encourages greater use of exceptions to notification
The report encourages more on-line notification and greater use of DPOs (Data Protection Officers)
Most importantly, the report envisages one notification completed with one DPA commencing a simplified procedure for all other DPAs
Nothing has been decided
17. Differences Between A Data Controller And A Data Processor
“data controller”: the company, organization or person who alone (or jointly/in common with others) determines the reasons why and the manner in which data are processed
“data processor”: anyone who processes data on behalf of a data controller – the word ‘processes’ is very broadly defined
18. Obligations Of Data Controller/Processor
Data controller
must ensure consent has been obtained from data subjects, that the data is processed in accordance with applicable law, and register with the local DPA (if required)
data subjects can exercise their rights against a data controller if the data controller has failed to treat the personal data correctly
Data processor
usually has contractual obligations to the data controller
19. Importance Of Data Controller/Processor Distinction
Liability - the data controller is accountable to Data Protection Authorities and data subjects regarding the processing of data
Responsibility - the data controller is ultimately responsible for ensuring that applicable law is complied with
The basis on which the Data Transfer Agreement is drafted will vary depending on whether data is transferred to a controller or a processor
20. INTERNATIONAL DATA TRANSFERS
21. Why Do We Care About Data Transfers From The EEA To Third Countries?
Need for managing international operations from the US
Balance against the need to ensure a sufficient level of protection of EEA citizens’ rights
22. Why Do We Care About Data Transfers From The EEA To Third Countries?
Restrictions on transferring personal data outside the EEA to countries not deemed to be adequate under the EU Data Protection Directive, except where, inter alia:
the Data Subject gives unambiguous consent;
processing is necessary for performance of a contract;
processing is necessary for compliance with legal obligations of the Data Controller;
public interest
23. Compliance Choices For Data Transfers From The EEA To Third Countries
Transfer to countries deemed to offer “adequate protection”
EU/US Safe Harbor rules
EU Standard Clauses, including Alternative Business Clauses
Ad-hoc data transfer agreements
Binding Corporate Rules (“BCRs”)
24. EU/US Safe Harbor Rules
Based on the idea of voluntary self-regulation and self-certification of companies with the US Department of Commerce
Company must comply with a number of data protection principles and have a privacy policy which is made public
Generally criticized in the EU as being too weak, and DPAs do not like it
25. EU/US Safe Harbor Rules
Key Benefit: Prior approval of data transfers from each DPA is normally unnecessary
Key Negatives:
Only covers the transfer of data between the EEA and the US
Trades international enforcement of potential violations of transfers to the U.S. (typically private) for FTC enforcement (typically very public)
26. Three model form contracts for data transfers to non-EU countries:
Controller to Controller (2001/497/EC - Commission decision of 15 June 2001)
Controller to Processor (2002/16/EC - Commission decision of 27 December 2001)
Controller to Controller (2004/915/EC - Commission decision of 27 December 2004 regarding an alternative set of clauses)
27. EU Standard Clauses
To be concluded between EEA-based data exporters (controllers) and non-EEA-based data importers (controllers/processors)
Must be recognised by EEA Member States as compliance modules
Primary objective: enforcement of EEA citizens’ rights against both EEA-based data exporters and non-EEA-based data importers
28. EU Standard Clauses Comments
Have been criticised for their lack of flexibility in the granting of third party rights and allocation of liability
These contracts are anachronistic and portray a flow of data (mainly point-to-point transfers) that in no way mirrors most multinational web-based applications
29. Controller to Controller Alternative Business Clauses (2004/915/EC)
Suggested by the ICC and international business organisations
Incorporated into EU law as a third set of Standard Clauses as of 1st April 2005
Key points
Clauses only apply to Controller to Controller transfers
Clauses generally viewed as more business-friendly, but differences from the 2001 set of Controller Clauses are largely technical
30. Controller to Controller Alternative Business Clauses (2004/915/EC)
More substantial changes as regards liability: joint and several liability arrangement, but increased emphasis on the role of the data exporter in enforcement of data subject claims
Auditing requirements and rights against the data importer have been further clarified
Comment: This new set of Standard Clauses may play a more prominent role in the future (although there is no data so far on usage)
31. Ad-hoc Data Transfer Agreements
May deviate from the EU Standard Clauses
Must adhere to the EU Standard Clauses’ core principles
Comments:
more flexible, but require approval from each DPA
so far no standard co-ordination process for EU-wide approval, but
see the case study for a developed co-ordination process (Circa Website)
32. Binding Corporate Rules
DaimlerChrysler test case
Article 29 Working Party WP74 of 3 June 2003, suggesting these may work in the future
Article 29 Working Party WP108 and WP107 of 14 April 2005, respectively outlining a model checklist of the required contents of an application for approval of a proposed set of BCRs, and setting forth a co-operation procedure amongst DPAs
33. Binding Corporate Rules
Rules to apply to corporate groups transferring data outside the EEA but within their group of companies
Rules to apply irrespective of jurisdiction and nationality of the Data Subject
Rules to be notified to employees
Rules to incorporate general data protection principles
Must be approved by all relevant DPAs, but submission to only one DPA (e.g. the DPA of the country where the company has its main place of business) is also possible – this DPA will coordinate the authorisation process
34. Binding Corporate Rules
Article 29 Working Party WP 108 of 14 April 2005 – a checklist for approval of BCRs (key points):
contact details of the applicant and of the responsible party for queries
determination of the lead DPA
description of the safeguards and procedures for protection of data within the group as required by EU law
description of the flow of data within the group
details on how to ensure the rules are binding within the corporate group, and externally for the benefit of individuals
details of audit plan and corporate governance
description of a mechanism for reporting and recording changes
35. Binding Corporate Rules
Standard Application for Approval of BCRs for the Transfer of Personal Data Outside the EEA – published by the ICC DP Task Force on 5 July 2006
Based on Article 29 Working Party WP108
Includes a Standard Application Form and guidance on the information to be submitted with the application for approval
36. Binding Corporate Rules
BCRs not widely approved yet (in December 2005, the ICO approved the first set of BCRs in the UK, for the company GE Capital – it is understood that other sets of BCRs are awaiting approval)
Current trend: today more DPAs seem to promote the use of BCRs for intra-group multi-transfers of personal data (e.g. Garante, AEPD, CBP, ICO)
However, not all DPAs approve of this process, and in the absence right now of an established, well-defined process, it is questionable whether a global multinational should proceed down this path
37. PRACTICAL POINTS
38. Other Compliance “To Dos” For Global Data Transfers
Analyze data flows
Intra-Group data transfer agreements (DTAs)
Data Protection policies
Web Privacy statements
Data Subject Access Request (DSAR) procedures - clarification of what constitutes Personal Data
Data Retention Policy – note the new EU Data Retention Directive (2006/24/EC)
Appointment of a DPO
39. Other Compliance “To Dos” For Global Data Transfers
Audit
Training
Notification of systems/databases to DPAs
Underlying corporate governance structure - put a team in place
40. Case Study
Getting lead DPAs to agree to co-ordinate dialogue with other DPAs via the Circa Website
Use feedback from other DPAs to create an EU addendum to global DTAs
In the EU addendum, an understanding of the flow of data and of the controller vs. processor issue is crucial
Practical approach on which compliance tool is more appropriate for the specific client’s needs/data flows, and effective implementation of the same
41. Case Study
Use the process as a blueprint for negotiating further DTAs
Arrange face-to-face and on-line training modules for senior and operational staff
Creation of web-based privacy statements
Notification to DPAs, plus creation of a global archive for such notifications to be administered by an outside third party
42. Case Study
Putting in place DSAR and data retention procedures in accordance with DTA provisions
Negotiations with works councils on DP issues
Creation of global DP governance structures that create a DP culture within the global organization
43. CONCLUSIONS
44. Conclusions
Project must be supported by top management
Data protection compliance is no longer a dirty word now that it comes under the corporate governance tag
80/20 rule - 100% compliance is not truly attainable
Have a data protection internal structure, otherwise the work will be lost and undertaken again by new people in 5 years’ time!
45. Conclusions
Understand the types and flow of data and the role of each player (data controller vs. data processor)
Proactiveness and a relationship with DPAs are key - if they know you are a “good guy”, enforcement is less likely
46. Conclusions
Choose team leader and country/sector designees
Develop implementation plan
Develop and circulate questionnaires to wrap arms around data flows
Map data flows
Revise implementation plan
47. Conclusions
Have a physical kick-off meeting to present the revised implementation plan
Initial contacts with DPAs to confirm the plan is satisfactory
Implement plan