Does EU Data Transfer Affect Me & What to Do About It

Ben Holt
November 16, 2015

Continuing Legal Education program given on November 16, 2015.

Transcript

  1. Does EU Data Transfer Affect Me & What Should I Do About It?
     Tsutomu Johnson (Teleperformance), Jeff Adams (Digicert), Ben Holt (Stoel Rives)

  2. EU Law - Where Does it Come From?
     European Convention on Human Rights
     • ECHR - Article 8 - Right to Respect for Private and Family Life, Home and Correspondence
     • Under Article 8 - A right to protection against the collection and use of personal data

  3. Personal Data (Living People Only)
     • If it relates to an identified or at least identifiable person, the data subject
     • A person is identifiable if additional information can be obtained without unreasonable effort, allowing the identification of the data subject (direct or indirect - it need only be possible)
     • Sensitive Data (in Convention 108 and the Data Protection Directive) requires enhanced protection and has a special legal regime
       ◦ race, ethnicity, political opinions, beliefs, health, sexual life, trade union membership, criminal convictions
     • Data is anonymized if it no longer contains any identifiers
     • Data is pseudonymized if identifiers are encrypted
     • Pseudonymized Data is personal data
     • Anonymized Data is not personal data

  4. EU Data Protection Principles (Summary)
     Personal Data Shall:
     1. Be processed fairly and lawfully
     2. Be obtained only for one or more specified and lawful purposes
     3. Be adequate, relevant and not excessive in relation to the purpose
     4. Be accurate and, where necessary, kept up to date
     5. Not be kept for longer than is necessary for that purpose
     6. Be processed in accordance with the rights of data subjects under this Act
     7. Have appropriate technical and organisational measures against unauthorized / unlawful processing or accidental loss/destruction/damage of personal data
     8. Not be transferred to a country or territory outside the European Economic Area unless an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data is ensured

  5. 8 EU Data Protection Principles (For Handouts)
     1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless
        a. at least one of the conditions in Schedule 2 is met, and
        b. in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
     2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
     3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
     4. Personal data shall be accurate and, where necessary, kept up to date.
     5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
     6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
     7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
     8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

  6. The 8th Principle
     • No Transfer unless
       ◦ Adequate Protection
     • Which Means
       ◦ 8 Principles and
       ◦ Judicial Redress
     • See Directive 95/46/EC of 24 October 1995

  7. EU Data Transfer to US Without More is Not Permitted
     • US Does Not Follow the 8 Principles
       ◦ Largely Industry Self-Regulation
       ◦ Privacy Policies (Inadequate)
     • Which Leaves:
       ◦ Consent
       ◦ Binding Corporate Rules
       ◦ Model Contract Clauses
     • Department of Commerce Negotiated With EU Commission
       ◦ Alternative - Safe Harbor Framework
  8. Some Definitions
     • Data Controller
       ◦ Entity Responsible for the Use and Purpose of the data, including which data to keep
         ▪ "The controller is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law." Article 2(d) of the Data Protection Directive.
     • Data Processor
       ◦ Entity That Processes Data Under the Direction of the Data Controller
       ◦ "Processes Data" is Far Reaching - Includes Storage
         ▪ "The processor is the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller." Article 2(e) of the Data Protection Directive.

  9. Consent
     • Free, Informed and Specific
     • Given Unambiguously (Explicit OR Implied by Acting in a Way Which Leaves No Doubt)
     • Sensitive Data Requires Explicit Consent
     • Consent Can Be Withdrawn at Any Time
     • Problems:
       ◦ Hard to Do Right
       ◦ Easily Withdrawn

  10. Binding Corporate Rules
     • Adopting Approved Corporate Rules that Bind Related Companies to Data Protection
       ◦ Submit BCR to Selected Lead Authority DPA
       ◦ Each National DPA Reviews BCR Under EU Cooperation Procedure
     • Problems:
       ◦ Time Consuming
       ◦ Expensive ($Millions)
       ◦ Not Viable for Anything Less than Multinational Corporations

  11. Model Contract Clauses
     • Standard Forms
       ◦ Do not modify them!
       ◦ Equivalent Level of Protection
       ◦ Clauses Found at the European Commission Website
         ▪ http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm
     • Types
       ◦ EU Controller to Non-EU Controller
       ◦ EU Controller to Non-EU Processor
     • Problems
       ◦ Need to have the same clauses from your providers (sub-processors, unless they are in the EU)
       ◦ Contract liability - How Does it Pass?

  12. Safe Harbor (aka Safe Harbor 1.0)
     • Must be subject to FTC or DOT jurisdiction
       ◦ No banks, investment houses, etc., telecom common carriers, labor assoc., non-profits, etc.
     • Self-Certify
       ◦ Privacy Policy
       ◦ Independent Recourse Mechanism
       ◦ Verification Mechanism
       ◦ Designated Contact
     • Problems:
       ◦ Invalid Now
       ◦ Self-Certify
       ◦ NSA PRISM program
  13. Schrems and Sinking Safe Harbor
     • Schrems Hated Facebook
     • Complained to Data Regulator
     • Was Ignored
     • Complained to Member State Court
     • Questions to European Court of Justice
       ◦ Was about Facebook
       ◦ Decided to Go Big and Invalidate Safe Harbor
         ▪ "Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements."
     • Rare Case in Which Court Went Further Than the Most Narrow Decision

  14. But Why?
     • PRISM
     • Kicking the US is a Treasured EU Pastime
     • Did I Mention PRISM?
     • Self-Certification
     • Judicial Redress

  15. Where We Are Now - Opinions That Matter
     • Article 29 Working Party (Not Force of Law - But Good Indicator)
       ◦ Safe Harbor is No Good - STOP IT
       ◦ Model Clauses are Good for Now
       ◦ Binding Corporate Rules are Good for Now
     • European Commission
       ◦ Model Clauses are Good for Now
       ◦ Cannot Stop National Regulators if They Choose to Act

  16. Where We Are Now - Authorities
     • All
       ◦ Safe Harbor is Dead
     • Germans
       ◦ Court Struck Down EU Implementations Similar to PRISM
       ◦ Same Line of Reasoning Strikes Down Model Clauses
       ◦ Militant Regulator
     • Rest of EU
       ◦ Germans Jumped the Gun
       ◦ Not Leaping to Enforcement
       ◦ Wait and See for January
     • UK
       ◦ Don't Panic
       ◦ Use Model Clauses
  17. Immediate Steps
     • For outside counsel, determine which clients may transfer information from the EU to the US
     • Determine how many contracts manage the transfer of information between the EU and the US
     • Evaluate whether the transferred information includes personal information
     • Create a plan for handling personal information transfers

  18. Risk Analysis
     • Weigh the following: Harm from stopping operations vs. doing business as usual
     • Points for consideration:
       ◦ We are in an informal waiting period wherein the EU won't fine organizations until February 1, 2016 (Statement from the Article 29 Working Party)
       ◦ Technically, the Schrems decision is ex ante, invalidating all transfers prior to the Schrems decision
       ◦ BCRs and Model Clauses may not suffice according to the German DPA. Organizations may implement BCRs and Model Clauses now, only for the EU to invalidate those solutions later
       ◦ The solution must evade detection from government spying programs
       ◦ The need for transferring information from the EU to the US

  19. Liability
     • Currently on Data Controller
       ◦ Operations in EU
       ◦ Hosted in EU
       ◦ Customers in EU
       ◦ Monitoring Behavior in EU
     • Data Processor - Carries Out Instructions from Data Controller
       ◦ Generally the Data Processor is on the hook via indemnification clauses in contract

  20. Think About
     • Anonymizing Data
     • Aggregating Data
     • Encrypting in Transit
     • Encrypting at Rest
     • Zero Knowledge Encryption (IaaS, PaaS, SaaS)
     • The Microsoft Solution
     • TOR
     • BCRs and Model Clauses (be aware, these may be invalid by February 1, 2016)
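The "Personal Data" slide draws the line that matters for an engineer: pseudonymized data (identifiers replaced by something reversible with a key) is still personal data, while anonymized or aggregated data is not. The example below, added here and not part of the deck, shows both transformations on a constructed HR-style export of the kind the "Think About" and "Departments to Watch" slides have in mind. The records, the field names, the HMAC-SHA256 choice for the pseudonym, the 16-character token length and the suppression threshold are all assumptions made for the illustration; none come from the slides or from any real data set.

```python
"""Pseudonymize vs. anonymize an HR-style export (added illustration).

Constructed data and parameters; not the deck's material.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample rows: direct identifiers (name, email), an indirect
# identifier (office) and a sensitive attribute (ethnicity). Not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "office": "Paris", "ethnicity": "A"},
    {"name": "Bob Example", "email": "bob@example.test", "office": "Paris", "ethnicity": "B"},
    {"name": "Chloe Example", "email": "chloe@example.test", "office": "Paris", "ethnicity": "A"},
    {"name": "Hugo Example", "email": "hugo@example.test", "office": "Paris", "ethnicity": "A"},
    {"name": "Dieter Example", "email": "dieter@example.test", "office": "Munich", "ethnicity": "A"},
    {"name": "Eva Example", "email": "eva@example.test", "office": "Munich", "ethnicity": "C"},
    {"name": "Finn Example", "email": "finn@example.test", "office": "Munich", "ethnicity": "A"},
    {"name": "Greta Example", "email": "greta@example.test", "office": "Oslo", "ethnicity": "B"},
]

DIRECT_IDENTIFIERS = ("name", "email")
TOKEN_HEX_LEN = 16   # assumed: 64 bits of the HMAC output is enough for a pseudonym
MIN_GROUP_SIZE = 3   # assumed suppression threshold for aggregated cells


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed HMAC-SHA256 token.

    The slide's point: whoever holds `key` (or a token->email table) can link
    a token back to the person, so the output is still personal data. The key
    must therefore be kept apart from the exported file.
    """
    out = []
    for r in records:
        token = _token(r["email"], key)
        rest = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"subject": token, **rest})
    return out


def _token(email, key):
    # Normalise the address so the same person always maps to the same token.
    mac = hmac.new(key, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:TOKEN_HEX_LEN]


def reidentify(token, key, candidate_emails):
    """Demonstrate why pseudonymized data stays personal: with the key and a
    list of known addresses, the token is reversed by recomputation."""
    for email in candidate_emails:
        if hmac.compare_digest(_token(email, key), token):
            return email
    return None


def anonymize_by_aggregation(records, min_group_size=MIN_GROUP_SIZE):
    """Drop every identifier and keep only counts per (office, ethnicity).

    Cells below `min_group_size` are suppressed: a count of one in a small
    office singles out an individual even though no name is present. Note
    that publishing office head-counts alongside these cells could still let
    a reader infer a suppressed cell, so release totals with care.
    """
    counts = Counter((r["office"], r["ethnicity"]) for r in records)
    return {cell: n for cell, n in counts.items() if n >= min_group_size}


def contains_direct_identifiers(records):
    """Quick release check: True if any row still carries a name or email."""
    return any(k in r for r in records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per export; stored separately
    pseudo = pseudonymize(RECORDS, key)
    print("pseudonymized still personal:", reidentify(pseudo[0]["subject"], key,
                                                      [r["email"] for r in RECORDS]))
    print("aggregated, safe to share:", anonymize_by_aggregation(RECORDS))
```

Running the script shows the asymmetry the slide describes: the pseudonymized rows carry no names, yet `reidentify` recovers the address as soon as the key is available, whereas the aggregated output (here only the Paris/A cell survives the threshold) cannot be mapped back to anyone. For a real HR export the threshold and the set of fields treated as identifiers would be set by the data protection review, not hard-coded.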
  21. Departments to Watch
     • HR
       ◦ Diversity Information is Sensitive Data
         ▪ Anonymize or Aggregate
         ▪ Make it Stay in Local Office
         ▪ Often Diversity is a Target for Improvement
     • Sharing w/o thinking
       ◦ Consent for Personal Information is difficult
         ▪ Asking for Permission After Hiring May be Coercive; in fact several European countries (like France) have held that permission at the time of employment is coercive
     • IT/Security
       ◦ Organizations may talk to people in Europe who never consented to personal information being shared with the US
       ◦ Cross-border data transfers may occur without anyone outside of IT/Security knowing about it

  22. On the Horizon
     • Safe Harbor 2.0 Expected
       ◦ Addresses State Surveillance
       ◦ Judicial Redress
     • Regulator Fines Going to Go Up
       ◦ Now a Few $100k, Going to Much Higher
     • Other Countries With Data Protection Laws Similar to EU
       ◦ Israel - Followed Suit Already?
       ◦ Dubai
     • Judicial Redress Act

  23. Safe Harbor 2.0 - Best Guesses
     • Not that Different
     • Demonstration + Self Certification
       ◦ Self-Cert May Not Be Enough
     • Judicial and/or Administrative Remedies
       ◦ H.R.1428 - Judicial Redress Act of 2015
     • Concession from U.S. Government on Spying
       ◦ Have We Mentioned PRISM?

  24. Future of Model Contracts & Binding Corporate Rules
     • Dangling on a Thin Wire
       ◦ Schrems Logic Applies to Model Contracts & Binding Corporate Rules
         ▪ US Surveillance Actions
       ◦ Currently Hesitant Authorities
         ▪ Don't Want to Stop Business
         ▪ Except Germany - Maybe
     • Next Year
       ◦ Safe Harbor 2.0 In January
       ◦ Model Contracts?
       ◦ Binding Corporate Rules?

  25. Notes From Daniel Hedley, Associate, Thomas Eggar LLP
     • Start Excluding Damages to Reputation
       ◦ Reasoning for Fines, etc. is Public
       ◦ Reputation Clean-Up is Likely More Costly than Such Things as Breach
     • Start Preparing for General Data Protection Regulations
       ◦ Text Coming Out This Year (or Beginning of Next)
       ◦ In Force in 2017
       ◦ Extra-Territorial Effect
       ◦ Direct Liabilities to Authorities & Regulators
       ◦ Can Be Sued in Europe
     +44 (0)1293 742717 [email protected]

  26. Notes From Simon Portman, Managing Associate, Marks & Clerk
     • Express Consent in Contracts
       ◦ Watch Out for this Provision - Some Companies Adding This In
     • Watch Out for Patient Data
       ◦ Russia & France Require This to be Stored In Country
     • Keep Clear Audit Trails in Place
       ◦ This will likely help you sail through Safe Harbor 2.0
     • Diversity Targets Use Sensitive Data
       ◦ Be Really Careful - Anonymize Office Info., Aggregate Info.
     • Draft The Contracts So That They Remain in Force
       ◦ Even if a Provision is Struck - Model Contract Provisions Important
     +44 1223 345520 [email protected]