on Human Rights
• ECHR - Article 8 - Right to Respect for Private and Family Life, Home and Correspondence
• Under Article 8 - A right to protection against the collection and use of personal data
an identified or at least identifiable person, the data subject
• A person is identifiable if additional information can be obtained without unreasonable effort, allowing the identification of the data subject (directly or indirectly - it only has to be possible)
• Sensitive Data (in Convention 108 and the Data Protection Directive) requires enhanced protection and has a special legal regime
  ◦ race, ethnic origin, political opinions, beliefs, health, sexual life, trade union membership, criminal convictions
• Data is anonymized if it no longer contains any identifiers
• Data is pseudonymized if identifiers are encrypted
• Pseudonymized Data is personal data
• Anonymized Data is not personal data
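As an added illustration of the distinction just drawn (example code written for this page, not material from the presentation), the Python below takes a constructed sample record and pseudonymizes it with a keyed hash instead of encryption, keeping the re-identification map separately as a controller would; it then contrasts that with anonymization, which drops the direct identifiers and coarsens the quasi-identifiers and keeps no map. The field names, the key, the record and the choice of HMAC over encryption are all assumptions of the example.

```python
"""Pseudonymization vs. anonymization of a personal-data record (added example)."""
import hashlib
import hmac

# Constructed sample record; the names and values are illustrative only.
SAMPLE_RECORD = {
    "name": "Alice Example",
    "email": "alice@example.org",
    "age": 34,
    "postcode": "CB2 1TN",
    "trade_union_member": True,  # sensitive data under Convention 108 / the Directive
}

DIRECT_IDENTIFIERS = ("name", "email")   # assumed field names
QUASI_IDENTIFIERS = ("age", "postcode")  # assumed field names


def pseudonym_token(value: str, key: bytes) -> str:
    """Keyed hash of an identifier; without the key the token cannot be linked back."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: dict, key: bytes) -> tuple[dict, dict]:
    """Replace direct identifiers with tokens and return the re-identification map.

    The map (token -> original value) is what the controller must hold separately.
    Because re-identification remains possible with it, the output is still
    personal data, exactly as the slide states.
    """
    out = dict(record)
    lookup = {}
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            token = pseudonym_token(str(out[field]), key)
            lookup[token] = out[field]
            out[field] = token
    return out, lookup


def reidentify(pseudonymized: dict, lookup: dict) -> dict:
    """Restore identifiers from the separately held map (controller side only)."""
    out = dict(pseudonymized)
    for field in DIRECT_IDENTIFIERS:
        if field in out and out[field] in lookup:
            out[field] = lookup[out[field]]
    return out


def age_band(age: int) -> str:
    """Generalize an exact age to a ten-year band."""
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def anonymize(record: dict) -> dict:
    """Drop direct identifiers and coarsen quasi-identifiers; no map is kept.

    Whether the result is truly anonymous still depends on how many people share
    the remaining values in the dataset (a lone union member in one postcode area
    is still identifiable), so this is a necessary step, not a sufficient one.
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "age" in out:
        out["age"] = age_band(out["age"])
    if "postcode" in out:
        out["postcode"] = out["postcode"].split()[0]  # outward code only
    return out


if __name__ == "__main__":
    key = b"constructed-demo-key"  # would live in a key store, not in source
    pseud, mapping = pseudonymize(SAMPLE_RECORD, key)
    print("pseudonymized:", pseud)
    print("re-identified:", reidentify(pseud, mapping))
    print("anonymized:", anonymize(SAMPLE_RECORD))
```

The practical point for the later slides on transfers: the pseudonymized copy can be sent to a processor, but it is still personal data and the transfer rules apply; only the map held back by the controller makes the tokens meaningful.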
processed fairly and lawfully
2. Obtained only for one or more specified and lawful purposes
3. Be adequate, relevant and not excessive in relation to the purpose
4. Be accurate and, where necessary, kept up to date
5. Shall not be kept for longer than is necessary for that purpose
6. Be processed in accordance with the rights of data subjects under this Act
7. Have appropriate technical and organisational measures against unauthorized / unlawful processing or accidental loss/destruction/damage of personal data
8. Not be transferred to a country or territory outside the European Economic Area unless an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data is ensured
shall be processed fairly and lawfully and, in particular, shall not be processed unless
  a. at least one of the conditions in Schedule 2 is met, and
  b. in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
• US Does Not Follow the 8 Principles
  ◦ Largely Industry Self-Regulation
  ◦ Privacy Policies (Inadequate)
• Which Leaves:
  ◦ Consent
  ◦ Binding Corporate Rules
  ◦ Model Contract Clauses
• Department of Commerce Negotiated With EU Commission
  ◦ Alternative - Safe Harbor Framework
Use and Purpose of the data, including which to keep
    ▪ The controller is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law. Article 2(d) of the Data Protection Directive.
• Data Processor
  ◦ Entity That Processes Data Under the Direction of the Data Controller
  ◦ "Processes Data" Is Far Reaching - Includes Storage
    ▪ The processor is the natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. Article 2(e) of the Data Protection Directive.
OR Implied by Acting in a Way Which Leaves No Doubt)
• Sensitive Data Requires Explicit Consent
• Consent Can Be Withdrawn at Any Time
• Problems:
  ◦ Hard to Do Right
  ◦ Easily Withdrawn
Related Companies to Data Protection
  ◦ Submit BCR to Selected Lead Authority DPA
  ◦ Each National DPA Reviews BCR Under EU Cooperation Procedure
• Problems:
  ◦ Time Consuming
  ◦ Expensive ($Millions)
  ◦ Not Viable for Anything Less than Multinational Corporations
them!
  ◦ Equivalent Level of Protection
  ◦ Clauses Found at the European Commission Website
    ▪ http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm
• Types
  ◦ EU Controller to Non-EU Controller
  ◦ EU Controller to Non-EU Processor
• Problems
  ◦ Need to have the same clauses from your providers (sub-processors, unless they are in the EU)
  ◦ Contract liability - How Does it Pass?
Complained to Data Regulator
• Was Ignored
• Complained to Member State Court
• Questions to European Court of Justice
  ◦ Was about Facebook
  ◦ Decided to Go Big and Invalidate Safe Harbor
    ▪ Furthermore, national security, public interest and law enforcement requirements of the United States prevail over the safe harbour scheme, so that United States undertakings are bound to disregard, without limitation, the protective rules laid down by that scheme where they conflict with such requirements.
• Rare Case in Which Court Went Further Than Most Narrow Decision
29 Working Party (Not Force of Law - But Good Indicator)
  ◦ Safe Harbor is No Good - STOP IT
  ◦ Model Clauses are Good for Now
  ◦ Binding Corporate Rules are Good for Now
• European Commission
  ◦ Model Clauses are Good for Now
  ◦ Cannot Stop National Regulators if They Choose to Act
Harbor is Dead
• Germans
  ◦ Court Struck Down EU Implementations Similar to PRISM
  ◦ Same Line of Reasoning Strikes Down Model Clauses
  ◦ Militant Regulator
• Rest of EU
  ◦ Germans Jumped the Gun
  ◦ Not Leaping to Enforcement
  ◦ Wait and See for January
• UK
  ◦ Don't Panic
  ◦ Use Model Clauses
transfer information from the EU to the US
• Determine how many contracts manage the transfer of information between the EU and the US
• Evaluate whether the transferred information includes personal information
• Create a plan for handling personal information transfers
vs. doing business as usual
• Points for consideration:
  ◦ We are in an informal waiting period wherein the EU won't fine organizations until February 1, 2016 (Statement from the Article 29 Working Party)
  ◦ Technically, the Schrems decision is ex ante, invalidating all transfers prior to the Schrems decision
  ◦ BCRs and Model Clauses may not suffice according to the German DPA. Organizations may implement BCRs and Model Clauses now, only for the EU to invalidate those solutions later
  ◦ The solution must evade detection from government spying programs
  ◦ The need for transferring information from the EU to the US
  ◦ Hosted in EU
  ◦ Customers in EU
  ◦ Monitoring Behavior in EU
• Data Processor - Carries Out Instructions from Data Controller
  ◦ Generally the Data Processor is on the hook via indemnification clauses in the contract
in Transit
• Encrypting at Rest
• Zero Knowledge Encryption (IaaS, PaaS, SaaS)
• The Microsoft Solution
• TOR
• BCRs and Model Clauses (be aware, these may be invalid by February 1, 2016)
Data
    ▪ Anonymize or Aggregate
    ▪ Make it Stay in Local Office
    ▪ Often Diversity is a Target for Improvement
• Sharing w/o thinking
  ◦ Consent for Personal Information is difficult
    ▪ Asking for Permission After Hiring May be Coercive; in fact, several European countries (like France) have held that permission given at the time of employment is coercive
• IT/Security
  ◦ Organizations may talk to people in Europe who never consented to personal information being shared with the US
  ◦ Cross-border data transfers may occur without anyone outside of IT/Security knowing about it
State Surveillance
  ◦ Judicial Redress
• Regulator Fines Going to Go Up
  ◦ From a Few $100k Now to Much Higher
• Other Countries With Data Protection Laws Similar to EU
  ◦ Israel - Followed Suit Already?
  ◦ Dubai
• Judicial Redress Act
• Demonstration + Self Certification
  ◦ Self-Cert May Not Be Enough
• Judicial and/or Administrative Remedies
  ◦ H.R.1428 - Judicial Redress Act of 2015
• Concession from U.S. Government on Spying
  ◦ Have We Mentioned Prism?
on a Thin Wire
  ◦ Schrems Logic Applies to Model Contracts & Binding Corporate Rules
    ▪ US Surveillance Actions
  ◦ Currently Hesitant Authorities
    ▪ Don't Want to Stop Business
    ▪ Except Germany - Maybe
• Next Year
  ◦ Safe Harbor 2.0 In January
  ◦ Model Contracts?
  ◦ Binding Corporate Rules?
Excluding Damages to Reputation
  ◦ Reasoning for Fines, etc. is Public
  ◦ Reputation Clean-Up is Likely More Costly than Such Things as a Breach
• Start Preparing for the General Data Protection Regulation
  ◦ Text Coming Out This Year (or Beginning of Next)
  ◦ In Force in 2017
  ◦ Extra-Territorial Effect
  ◦ Direct Liabilities to Authorities & Regulators
  ◦ Can Be Sued in Europe
Express Consent in Contracts
  ◦ Watch Out for this Provision - Some Companies Adding This In
• Watch Out for Patient Data
  ◦ Russia & France Require This to be Stored In Country
• Keep Clear Audit Trails in Place
  ◦ This will likely help you sail through Safe Harbor 2.0
• Diversity Targets Use Sensitive Data
  ◦ Be Really Careful - Anonymize Office Info., Aggregate Info.
• Draft The Contracts So That They Remain in Force
  ◦ Even if a Provision is Struck - Model Contract Provisions Important