EU to US Data Transfer: Understanding the Issues
Presented by Christopher Jeffery, Dr. Axel Freiherr von dem Bussche, LL.M. (L.S.E.), Scott Young and Ben Holt
Tuesday, February 2, 2016, Salt Lake City
Hidden Data
• Internal Data
– HR Data
– Excel Spreadsheets
– Health Plan Data
• External Data
– Customer Data
– Customer's Customer Data
US vs. EU Privacy
• EU Privacy: Article 8 and the Data Protection Principles; General Data Protection Regulation; national regulators (German Regulator, UK Regulator, French Regulator)
• US Privacy: HIPAA; PCI; Banking (GLB); Data Breach laws; FCRA / FACTA; COPPA; DPPA
Agenda:
> EU-directives
2.2 > Inconsistent implementation
2.3 > Data protection in the U.S.
2.4 > Data transfers
3 > Death of Safe Harbor
4 > What is coming: GDPR
rules and principles for data protection:
• Data Protection Directive
• ePrivacy Directive
• E-Commerce Directive
• Directive for electronic communications, etc.
Directives have to be transposed into national law.
Implementation and interpretation vary significantly between Member States.
in 1995. It needed to be implemented at national level and required transposition into national law by each Member State.
Criticism:
• Outdated because of new technologies
• Level of harmonisation still too low
of data is prohibited if not explicitly justified (by law, consent or works council agreement).
Point in time: data protection starts with data collection.
Practical approach: "how to create a defensible position".
Threats: fines, bad press.
of data out of the EU requires specific additional justification for the transfer.
There is no "group privilege" under EU law: a data transfer between two legal entities in a multinational corporation is treated just like a transfer to any third party.
ECJ Google Spain decision: EU data protection law applies to non-EU companies with local sales offices in the EU when data of EU citizens is processed, even if the data is processed outside the EU (prospective: Art. 3 GDPR).
Sector-specific regulation, no general concept of data protection.
Collected data on consumers/employees is considered company property. However: Castle Doctrine / stand your ground law.
General rule: the use of personal data is possible if not explicitly prohibited.
Point in time: data protection usually only starts in the event of an actual data breach.
Data protection measures in companies are usually of a technical nature.
Threats: "class actions", regulatory notification requirements.
Exemption is void
• No legal basis for data transfer to the US
• Immediate effect, since Safe Harbor was an exemption from the general restriction
Commission must periodically verify adequacy.
Supervisory authorities can examine claims:
• DPAs can independently investigate complaints relating to "adequacy" even where the Commission has previously determined an adequate level of protection
• May lead to different interpretations / consequences
DPAs cannot invalidate a Commission decision, but DPAs can request that adequacy decisions be vacated by the European Court.
3.2 > Political Consequences: Recent Developments
"Meanwhile, across the Atlantic, ... the decision clearly came as a shock to many policy makers and companies in the United States"
Member of the U.S. House of Representatives (discussion in Silicon Valley, October 2015, quoted according to Brill speech): "Schrems decision measured 7.8 on the Richter scale"
Art. 29 Working Party:
• "If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."
• Recent announcement: No extension (!)
EU Commission:
• "The Commission [...] has immediately resumed and stepped up its talks with the U.S. government in order to ensure that any new arrangement for transatlantic transfers of personal data fully complies with the standard set by the court."
EU Parliament (LIBE committee):
• Skeptical regarding the schedule
• Uncertain whether agreement can be reached within the grace period
European Data Protection Supervisor:
• January 31st was a "legal fiction" that "could not be fixed" (13.01.2016)
3.3 > Practical Consequences: Do we have to silo EU data?
• Binding Corporate Rules (BCR)
• Model Clauses (Standard Contractual Clauses)
• Other derogations, especially consent
3.3 > Practical Consequences: To Dos
*never* know everything that is happening.
Nail down what B2B contracts say:
• Where our clients are supplying their customers
• Where our clients are using vendors (sub-processors)
3.3 > Practical Consequences: To Dos
might be needed longer term.
• On Safe Harbor: change to EU Model Clauses (depending on where you are)
• On Model Clauses and BCR: possibly use other safeguards too (encryption, access restrictions, further contractual means); make sure you can evidence compliance
• Consent: make information 150 % clear, transparent and traceable
Jan. 31st, 2016: Deadline for Safe Harbor replacement
Feb. 2nd, 2016: Meeting of the Art. 29 WP
member states: General Data Protection Regulation (GDPR)
• Direct applicability in the Member States
• No implementation – no local law specifics possible
• Projected to enter into force by spring 2018
4.2 > EU Data Protection Regulation: Timeline
• EU Commission proposes officially
• June: meeting of the Council of Ministers
• October: statement of the LIBE Committee
• LIBE draft of the EU Parliament
• June: draft of the EU Council of Ministers + trialogues (12/2015 – 03/2016)
• 15.01.2015: finalisation of the draft
• January/February 2016: Council and Parliament are expected to vote on the agreed version
• Spring 2018: coming into force (entry into force 20 days after publication in the Official Journal, followed by a two-year transition period)
• Establishment in the EU
• Extended to companies that are not in the EU if the processing relates to:
– the offer of goods or services to data subjects within the EU
– the monitoring of EU data subjects' behaviour within the EU
• Organisations will be regulated by a single regulator in the place of their "main establishment"
• "Main establishment" will be the main administrative location in the EU
• Exception: the main decisions about data processing are taken in a different Member State, in which case that will be the main establishment
• "Main establishment" leaves room for differing interpretations
• Individuals are able to make complaints in their own Member State, at which point that regulator will engage in a cooperation procedure (in the event of disagreement it will be settled by the European Data Protection Board)
representative action: data subjects may commission non-profit associations to assert their rights before a supervisory authority or in court.
Right to be forgotten: where the controller has made the personal data public, it shall take reasonable steps, including technical measures, to inform controllers which are processing the data that the data subject has requested erasure.
Right of data portability: data subjects have a right to receive the personal data which they have provided to the controller, in a structured, commonly used and machine-readable format.
Right to object: to data processing based on the legitimate interest exception, or where data is processed for direct marketing purposes (includes profiling to the extent it is related to such direct marketing).
Ban on automated decision making: companies may not subject the individual to decisions based on automated processing alone, i.e. with no human intervention. Exception: if it is necessary for the contract (e.g. credit rating) or based on explicit consent.
processing: requirements are similar to what the Controller-Processor Standard Contractual Clauses (2010/87/EU) require.
Purpose limitation: data processing must be carried out for the original purpose(s) for which the data was collected unless the new purpose is "compatible". Indications:
• Link with the original purpose
• Context in which the personal data was collected
• Possible consequences of the intended further processing for the data subject
• Existence of appropriate safeguards
Notification: no requirement to notify authorities of data processing, but a requirement to keep records of data processing activities (subject to limited exceptions for SMEs).
be freely given, specific and informed, and an "unambiguous indication" of the data subject's wishes, expressed either by a statement or by a clear affirmative action.
Data protection impact assessments (DPIAs): requirement to carry out a DPIA if proposed activities are likely to result in a high risk to the rights and freedoms of individuals, in particular
• through the use of new technologies, and
• in cases of profiling of individuals.
If the DPIA reveals a significant risk, organisations must consult their DPA before beginning the processing.
transfer of personal data to third countries is restricted, unless
• the Commission has adopted an adequacy decision regarding the target country; or
• the parties have provided appropriate safeguards, e.g. standard contractual clauses; BCRs (for intra-group data transfers); new: an approved code of conduct (monitored by a special body); new: a certificate of compliance with approved data protection seals and marks.
Exact criteria for an adequacy decision by the EU Commission, e.g.:
• enforceable data subject rights
• effective administrative and judicial redress for data subjects
Inquiries by courts or authorities from third countries may only be recognised or enforceable if based on an international agreement, e.g. a mutual legal assistance treaty (problem in the case of pre-trial discovery requests from the United States!).
a DPO is obligatory where:
• the company's core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;
• sensitive data are processed on a large scale.
National laws may provide for mandatory appointment in other cases (e.g. in Germany it is likely that the requirement to appoint a DPO for a business with more than 9 employees processing personal data will remain in force).
Where the controller or processor is not established in the EU, it shall designate in writing a "representative" in the Union.
Fines: up to EUR 20 million or 4 % of annual worldwide turnover, whichever is higher.
Breach reporting: breaches must be reported to DPAs without undue delay and, where feasible, within 72 hours of becoming aware of them.
Exemption: the breach is unlikely to result in a risk to the rights and freedoms of individuals.
Christopher Jeffery, Partner, London > IT, Telecoms & Competition
Chris Jeffery is a partner in the Intellectual Property department who specialises in technology matters, especially for North American businesses setting up or partnering in Europe. Chris has acted for over 160 US-based tech companies in the last two years, helping them negotiate with European partners and customers (including many of the big corporates), advising on the forms of contracts that will work locally and guiding them through the labyrinth of EU regulation, especially in the data protection/privacy area.
Areas of expertise:
• Technology licensing & distribution
• Data protection
• Internet and wireless sectors
• Consumer protection in the technology sector
Chris has degrees in English and French Law (London School of Economics, University of London) as well as a Diplôme d'études juridiques françaises (Université Robert Schuman, Strasbourg, France), and completed his Law Society Finals at the College of Law in Guildford, UK.
Contact details: +44 20 7300 4230, c.jeffery@taylorwessing.com
Dr. Axel Frhr. von dem Bussche, LL.M. (L.S.E.), Partner, Hamburg > IT / Telecoms > Data Protection
Axel Freiherr von dem Bussche is a specialist solicitor for information technology law. He heads the Technology, Media & Telecoms practice and co-ordinates Taylor Wessing's international US group for Germany. Axel has specialised expertise in the technology sector and data protection. His counselling activities focus on transactions, software licensing, outsourcing, R&D projects, industry-specific contract design, internet, games and gambling law and regulatory matters. He advises companies on internal processes in the area of group data privacy, including negotiations with works councils. A particular focus of his practice is counselling in matters of international dimension and advising expanding foreign companies in Germany.
Axel studied law at the universities of Heidelberg, Lausanne (Switzerland), Munich and the London School of Economics (L.S.E.). He was a legal trainee in Hamburg and Cape Town (South Africa) and received his doctorate from the University of Göttingen. Axel was admitted to the German Bar in 1997. He joined Taylor Wessing in Düsseldorf in 1999 and is now based in Hamburg.
Axel regularly writes articles and gives talks concerning recent legal developments in the technology sector. He is a member of the international lawyers' association "interLEX". Axel is recognised as an internationally leading lawyer for internet & e-commerce in "Who's Who Legal" and as LAWYER OF THE YEAR for IT law in the "Best Lawyers 2014" ranking from Handelsblatt. Axel, of German and Swiss nationality, is a German native speaker, is fluent in English and speaks French.
Contact details: T: +49 (0) 40 368 03 129, E: a.bussche@taylorwessing.com
Your Taylor Wessing Contact
Recent publications:
> Editor of von dem Bussche/Voigt, Konzerndatenschutz, Beck Verlag 2014
> Editor of von dem Bussche/Stamm, Data Protection in Germany, Beck Verlag 2013
Recognition:
> LAWYER OF THE YEAR for IT, Best Lawyers Germany 2014, Handelsblatt
> Listed as legal expert for Information Technology, Who's Who Legal 2014
> "very experienced, excellent industry knowledge", JUVE 2012/2013
Global Data Hub is Taylor Wessing's international thought leadership in the area of data protection. Global Data Hub draws on Taylor Wessing's international expertise to provide you with insight and guidance on data protection issues. Our in-depth analysis, news updates, events and webinars will help you navigate the minefield of global data protection law.
www.taylorwessing.com/globaldatahub
• Monthly Topical Issues and White Papers
• Risk Maps answer key data protection questions across the world
Copyright notice: Icons used in this presentation were made by Freepik from www.flaticon.com and are licensed under CC BY 3.0.
About Taylor Wessing
> 28 offices – 17 jurisdictions
> Focus on the industries of tomorrow
> Major international companies
> Data Protection is a key area
> Privacy experts in all jurisdictions
Partner law firms via international networks: we have a selected network of partner law firms with whom we have worked for many years on cross-border transactions and projects in all important jurisdictions, complemented by Taylor Wessing expert teams and country groups.
Taylor Wessing offices: Austria (Vienna, Klagenfurt*); Belgium (Brussels); China* (Beijing, Shanghai); Czech Republic (Brno*, Prague); France (Paris); Germany (Berlin, Dusseldorf, Frankfurt, Hamburg, Munich); Hungary (Budapest); Indonesia** (Jakarta); Poland (Warsaw); Singapore; Slovakia (Bratislava); South Korea** (Seoul); UK (Cambridge, London); Ukraine (Kiev); UAE (Dubai); USA* (New York, Menlo Park)