EU to US Data Transfer - Understanding the Issues

Ben Holt
February 02, 2016

A primer on the status of EU to US data transfer while Safe Harbor is gone and Safe Harbor 2.0 is not yet in place.

Transcript

  1. EU to US Data Transfer: Understanding the Issues
     Presented by Christopher Jeffery, Dr. Axel Freiherr von dem Bussche, LL.M. (L.S.E.), Scott Young and Ben Holt
     Tuesday, February 2, 2016 • Salt Lake City
  2. Data Is Everywhere
     • Global Data
     • No Borders
     • Cloud Storage
     • Global Business
  3. Hidden Data
     • Internal Data
       – HR Data
       – Excel Spreadsheets
       – Health Plan Data
     • External Data
       – Customer Data
       – Customer's Customer Data
  4. Data Is Regulated Through Privacy
  5. US vs. EU Privacy
     • EU Privacy: Article 8 and Data Protection Principles; General Data Protection Regulation; German, UK and French regulators
     • US Privacy: HIPAA, PCI, Banking (GLB), Data Breach, FCRA / FACTA, COPPA, DPPA
  6. Solutions? US Data Storage / EU Data
  7. EU Regulations Have Bite
     • Your Business
     • Upcoming EU Regulations
  8. Latest News, Practical Steps & Preparing for New Regulations
  9. The New EU Data Protection Regime
     Christopher Jeffery, Dr. Axel Freiherr von dem Bussche, LL.M. (L.S.E.)
  10. Content
     1 > Introduction
     2 > Data protection today
     3 > Death of Safe Harbor (Schrems decision)
     4 > What is coming: GDPR
  11. 1 > Introduction (word cloud): Binding Corporate Rules, Safe Harbor, NSA / Snowden, Europe, Data Protection Regulation, Fines, Google / Facebook
     Picture: Edward Snowden © Laura Poitras / Praxis Films CC-BY 3.0
  12. 1 > Introduction
     Data volume produced: 1980s: per day; 2015: per mouse click
     Statutory data protection provisions mostly unchanged since the 1980s: concept outdated
  13. 1 > Introduction: Who are the players?
     Company, Authorities, Parliaments / Legislators, Media / Press, Works Councils, Large Companies, National Courts
  14. 1 > Introduction: Global data transfer
     • Need for global data transfer
     • Fragmented data protection law
     • For example: US company with an employee in an EU-based subsidiary
  15. 2 > Data Protection today
     2.1 > EU directives
     2.2 > Inconsistent implementation
     2.3 > Data protection in the U.S.
     2.4 > Data transfers
  16. 2.1 > EU directives
      Several Directives set the outline rules and principles for data protection:
       • Data Protection Directive
       • ePrivacy Directive
       • E-Commerce Directive
       • Directive for electronic communications, etc.
      Directives have to be transposed into local law
      Implementations and interpretation vary significantly between Member States
  17. 2.1 > EU directives: Data Protection Directive
      Introduced in 1995
      Needed to be implemented at national level and required transposition into national law by each Member State
      Criticism:
       • Outdated because of new technologies
       • Level of harmonization still too low
  18. 2.1 > EU directives: Data Protection Directive
     General rule: use of data is prohibited if not explicitly justified (law, consent, works council agreement)
     Point in time: data protection starts with data collection
     Practical approach: "how to create a defensible position"
     Threats: fines, bad press
  19. 2.1 > EU directives: Data Protection Directive
      Any export of data out of the EU requires specific additional justification for the transfer
      There is no "group privilege" under EU law; data transfer between two legal entities in a multinational corporation is treated just like any third-party transfer
      ECJ Google Spain decision: EU data protection law applies to non-EU companies with local sales offices in the EU when data of EU citizens is processed, even if the data is processed outside the EU (prospectively: Art. 3 GDPR)
  20. 2.2 > Inconsistent implementation
      Strong influence of non-harmonized labour laws
      Different filing requirements
      Data protection officer (DPO)
      Different local court rulings
  21. 2.3 > Data protection in the United States
      Sector-specific regulation, no general concept of data protection
      Collected data on consumers/employees is considered company property
      However: Castle Doctrine / stand-your-ground law
     General rule: the use of personal data is possible if not explicitly prohibited
     Point in time: data protection usually only starts in the event of an actual data breach
     Data protection measures in companies are usually of a technical nature
     Threats: "class actions", regulatory notification requirements
  22. 2.4 > Data Transfers: Consent
     Consent
     • Everywhere
     • Free will
     • Informed
     • Formal requirements
  23. 2.4 > Data Transfers: Model Clauses
     EU Model Clauses
     • Standard solution
     • Complex
     • Many agreements
     • Registration required
     • Includes US P C
  24. 2.4 > Data Transfers: BCRs
     Binding Corporate Rules
     • Controller BCRs
     • 2013: Processor BCRs
     • Company solution
     • Very complex
     • Registration required
     • Time consuming
     • "One-Stop-Shopping"
  25. 2.4 > Data Transfers: Safe Harbor
     USA (until 10/2015)
     • Safe Harbor (EU/US)
     • Commission Decision 2000/520/EC
     • Registration required
     • 1 in 6 of 3,000 certified companies in violation (Galexia research)
  26. 3 > Death of Safe Harbor
     3.1 > The Ruling
     3.2 > Political Consequences
     3.3 > Practical Consequences
  27. 3.1 > The Ruling: Key Takeaways
      Safe Harbor exemption is void
       • No legal basis for data transfer to the US
       • Immediate effect, since Safe Harbor was an exemption from the general restriction
      Commission must periodically verify adequacy
      Supervisory authorities can examine claims
       • DPAs can independently investigate complaints relating to "adequacy" even where the Commission has previously determined an adequate level of protection
       • May lead to different interpretations / consequences
      DPAs cannot invalidate a Commission decision, but DPAs can request that adequacy decisions be vacated by the European Court
  28. 3.2 > Political Consequences: Recent Developments
     Commissioner Julie Brill (Keynote, Amsterdam Privacy Conference, October 23rd, 2015):
     "Meanwhile, across the Atlantic, … the decision clearly came as a shock to many policy makers and companies in the United States"
     Member of the U.S. House of Representatives (discussion in Silicon Valley, October 2015, quoted according to Brill's speech):
     "Schrems decision measured 7.8 on the Richter scale"
  29. 3.2 > Political Consequences: Recent Developments
      Irritations between the EU and the USA
      Different understanding of privacy
      Impacts business in the EU and the USA
  30. 3.2 > Political Consequences: Situation after 01/2016
      Art. 29 Working Party:
       • "If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions."
       • Recent announcement: No extension (!)
  31. 3.2 > Political Consequences: Safe Harbor 2.0?
      EU Commission:
       • "The Commission […] has immediately resumed and stepped up its talks with the U.S. government in order to ensure that any new arrangement for transatlantic transfers of personal data fully complies with the standard set by the court."
      EU Parliament (LIBE committee):
       • Skeptical regarding the schedule
       • Uncertain whether agreement can be reached within the grace period
      European Data Protection Supervisor:
       • January 31st was a "legal fiction" that "could not be fixed" (13.01.2016)
  32. 3.3 > Practical Consequences: Do we have to silo EU data?
      Safe Harbor was never the only solution!
       • Binding Corporate Rules
       • Model Clauses (Standard Contractual Clauses)
       • Other derogations, especially consent
  33. 3.3 > Practical Consequences: To Dos
      Look busy!
      Nail data flows: legal teams *never* know everything that is happening
      Nail what B2B contracts say:
       • Where our clients are supplying their customers
       • Where our clients are using vendors (sub-processors)
  34. 3.3 > Practical Consequences: To Dos
      Look at other compliance mechanisms
       • Think about what might be needed longer term
       • On Safe Harbor: change to EU Model Clauses (depending on where you are)
       • On Model Clauses and BCRs: possibly use other safeguards too (encryption, access restrictions, further contractual means); make sure you can evidence compliance
       • Consent: make information 150% clear, transparent, and traceable
      Jan. 31st, 2016: deadline for Safe Harbor replacement
      Feb. 2nd, 2016: meeting of the Art. 29 WP
  35. 4 > What is coming: GDPR
     4.1 > Outlook
     4.2 > Timeline
     4.3 > Provisions
  36. 4.1 > Outlook
     One single legislation for all EU member states: General Data Protection Regulation (GDPR)
     • Direct applicability in the Member States
     • No implementation, so no local law specifics possible
     • Projected to become applicable by spring 2018, after a two-year transition period
  37. 4.2 > EU Data Protection Regulation: Timeline
     2011: 1st draft
     2012: EU Commission proposes officially; June: meeting of the Council of Ministers; October: statement of the LIBE Committee
     LIBE draft of the EU Parliament
     June 2015: draft of the EU Council of Ministers + trilogues (12/2015 – 03/2016)
     15.12.2015: finalization of the draft
     January/February 2016: Council and Parliament are expected to vote on the agreed version
     Spring 2018: coming into force (transition of 2 years and 20 days from publication in the Official Journal)
  38. 4.3 > Provisions: Territorial Scope
      Applicability to non-EU entities
       • Establishment in the EU
       • Extended to companies that are not in the EU if processing relates to:
          The offer of goods or services to data subjects within the EU
          The monitoring of EU data subjects' behaviour within the EU
  39. 4.3 > Provisions: "Lead supervisory authority"
      One Stop Shop:
       • Organisations will be regulated by a single regulator in the place of their "main establishment"
       • "Main establishment" will be the main administrative location in the EU
       • Exception: main decisions about data processing are taken in a different Member State, in which case that will be the main establishment
       • "Main establishment" leaves room for differing interpretations
       • Individuals are able to make complaints in their Member State, at which point that regulator will engage in a cooperation procedure (in the event of disagreement it will be settled by the European Data Protection Board)
  40. 4.3 > Provisions: Data subjects' Rights
      Right of representative action: data subjects may commission non-profit associations to assert their rights before a supervisory authority or in court.
      Right to be forgotten: where the controller has made the personal data public, it shall take reasonable steps, including technical measures, to inform controllers which are processing the data that the data subject has requested erasure.
      Right of data portability: data subjects have a right to receive the personal data which they have provided to the controller. The personal data shall be provided in a structured, commonly used and machine-readable format.
  41. 4.3 > Provisions: Consumer Rights
      Right to object: right to object to data processing based on the legitimate interest exception or where data is processed for direct marketing purposes (includes profiling to the extent it is related to such direct marketing)
      Ban on automated decision making: companies may not subject the individual to decisions based on automated processing alone, i.e. with no human intervention. Exception: if it is necessary for the contract (e.g. credit rating) or based on explicit consent.
  42. 4.3 > Provisions: Data processing
      Contract for data processing: requirements are similar to what the Controller-Processor Standard Contractual Clauses 2010/87/EU require
      Purpose limitation: data processing must be carried out for the original purpose(s) for which it was collected unless the new purpose is "compatible"; indications:
       • Link with the original purpose
       • Context in which the personal data was collected
       • Possible consequences of the intended further processing for the data subject
       • Existence of appropriate safeguards
      Notification: no requirement to notify authorities of data processing, but a requirement to keep records of data processing activities (subject to limited exceptions for SMEs)
  43. 4.3 > Provisions: Data processing
      Consent: needs to be freely given, specific and informed and an "unambiguous indication" of a data subject's wishes, expressed either by a statement or a clear affirmative action
      Data protection impact assessments (DPIAs): requirement to carry out DPIAs if proposed activities are likely to result in a high risk for the rights and freedoms of individuals, in particular
       • through the use of new technologies and
       • in cases of profiling of people.
      If a DPIA reveals a significant risk, organisations must consult with their DPA before beginning the processing
  44. 4.3 > Provisions: International Data Transfers
      Prohibition of transfer of personal data to third countries, unless
       • the Commission has adopted an adequacy decision regarding the target country;
       • the parties have provided appropriate safeguards, e.g. by
          standard contractual clauses;
          BCRs (for intra-group data transfers);
          New: an approved code of conduct (which is monitored by a special body);
          New: a certificate for complying with approved data protection seals and marks
      Exact criteria for an adequacy decision by the EU Commission, e.g.:
       • enforceable data subject rights
       • effective administrative and judicial redress for data subjects
      Inquiries by courts or authorities from third countries may only be recognized or enforceable if based on an international agreement, e.g. a legal assistance treaty (problem in case of pre-trial discovery requests from the United States!)
  45. 4.3 > Provisions: Data Protection Officers
      Appointment of a DPO is obligatory where:
       • the company's core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;
       • sensitive data are processed on a large scale
      National laws may provide for mandatory appointment in other cases (e.g. in Germany, it is likely that the requirement to appoint a DPO for a business with more than 9 employees processing personal data will remain in force)
      Where the controller or processor is not established in the EU, it shall designate in writing a "representative" in the Union
  46. 4.3 > Provisions: Breaches and Penalties
      Higher penalties: up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher
      Breach reporting: breaches must be reported to DPAs without undue delay and, where feasible, within 72 hours of becoming aware of them. Exemption: the breach is unlikely to result in a risk to the rights and freedoms of individuals
  48. Your Taylor Wessing Contact
     Christopher Jeffery, Partner, London > IT, Telecoms & Competition
     Chris Jeffery is a partner in the Intellectual Property department who specializes in technology matters, especially for North American businesses setting up or partnering in Europe. Chris has acted for over 160 US-based tech companies in the last two years, helping them negotiate with European partners and customers (including many of the big corporates), advising on the forms of contracts that will work locally and guiding them through the labyrinth of EU regulation, especially in the data protection/privacy area.
     Areas of expertise:
     • Technology licensing & distribution
     • Data protection
     • Internet and wireless sectors
     • Consumer protection in the technology sector
     Chris has degrees in English and French Law (London School of Economics, University of London), as well as a Diplôme d'études juridiques françaises (Université Robert Schuman, Strasbourg, France), and completed his Law Society Finals at the College of Law in Guildford, UK.
     Contact details: T: +44 20 7300 4230, E: [email protected]
  49. Your Taylor Wessing Contact
     Dr. Axel Frhr. von dem Bussche, LL.M. (L.S.E.), Partner, Hamburg > IT / Telecoms > Data Protection
     Axel Freiherr von dem Bussche heads the practice area Technology, Media & Telecoms and co-ordinates Taylor Wessing's international US group for Germany. Axel has specialised expertise in the technology sector and data protection. His counselling activities focus on transactions, software licensing, outsourcing, R&D projects, industry-specific contract design, internet, games and gambling law and regulatory matters. He advises companies on internal processes in the area of group data privacy including negotiations with works councils. A particular focus of his practice is counselling in matters of international dimensions and advising expanding foreign companies in Germany.
     Axel studied law at the universities of Heidelberg, Lausanne (Switzerland), Munich and the London School of Economics (L.S.E.). He was a legal trainee in Hamburg and Cape Town (South Africa) and received his doctorate from the University of Göttingen. Axel was admitted to the German Bar in 1997. He joined Taylor Wessing in Düsseldorf in 1999 and is now based in Hamburg.
     Axel regularly writes articles and gives talks concerning recent legal developments in the technology sector. He is a member of the international lawyers' association "interLEX". Axel is recognized as an internationally leading lawyer for internet & e-commerce in "Who's Who Legal" and as Lawyer of the Year for IT law in the "Best Lawyers 2014" ranking from Handelsblatt. Axel Freiherr von dem Bussche is a specialist solicitor for information technology law. Axel, of German and Swiss nationality, is a German native speaker, is fluent in English and speaks French.
     Recent publications:
     > Editor of von dem Bussche/Voigt, Konzerndatenschutz, Beck Verlag 2014
     > Editor of von dem Bussche/Stamm, Data Protection in Germany, Beck Verlag 2013
     Rankings: Lawyer of the Year for IT, Best Lawyers Germany 2014, Handelsblatt; listed as legal expert for Information Technology, Who's Who Legal 2014; "very experienced, excellent industry knowledge", JUVE 2012/2013
     Contact details: T: +49 (0) 40 368 03 129, E: [email protected]
  50. Our international Data Protection Products
     Global Data Hub: the Global Data Hub is Taylor Wessing's international thought leadership in the area of data protection. It draws on Taylor Wessing's international expertise to provide you with insight and guidance on data protection issues. Our in-depth analysis, news updates, events and webinars will help you navigate the minefield of global data protection law. www.taylorwessing.com/globaldatahub
     Monthly Topical Issues and White Papers
     Risk Maps answer key data protection questions across the world
  51. Publications on data protection by Dr. Axel Frhr. von dem Bussche, LL.M. (L.S.E.)
     Copyright notice: icons used in this presentation were made by Freepik from www.flaticon.com and are licensed under CC BY 3.0
  52. About Taylor Wessing
     > Leading international law firm
     > 1,700 Lawyers – 370 Partners
     > 28 Offices – 17 jurisdictions
     > Focus on the industries of tomorrow
     > Major international companies
     > Data Protection is a key area
     > Privacy experts in all jurisdictions
     Partner law firms via international networks: we have a selected network of partner law firms with whom we have worked for many years on cross-border transactions and projects in all important jurisdictions.
     Map legend: Taylor Wessing offices; Taylor Wessing expert teams and country groups; partner law firms.
     Locations: Austria: Vienna, Klagenfurt*; Belgium: Brussels; China*: Beijing, Shanghai; Czech Republic: Brno*, Prague; France: Paris; Germany: Berlin, Düsseldorf, Frankfurt, Hamburg, Munich; Hungary: Budapest; Indonesia**: Jakarta; Poland: Warsaw; Singapore; Slovakia: Bratislava; South Korea**: Seoul; UK: Cambridge, London; Ukraine: Kiev; UAE: Dubai; USA*: New York, Menlo Park
  53. Office details
     Amsterdam: Parnassusweg 823, 1082 LZ Amsterdam, Netherlands. T. +31 (0)88 0243 000, F. +31 (0)88 0243 003
     Beijing (Rep office): Unit 2307&08, West Tower, Twin Towers, B-12 Jianguomenwai Ave, Chaoyang District, Beijing 100022. T. +86 10 8587 5886, F. +86 10 8587 5885
     Berlin: Ebertstraße 15, 10117 Berlin. T. +49 (0)30 88 56 36 0, F. +49 (0)30 88 56 36 100
     Bratislava: Taylor Wessing e|n|w|c advokáti s.r.o., Panenská 6, SK-81103 Bratislava. T. +421 (2) 5263 2804, F. +421 (2) 5263 2677
     Brno (Rep office): Taylor Wessing e|n|w|c v.o.s. – advokáti, Dominikánské náměstí 4/5, CZ-602 00 Brno. T. +420 543 420 401, F. +420 543 420 402
     Brussels: Trône House, 4 Rue du Trône, 1000 Brussels. T. +32 (0)2 289 6060, F. +32 (0)2 289 6070
     Budapest: Bánki és Társai Ügyvédi Iroda in cooperation with Taylor Wessing e|n|w|c Rechtsanwälte GmbH, Dorottya u. 1, III. em., H-1051 Budapest. T. +36 (1) 327 04 07, F. +36 (1) 327 04 10
     Cambridge: 24 Hills Road, Cambridge CB2 1JP. T. +44 (0)1223 446400, F. +44 (0)1223 446401
     Dubai: 26th Floor, Rolex Tower, Sheikh Zayed Road, P.O. Box 33675, Dubai, United Arab Emirates. T. +971 (0)4 309 1000, F. +971 (0)4 358 7732
     Düsseldorf: Benrather Straße 15, 40213 Düsseldorf. T. +49 (0)211 83 87 0, F. +49 (0)211 83 87 100
     Eindhoven: Kennedyplein 201, 5611 ZT Eindhoven; PO Box 3, 5600 AA Eindhoven, Netherlands. T. +31 (0)88 0243 000, F. +31 (0)88 0243 001
     Frankfurt: Senckenberganlage 20-22, 60325 Frankfurt a.M. T. +49 (0)69 971 30 0, F. +49 (0)69 971 30 100
     Hamburg: Hanseatic Trade Center, Am Sandtorkai 41, 20457 Hamburg. T. +49 (0)40 36 80 30, F. +49 (0)40 36 80 3280
     Jakarta (Assoc office): HPRP, Wisma 46 Kota BNI, 41st floor, Jl. Jend Sudirman Kav 1, Jakarta 10220. T. +6221 5746545, 5701837, F. +6221 5746464, 5701835
     Kiev: Taylor Wessing e|n|w|c Law Firm TOV, Illinsky Business Center, vul. Illinska 8, Entrance 11, 6th floor, UA-04070 Kiev. T. +380 (44) 369 32 44, F. +380 (44) 369 32 46
     Klagenfurt (Rep office): Taylor Wessing e|n|w|c Rechtsanwälte GmbH, Alter Platz 1, A-9020 Klagenfurt, Austria. T. +43 (0)463 51 52 27
     London: 5 New Street Square, London EC4A 3TW. T. +44 (0)20 7300 7000, F. +44 (0)20 7300 7100
     London Tech City: Shoreditch Business Centre, 64 Great Eastern Street, London EC2A 3QR. T. +44 (0)20 7300 7000
     Munich: Isartorplatz 8, 80331 Munich. T. +49 (0)89 2 10 38 0, F. +49 (0)89 2 10 38 300
     New York: 41 Madison Avenue, 31st Floor, New York, NY 10010, USA. T. +1 650 617 3336
     Palo Alto: 530 Lytton Avenue, 2nd Floor, Palo Alto, California 94301. T. +1 650 617 3336
     Paris: 42 avenue Montaigne, 75008 Paris. T. +33 (0)1 72 74 03 33, F. +33 (0)1 72 74 03 34
     Prague: Taylor Wessing e|n|w|c v.o.s. – advokáti, U Prašné brány 1, CZ-110 00 Praha 1. T. +420 224 81 92 16, F. +420 224 81 92 17
     Seoul (Assoc office): DR & AJU International Law Group, 7/11/12/13/15F, Donghoon Tower, 317 Teheran-ro, Gangnam-gu, Seoul. T. + 02-563-2900
     Shanghai (Rep office): Unit 1509, United Plaza, No. 1468 Nanjing West Road, Shanghai 200040. T. +86 21 6247 7247, F. +86 21 6247 6248
     Singapore: RHT Law Taylor Wessing, Six Battery Road #09-01, #10-01, Singapore 049909. T. +65 6381 6868, F. +65 6381 6869
     Vienna: Taylor Wessing e|n|w|c Rechtsanwälte GmbH, Schwarzenbergplatz 7, A-1030 Vienna. T. +43 (0)1 716 55, F. +43 (0)1 716 55 99
     Warsaw: Taylor Wessing e|n|w|c Rechtsanwälte E. Stobiecka - Kancelaria Prawna Sp. K., ul. Mokotowska 1, PL-00640 Warszawa. T. +48 (22) 584 97 40, F. +48 (22) 584 97 50
     © Taylor Wessing 2016. This publication is intended for general public guidance and to highlight issues. It is not intended to apply to specific circumstances or to constitute legal advice. Taylor Wessing's international offices operate as one firm but are established as distinct legal entities. For further information about our offices and the regulatory regimes that apply to them, please refer to www.taylorwessing.com/regulatory.html