Managing data transfers between US and EU and everywhere else


Mozelle W. Thompson is CEO of Thompson Strategic Consulting, where he provides innovative legal, policy and business advice to innovative companies like Facebook, Samsung, Disney, Path, Loyal3 and Atigeo. Thompson's distinguished public and private sector careers and his groundbreaking work have made him an international leader and trusted adviser to presidents, heads of state, governments and corporations. He also serves on several corporate boards and in 2008 was a Team Leader of the Obama/Biden Transition, where he led the review of the US Securities and Exchange Commission (SEC). From December 1997 until August 2004, Thompson served as a Commissioner on the US Federal Trade Commission, where he developed leadership roles in such areas as international consumer protection, high technology antitrust, online privacy and intellectual property. He also served as Chairman of the OECD Committee on Consumer Policy, where he established groundbreaking policies to promote competition and protect consumers around the world. This role was particularly critical during the growth of today's high technology industry, and it was where he produced the first international standards for e-commerce.

Robert Bond is a Partner with Bristows LLP and has nearly 40 years' experience in advising national and international clients on all of their technology, data protection and information security law requirements. Clients include NBC Universal, Google, Cray, CPA Global, WestRock, Ingevity, RPM, Rocco Forte Hotels, Spotify, Epsilon, Red Flag and K2 Intelligence. Bond is a recognised legal expert and author in the fields of IT, e-commerce, computer games, media and publishing, data protection, information security and cyber risks. Bond is Secretary of the Board of the Society for Corporate Compliance & Ethics, Chairman of the Data Protection Network, Trustee of the UK Safer Internet Centre, a member of the Data Privacy Advisory Group to the United Nations, a member of the Board of TAPESTRY (Trust, Authentication and Privacy over a DeCentralised Social Registry) at University of Surrey and is an Ambassador for Privacy by Design.

Agenda
- EU and US data privacy challenges
- Effective methods for data transfers
- Preparing for the General Data Protection Regulation and transfers
- Embedding ethics and trust into privacy practices

Why Ethics and Trust now?
- Compliance with data protection law is mandatory
- Media attention on data breaches
- Consumer awareness of their privacy rights
- Risk of damage to brand and reputation
- Increased enforcements and fines

Data protection is at the heart of any business
[Diagram labels: PERSONAL DATA; Reporting and Discovery; Commercial Contracts; Big Data; Outsourcing / Cloud; M & A; Investigations & Claims; Employment; Social media; Global Presence; Emails; Corporate Restructuring]

Understand jurisdictional privacy frameworks
- Historical influences and empires
- English common law influences
- European civil law influences
- OECD Guidelines
- Convention 108

Legal Background
1. What does Article 25 of the EU Data Protection Directive say? No transfer to a third country of personal data undergoing processing or intended for processing after transfer unless the third country ensures an adequate level of protection.
2. Prohibition. Why? No substantial change under the GDPR.
3. What is a 'transfer' of personal data? Bodil Lindqvist case: access from a third country of personal data loaded onto a website.

UNDERSTANDING DATA TRANSFERS
Strategies for transborder dataflows
- Safe Harbor/Privacy Shield
- Seals and trust marks
- Consent
- Model clauses
- Binding corporate rules (not valid in all countries)
- Contractual necessity
- Adequate destination
- Presumption of adequacy

So what's the action plan?
1. Appoint a team that can (a) assess company data uses and information assets and (b) cover all key questions and actions
2. Use external expertise where necessary
3. Get Board and Executive buy-in
4. What are our options? Privacy Shield, Model Clauses, consent or other exceptions or a combination?
5. If these work why choose BCR? Who else has done it? Why?
6. If BCR is still the option then what do we do before we submit and then whilst we wait?
7. Audit EU entities for compliance now
8. Understand relationship between data protection policies and other corporate codes of conduct and policies
9. Decide on participating entities in the group
10. Cost the project and develop an implementation plan

Is an Omnibus DTA for you?

Advantages
- Complies with the principles of the EU Directive 95/46/EC: standardises practices re protection of personal data within a group of companies.
- Internal guide for management of personal data, meeting the group's ethical concerns.
- Approach is more closely embedded in business practice; it is expected that this will result in more effective data protection.
- Reduces the multitude of individual C2C and C2P contracts.
- Already a viable solution used by multinationals and approved as a solution by DPAs.

Disadvantages
- Still needs to be approved by certain DPAs.
- Requires detailed descriptions of data, databases, data subjects and data recipients.
- Not all DPAs are used to this approach and may question its suitability.
- Requires participation by all legal entities and one large signature block.

[Flowchart: data export decision tree. Labels in the order they appear on the slide:]
Data Exported
Within EEA / Outside EEA
Which country/jurisdiction?
Automatically adequate
Andorra, Argentina, Channel Islands, Uruguay, New Zealand, Isle of Man, Switzerland, Faroe Islands, Israel / Canada / USA / Other countries
Adequate for transfer to proceed
Mostly adequate for transfer to proceed
To a signatory of the Privacy Shield?
Adequate for transfer to proceed
Yes / No
Do any of the other key legal grounds for transfer apply?
1. Transfers using the appropriate EU Commission approved Model Transfer Terms
2. Transfers subject to the use of Binding Corporate Rules
3. Transfers in accordance with an approved private contract
4. Companies that have self-assessed their adequacy (in some jurisdictions)
5. Companies that are Seal certified or participate in approved Codes of Conduct
No / Yes
Can adequacy be presumed?
Adequate for transfer to take place
Yes / No
Transfer can proceed
Legal advice required

GDPR
- Obligations on both controllers and processors
- BCR for both controllers and processors
- Standard contractual clauses
- Standard contractual clauses adopted by a DPA and approved by the Commission
- An approved code of conduct
- An approved certification mechanism, seal or mark

APEC Cross Border Privacy Rules
- Australia, China, Japan, Korea, Mexico, Peru, Thailand, Vietnam and the United States.
- The APEC initiative is not based upon strict legislation such as exists in the EU but more upon a framework of mutual recognition by parties within APEC economies.
- The Cross-Border Privacy Rules (CBPR) rely on businesses self-assessing their compliance with the APEC privacy principles, which are similar to the privacy principles of the US Safe Harbour and the seven data protection principles set out in the UK Data Protection Act 1998.
- EU and APEC are working towards double certification of APEC solutions and BCR.
- HP are the first company to be awarded dual certification for BCR and CBPR.

Questions?

Thank you

Bristows LLP
100 Victoria Embankment
London EC4Y 0DH
T +44(0)20 7400 8000

This document is for information purposes only and any statements or comments it contains relating to matters of law are not intended to be acted on, or relied upon, without specific legal advice on the matters concerned. To the fullest extent permitted by law, we disclaim all liability and responsibility for any reliance on the statements or comments contained in this document. Bristows LLP is a limited liability partnership registered in England under registration number OC358808 and is authorised and regulated by the Solicitors Regulation Authority (SRA Number 44205).