Managing data transfers between US and EU and everywhere else

Mozelle W. Thompson is CEO of Thompson Strategic Consulting, where he provides legal, policy and business advice to innovative companies such as Facebook, Samsung, Disney, Path, Loyal3 and Atigeo. Thompson's distinguished public and private sector careers and his groundbreaking work have made him an international leader and trusted adviser to presidents, heads of state, governments and corporations. He also serves on several corporate boards and, in 2008, was a Team Leader of the Obama/Biden Transition, where he led the review of the US Securities and Exchange Commission (SEC). From December 1997 until August 2004, Thompson served as a Commissioner on the US Federal Trade Commission, where he took leadership roles in areas such as international consumer protection, high technology antitrust, online privacy and intellectual property. He also served as Chairman of the OECD Committee on Consumer Policy, where he established groundbreaking policies to promote competition and protect consumers around the world. This role was particularly critical during the growth of today's high technology industry, and it was where he produced the first international standards for e-commerce.
Robert Bond is a Partner with Bristows LLP and has nearly 40 years' experience in advising national and international clients on all of their technology, data protection and information security law requirements. Clients include NBC Universal, Google, Cray, CPA Global, WestRock, Ingevity, RPM, Rocco Forte Hotels, Spotify, Epsilon, Red Flag and K2 Intelligence. Bond is a recognised legal expert and author in the fields of IT, e-commerce, computer games, media and publishing, data protection, information security and cyber risks. Bond is Secretary of the Board of the Society for Corporate Compliance & Ethics, Chairman of the Data Protection Network, Trustee of the UK Safer Internet Centre, a member of the Data Privacy Advisory Group to the United Nations, a member of the Board of TAPESTRY (Trust, Authentication and Privacy over a DeCentralised Social Registry) at the University of Surrey and an Ambassador for Privacy by Design.

Agenda
- EU and US data privacy challenges
- Effective methods for data transfers
- Preparing for the General Data Protection Regulation and transfers
- Embedding ethics and trust into privacy practices
Why Ethics and Trust now?
- Compliance with data protection law is mandatory
- Media attention on data breaches
- Consumer awareness of their privacy rights
- Risk of damage to brand and reputation
- Increased enforcement and fines

Data protection is at the heart of any business
Personal data touches every part of the organisation: reporting and discovery, commercial contracts, big data, outsourcing / cloud, M&A, investigations and claims, employment, social media, global presence, emails and corporate restructuring.
Understand jurisdictional privacy frameworks
- Historical influences and empires
- English common law influences
- European civil law influences
- OECD Guidelines
- Convention 108

Legal Background
1. What does Article 25 of the EU Data Protection Directive say? No transfer to a third country of personal data undergoing processing, or intended for processing after transfer, unless the third country ensures an adequate level of protection.
2. Why a prohibition? Note that there is no substantial change under the GDPR.
3. What is a 'transfer' of personal data? See the Bodil Lindqvist case (C-101/01): loading personal data onto a website hosted in the EU does not in itself amount to a transfer to a third country merely because the page can be accessed from there.
UNDERSTANDING DATA TRANSFERS
Strategies for transborder dataflows
- Safe Harbor / Privacy Shield
- Seals and trust marks
- Consent
- Model clauses
- Binding corporate rules (not valid in all countries)
- Contractual necessity
- Adequate destination
- Presumption of adequacy

So what's the action plan?
1. Appoint a team that can (a) assess company data uses and information assets and (b) cover all key questions and actions
2. Use external expertise where necessary
3. Get Board and Executive buy-in
4. What are our options? Privacy Shield, Model Clauses, consent or other exceptions, or a combination?
5. If these work, why choose BCR? Who else has done it? Why?
6. If BCR is still the option, then what do we do before we submit and then whilst we wait?
7. Audit EU entities for compliance now
8. Understand the relationship between data protection policies and other corporate codes of conduct and policies
9. Decide on the participating entities in the group
10. Cost the project and develop an implementation plan
Is an Omnibus DTA for you?

Advantages
- Complies with the principles of the EU Directive 95/46/EC - standardises practices for the protection of personal data within a group of companies.
- Internal guide for the management of personal data, meeting the group's ethical concerns.
- The approach is more closely embedded in business practice, which is expected to result in more effective data protection.
- Reduces the multitude of individual C2C (controller-to-controller) and C2P (controller-to-processor) contracts.
- Already a viable solution used by multinationals and approved as a solution by DPAs.

Disadvantages
- Still needs to be approved by certain DPAs.
- Requires detailed descriptions of data, databases, data subjects and data recipients.
- Not all DPAs are used to this approach and may question its suitability.
- Requires participation by all legal entities and one large signature block.

Data exported: where to?
- Within the EEA: adequate, transfer can proceed.
- Outside the EEA: which country/jurisdiction?
  - Automatically adequate (Andorra, Argentina, Channel Islands, Uruguay, New Zealand, Isle of Man, Switzerland, Faroe Islands, Israel): adequate, transfer can proceed.
  - Canada: mostly adequate for the transfer to proceed (the adequacy decision covers organisations subject to PIPEDA).
  - USA: is the recipient a signatory of the Privacy Shield? Yes: adequate, transfer can proceed. No: check the other key legal grounds below.
  - Other countries: do any of the other key legal grounds for transfer apply?
    1. Transfers using the appropriate EU Commission approved Model Transfer Terms
    2. Transfers subject to the use of Binding Corporate Rules
    3. Transfers in accordance with an approved private contract
    4. Companies that have self-assessed their adequacy (in some jurisdictions)
    5. Companies that are Seal certified or participate in approved Codes of Conduct
    Yes: transfer can proceed. No: can adequacy be presumed? Yes: adequate, transfer can take place. No: legal advice required.
GDPR
- Obligations on both controllers and processors
- BCR for both controllers and processors
- Standard contractual clauses
- Standard contractual clauses adopted by a DPA and approved by the Commission
- An approved code of conduct
- An approved certification mechanism, seal or mark

APEC Cross Border Privacy Rules
Australia, China, Japan, Korea, Mexico, Peru, Thailand, Vietnam and the United States.
The APEC initiative is not based upon strict legislation such as exists in the EU but upon a framework of mutual recognition by parties within APEC economies. The Cross-Border Privacy Rules (CBPR) rely on businesses self-assessing their compliance with the APEC privacy principles, which are similar to the privacy principles of the US Safe Harbor and the eight data protection principles set out in the UK Data Protection Act 1998.
The EU and APEC are working towards double certification of APEC solutions and BCR. HP was the first company to be awarded dual certification for BCR and CBPR.
Questions?

Thank you
Bristows LLP
100 Victoria Embankment
London EC4Y 0DH
T +44 (0)20 7400 8000

This document is for information purposes only and any statements or comments it contains relating to matters of law are not intended to be acted on, or relied upon, without specific legal advice on the matters concerned. To the fullest extent permitted by law, we disclaim all liability and responsibility for any reliance on the statements or comments contained in this document. Bristows LLP is a limited liability partnership registered in England under registration number OC358808 and is authorised and regulated by the Solicitors Regulation Authority (SRA Number 44205).