Globalaw-MCI Webinar Tuesday, 12 July at 4 pm CEST. Featured Speakers. Karin McGinnis Susanne Klein LL.M. Dr. Benno Barnitzke LL.M.


Featured Speakers:
- Karin McGinnis, Attorney, Member, Moore & Van Allen, PLLC, USA
- Susanne Klein LL.M., Rechtsanwältin (Lawyer), GÖHMANN Rechtsanwälte, Germany
- Dr. Benno Barnitzke LL.M., Rechtsanwalt (Lawyer), GÖHMANN Rechtsanwälte, Germany
- David Marchese, Partner, Gordon Dadds LLP, United Kingdom

Karin McGinnis, Attorney, Member, Moore & Van Allen, PLLC, USA

TRANSFER OF DATA FROM THE EU - BEFORE 10/2015

1995 EU Data Privacy Directive: transfers permitted to non-EU countries if:
- Express consent
- Approved Standard Contractual Clauses (SCCs)
- Approved Binding Corporate Rules (BCRs)
- Country ensured adequate level of privacy protection for personal information

2000: EC approved US Safe Harbor as ensuring adequate level of protection
- Voluntary self-certification program with Dept. of Commerce for entities regulated by FTC or DOT

TRANSFER OF DATA FROM THE EU - POST 10/2015

- 6/2013: Snowden
- Schrems
- 10/2015: EU CoJ invalidates Safe Harbor
- 2/2016: US-EU Privacy Shield
  o Voluntary self-certification with US Dept. of Commerce.
  o Certain entities not subject to FTC, DOT or another statutory body that will effectively ensure compliance with the Principles are not covered.

Remaining bases for transfer:
- Express Consent
- BCRs
- SCCs (maybe)
- Schrems Pt. II (but US intervention may show Schrems fears are overstated)

US - EU PRIVACY SHIELD

Will operate in a similar manner to the Safe Harbor, but will include:
(1) additional limitations on surveillance by the US government,
(2) additional means of redress for EU citizens for privacy violations, and
(3) more robust protection obligations on US companies that sign onto the Privacy Shield.

Supplemental Principles provide additional requirements for sensitive data, HR data transfer, pharmaceutical and medical products, and other data.

2/29/16 DEPARTMENT OF COMMERCE SHIELD FRAMEWORK PRINCIPLES - Special Issues

- Must disclose privacy policies in line with Principles.
- Must recertify annually.
- Must have internal or third-party verification and verify annually that attestations made about Privacy Shield practices are true.
- Transfer of HR personal information requires specific disclosure of this fact to the Commerce Dept. on self-certification submission and must conform with the Supplemental Principles.
- Ombudsman.

2/29/16 DEPARTMENT OF COMMERCE SHIELD FRAMEWORK PRINCIPLES

- Notice: participation in PS, types of info collected, purposes, identities of third parties disclosed to, right to access data, choices to limit use and disclosure (and how), dispute resolution, how to complain to organization, governing agency, obligation to disclose to authorities.
- Choice: to opt out of disclosure of information to a non-agent third party or use for a purpose materially different from why it was originally collected; opt in for such disclosure or use for sensitive info (i.e., medical, race, political opinions, trade union).
- Onward Transfer: if to a controller (determines how/purpose of processing data), also need a contract with the third party for limited processing and confirm compliance with the Principles; if to an agent, more diligence and oversight required, and disclosure of the contract to the Commerce Dept. on request.

VENDOR CONTRACTS UNDER PRIVACY SHIELD

Commerce Dept. Privacy Principles allow organizations that self-certify in the first two months that Privacy Shield is effective to take up to 9 months to bring contracts with third parties into conformance under the principle related to Accountability for Onward Transfer. In the meantime, the organization must apply the Notice and Choice Principles and, if the transfer is to a third party acting as agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles.

2/29/16 DEPARTMENT OF COMMERCE SHIELD FRAMEWORK PRINCIPLES

- Security: must take reasonable and appropriate measures to protect information from loss, misuse, unauthorized access, disclosure, alteration and destruction.
- Data Integrity and Purpose Limitation: must take reasonable steps to ensure that personal data is reliable for its intended use, accurate, complete and current.
- Access: right to correct, amend, or delete info if inaccurate or processed in violation of the Principles, unless the burden/expense is disproportionate to the privacy risk, or it would violate others' rights.
- Recourse, Enforcement and Liability: expeditious, no-cost investigation/resolution of disputes, follow-up verification that attestations are true, and remedy of non-compliance (can meet by agreeing to cooperate with EU DPA); sufficiently rigorous sanctions for failure to comply; EU DPA inquiries through Commerce or direct in some cases (HR); arbitration by giving notice in certain circumstances; liability for processing by agents.

PRIVACY SHIELD - What's next?

- The Privacy Shield must go through a process of review and approval; the Department of Commerce's Framework Principles are not effective until final approval of the EC's adequacy determination.
- Revised draft approved by the Article 31 committee to have stronger rules on data retention, onward transfers and safeguards on access to data by public authorities.
- Ombudsman to be independent from US intelligence agencies.
- Unclear if Privacy Shield will survive challenge in the European Court of Justice.

Susanne Klein LL.M., Rechtsanwältin (Lawyer), GÖHMANN Rechtsanwälte, Germany
Dr. Benno Barnitzke LL.M., Rechtsanwalt (Lawyer), GÖHMANN Rechtsanwälte, Germany

The ECJ's Safe Harbor Ruling ("Schrems Case") - Facts of the Case:
- Austrian citizen Max Schrems objected to the transfer of his personal data from the Irish Facebook server to the US Facebook server
- Claim before the National Irish Data Protection Authority (DPA)
- Irish High Court referred the case to the ECJ

The ECJ's Safe Harbor Ruling ("Schrems Case") - Judgment of the ECJ:
- Any decision of the EU Commission (like "Safe Harbor") cannot prevent national DPAs from independently checking the fulfillment of EU data protection law requirements
- The Safe Harbor decision of the EU Commission is invalid

The ECJ's Safe Harbor Ruling ("Schrems Case") - Reasons:
- Far-reaching access of public authorities / secret services to contents of electronic communication
- No means of legal recourse for individuals

Legal Consequences for Transatlantic Data Transfers (European / German perspective)
- No data transfers based on Safe Harbor
- 3-month grace period for compliance (until January 31st, 2016)
- Investigations by German DPAs

Legal Consequences for Transatlantic Data Transfers (European / German perspective)
Fines to date (Source: fortune.com/2016/06/06/germany-privacy-adobe-unilever/):
- Unilever: 11,000 EUR
- Punica: 9,000 EUR
- Adobe: 8,000 EUR

Future Proceedings
- Further cases pending
- Higher fines to be expected for future infringements, especially after expiry of the grace period
- Fines up to 300,000.00 EUR

Alternative Tools for Transatlantic Data Transfers

Legal Permission
- Does not cover all business cases

Standard Contractual Clauses
- Pros: Easy to implement; no approval by DPA unless amended
- Cons: Not customizable without approval by DPA; only bilateral, requires complex contract mgmt.

Consent
- May be difficult to obtain
- Probably more difficult under GDPR

Binding Corporate Rules
- Pros: Worldwide data transfers to third countries in a corporate group; high level of customization; legal certainty through approval
- Cons: Require high efforts to implement; expensive

Implementation Process BCR
- Due diligence of corporation-wide data transfers
- Draft of BCR in coordination with the company's legal and IT departments
- Approval through the leading DPA
- Mutual recognition by national DPAs

BCR under GDPR
- Art. 47 GDPR: for the first time, legal requirements established
- Detailed regulation of preconditions and requirements, esp. with respect to necessary content, implementing the former recommendations of the Art. 29 WP
- Approval through the competent DPA in accordance with the consistency mechanism (Art. 63 GDPR)
- One-stop-shop (Art. 56 sec. 1 GDPR)

Remaining Risks
- Standard Contractual Clauses will also be subject to legal examination by the ECJ (new claim of Max Schrems)
- German DPAs will no longer approve new BCR
- Both means still valid and remain valid under GDPR until a new decision of the ECJ

Remaining Risks - However:
- Statement of the DPA of Lower Saxony: agreements under private law are not suitable to guarantee the fundamental rights of EU citizens in the US pursuant to the ECJ's decision
- Companies required to process personal data only within the EU / EEA

David Marchese, Partner, Gordon Dadds LLP, United Kingdom

CONSENT AS A BASIS FOR INTERNATIONAL DATA TRANSFERS

General rule: You can transfer personal data to a third country (i.e. a country outside the EU) if:
- Directive 95/46/EC, Art 26(1)(a): "...the data subject has given his consent unambiguously to the proposed transfer"
- Regulation (EU) 2016/679, Art 49(1)(a): "...the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards"

WHAT IS MEANT BY CONSENT?

Directive 95/46/EC, Art 2(h): "...any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed"

NB Art 7(a) - general conditions making data processing legitimate: "the data subject has unambiguously given his consent"

Contrast Art 8(2)(a) - processing of special categories of data: "the data subject has given his explicit consent to the processing of those data."

Scope for implied consent?

Regulation (EU) 2016/679, Recital (32)

Consent should be given by:
- a clear affirmative act
- a freely given, specific, informed and unambiguous indication of the data subject's agreement
such as:
- a written statement, including by electronic means, or
- an oral statement

Consent could include:
- ticking a box when visiting an internet website
- choosing technical settings for information society services
- or any other statement or conduct which clearly indicates the data subject's acceptance of the proposed processing of his or her personal data.

Restrictions on consent
- Silence, pre-ticked boxes or inactivity should not constitute consent.
- Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.
- If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service.

Recital (42)
- A declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language, and it should not contain unfair terms.
- For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.
- Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

Recital (43)
Consent is presumed not to be freely given if:
- it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or
- the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance

Particular issues
- Employees
- Online: separate boxes?
- Children: 13, 16? Verification of parental consent?

Questions