Globalaw-MCI Webinar, Tuesday, 12 July at 4 pm CEST
Featured Speakers:
Karin McGinnis, Attorney, Member, Moore & Van Allen, PLLC, USA
Susanne Klein LL.M., Rechtsanwältin (Lawyer), GÖHMANN Rechtsanwälte, Germany
Dr. Benno Barnitzke LL.M., Rechtsanwalt (Lawyer), GÖHMANN Rechtsanwälte, Germany
David Marchese, Partner, Gordon Dadds LLP, United Kingdom
Karin McGinnis, Attorney, Member, Moore & Van Allen, PLLC, USA
TRANSFER OF DATA FROM THE EU BEFORE 10/2015
1995 EU Data Privacy Directive: transfers to non-EU countries permitted if:
o Express consent
o Approved Standard Contractual Clauses (SCCs)
o Approved Binding Corporate Rules (BCRs)
o Recipient country ensures an adequate level of privacy protection for personal information
2000: EC approved the US Safe Harbor as ensuring an adequate level of protection. Voluntary self-certification program with the Dep't of Commerce for entities regulated by the FTC or DOT.
TRANSFER OF DATA FROM THE EU - POST 10/2015
o 6/2013: Snowden disclosures; Schrems complaint
o 10/2015: EU Court of Justice invalidates Safe Harbor
o 2/2016: US-EU Privacy Shield announced
  o Voluntary self-certification with the US Dept. of Commerce.
  o Entities not subject to the FTC, DOT or another statutory body that will effectively ensure compliance with the Principles are not covered.
Remaining bases: express consent, BCRs, SCCs (maybe: Schrems Pt. II is pending, but US intervention may show that Schrems' fears are overstated).
US - EU PRIVACY SHIELD Will operate in a similar manner to the Safe Harbor, but will include: (1) additional limitations on surveillance by the US government, (2) additional means of redress for EU citizens for privacy violations, and (3) more robust protection obligations on US companies that sign onto the Privacy Shield. Supplemental Principles provide additional requirements for sensitive data, HR data transfer, pharmaceutical and medical products, and other data.
2/29/16 DEPARTMENT OF COMMERCE SHIELD FRAMEWORK PRINCIPLES - Special Issues
o Must disclose privacy policies in line with the Principles.
o Must recertify annually.
o Must have internal or third-party verification and verify annually that attestations made about Privacy Shield practices are true.
o Transfer of HR personal information requires specific disclosure of this fact to the Commerce Dep't on the self-certification submission and must conform with the Supplemental Principles.
o Ombudsman.
2/29/16 DEPARTMENT OF COMMERCE SHIELD FRAMEWORK PRINCIPLES
Notice: participation in Privacy Shield, types of information collected, purposes, identities of third parties disclosed to, right to access data, choices to limit use and disclosure (and how), dispute resolution, how to complain to the organization, governing agency, obligation to disclose to authorities.
Choice: opt out of disclosure of information to a non-agent third party or of use for a purpose materially different from the one for which it was originally collected; opt in for such disclosure or use of sensitive information (i.e., medical, race, political opinions, trade union membership).
Onward Transfer: if to a controller (determines how and for what purpose the data are processed), also need a contract with the third party for limited processing and confirmation of compliance with the Principles; if to an agent, more diligence and oversight are required, and the contract must be disclosed to the Commerce Dep't on request.
VENDOR CONTRACTS UNDER PRIVACY SHIELD
The Commerce Dep't Privacy Principles allow organizations that self-certify within the first two months after Privacy Shield takes effect up to 9 months to bring contracts with third parties into conformance under the Accountability for Onward Transfer principle. In the meantime, the organization must apply the Notice and Choice Principles and, if the transfer is to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as the Principles require.
2/29/16 DEPARTMENT OF COMMERCE SHIELD FRAMEWORK PRINCIPLES
Security: must take reasonable and appropriate measures to protect information from loss, misuse, unauthorized access, disclosure, alteration and destruction.
Data Integrity and Purpose Limitation: must take reasonable steps to ensure that personal data are reliable for their intended use, accurate, complete and current.
Access: right to correct, amend or delete information that is inaccurate or processed in violation of the Principles, unless the burden or expense is disproportionate to the privacy risk, or it would violate others' rights.
Recourse, Enforcement and Liability: expeditious, no-cost investigation and resolution of disputes; follow-up verification that attestations are true; remedy of non-compliance (can be met by agreeing to cooperate with the EU DPAs); sufficiently rigorous sanctions for failure to comply; EU DPA inquiries through Commerce or directly in some cases (HR); arbitration on notice in certain circumstances; liability for processing by agents.
PRIVACY SHIELD - What's next?
o The Privacy Shield must go through a process of review and approval; the Department of Commerce's Framework Principles are not effective until final approval of the EC's adequacy determination.
o Revised draft approved by the Article 31 committee, with stronger rules on data retention, onward transfers and safeguards on access to data by public authorities.
o Ombudsman to be independent from US intelligence agencies.
o Unclear whether the Privacy Shield will survive a challenge in the European Court of Justice.
Susanne Klein LL.M., Rechtsanwältin (Lawyer), GÖHMANN Rechtsanwälte, Germany
Dr. Benno Barnitzke LL.M., Rechtsanwalt (Lawyer), GÖHMANN Rechtsanwälte, Germany
The ECJ's Safe Harbor Ruling ("Schrems Case") - Facts of the Case:
o Austrian citizen Max Schrems objected to the transfer of his personal data from Facebook's Irish servers to its US servers
o Complaint before the Irish Data Protection Authority (DPA)
o Irish High Court referred the case to the ECJ
The ECJ's Safe Harbor Ruling ("Schrems Case") - Judgment of the ECJ:
o A decision of the EU Commission (such as "Safe Harbor") cannot prevent national DPAs from independently checking whether the requirements of EU data protection law are fulfilled
o The EU Commission's Safe Harbor decision is invalid
The ECJ's Safe Harbor Ruling ("Schrems Case") - Reasons:
o Far-reaching access of public authorities / secret services to the contents of electronic communications
o No means of legal recourse for individuals
Legal Consequences for Transatlantic Data Transfers (European / German perspective)
o No data transfers based on Safe Harbor
o 3-month grace period for compliance (until January 31st, 2016)
o Investigations by German DPAs
Legal Consequences for Transatlantic Data Transfers (European / German perspective)
Fines imposed:
o Unilever: 11,000 EUR
o Punica: 9,000 EUR
o Adobe: 8,000 EUR
Source: fortune.com/2016/06/06/germany-privacy-adobe-unilever/
Future Proceedings
o Further cases pending
o Higher fines to be expected for future infringements, especially after expiry of the grace period
o Fines of up to 300,000.00 EUR
Alternative Tools for Transatlantic Data Transfers
Legal permission: does not cover all business cases.
Standard Contractual Clauses: Pros: easy to implement; no approval by a DPA unless amended. Cons: not customizable without approval by a DPA; only bilateral, requiring complex contract management.
Consent: may be difficult to obtain; probably more difficult under the GDPR.
Binding Corporate Rules: Pros: worldwide data transfers to third countries within a corporate group; high level of customization; legal certainty through approval. Cons: require high effort to implement; expensive.
Implementation Process - BCR
1. Due diligence of corporation-wide data transfers
2. Draft of the BCR in coordination with the company's legal and IT departments
3. Approval by the lead DPA
4. Mutual recognition by the national DPAs
BCR under GDPR
o Art. 47 GDPR: for the first time, legal requirements are established
o Detailed regulation of preconditions and requirements, especially with respect to the necessary content, implementing the former recommendations of the Art. 29 WP
o Approval by the competent DPA in accordance with the consistency mechanism (Art. 63 GDPR)
o One-stop shop (Art. 56(1) GDPR)
Remaining Risks
o Standard Contractual Clauses will also be subject to legal examination by the ECJ (new claim by Max Schrems)
o German DPAs will no longer approve new BCRs
o Both means are still valid and remain valid under the GDPR until a new decision of the ECJ
Remaining Risks - However: Statement of the DPA of Lower Saxony
o Agreements under private law are not suitable to guarantee the fundamental rights of EU citizens in the US pursuant to the ECJ's decision
o Companies are required to process personal data only within the EU / EEA
David Marchese, Partner, Gordon Dadds LLP, United Kingdom
CONSENT AS A BASIS FOR INTERNATIONAL DATA TRANSFERS
General rule: you can transfer personal data to a third country (i.e. a country outside the EU) if:
o Directive 95/46/EC, Art 26(1)(a): "...the data subject has given his consent unambiguously to the proposed transfer"
o Regulation (EU) 2016/679, Art 49(1)(a): "...the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards"
WHAT IS MEANT BY CONSENT?
Directive 95/46/EC, Art 2(h): "...any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed"
NB Art 7(a), general conditions making data processing legitimate: "the data subject has unambiguously given his consent"
Contrast Art 8(2)(a), processing of special categories of data: "the data subject has given his explicit consent to the processing of those data."
Scope for implied consent?
Regulation (EU) 2016/679, Recital (32)
Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement, such as:
o a written statement, including by electronic means, or
o an oral statement
Consent could include:
o ticking a box when visiting an internet website
o choosing technical settings for information society services
o any other statement or conduct which clearly indicates the data subject's acceptance of the proposed processing of his or her personal data.
Restrictions on consent
o Silence, pre-ticked boxes or inactivity should not constitute consent.
o Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.
o If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service.
Recital (42)
o A declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language, and it should not contain unfair terms.
o For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.
o Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.
Recital (43)
Consent is presumed not to be freely given if:
o it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or
o the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance
Particular issues
o Employees
o Online: separate boxes?
o Children: age 13 or 16? Verification of parental consent?
Questions