BE PREPARED FOR THE NEW EU DATA REGULATION


TECHNOLOGY MAY-RATHON
Pulina Whitaker, Dr. Axel Spies, Charles Dauthier
May 12, 2016
© 2016 Morgan, Lewis & Bockius LLP

SECTION 01 EU-US DATA TRANSFER

EU-US Data Transfers

- Commission announced new EU-US Privacy Shield for US organizations, replacing the Safe Harbor program
- Limitations imposed on US authorities accessing personal data for national security purposes, and an oversight mechanism
- Annual review of these principles
- EU citizens to have the same rights of enforcement as US citizens under proposed new Judicial Redress Act
- EU citizens and EU DPAs can complain to FTC and DoC
- Article 29 Working Party announced the Privacy Shield was not yet adequate: next steps?
- Three current alternatives:
  1. Derogations, e.g. consent to transfer outside the EU or necessary transfers to comply with contractual obligations or litigation management
  2. Standard Contractual Clauses
  3. Binding Corporate Rules for intra-group transfers

SECTION 02 EU GENERAL DATA PROTECTION REGULATION (GDPR)

The New EU General Data Protection Regulation

- New Regulation will replace existing EU Data Protection Directive for commercial data privacy obligations
- Personal Data means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person
- Personal data still to be processed fairly and lawfully
- Pseudonymisation/anonymisation distinction
- Consent: explicit, freely given, fully informed

The New EU General Data Protection Regulation, cont'd

- International transfers: Binding Corporate Rules, model clauses, to certified organization, consent, transfer is necessary for performance of contract, establish, exercise or defend legal claims or for legitimate interests of controller (one-off and limited data subjects involved)
- Data Protection Officer: for controllers/processors processing substantial sensitive personal data or who have core activity of monitoring individuals on a large scale or public body
- Right to request to be forgotten, have data rectified or deleted
- Privacy by design: privacy safeguarding technology built in from the start
  - Actively factor privacy considerations into the design and upgrade of all systems, policies, settings which process personal data
- Privacy by default: privacy-friendly default settings until user chooses otherwise

The New EU General Data Protection Regulation, cont'd

- Data protection impact assessment: prior to processing if high risk for individuals
- Notify data breach to DPA without undue delay/within 72 hours, and to individuals without undue delay if there is likely to be high risk to individuals
- Most EU countries currently limit penalties for data protection breaches to around 500,000 per breach; the average is 100,000
- Penalties for breach of new Regulation up to the higher of 4% global turnover or 20,000,000
- Individual rights to sue controllers and processors

The New EU General Data Protection Regulation, cont'd

Expanded application of the New Regulation's provisions

- The New Regulation will apply to processors and controllers having an EU-based establishment where personal data are processed in the context of the activities of this establishment
- The New Regulation will also apply to controllers and processors based outside the EU territory where the processing of personal data regarding EU data subjects relates to:
  - the offering of goods or services (regardless of payment)
  - the monitoring of data subjects' behavior within the EU
- To do: Companies not established in the EU but processing data of EU data subjects should contemplate adopting a compliance policy

SECTION 03 UK

UK

- The European Commissioner has said that UK-based organisations may find it harder than other European organisations to comply
- ICO agrees there are significant enhancements required under GDPR
- ICO's guidance "12 Steps to Take Now":
  1. Awareness of key decision-makers
  2. Information you hold: audit?
  3. Communicating privacy information
  4. Individuals' rights
  5. Subject access requests
  6. Legal basis for processing personal data
  7. Consent
  8. Children
  9. Data breaches
  10. Privacy Impact Assessments
  11. Data Protection Officers
  12. International: which supervisory authority?

UK (cont'd)

- New ICO from summer 2016: Elizabeth Denham
- ICO guidance on PIAs
- UK Data Science Ethical Framework for data science, Big Data or data analytics
- ICO guidance on direct marketing: recent regulatory fines
- ICO Privacy Seals: new proposal for organisations to become certified with approved operators

SECTION 04 FRANCE

France

- Unlike the ICO, the CNIL has not yet provided guidance
- The New Regulation does not address some topics which are crucial to companies in France, in particular:
  - processing of personal data at the work place: legal uncertainty
  - processing of data in case of cross-border litigation
- The French blocking statute prohibits, except in presence of treaties or international agreements and other statutes in place, the fact for anyone to request, research or communicate, in writing, orally or otherwise, documents or information of economic, industrial, financial or technical nature which are aimed at the constitution of evidence for current or future administrative or judicial proceedings outside France.

France (cont'd)

Record of processing activities:

- Revolution for French companies without a data protection officer (CIL): towards less registration with the CNIL prior to implementing a processing of personal data
- Obligation for controllers/processors to maintain a record of all of their processing operations
- Exemption for companies employing fewer than 250 employees

SECTION 06 GERMANY

Germany

- Federal Data Protection Office has released a detailed (German) brochure on the GDPR.
- Government confident that German Data Protection Act is already in compliance, but companies are expected to do their compliance homework asap.
- Coordination between the State DPAs re the GDPR will be difficult (some more proactive than others)
- Focus in the near future presumably on informed consent and privacy-by-design issues, as most larger German companies already have DPOs.
- Expect privacy to become more significant in cartel proceedings.

SECTION 05 EU-US DATA TRANSFERS FOR E-DISCOVERY AND US INVESTIGATIONS UNDER THE NEW GDPR

E-Discovery: Current Situation (Data Flows)

- Pursuant to the EU's 1995 Data Protection Directive (EC/46/95) and various national data protection laws, the United States is a country of inadequate data protection. Any personal data transfer out of these countries to the US requires specific legal safeguards; otherwise it is illegal.
- Various countries (e.g., France, Switzerland) have blocking statutes: legal investigations by US lawyers, cooperation with US lawyers, providing evidence for US proceedings etc. without prior permission may qualify as criminal acts ("Christopher X" case).
- Many US courts have ruled that these laws are not a general excuse from producing documents in Europe and apply a balancing test (cf. 1987 US Supreme Court Aerospatiale decision, 107 Sup.Ct. 2542) with uncertain outcome.
- US parties may be caught between a rock and a hard place because US law may require the production of evidence or discovery that may be illegal or at least restricted under the EU data protection laws and regulations.

E-Discovery (cont'd): Third Countries

- EU: USA is a country of inadequate data protection. Privacy Shield not yet in place.
- Narrow exemption in existing Art. 26 (1) (e) EU Directive: "(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims;"
- Blocking statutes (France, Switzerland): legal safeguards needed.
- Letter of request or a letter rogatory from the US court to the national Central Authorities under the Hague Convention on Evidence? (expensive and time consuming).
- In some countries, prior permission of the local Data Protection Authorities may be required.
- Special rules for telecoms (traffic) data and where to store them.
- Data Transfers to Third Countries: EU restrictions on onward transfers or use for other purposes

EU-US Data Transfers for US Discovery Purposes

Important New Provisions in the GDPR:

Article 48: Transfers or disclosures not authorized by Union Law

"Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter."

Article 49: Derogations for specific situations

"1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: [...] (e) the transfer is necessary for the establishment, exercise or defence of legal claims;"

Practical Consequences of the New GDPR Provisions for E-Discovery

- Scope of the new Art. 48 vis-à-vis other provisions in the GDPR
- EU/US MLATs and Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters of 1970
- EU/US Umbrella Agreement
- Judicial Redress Act of February 2016
- Impact of US appeals case, Microsoft v. FBI
- EU Privacy Shield for E-Discovery?
- Practical considerations (filtering data, consent requirements, data access from the US)

SECTION 04 SPEAKERS

Biography: Pulina Whitaker
London
T +44.20.3201.5550
E pulina.whitaker@morganlewis.com

Pulina Whitaker focuses her practice on a variety of data privacy and data protection matters, including advising on international transfers of personal data, third-party transfers, data breach investigations and rights of access to personal data. She also advises on setting up whistleblower hotlines for European-based companies and compliance with Sarbanes-Oxley Act requirements and other international investigations and compliance matters.

Biography: Dr. Axel Spies
Washington, DC
T +1.202.373.6145
E axel.spies@morganlewis.com

Dr. Axel Spies advises domestic and international clients on various international issues, including licensing, competition, corporate issues, and new technologies such as cloud computing in the European markets. He counsels on international data protection, international data transfers, privacy, technology licensing, e-discovery, and equity purchases. A member of the Sedona Conference on Electronic Discovery with a focus on German and international data protection, Axel is frequently quoted in the media for his telecommunications and privacy knowledge. In addition to his telecommunications and international litigation work, Axel provides assistance to companies and industry associations on matters before US federal agencies and to investors on European mergers. He serves as the Washington correspondent and co-editor of the European telecoms journal MultiMedia und Recht (MMR) and the German Journal of Data Protection (ZD).

Biography: Charles Dauthier
Paris
T +33.1.53.30.44.74
E charles.dauthier@morganlewis.com

Charles Dauthier advises clients on executive terminations, collective terminations and other employment matters that surface in mergers and acquisitions, restructuring and outsourcing, and other types of reorganization. He counsels clients on employment matters attendant in employee benefits and employee representation matters. Prior to joining Morgan Lewis, Charles was an associate at another international law firm. His native language is French and he is fluent in English.


This material is provided for your convenience and does not constitute legal advice or create an attorney-client relationship. Prior results do not guarantee similar outcomes. Links provided from outside sources are subject to expiration or change. Attorney Advertising. © 2016 Morgan, Lewis & Bockius LLP