European, Middle East, and Latin American Privacy and Cyber Developments For In-House Counsel


European, Middle East, and Latin American Privacy and Cyber Developments For In-House Counsel May 11, 2017 Presented By: Dr. Eckard von Bodenhausen Broedermann Jahn, Hamburg, Germany Khizar Sheikh Mandelbaum Salsburg, Roseland, New Jersey, USA J. Paul Zimmerman Christian & Small LLP, Birmingham, Alabama, USA Claudio Magliona Garcia Magliona y Cia. Abogados, Santiago, Chile Association of Corporate Counsel www.acc.com

Today's Program is Sponsored by The International Society of Primerus Law Firms. Primerus is an international society of the world's finest small to mid-size law firms. Membership in Primerus is by invitation only; all Primerus law firms are pre-screened before being accepted and audited annually for their continued commitment to providing excellent work product and superior client service at reasonable rates. Currently, there are nearly 3,000 Primerus lawyers in over 180 Primerus firms located in 45+ countries. If you would like to learn more about Primerus, please visit the Primerus website at www.primerus.com.

Dr. Eckard von Bodenhausen Broedermann Jahn ABC-Straße 15 Hamburg, Germany 20354 Eckard.Bodenhausen@german-law.com Tel: +49 40 37 09 05 0 Fax: +49 40 37 09 05 55 Website: www.german-law.com

Post Safe Harbor: REQUIREMENTS AND SOLUTIONS FOR TRANSATLANTIC DATA TRANSFERS

What are the legal sources of EU privacy law?
- Currently: the EU Data Protection Directive (Directive 95/46/EC).
- Starting 25 May 2018: the General Data Protection Regulation (GDPR).
- In draft: the E-Privacy Regulation.
5/11/17 5

Who needs to comply with the GDPR? (1) [Diagram: Example A and Example B, each showing a company in a non-EU/EEA country and its relationship to persons or companies within the EU.]

Who needs to comply with the GDPR? (2) [Diagram: Example C, showing parties in non-EU/EEA countries linked by a Data Processing Agreement.]

Who needs to comply with the GDPR? (3) Examples of involved parties and whether the GDPR applies:
- Companies based within the EU contracting with companies based in a Third Country (including intercompany): Yes
- Company based in a Third Country running a website which can merely be accessed via the internet by persons within the EU: No
- Company based in a Third Country running a website which is intended for customers within the EU (e.g. German language, webshop with German hotline, etc.): Yes
- Company based in a Third Country acting as a data processor for a company based within the EU: Yes

What are the legal requirements? (1) Legal requirements for international data transfers depend on:
- the type of data involved: only personal data as defined in Article 4 (1) GDPR;
- the destination of the data to be transferred: the EU (European Union Member States), the EEA (European Economic Area: Iceland, Liechtenstein, Norway), or Third Countries (all other countries).

What are the legal requirements? (2) Legal requirements for international data transfers are assessed in two steps.
- 1st step: Is the data transfer permitted (according to national law)? Basis: the data subject's consent, or a legal permission, together with a Data Processing Agreement, if applicable.
- 2nd step: Can an adequate level of data protection be ensured in the third country, a territory or specified sector within it, or the international organization?

What are the legal requirements? (3) Ways to ensure an adequate level of data protection (2nd step), in particular:
- Adequacy decision by the EU Commission (cf. the EU-US Privacy Shield) (Art. 45 (1) GDPR)
- EU Standard Data Protection Clauses (no further DPA necessary) (Art. 46 (2) (c) GDPR)
- Binding corporate rules (Art. 47 GDPR)
- Specific consent of the data subject (Art. 49 (1) (a) GDPR)
- Etc.

What are the legal requirements? (4) Additional legal requirements apply to controllers or processors not established in the Union:
- A representative established in one of the EU Member States where the data subjects are (Art. 27 GDPR). Exception: processing which is occasional, does not include large-scale processing of special categories of data or of data relating to criminal convictions, and is unlikely to result in a risk to the rights of data subjects (Art. 27 (2) (a) GDPR).
- Art. 3 (2) and (5) of the ePrivacy Regulation (draft), referring to all providers of an electronic communications service.

What are the consequences for violations of the legal requirements for international data transfer?
- Administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83 GDPR).
- Compensation of material or non-material damage (Art. 82 GDPR).

Khizar Sheikh Mandelbaum Salsburg P.C. 3 Becker Farm Road, Suite 105 Roseland, NJ 07068 United States ksheikh@lawfirm.ms Tel: 973.821.4172 Fax: 973.325.7467 Website: www.lawfirm.ms

Privacy, Cyber & Technology MIDDLE EASTERN DEVELOPMENTS

Countries Rapidly Pursuing Digitization. According to PwC: digital markets are expanding at an overall compound annual growth rate of 12% and were expected to be worth US$35 billion in 2015; digitization could add as much as $820 billion to regional GDP and create 4.4 million new jobs by 2020. According to McKinsey & Co.: a unified regional online market could expand to include 160 million users by 2025 and add about $95 billion to gross domestic product. Saudi Arabia, the UAE, and other Arab states in the Gulf are leading this growth. However, according to PwC, this has made the region an attractive target for cyber threats: the number of virus-infected computing devices exceeds the global average by more than 4x.

Legal Landscape (sample). In Qatar, Saudi Arabia and the United Arab Emirates, the constitutions, together with certain statutes, recognize individual rights to privacy in specific circumstances and specific sectors. In addition, in Saudi Arabia, protection of personal data is provided through Sharia principles. Both the Dubai International Financial Centre and the Qatar Financial Centre have their own data protection specific laws or regulations. These legal provisions are generally consistent with data protection laws from the EU. They also contain restrictions on data transfer from within the respective Financial Centres to places outside those Financial Centres. Oman and Qatar both have laws relating to e-commerce that contain provisions relevant to data protection. Oman's Electronic Transactions Law and Qatar's Electronic Commerce and Transactions Law are both based largely on the UN Model Laws relating to e-commerce and electronic signatures, but the laws in both countries include specific provisions relating to data protection.

Legal Landscape (sample) (cont.). Data protection in Israel is governed primarily by the Protection of Privacy Law 1981, which governs data use and management. Chapter Two of the Privacy Law addresses procedures for registering databases, authorizes the Registrar of Databases to refuse registration in certain circumstances, establishes the role of the database manager, excludes certain data stored on personal computers from registration requirements and adds a subchapter dealing with direct mail solicitations. In April 2016, Turkey's Law on Personal Data Protection came into force. Although the Turkish Constitution establishes a general right to privacy, and there is a patchwork of personal data protection provisions contained within sector-specific regulations, the Law represents Turkey's first dedicated privacy and data protection statute. The Law is based on the European Union's 1995 Data Protection Directive, but differs in a number of important respects.

Recent Developments
- Qatar: First GCC member state to issue a generally applicable data protection law. Will be of particular interest to Qatar-based employers, given that it introduces new requirements in relation to how employers maintain and manage their employees' information. Data breach reporting obligations apply where the breach would cause gross harm.
- Turkey: A new regulation introduces detailed provisions regarding the processing and transfer of personal health data, particularly in relation to the format of consent and the requirement for anonymization before transfer.

Recent Developments (cont.)
- UAE: Released a framework for virtual currencies and electronic payment systems, mostly pertaining to data protection and outsourcing.
- Israel: New privacy-related information security regulations are about to take effect and introduce modern concepts such as mandatory impact assessments, encryption and breach notification. ILITA, the local regulator, released three new draft guidelines on the right of access, workplace surveillance and direct marketing. The Israeli parliament has enacted a new anti-spam amendment increasing the scope of the law.

J. Paul Zimmerman Christian & Small LLP 1800 Financial Center 505 North 20th Street Birmingham, AL 35203 United States jpz@csattorneys.com Tel: 205.250.6616 Fax: 205.328.7234 Website: www.csattorneys.com

U.S. Regulatory Enforcement - The Landscape. As to data breaches, the U.S. landscape is a confusing mix of federal and state laws: 48 of 50 states have data breach notification statutes. The U.S. does not have one single federal data protection law; it has several. Applicable law can depend on the type of data, the industry sector, and whether the company is public or private, and any number of regulatory agencies could be involved. As for privacy laws and regulation of commerce, the legal framework is mostly, but not exclusively, federal.

U.S. Regulatory Enforcement - Federal Enforcement. At least 20 federal statutes relate to data protection in various ways. Regulatory actions can include civil enforcement, injunctive relief, and criminal proceedings.

U.S. Regulatory Enforcement - Federal Enforcement. The most commonly encountered statutes are: the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, the Children's Online Privacy Protection Act, and the Federal Trade Commission Act.

FTC Enforcement Trend. The FTC is relatively new in the data privacy enforcement space, but is increasingly active. FTC v. Wyndham Worldwide Corp. and In the Matter of LabMD confirmed its role in data privacy regulation in the U.S. pursuant to Sec. 5 of the FTC Act. Enforcement generally leads to sanctions or injunctive relief through consent settlements. Related criminal investigations are generally turned over to the FBI, IRS, Secret Service, etc.

Joining Privacy Shield in the U.S. Self-certify to the U.S. Dept. of Commerce through www.privacyshield.gov. Similarities to the former Safe Harbor, but also key differences: requirements for the company's privacy policy; the enforcement mechanism; requirements for vendor contracts and onward transfer of data; increased enforcement, with the U.S. FTC and the U.S. Dept. of Transportation playing varying roles.

Key Issues to Watch with Privacy Shield Requirements apply to privacy policies, but companies must establish the detailed procedures that will result in compliance. Bringing vendor contracts into compliance Dispute resolution through EU data protection authorities Must recertify annually

Regulation of Data by the States. States regulate data to varying degrees, mostly with regard to consumer data breach notification. Some states have more expansive regulations or more aggressive enforcement, e.g. California, Massachusetts, and New York.

In Contrast to Many Other Countries, the U.S. Has: a tangled network of laws, regulations, and agencies; very little restriction on offshore transfer of data; technical requirements for some types of data or particular industries (to facilitate transactions; military applications); little restriction on storing data outside the U.S.; jurisdictional limits that generally restrict enforcement to U.S. commerce.

Claudio Magliona Garcia Magliona y Cía. Abogados La Bolsa 81, 6th Floor Santiago, Chile cmagliona@garciamagliona.cl Tel: 56 2.2377.9449 Website: www.garciamagliona.cl

Data Protection: Latin America is not 1 Country. Each country has different laws. Is it possible to find common regulations? Most of the countries have followed EU data protection regulations, mainly because of Spain and the shared language: EU regulations can be found in Spanish, whereas US regulations are, logically, written in English.

Data Protection: Latin America is not 1 Country (cont.). Most of the countries have an independent data protection authority (with a few exceptions, such as Chile). New bills in the region follow a normal structure: principles, rights, an independent authority. Data protection plus: the right to be forgotten and a focus on technology companies (big data). Goal: achieve a balance between data protection and the free flow of information.

Thank You. Presenters: Dr. Eckard von Bodenhausen (Broedermann Jahn), Khizar Sheikh (Mandelbaum Salsburg P.C.), J. Paul Zimmerman (Christian & Small LLP), Claudio Magliona (Garcia Magliona y Cía. Abogados); contact details as given above.