European, Middle East, and Latin American Privacy and Cyber Developments For In-House Counsel
May 11, 2017
Presented By:
Dr. Eckard von Bodenhausen, Broedermann Jahn, Hamburg, Germany
Khizar Sheikh, Mandelbaum Salsburg, Roseland, New Jersey, USA
J. Paul Zimmerman, Christian & Small LLP, Birmingham, Alabama, USA
Claudio Magliona, Garcia Magliona y Cia. Abogados, Santiago, Chile
Association of Corporate Counsel, www.acc.com
Today's Program is Sponsored by The International Society of Primerus Law Firms
Primerus is an international society of the world's finest small to mid-size law firms. Membership in Primerus is by invitation only, and all Primerus law firms are pre-screened before being accepted and audited annually for their continued commitment to providing excellent work product and superior client service at reasonable rates. Currently, there are nearly 3,000 Primerus lawyers in over 180 Primerus firms located in 45+ countries. If you would like to learn more about Primerus, please visit the Primerus website at www.primerus.com.
Dr. Eckard von Bodenhausen
Broedermann Jahn
ABC-Straße 15, Hamburg, Germany 20354
Eckard.Bodenhausen@german-law.com
Tel: +49 40 37 09 05 0
Fax: +49 40 37 09 05 55
Website: www.german-law.com
Post Safe Harbor: REQUIREMENTS AND SOLUTIONS FOR TRANSATLANTIC DATA TRANSFERS
What are the legal sources of EU privacy law?
Currently: EU-Directive
Starting 25th of May 2018: General Data Protection Regulation (GDPR); E-Privacy Regulation (Draft)
Who needs to comply with the GDPR? (1)
[Diagram: Example A (non-EU/EEA country, website) and Example B (non-EU/EEA country)]
Who needs to comply with the GDPR? (2)
[Diagram: Example C (non-EU/EEA country, Data Processing Agreement)]
Who needs to comply with the GDPR? (3)
Examples (Involved Parties) and whether the GDPR applies:
- Companies based within the EU contracting with companies based in a Third Country (including intercompany): Yes
- Company based in a Third Country running a website which can be accessed via the internet by persons within the EU: No
- Company based in a Third Country running a website which is intended for customers within the EU (e.g. German language, webshop with German hotline, etc.): Yes
- Company based in a Third Country acting as a data processor for a Company based within the EU: Yes
What are the legal requirements? (1)
Legal requirements for international data transfers depend on:
- the type of data involved: only personal data according to Article 4 (1) GDPR
- the destination of the data to be transferred:
  EU (European Union): EU Member States
  EEA (European Economic Area): Iceland, Liechtenstein, Norway
  Third Countries: all other countries
What are the legal requirements? (2)
Legal requirements for international data transfers depend on:
1st step: Is the data transfer permitted (according to national law)? Data subject's consent, or legal permission; Data Processing Agreement, if applicable
2nd step: Can an adequate level of data protection be ensured in the third country, a territory or specified sector, or the international organization?
What are the legal requirements? (3)
Adequate level of data protection, esp. (2nd step):
- Adequacy decision by EU-Commission (cp. EU/US Privacy Shield) (Art. 45 (1) GDPR)
- EU Standard Data Protection Clauses (no further DPA necessary) (Art. 46 (2) c) GDPR)
- Binding corporate rules (Art. 47 GDPR)
- Specific consent of data subject (Art. 49 (1) a) GDPR)
- Etc.
What are the legal requirements? (4)
Additional legal requirements for controllers or processors not established in the Union:
- National representative established in one of the EU Member States where the data subjects are (Art. 27 GDPR). Exception: occasional processing of non-special categories of data unlikely to result in a risk to data subjects' rights.
- Art. 3 (2) (5) ePrivacy Regulation (DRAFT), referring to all providers of an electronic communications service
What are the consequences for violations of the legal requirements for international data transfer?
- Administrative fines up to 20,000,000 EUR, or up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83 GDPR)
- Compensation of material or non-material damage (Art. 82 GDPR)
Khizar Sheikh
Mandelbaum Salsburg P.C.
3 Becker Farm Road, Suite 105, Roseland, NJ 07068, United States
ksheikh@lawfirm.ms
Tel: 973.821.4172
Fax: 973.325.7467
Website: www.lawfirm.ms
Privacy, Cyber & Technology MIDDLE EASTERN DEVELOPMENTS
Countries Rapidly Pursuing Digitization
According to PWC:
- Digital markets are expanding at an overall compound annual growth rate of 12% and are expected to be worth US$35 billion in 2015.
- Digitization could add as much as $820 billion to regional GDP and create 4.4 million new jobs by 2020.
According to McKinsey & Co.:
- A unified regional online market could expand to include 160 million users by 2025 and add about $95 billion to gross domestic product.
Saudi Arabia, the UAE, and other Arab states in the Gulf are leading this growth. However, according to PWC, this has made the region an attractive target for cyber threats: the number of virus-infected computing devices exceeds the global average by more than 4x.
Legal Landscape (sample)
In Qatar, Saudi Arabia and the United Arab Emirates, the constitutions, together with certain statutes, recognize individual rights to privacy in specific circumstances and specific sectors. In addition, in Saudi Arabia, protection of personal data is provided through Sharia principles.
Both the Dubai International Financial Centre and the Qatar Financial Centre have their own data protection specific laws or regulations. These legal provisions are generally consistent with data protection laws from the EU. They also contain restrictions on data transfer from within the respective Financial Centres to places outside those Financial Centres.
Oman and Qatar both have laws relating to e-commerce which contain provisions relevant to data protection. Oman's Electronic Transactions Law and Qatar's Electronic Commerce and Transactions Law are both based largely on the UN Model Laws relating to e-commerce and electronic signatures - but the laws in both countries include specific provisions relating to data protection.
Legal Landscape (sample) (cont.)
Data protection in Israel is governed primarily by the Protection of Privacy Law 1981, which governs data use and management. Chapter Two of the Privacy Law addresses procedures for registering databases, authorizes the Registrar of Databases to refuse registration in certain circumstances, establishes the role of the database manager, excludes certain data stored on personal computers from registration requirements and adds a subchapter dealing with direct mail solicitations.
In April 2016, Turkey's law on Personal Data Protection came into force. Although the Turkish Constitution establishes a general right to privacy, and there is a patchwork of personal data protection provisions contained within sector-specific regulations, the Law represents Turkey's first dedicated privacy and data protection statute. The Law is based on the European Union's 1995 Data Protection Directive, but differs in a number of important respects.
Recent Developments
Qatar: First GCC member state to issue a generally applicable data protection law. Will be of particular interest to Qatar-based employers, given that it introduces new requirements in relation to how employers maintain and manage their employees' information. Data breach reporting obligations for gross harm.
Turkey: New regulation introduced detailed provisions regarding the processing and transfer of personal health data, particularly in relation to the format of consent and the requirement for anonymization before transfer.
Recent Developments (cont.)
UAE: Released a framework for virtual currencies and electronic payment systems, mostly pertaining to data protection and outsourcing.
Israel: New privacy-related information security regulations are about to take effect and introduce modern concepts, such as mandatory impact assessments, encryption and breach notification. ILITA, the local regulator, released three new draft guidelines on the right of access, workplace surveillance and direct marketing. The Israeli parliament has enacted a new anti-spam amendment increasing the scope of the law.
J. Paul Zimmerman
Christian & Small LLP
1800 Financial Center, 505 North 20th Street, Birmingham, AL 35203, United States
jpz@csattorneys.com
Tel: 205.250.6616
Fax: 205.328.7234
Website: www.csattorneys.com
U.S. Regulatory Enforcement - The Landscape
As to data breaches, the U.S. landscape is a confusing mix of federal and state laws. 48 of 50 states have data breach notification statutes. The U.S. does not have one single federal data protection law; it has several. Applicable law can depend on type of data, industry sector, and public versus private company. Any number of regulatory agencies could be involved.
As for privacy laws and regulation of commerce, the legal framework is mostly, but not exclusively, federal.
U.S. Regulatory Enforcement - Federal Enforcement
At least 20 federal statutes relate to data protection in various ways.
Regulatory actions can include:
- Civil enforcement
- Injunctive relief
- Criminal proceedings
U.S. Regulatory Enforcement - Federal Enforcement
The most commonly encountered are:
- Fair Credit Reporting Act
- Gramm Leach Bliley Act
- Health Insurance Portability and Accountability Act
- Children's Online Privacy Protection Act
- Federal Trade Commission Act
FTC Enforcement Trend
The FTC is relatively new in the data privacy enforcement space, but is increasingly active. The FTC v. Wyndham Worldwide Corp. and In the Matter of LabMD cases confirmed its role in data privacy regulation in the U.S. pursuant to Sec. 5 of the FTCA. Actions generally lead to sanctions or consent settlements providing injunctive relief. Related criminal investigations are generally turned over to the FBI, IRS, Secret Service, etc.
Joining Privacy Shield in the U.S.
Self-certify to the U.S. Dept. of Commerce through www.privacyshield.gov.
Similarities to the former Safe Harbor, but also key differences:
- Requirements for the company's privacy policy
- Enforcement mechanism
- Requirements for vendor contracts and onward transfer of data
- Increased enforcement, with the U.S. FTC and U.S. Dept. of Transportation playing varying roles
Key Issues to Watch with Privacy Shield
- Requirements apply to privacy policies, but companies must establish the detailed procedures that will result in compliance.
- Bringing vendor contracts into compliance
- Dispute resolution through EU data protection authorities
- Must recertify annually
Regulation of Data by the States
States regulate data to varying degrees, mostly with regard to consumer data breach notification. Some states have more expansive regulations or more aggressive enforcement:
- California
- Massachusetts
- New York
In Contrast to Many Other Countries, the U.S. Has:
- A tangled network of laws, regulations, and agencies.
- Very little restriction on offshore transfer of data.
- Technical requirements for some types of data or particular industries (to facilitate transactions; military applications).
- Little restriction on storing data outside the U.S.
- Jurisdictional limits that generally restrict enforcement to U.S. commerce.
Claudio Magliona
Garcia Magliona y Cía. Abogados
La Bolsa 81, 6th Floor, Santiago, Chile
cmagliona@garciamagliona.cl
Tel: 56 2.2377.9449
Website: www.garciamagliona.cl
Data Protection: Latin America is not 1 Country
Each country has different laws. Is it possible to find common regulations? Most of the countries have followed EU data protection regulations, mainly because of Spain and the shared language: EU regulations can be found in Spanish, whereas US regulations are, logically, written in English.
Data Protection: Latin America is not 1 Country (cont.)
- Most of the countries have an independent data protection authority (with few exceptions, e.g. Chile).
- New bills in the region follow a normal structure: principles, rights, independent authority.
- Data protection plus: right to be forgotten and focus on technology companies (Big data).
- Goal: achieve a balance between data protection and the free flow of information.
Thank You
Presenters: J. Paul Zimmerman (Christian & Small LLP), Khizar Sheikh (Mandelbaum Salsburg P.C.), Dr. Eckard von Bodenhausen (Broedermann Jahn), Claudio Magliona (Garcia Magliona y Cía. Abogados)