THURSDAY 15 OCTOBER 2015, LONDON

SAFE HARBOR: STAYING ALIVE?

Stewart Dresner, Chief Executive, Privacy Laws & Business
Ulrich Wuermeling, Partner, Latham & Watkins
Gail Crawford, Partner, Latham & Watkins
Jennifer Archie, Partner, Latham & Watkins

Latham & Watkins operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) with affiliated limited liability partnerships conducting the practice in the United Kingdom, France, Italy and Singapore and as affiliated partnerships conducting the practice in Hong Kong and Japan. The Law Office of Salman M. Al-Sudairi is Latham & Watkins' associated office in the Kingdom of Saudi Arabia. Copyright 2015 Latham & Watkins. All Rights Reserved.
CRITIQUE OF SAFE HARBOR

- 1999/2000: PL&B conducted a research project for the European Commission on the adequacy of the US/EU Safe Harbor.
- Results: several weaknesses. Safe Harbor was a pragmatic EU/US political compromise.
- The next two slides are by Galexia (www.galexia.com), a consultancy and Safe Harbor analyst. Its evidence contributed to most FTC prosecutions.
A VERY BRIEF SAFE HARBOR REFORM AND ENFORCEMENT TIMELINE

Years marked on the timeline: 2000, 2002, 2004, 2008, 2009, 2011, 2012, 2013, 2014, 2015

Events shown above the timeline (in order):
- First EC Review
- Galexia Review
- FTC substantive action against Facebook and Google
- Snowden!
- Third EC Review
- Future of Privacy Forum Review
- FTC action against 2 false claimants
- Europe v Facebook at the European Court of Justice

Events shown below the timeline (in order):
- Launch
- Second EC Review
- FTC action against 6 false claimants
- FTC substantive action against MySpace
- FTC action against 14 false claimants
- FTC action against TRUSTe
AN ALTERNATIVE HISTORY BASED ON AN ISSUES ANALYSIS

Issue: Status
- No public privacy policy: RESOLVED
- False claims (by former members): RESOLVED
- False claims (by non-members): PENDING
- False trustmark claims: RESOLVED
- Dispute resolution is not affordable: RESOLVED
- Consumers threatened with mediation fees: PENDING
- Dispute resolution is not independent: LOST
- Fine print exclusions: LOST
- National security issues: PENDING
- Notice and consent cases: RESOLVED
- Information broker cases: RESOLVED
QUESTION 1 (US)

The US-EU Safe Harbor has been seen in Europe as a rather weak regulatory mechanism to enable personal data to keep flowing from the EU to the US, while several other countries, such as Canada, Switzerland, Israel and New Zealand, have been subject to close scrutiny to win their adequacy status. For years the Department of Commerce was under-resourced in its attempts to regulate the Safe Harbor. The FTC has in recent years been taking a more active enforcement role.

Why did the FTC take so long to get started on active enforcement? How active is the Department of Commerce in its supervisory role now?
QUESTION 2 (EU)

From the start of the US-EU programme 15 years ago, the European Commission was aware of the weaknesses in the Safe Harbor system. Why did the European Commission take so long before presenting the US with its list of areas for improvement?
QUESTION 3 (US and EU)

Last year, the EU presented the US with a list of 13 Safe Harbor areas which it wanted to be improved. What are they and what are the results of the negotiations?
QUESTION 4 (EU)

Is the European Commission considering extending the Safe Harbor programme to other large countries, such as India and Brazil, where an adequate data protection law could be far in the future? If so, which countries? If not, why not?
QUESTION 5 (US)

Is the US considering extending the Safe Harbor programme to other countries with comprehensive data protection/privacy laws? If so, which countries?
THE FUTURE FOR THE SAFE HARBOR?

1. What is the decision of the Court of Justice of the European Union?
2. How will the European Commission, the EDPS and the EU Art. 29 DP Working Party respond?
3. Will modified US-EU and US-Swiss Safe Harbor programmes continue in the future?
4. What are companies' options for the transfer of personal data to third countries?
SCHREMS VS. FACEBOOK
SCHREMS VS. FACEBOOK: TIMELINE

2011:
- Guest student at Santa Clara University (California)
- Speech of Facebook lawyer
- Schrems files 22 complaints to the Irish Data Protection Commissioner

2012 to 2014:
- Formation of the europe-v-facebook.org Verein
- 23rd complaint to the Irish Data Protection Commissioner
- Irish Data Protection Commissioner dismisses the complaints as being frivolous and vexatious
- Application to the Irish High Court for judicial review of the Irish Data Protection Commissioner's dismissal of the 23rd complaint
- Irish High Court requests a preliminary ruling from the Court of Justice of the European Union
THE JUDGMENT

Court of Justice of the European Union
Maximilian Schrems vs. Data Protection Commissioner
Case C-362/14, 6 October 2015
RULING 1: DECISION DOES NOT PREVENT EXAMINING

- Supervisory authority may examine the case
- Only the Court can declare a Decision invalid

How the supervisory authority shall act:
1. examine the case
2. apply remedies for breach of the instrument
3. engage in legal proceedings if the validity of the Decision is in question
4. reference to the Court of Justice to evaluate the validity of the Decision
RULING 2: SAFE HARBOR DECISION 2000/520 INVALID

- Article 1 invalid: Commission must duly state reasons, but did not
- Article 2 invalid: denying national supervisory authority power
- Articles 2 and 3 invalid: due to invalidity of Articles 1 and 3

The Court saw no need to examine the Safe Harbor principles!
NEXT STEPS IN THE CASE

- Back to the Irish High Court
- Hearing scheduled for 20 October 2015
- Irish Data Protection Commissioner examines the complaint?
CONSEQUENCES FOR SAFE HARBOR FRAMEWORK

- Safe Harbor Decision: INVALID
- Safe Harbor Certification: VALID

Does Safe Harbor still provide adequate protection? Not decided by the Court.

Requirements:
- no legislation permitting public authorities access on a generalised basis
- legal remedies against access by public authorities
CONSEQUENCES FOR SAFE HARBOR AND OTHER INSTRUMENTS

Adequate Safeguards:
- Model Contracts
- Binding Corporate Rules

Consent

Others

Derogations:
- Performance of a contract with or in the interest of the data subject
- Public interest and legal claims
- Vital interests of the data subject
- Transfer from a register
THE RISK OF ENFORCEMENT

Action by:
- supervisory authorities
- data subjects
- consumer groups
- competitors

against:
- data exporter
- data importer

in:
- European Union
- United States

for:
- investigation
- remedies
- liability
- sanctions
EXPECTED DEVELOPMENTS

Article 29 Working Party:
- plenary session on 15 October 2015
- joint statement?

Supervisory Authorities:
- withdrawal of authorizations?
- orders to discontinue data export?
- fines?

European Commission:
- finalization of Safe Harbor negotiation?
- revision of other Decisions?

United States Government:
- changes in US legislation?
That's all very well... but what do we do now?
CONSEQUENCES FOR SAFE HARBOR AND OTHER INSTRUMENTS

Adequate Safeguards:
- Model Contracts
- Binding Corporate Rules

Others:
- Make own assessment of adequacy?

Consent

Derogations:
- Performance of a contract with or in the interest of the data subject
- Public interest and legal claims
- Vital interests of the data subject
- Transfer from a register

Operational Change:
- EU data centres?
- Alternative vendors?
- Anonymisation
THE ELEPHANT IN THE ROOM
MODEL CLAUSES

Comparison of the three sets of clauses: Controller to Controller Model Clauses 2004, Controller to Processor Model Clauses 2010, and Controller to Controller Model Clauses 2001.

Law enforcement

- Controller to Controller 2004: Clause 2(i): no disclosure to a data controller in a third country unless it notifies the data importer and the third party ensures adequate protection, signs model clauses or data subjects are allowed to object. Clause 2(c): data importer has no reason to believe in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses. Also see clause 2(b), but it has a carve-out for where persons are required to access data by law.
- Controller to Processor 2010: Clause 5(d) requires the data importer to notify the data exporter of any legally binding request for disclosure by a law enforcement authority unless otherwise prohibited. Clause 5(b): data importer has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter.
- Controller to Controller 2001: Section 6 of the principles states that onward transfer to another controller is only permissible if information is provided to the data subject and the new controller adheres to the clauses. Clause 5(a): data importer has no reason to believe in the existence of local laws which prevent him fulfilling his obligations under the contract or have a substantial adverse effect on the guarantees in the contract. Where he does become aware, he will notify the change to the data exporter.

Sub-processing

- Controller to Controller 2004: Clause 2(b): must have in place procedures so that a third party it authorizes to access data (including processors) shall be obligated to process it only on instructions from the data importer.
- Controller to Processor 2010: Clause 5(h) / Clause 11: sub-processing prohibited unless prior written consent of the data exporter is obtained and a copy of the sub-processing agreement is sent to the data exporter. The data importer must put in place a written agreement imposing the same obligations on the sub-processor as are imposed on the data importer.
- Controller to Controller 2001: No clear rules on appointment of data processors by data importers.

Liability

- Controller to Controller 2004: Clause 3(a): each party is liable to the other (and to data subjects) for damages it causes by breach of the clauses. Liability limited to actual damage suffered. Punitive damages excluded. Data subject to ask the data exporter to enforce rights against the data importer; data subject can take direct action if the data exporter does not enforce.
- Controller to Processor 2010: Clause 6: any data subject who suffers damage resulting from breach is entitled to compensation from the data exporter, or the data importer (where the data exporter ceases to exist or becomes insolvent). Data subject may only claim against the sub-processor where the data importer and data exporter have ceased to exist in law or become insolvent.
- Controller to Controller 2001: Clause 6: data exporter and data importer are jointly and severally liable for damage to the data subject. Optional indemnity which provides that if one party is held liable for a violation by the other party, the latter will indemnify the first party for any cost, charge, damages, expenses or loss.
MODEL CLAUSES - ADMINISTRATIVE BURDEN

(Diagram of group entities: UK Co, Fr Co, De Co, Ch Co, US Co, US Sub, Mex Sub)
STRUCTURING THE MODEL CLAUSES

- Intra-group agreements: agency; deed of adherence
- Onward transfers?
- Use of PoAs
- Prior approval still needed in many countries, e.g. Austria, Belgium, France, Luxembourg, Norway, Malta and Spain
- Notification of clauses in others, e.g. Greece, Romania and Liechtenstein
- What is "unamended form"?
- Level of detail in schedules
- Unilateral declarations?
DATA PROCESSORS

(Diagram: Safe Harbor certified US Parent; UK Co; Irish DP; Tos; IPP; DC-DP between US entity and EU customers; DC to DP Model Clauses; DP to DP Model Clauses)

- DP to DP Model Clauses under consideration by Art. 29
- Ability to adapt DC-DP 2010?
- Get customers to warrant they have consents?
- Build EU data centres?
US ONLINE PROVIDER

(Diagram: US Co, which was Safe Harbor certified, with Tos and PP; End Users; UK Co Sales Agent)

- Does EU law apply?
- Consent
- Transfer necessary for the purpose of contract
- How do you deal with existing data?
- Can the UK Sales Agent sign model clauses with US Co?
- What are the data flows?
CONSENT

- Freely given and fully informed
- Can be withdrawn
- Not buried in the privacy policy
- Positive indication of intent

Can employees or existing users of a service give valid consent? Similarly, can you rely on a transfer being necessary for the purpose of contract if you do not clearly disclose you are a US company?
OWN ASSESSMENT OF ADEQUACY?

Conduct a risk assessment:
- Nature of data: impact of unauthorised access to data? Country of origin?
- Nature of processing
- Period for which data will be used
- Country of importer: level of protection under local law
- Security

Can you take into account:
- Safe Harbor Principles?
- Adapted Model Clauses
- Internal rules (not signed off as BCRs)

DPA position varies. No clear guidance.
SCHREMS VS. FACEBOOK: WHAT HAPPENS NEXT

Next few weeks: Article 29 Working Party guidance / DPAs
- Likely to issue guidance and a remediation period
- Can they agree an approach?
- DPAs will then likely write to certain companies and ask them how they comply

20th October: Irish High Court reconsiders the Facebook case
- Look at specifics of Facebook transfers

6-12 months: Discussions on SH2 continue

2-4 years: Schrems or others mount new challenges
- Challenge to other mechanisms?
- Class actions

2017/2018: New Data Protection Regulation
CHECKLIST (PENDING ART. 29 WP GUIDANCE)

1. Map data flows (if not already done)
2. Identify where you rely on Safe Harbor
   - Intra-group transfers
   - US vendors
   - US partners
   - Sub-processors
3. Verify whether other derogations apply
   - Consent
   - Transfer is necessary for a contract
   - Other
4. Add Model Contracts where appropriate
   - DC to DC, DC to DP or DP to DP?
   - Consider structure
   - Consider signing mechanism
5. Inform stakeholders
   - Sales representatives
   - Customers
   - Employees
6. Registrations, approvals and notifications with DPAs
   - Review current registrations, approvals and notifications
   - Add or amend approvals with DPAs
7. Review privacy policies, notices and consents
8. Identify, review and amend internal documentation
   - Policies and procedures, e.g. procurement guidelines for vendors, data sharing policies
   - Form agreements and clauses that allow reliance on Safe Harbor
9. Consider impact on current projects
   - M&A
   - Technology
10. Identify future risks and initiate strategic discussions given the possible period of instability
YOUR CONTACTS

Stewart Dresner, Chief Executive, London, Privacy Laws & Business
T: +44.20.8868.9200
E: stewart.dresner@privacylaws.com

Gail Crawford, Partner, London, Latham & Watkins
T: +44.20.7710.3001
E: gail.crawford@lw.com

Ulrich Wuermeling, Partner, Frankfurt, Latham & Watkins
T: +49.69.6062.6502
E: ulrich.wuermeling@lw.com

Jennifer Archie, Partner, Washington, D.C., Latham & Watkins
T: +1.202.637.2205
E: jennifer.archie@lw.com