SAFE HARBOR: STAYING ALIVE?


THURSDAY 15 OCTOBER 2015, LONDON
SAFE HARBOR: STAYING ALIVE?
Stewart Dresner, Chief Executive, Privacy Laws & Business
Ulrich Wuermeling, Partner, Latham & Watkins
Gail Crawford, Partner, Latham & Watkins
Jennifer Archie, Partner, Latham & Watkins

Latham & Watkins operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) with affiliated limited liability partnerships conducting the practice in the United Kingdom, France, Italy and Singapore and as affiliated partnerships conducting the practice in Hong Kong and Japan. The Law Office of Salman M. Al-Sudairi is Latham & Watkins' associated office in the Kingdom of Saudi Arabia. Copyright 2015 Latham & Watkins. All Rights Reserved.

CRITIQUE OF SAFE HARBOR
1999/2000: PL&B conducted a research project for the European Commission on the adequacy of the US/EU Safe Harbor.
Results: several weaknesses. Safe Harbor was a pragmatic EU/US political compromise.
The next two slides are by Galexia (www.galexia.com), a consultancy and Safe Harbor analyst. Its evidence contributed to most FTC prosecutions.

A VERY BRIEF SAFE HARBOR REFORM AND ENFORCEMENT TIMELINE
Timeline markers: 2000, 2002, 2004, 2008, 2009, 2011, 2012, 2013, 2014, 2015
Events, in timeline order:
Launch
First EC Review
Second EC Review
Galexia Review
FTC action against 6 false claimants
FTC substantive action against Facebook and Google
FTC substantive action against MySpace
Snowden!
Third EC Review
FTC action against 14 false claimants
FTC action against TRUSTe
Future of Privacy Forum Review
FTC action against 2 false claimants
Europe v Facebook at the European Court of Justice

AN ALTERNATIVE HISTORY BASED ON AN ISSUES ANALYSIS
Issue: status
No public privacy policy: RESOLVED
False claims (by former members): RESOLVED
False claims (by non-members): PENDING
False trustmark claims: RESOLVED
Dispute resolution is not affordable: RESOLVED
Consumers threatened with mediation fees: PENDING
Dispute resolution is not independent: LOST
Fine print exclusions: LOST
National security issues: PENDING
Notice and consent cases: RESOLVED
Information broker cases: RESOLVED

QUESTION 1 (US)
The US-EU Safe Harbor has been seen in Europe as a rather weak regulatory mechanism to enable personal data to keep flowing from the EU to the US, while several other countries, such as Canada, Switzerland, Israel and New Zealand, have been subject to close scrutiny to win their adequacy status. For years the Department of Commerce was under-resourced in its attempts to regulate the Safe Harbor. The FTC has in recent years been taking a more active enforcement role. Why did the FTC take so long to get started on active enforcement? How active is the Department of Commerce in its supervisory role now?

QUESTION 2 (EU)
From the start of the US-EU programme 15 years ago, the European Commission was aware of the weaknesses in the Safe Harbor system. Why did the European Commission take so long before presenting the US with its list of areas for improvement?

QUESTION 3 (US and EU)
Last year, the EU presented the US with a list of 13 Safe Harbor areas which it wanted to be improved. What are they, and what are the results of the negotiations?

QUESTION 4 (EU)
Is the European Commission considering extending the Safe Harbor programme to other large countries, such as India and Brazil, where an adequate data protection law could be far in the future? If so, which countries? If not, why not?

QUESTION 5 (US)
Is the US considering extending the Safe Harbor programme to other countries with comprehensive data protection/privacy laws? If so, which countries?

THE FUTURE FOR THE SAFE HARBOR?
1. What is the decision of the Court of Justice of the European Union?
2. How will the European Commission, the EDPS and the EU Art. 29 DP Working Party respond?
3. Will modified US-EU and US-Swiss Safe Harbor programmes continue in the future?
4. What are companies' options for the transfer of personal data to third countries?

SCHREMS VS. FACEBOOK

SCHREMS VS. FACEBOOK: TIMELINE
2011: Guest student at Santa Clara University (California); speech of a Facebook lawyer; Schrems files 22 complaints with the Irish Data Protection Commissioner.
2012: Formation of the europe-v-facebook.org Verein.
2013: 23rd complaint to the Irish Data Protection Commissioner; the Irish Data Protection Commissioner dismisses the complaint as frivolous and vexatious; application to the Irish High Court for judicial review of the Irish Data Protection Commissioner's dismissal of the 23rd complaint.
2014: The Irish High Court requests a preliminary ruling from the Court of Justice of the European Union.

THE JUDGMENT
Court of Justice of the European Union
Maximilian Schrems vs. Data Protection Commissioner
Case C-362/14, 6 October 2015

RULING 1: THE DECISION DOES NOT PREVENT EXAMINATION
A supervisory authority may examine the case.
Only the Court can declare a Decision invalid.
How a supervisory authority shall act:
1. examine the case
2. apply remedies for breach of the instrument
3. engage in legal proceedings if the validity of the Decision is in question
4. refer to the Court of Justice to evaluate the validity of the Decision

RULING 2: SAFE HARBOR DECISION 2000/520 INVALID
Article 1 invalid: the Commission must duly state reasons, but did not.
Article 3 invalid: it denies national supervisory authorities their powers.
Articles 2 and 4 invalid: due to the invalidity of Articles 1 and 3.
The Court saw no need to examine the Safe Harbor principles!

NEXT STEPS IN THE CASE
Back to the Irish High Court: hearing scheduled for 20 October 2015.
Irish Data Protection Commissioner examines the complaint?

CONSEQUENCES FOR THE SAFE HARBOR FRAMEWORK
Safe Harbor Decision: INVALID
Safe Harbor Certification: VALID
Does Safe Harbor still provide adequate protection? Not decided by the Court.
Requirements:
  no legislation permitting public authorities access on a generalised basis
  legal remedies against access by public authorities

CONSEQUENCES FOR SAFE HARBOR AND OTHER INSTRUMENTS
Adequate Safeguards:
  Model Contracts
  Binding Corporate Rules
  Others
Derogations:
  Consent
  Performance of a contract with or in the interest of the data subject
  Public interest and legal claims
  Vital interests of the data subject
  Transfer from a register

THE RISK OF ENFORCEMENT
Action by: supervisory authorities, data subjects, consumer groups, competitors
Against: data exporter, data importer
In: European Union, United States
For: investigation, remedies, liability, sanctions

EXPECTED DEVELOPMENTS
Article 29 Working Party: plenary session on 15 October 2015; joint statement?
Supervisory Authorities: withdrawal of authorizations? orders to discontinue data export? fines?
European Commission: finalization of the Safe Harbor negotiation? revision of other Decisions?
United States Government: changes in US legislation?

That's all very well... but what do we do now?

CONSEQUENCES FOR SAFE HARBOR AND OTHER INSTRUMENTS
Adequate Safeguards:
  Model Contracts
  Binding Corporate Rules
  Make own assessment of adequacy?
  Others
Derogations:
  Consent
  Performance of a contract with or in the interest of the data subject
  Public interest and legal claims
  Vital interests of the data subject
  Transfer from a register
Operational Change:
  EU data centres?
  Alternative vendors?
  Anonymisation

THE ELEPHANT IN THE ROOM

MODEL CLAUSES
Comparison of the three sets of clauses: Controller to Controller Model Clauses 2004, Controller to Processor Model Clauses 2010, Controller to Controller Model Clauses 2001.

Law enforcement
  Controller to Controller 2004: Clause 2(i): no disclosure to a data controller in a third country unless it notifies the data importer and the third party ensures adequate protection, signs model clauses or data subjects are allowed to object. Clause 2(c): data importer has no reason to believe in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses. Also see clause 2(b), which has a carve-out for where persons are required to access data by law.
  Controller to Processor 2010: Clause 5(d) requires the data importer to notify the data exporter of any legally binding request for disclosure by a law enforcement authority unless otherwise prohibited. Clause 5(b): data importer has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter.
  Controller to Controller 2001: Section 6 of the principles states that onward transfer to another controller is only permissible if information is provided to the data subject and the new controller adheres to the clauses. Clause 5(a): data importer has no reason to believe in the existence of local laws which prevent him fulfilling his obligations under the contract or have a substantial adverse effect on the guarantees in the contract. Where he does become aware, he will notify the change to the data exporter.

Sub-processing
  Controller to Controller 2004: Clause 2(b): must have in place procedures so that a third party it authorizes to access data (including processors) shall be obligated to process it only on instructions from the data importer.
  Controller to Processor 2010: Clause 5(h) / Clause 11: sub-processing prohibited unless prior written consent of the data exporter is obtained and a copy of the sub-processing agreement is sent to the data exporter. Data importer must put in place a written agreement imposing the same obligations on the sub-processor as are imposed on the data importer.
  Controller to Controller 2001: No clear rules on appointment of data processors by data importers.

Liability
  Controller to Controller 2004: Clause 3(a): each party is liable to the other (and to data subjects) for damages it causes by breach of the clauses. Liability limited to actual damage suffered. Punitive damages excluded. Data subject to ask the data exporter to enforce rights against the data importer; data subject can take direct action if the data exporter does not enforce.
  Controller to Processor 2010: Clause 6: any data subject who suffers damage resulting from breach is entitled to compensation from the data exporter, or the data importer (where the data exporter ceases to exist or becomes insolvent). Data subject may only claim against the sub-processor where the data importer and data exporter have ceased to exist in law or become insolvent.
  Controller to Controller 2001: Clause 6: data exporter and data importer are jointly and severally liable for damage to the data subject. Optional indemnity which provides that if one party is held liable for a violation by the other party, the latter will indemnify the first party for any cost, charge, damages, expenses or loss.

MODEL CLAUSES - ADMINISTRATIVE BURDEN
(Diagram of the entities that would each need to sign clauses: UK Co, Fr Co, De Co, Ch Co, US Co, US Sub, Mex Sub)

STRUCTURING THE MODEL CLAUSES
Intra-group agreements: agency; deed of adherence.
Onward transfers?
Use of PoAs
Still need prior approval in many countries, e.g. Austria, Belgium, France, Luxembourg, Norway, Malta and Spain
Notification of clauses in others, e.g. Greece, Romania and Liechtenstein
What is "unamended form"?
Level of detail in schedules
Unilateral declarations?

DATA PROCESSORS
(Diagram: Safe Harbor-certified US Parent (ToS, IPP); UK Co; Irish DP; DC to DP between the US entity and EU customers; DP to DP.)
DP to DP Model Clauses under consideration by Art. 29
Ability to adapt DC-DP 2010 clauses?
Get customer to warrant they have consents?
Build EU data centres?
DC to DP / DP to DP Model Clauses

US ONLINE PROVIDER
(Diagram: US Co, which was Safe Harbor certified, with ToS and PP; End Users; UK Co Sales Agent.)
Does EU law apply?
Consent
Transfer necessary for the purpose of contract
How do you deal with existing data?
Can the UK Sales Agent sign model clauses with US Co?
What are the data flows?

CONSENT
Freely given and fully informed
Can be withdrawn
Not buried in the privacy policy
Positive indication of intent
Can employees or existing users of a service give valid consent?
Similarly, can you rely on a transfer being necessary for the purpose of a contract if you do not clearly disclose that you are a US company?

OWN ASSESSMENT OF ADEQUACY?
Conduct a risk assessment:
  Nature of data: impact of unauthorised access to the data? Country of origin?
  Nature of processing
  Period for which data will be used
  Country of importer: level of protection under local law
  Security
Can you take into account:
  Safe Harbor Principles?
  Adapted Model Clauses
  Internal rules (not signed off as BCRs)
DPA position varies. No clear guidance.

SCHREMS VS. FACEBOOK: WHAT NEXT?
Next few weeks: Article 29 Working Party guidance / DPAs. Likely to issue guidance and a remediation period. Can they agree an approach? DPAs will then likely write to certain companies and ask them how they comply.
20th October: Irish High Court reconsiders the Facebook case; look at the specifics of Facebook transfers.
6-12 months: Discussions on SH2 continue.
2-4 years: Schrems or others mount new challenges. Challenge to other mechanisms? Class actions.
2017/2018: New Data Protection Regulation.

CHECKLIST (PENDING ART. 29 WP GUIDANCE)
1. Map data flows (if not already done)
2. Identify where you rely on Safe Harbor: intra-group transfers, US vendors, US partners, sub-processors
3. Verify whether other derogations apply: consent, transfer is necessary for a contract, other
4. Add Model Contracts where appropriate: DC to DC, DC to DP or DP to DP? Consider structure; consider signing mechanism
5. Inform stakeholders: sales representatives, customers, employees
6. Registrations, approvals and notifications with DPAs: review current registrations, approvals and notifications; add or amend approvals with DPAs
7. Review privacy policies, notices and consents
8. Identify, review and amend internal documentation: policies and procedures (e.g. procurement guidelines for vendors, data sharing policies); form agreements and clauses that allow reliance on Safe Harbor
9. Consider impact on current projects: M&A, technology
10. Identify future risks and initiate strategic discussions given the possible period of instability

YOUR CONTACTS
Stewart Dresner, Chief Executive, London, Privacy Laws & Business, T: +44.20.8868.9200, E: stewart.dresner@privacylaws.com
Gail Crawford, Partner, London, Latham & Watkins, T: +44.20.7710.3001, E: gail.crawford@lw.com
Ulrich Wuermeling, Partner, Frankfurt, Latham & Watkins, T: +49.69.6062.6502, E: ulrich.wuermeling@lw.com
Jennifer Archie, Partner, Washington, D.C., Latham & Watkins, T: +1.202.637.2205, E: jennifer.archie@lw.com
