Privacy and Data Security in an Increasingly Globalized World

Slides:



Advertisements
Similar presentations
EU Privacy Directive. What is a directive? A piece of European legislation, passed by bureaucrats, addressed to member states Member states must ensure.
Advertisements

The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.
Sarah Branam Mehmet MunurDino Tsibouris
Per Anders Eriksson
The U.S.-E.U. Safe Harbor Framework The U.S.-E.U. Safe Harbor Framework New Developments in Data Flows, Standards, & Compliance Damon Greer U.S. Department.
Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.
THE CHOICES WE MAKE THAT MATTER – International Data Privacy/Protection JILL L. UREY, ASSISTANT GENERAL COUNSEL MID-ATLANTIC CIO FORUM NOVEMBER 20, 2014.
Draft EU Privacy Regulation Corporate Privacy Forum January 26, 2012.
Privacy Codes of Conduct as a self- regulatory approach to cope with restrictions on transborder data flow Dr. Anja Miedbrodt Exemplified with the help.
1 SAFE HARBOR FRAMEWORK Barbara S. Wellbery Morrison & Foerster LLP 2000 Pennsylvania Avenue Washington, DC /
IBT - Electronic Commerce Privacy Concerns Victor H. Bouganim WCL, American University.
European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 European Privacy and Data Protection Policy.
1 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Making Privacy Operational International Security, Trust.
DR ANDREA MULLIGAN BARRISTER-AT-LAW LLB, LLM(HARV.), PH.D Safe Harbor and Schrems v DPC.
1 Agencia Española de Protección de Datos The Use of Contracts and BCRs to Transfer Personal Data The European Union – United States Safe Harbor framework:
1 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014.
The EU General Data Protection Regulation Frank Rankin.
Data protection—training materials [Name and details of speaker]
Key Points for a Privacy Programme for Multinationals Steve Coope.
General Data Protection Regulation (EU 2016/679)
EU-US Data Transfers for Payroll:
GDPR 12 POINTS 679/2016 DATA LEX 2016.
Contracts – the small print
Data Protection Officer’s Overview of the GDPR
General Data Protection Regulations: The Key Changes
Accountability & Structured Privacy Management
EU General Data Protection regulation (GDPR)
Industry 4.0 – New ways of cooperative working – are we prepared?
The future of data protection: General Data Protection Regulation
GDPR (General Data Protection Regulation)
THE NEW GENERAL DATA PROTECTION REGULATION: A EUROPEAN OR A GLOBAL STANDARD? Bart van der Sloot Senior Researcher Tilburg Institute for Law, Technology,
What is HIPAA? HIPAA stands for “Health Insurance Portability & Accountability Act” It was an Act of Congress passed into law in HEALTH INSURANCE.
WORLD OF CLOUD COMPUTING AFTER GDPR challenges, opportunities and the unknown Matjaž Drev, MA. National Supervisor for Personal Data Protection, Information.
Presentation to GTMC on GDPR
GDPR – Legal Aspects Desislava Krusteva, Attorney-at-Law, CIPP/E
General Data Protection Regulations: what you really need to know
Data Protection The Current Regime
General Data Protection Regulation (GDPR
General Data Protection Regulation
International Regulatory Trends
Museums + Heritage webinar, 30 November 2017
GDPR Readiness Project
Information Governance and Data Privacy: A World of Risk
The European Union General Data Protection Regulation (GDPR)
INTRODUCTION TO GDPR 19/09/2018.
GDPR Road map to Compliance.
Bob Siegel President Privacy Ref, Inc.
GENERAL DATA PROTECTION REGULATION (GDPR)
Vikas Dewangan (Senior Technology Architect)
Introduction to GDPR 09/11/2018.
State of the privacy union
G.D.P.R General Data Protection Regulations
Employee Privacy and Privacy of Employee Information
GDPR Overview and Use Cases.
General Data Protection Regulation
Relocation CARNIVAL come one…come all
Data Protection What’s new about The General Data Protection Regulation (GDPR) May 2018? Call Kerry on Or .
Welcome!.
Data transfers to non-EU countries under the new GDPR
 How does GDPR impact your business? Pro Tip: Pro Tip: Pro Tip:
The General Data Protection Regulation Six months on – What’s changed
 GDPR Readiness Quiz Quick Insight: Quick Insight: Quick Insight:
The title: The implementation of Data Protection
General Data Protection regulation (GDPR)
European Commission proposals for data protection
GDPR: Understanding your obligations and the ongoing challenges
EU Data Protection Legislation
General Data Protection Regulation
Data Privacy and GDPR Jane Shvets
Getting Ready For GDPR Simon Marks Director
Presentation transcript:

Privacy and Data Security in an Increasingly Globalized World Q2 Phoenix ISSA Chapter Meeting April 11, 2017

Today’s Objectives We will discuss the following during this session: US Privacy Laws and Regulatory Framework High level overview of the Fluctuating Global Legal Framework of Privacy Laws and Regulations History of EU US Safe Harbor The Privacy Shield Options for Cross-Border Transfers of Data The General Data Protection Regulations

Overview of the Fluctuating US Legal Framework US Sectorial Privacy Laws and/or Standards Healthcare Industry - HIPAA Education - FERPA Financial Services – SEC; NYDFS Insurance – NAIC Energy – NERC CIP Requirements Nuclear - NRC FTC Enforcement Actions

Where we’ve been – Safe Harbor 1995 Data Protection Directive EU’s 1995 Data Protection Directive only allows transfer of personal data to third countries providing “adequate” level of protection – U.S. not deemed adequate. Safe Harbor developed by U.S. Department of Commerce in consultation with European Commission. Received an adequacy finding from the Commission in 2000

Safe Harbor – what was it? Companies would self-certify compliance with Safe Harbor principles of Notice, Choice, Onward Transfer, Access, Security, Data Integrity, and Enforcement. Publish a privacy statement that company adheres to Safe Harbor. Enforced by FTC

Safe Harbor – what happened? Snowden revelations of mass surveillance by U.S. government. Austrian law student Max Schrems, sued Facebook, claiming that the mass surveillance violated the EU Charter of fundamental human right to privacy. Court of Justice of the European Union invalidated Safe Harbor October 6, 2015. EU Data Protection Authorities (Article 29 Working Party) gave deadline of January 31 for U.S. and EU to come up with solution. Deadline also a grace period for compliance.

Between Safe Harbor and Privacy Shield Data kept flowing under Standard Corporate Clauses (SCCs) and Binding Corporate Rules Data transferred under Model Clauses and Binding Corporate Rules subject to same U.S. government access issues For 21 days in February and March of 2017, Max Schrems, Round 2, claims that SCCs are not adequate to protect US citizens because Facebook still subject to government surveillance Facebook lawyers relied upon Privacy Shield

Between Safe Harbor and Privacy Shield Commissioner argues that Facebook was relying on provisions of the Privacy Shield which aren’t generally binding Will Privacy Shield, SCCs and Binding Corporate Rules (“BCRs) continue to be valid? Chances are unclear

Privacy Shield Privacy Shield announced February 2, 2016; Text //Adequacy Decision released February 29, 2016. Annually self-certify compliance with Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. Publicly declare commitment to comply with Principles Privacy Shield Privacy Policy

Privacy Shield Addressing deficiencies cited by EU U.S. Government Access Judicial Redress Act/Ombudsman Annual Joint Review Enforcement Department of Commerce will: Verify self-certification requirements Expand efforts to follow up with organizations that have been removed from the Privacy Shield list Search for and address false claims of participation Increase cooperation with DPAs

Privacy Shield Operational Impacts for Participants Additional information required to be provided for Notice principle (Privacy Shield privacy policy) Tightened conditions for onward transfer to third parties(contractual requirements for third party controllers) 45 days to respond to individual complaints Additional avenues to address individual complaints (take complaint to home DPA which can refer to FTC; Privacy Shield Panel)

Privacy Shield – what’s changed Organizations processing HR data must cooperate with and respond directly to DPAs regarding processing of such data Liability for third party agent violation of Principles Participants that drop out must continue to comply with respect to personal data collected under Privacy Shield

Alternatives to Safe Harbor and Privacy Shield Standard Corporate Clauses PROs Cheaper and faster than binding corporate rules No annual recertification High level of certainty for compliance Easy to monitor when relatively few contractual relationships are implicated

Alternatives to Safe Harbor and Privacy Shield Directly enforceable by data subjects Must be changed over time to account for new data and entities Title and Content Layout Click in text box to insert text Use “Increase/Decrease List Level” to format each level of sub-bullets No limitation of liability Strict subcontracting requirements May require filing or approval depending on EU member state

Alternatives to Safe Harbor and Privacy Shield Standard Contract Clauses, cont’d CONs Non-negotiable

Alternatives to Safe Harbor and Privacy Shield Binding Corporate Rules – Legally enforceable privacy rules for the transfer of personal information between entities in the same corporate group PROS Provides enterprise-wide approach for cross border data transfers Can be tailored to a company’s culture and processes Encourage implementation of privacy program within corporate group

Alternatives to Safe Harbor and Privacy Shield CONS Takes time and money to implement Only valid for transfers between entities in the corporate group Revisions to BCRs would require approval by DPAs, making change difficult

Alternatives to Safe Harbor-Consent Consent – agreement of data subject to transfer of their data. PROS Less burdensome than execution of multiple model clauses or implementation of BCRs CONS Interpreted restrictively Precise requirements to obtain voluntary, informed, unambiguous consent must be met (including affirmative action under new GDPR)

Alternatives to Safe Harbor-Consent CON’s Continued Consent can be withdrawn at any time Need to keep good records of consent Data subjects may not consent Freely given consent difficult to establish in employment context May be effective solution for B2C websites requiring consent for specific transactions

GDPR: some headline points “Privacy by design and default” Accountability - Record keeping requirements Privacy Impact assessments Data Mapping and Data Classification Data protection officers Breach notification Fines and penalties

Appointing a processor Definitions of Controller and Processor won’t change Processor = anyone who processes personal data on behalf of the Controller Can your processor guarantee data security? Processors are now directly responsible for compliance Some companies will be acting as both depending on the circumstances

Territoriality and General Concepts Widening the net – offering goods/services to Europeans The “one stop shop” and the controller’s “main establishment” Penalties and Enforcement Increased Fines 20 million EURO 4% of global turnover

GDPR – what will change (1) Now 2018 Notification No longer needed What is “personal data” Some changes – needs client review to assess impact on them (particularly direct marketing) Consent to processing Expanded requirement requires greater clarity

GDPR – what will change (1) Now 2018 Subject information Broad requirements to tell data subject what is going on – one to watch out for, since it is currently ignored Data accuracy No change – keep it accurate

GDPR – what will change (2) NOW 2018 Data security No change – keep it safe. Standards evolve over time Data retention No change – keep it only for so long as possible. NB enhanced rights of data subject to enforce this, and also “right to be forgotten” Export outside No substantial change EEA

GDPR – what will change (2) Use of third party More of the same. “processors” This will need contracts to (e.g payroll) be updated Subject Access Requests Clients need to become familiar with the new text – potentially broader requirements and shorter time to respond Data portability right New

GDPR – what will change (2) Now 2018 Intra-group transfers No substantial change

GDPRs and the US Perspective-Where do we go from here? Breach notification – 72 Hours (New) Contracts with transfers of personal data to the United States GDPR implementation

Attendee Questions & Insights