International Regulatory Trends
Daily Journal Professional Education Cyber Boot Camp, January 12, 2017
Brian Michael, 21st Century Fox, Fox Networks Group
Timothy J. Toohey, Greenberg Glusker Fields Claman & Machtinger LLP
Dr. Kai Westerwelle, Taylor Wessing (US) Inc.
Moderator: Tanya Forsheit
Agenda
Privacy in Historical Context: EU v. US
EU-US Cross-Border Data Transfers
EU General Data Protection Regulation (GDPR)
Russia
Asia
Latin America
The Future?
EU v. US: Privacy in Perspective
Privacy in Historical Context
EU-US Cross-Border Data Transfers
Background
The Safe Harbor Framework, 2000-2015
The Schrems case
Adoption of Privacy Shield
July 12, 2016: Commission adopted the Privacy Shield adequacy decision
August 1, 2016: Privacyshield.gov opened for business
Principles
Notice
Choice
Accountability for Onward Transfer
Security
Data Integrity and Purpose Limitation
Access
Recourse, Enforcement, and Liability
Supplemental Principles
Alternative Transfer Mechanisms
Model clauses: Controller to Processor; Controller to Controller
Binding Corporate Rules (BCRs)
GDPR
General Application
Do you process personal data in the context of the activities of an establishment in the EU?
Do you process data of data subjects in the EU, and does the processing relate to:
(a) the offering of goods or services to those data subjects; or
(b) the monitoring of those data subjects' behavior, as far as their behavior takes place in the EU?
Principles
Process personal data lawfully, fairly, and in a transparent manner.
Collect personal data for specified, explicit, and legitimate purposes.
Personal data should be adequate, relevant, and limited to what is necessary.
Keep personal data accurate, and erase or rectify inaccurate personal data without delay.
Keep personal data for no longer than is necessary for the purposes for which it is processed.
Protect personal data using appropriate security measures.
Basis for Processing
Consent
Legitimate Interest
Contractual Necessity
Other Lawful Grounds
Special Categories
Data Subject Rights
Transparency
Access
Rectification
Erasure (Right to Be Forgotten)
Restriction of Processing
Objection
Data Portability
Rights Relating to Profiling
Policies and Procedures
Data Protection Officer (DPO)
Record Keeping
Privacy by Design and by Default
Data Protection Impact Assessments
Written Contracts between Controllers and Processors
Data Security Measures
Data Breach Response
International Data Transfers
Enforcement
Member State Courts and DPAs
Administrative fines of up to EUR 20 million, or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher
Russia
Russia
Data localization regulation and enforcement
Cybersecurity issues
Asia: A Few Recent Developments
Japan
Amendments to the Personal Information Protection Act ("PIPA") come into force on May 30, 2017.
Associated restrictions on cross-border data transfers.
China
The National People's Congress passed the Cybersecurity Law in November 2016.
Comes into force June 1, 2017.
Impact on data transfers and cybersecurity.
Latin America: A Sampling of Regulations
Argentina
"Adequate" for EU purposes
New development in 2016: European-style Model Clauses
Mexico
Federal Law on the Protection of Personal Data Held by Private Parties
Regulations under the Federal Law issued five years ago
Specific data security requirements, including for vendor relationships
Short-Form Privacy Notices
The Future?
The Future
Impact of the new US Administration
Impact of Brexit
What to expect from regulators around the globe going forward?