Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.


Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New York, New York April 7, 2006

-2- Introduction
Examine the mechanisms by which personal data (personally identifiable) can be transmitted from member states of the E.U. to a third country.
• A determination that the third country has adequate safeguards (including U.S. Safe Harbor).
• An ad hoc or standard agreement between the data controller and the party in the third country.
• Binding Corporate Rules.
• Consent of the data subject.
• Master Agreement.

-3- Introduction (cont’d)
Discuss some indicators of how frequently the formal mechanisms are being employed to transfer personal data.

-4- E.U. Data Protection Principles
The E.U. and member states have created the most elaborate mechanism for protection of personal data.
• Directive 95/46/EC of 25 October 1995: on the protection of individuals regarding processing or transfer of personal data.
• Directive 2002/58/EC of 12 July 2002: on processing of personal data and protection of electronic communication.
• Regulation (EC) 45/2001 of 18 December 2000: on the processing of personal data by Community institutions.
• Directive 2006/__/EC: on retention of data generated in the provision of electronic communications.

-5- E.U. Data Protection Principles (cont’d)
The 25 member states adopted laws implementing the Directive.
• Process took a long time.
  – France 2004
  – Ireland still has not notified the adoption.
• Laws vary widely.
  – Not wholly consistent with the primary Directive.
  – Not wholly consistent with each other.

-6- E.U. Data Protection Principles (cont’d)
• Differences between member states.
  – Definition of “collection”
  – Jurisdiction over foreign-based websites
  – Definition of “personal data”
  – Obligation to notify data protection authorities when collection and processing occurs
  – Attitudes toward trans-border data flow contracts

-7- E.U. Data Protection Principles (cont’d)
Goal
• Harmonize members’ laws and provide a high level of protection to accommodate the increased cross-border data flow.
  – Member state laws reflect a high level of protection of personal data.
  – Transborder data flow from the EEA (E.U. and Norway, Liechtenstein, and Iceland) is problematic.

-8- E.U. Data Protection Principles (cont’d)
Articles 25 and 26 of Directive 95/46/EC prescribe the conditions under which personal data may be transferred to third countries.
Article 25(1) requires an E.U. Commission finding that the level of data protection in the third countries is adequate.
• Argentina
• Canada
• Guernsey
• Isle of Man
• Switzerland
• U.S. (Safe Harbor participant)
• U.S. (Air Passenger name record)

-9- Safe Harbor
Became effective October 1998 after lengthy and sometimes ambiguous negotiations between the E.U. and DOC.
• U.S. entities register with DOC.
• U.S. entities establish a privacy policy and Safe Harbor procedure similar to but not precisely the same as the E.U. principles.
  – Notice of purpose of collection
  – Choice of disclosure to third parties
  – Onward transfer limitation
  – Reasonable security precautions
  – Data integrity
  – Access
  – Recourse mechanisms

-10- Safe Harbor (cont’d)
Advantages
• All E.U. members must allow transfer pursuant to Safe Harbor.
• With limited exceptions, interpretation is based on U.S. law.
• Certain exceptions, such as the U.S.-oriented journalistic exceptions, apply.
• Self-assessment or verification of compliance is available.
• FTC enforcement only after self-regulation.
• Extremely simple to join.
Limitations
• Applies to organizations subject to the FTC or air carriers subject to DOT.
• Only legitimizes transfer; any required consent to collect must still be obtained.

-11- Alternatives (Derogations)
Article 26 provides alternatives.
• 26(1): Transfer can occur with the unambiguous consent of the data subject, to fulfill a contract, or when it is necessary for other important public policies.
  – Working Party 29 (WP 114, 25 November 2005) and a number of data protection authorities question whether consent can be unambiguous, particularly in an employee/employer setting or when there is a long-term framework for repeated transfer of data.
• 26(2): Authorized transfer if adequate protection is provided through contractual provisions.
  – Ad hoc
  – “Standard” clauses

-12- Alternatives (Derogations) (cont’d)
Two Commission Decisions adopted standardized clauses.
• Decision 2001/497/EC applies to transfer from a data controller in the EC to a data controller in third countries.
• Decision 2002/16/EC applies to transfer from a data controller in the EC to data processors in third countries.
• Original Standard Clauses.
  – Incorporate principles similar to the Privacy Directive.
  – Specify the relevant E.U. member's law as governing.
  – Ad hoc contracts require approval of the relevant data protection authority.

-13- Alternatives (Derogations) (cont’d)
Almost as soon as the standard clauses were adopted, the Commission realized that they were not going to work. Decision C (2004) 5271 was adopted.
• The alternative is a slightly less onerous provision.
• Effective April 1, 2005.

-14- Alternatives (Derogations) (cont’d)
Binding Corporate Rules.
• A number of business organizations lobbied for adoption of approval to transfer on the basis of Binding Corporate Rules (internal).
• Article 29 Working Party adopted Initial Binding Rules in 2003 and a checklist for such rules of 14 April
  – Approval of the binding corporate rules by a member state’s data protection authority is required.
  – Member states do not have to approve Binding Corporate Rules.

-15- Alternatives (Derogations) (cont’d)
Master Agreement
• Business groups like the International Chamber of Commerce continued to lobby for simplification and expedition.
  – Commission Staff Document SEC (2006) 95 discussed this option, but the discussion contained some of the caveats that appeared in the early discussion of Binding Corporate Rules.

-16- Anomaly
Staff Document SEC (2006) 95 tallied contractual clauses or Binding Corporate Rules notified to the Commission.
• 14 ad hoc contractual clauses or Binding Corporate Rules have been notified to the Commission.
• 64 standard contractual clauses have been notified.
  – Mostly H.R. to U.S.
  – These agreements do not have to be notified.
Safe Harbor
• 884 organizations on the Safe Harbor List (24 Feb 2006).
  – A small percentage are not current.

-17- CONCLUSION
Elaborate formal proceedings are not being implemented to comply with the limits on transmission.
Consent (26.1) or standard contractual (26.2) clauses may be used to justify transfer.
A number of entities that transfer data from the E.U. may simply be ignoring the issue.