
EU-US Data Transfers for Payroll:

Presentation transcript:

1 EU-US Data Transfers for Payroll: What now?
Thursday, October 6th 2016

2 Agenda
- Introduction
- EU Data Protection Rules: Current and New
- Data Transfer: The EU-US Privacy Shield
- Questions & Answers

3 EU Data Protection Rules Current and New

4 New EU Data Protection Rules (1)
- The General Data Protection Regulation (GDPR) takes effect on May 25, 2018, replacing Data Protection Directive 95/46/EC, the basis of all EU data protection laws to date
- Aim of consistency: as a Regulation it applies directly, without national implementing legislation, although there is scope for Member States to legislate on certain matters (e.g. derogations/exemptions)
- Applies to organisations that have an EU "establishment" and process data in the context of the activities of that establishment
- Non-EU organisations are subject to the GDPR if they:
  - process data in connection with offering goods or services to individuals in the EU; or
  - monitor the behaviour of individuals in the EU (e.g. tracking and creating profiles)
- Mere accessibility of a website is not sufficient, but use of an EU language or the ability to place orders will be relevant
- Easier to demonstrate that EU rules apply: no more reference to the use of "equipment" in the EU

5 New EU Data Protection Rules (2)
New concepts:
- Transparency and consent: consent must be unambiguous and cannot be assumed from inaction (opt-in)
- Regulated data: the definitions of Personal Data and Sensitive Data have been expanded
- Pseudonymisation: a privacy-enhancing concept; data are processed so that they can no longer be attributed to an individual without additional information, and that additional information is held separately
- Personal data breach notification obligations
- Enhanced data subject rights: right to be forgotten, data portability
- Supervisory authorities and a new body, the European Data Protection Board (EDPB); a single point of contact (lead supervisory authority) for multinational groups
- Accountability: controllers must be able to demonstrate compliance
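As an added illustration (example code written for this transcript, not part of the original slides), the pseudonymisation concept above applied to a payroll export: directly identifying fields are replaced by a keyed token and kept in a separate store on the EU side, so the rows that leave the EEA cannot be attributed to an employee without that store and the key. The record layout, the field names and the 32-byte HMAC key are assumptions made for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample payroll records for the example (fictional people, fake IBANs).
PAYROLL_RECORDS = [
    {"employee_id": "E-1001", "name": "Anna Example", "iban": "DE00 0000 0000 0000 0000 01",
     "gross_pay": 4200.00, "country": "DE", "period": "2016-09"},
    {"employee_id": "E-1002", "name": "Ben Sample", "iban": "FR00 0000 0000 0000 0000 0002",
     "gross_pay": 3900.00, "country": "FR", "period": "2016-09"},
]

# Fields that directly identify the employee; these never leave the EU side.
IDENTIFYING_FIELDS = ("employee_id", "name", "iban")


def make_token(employee_id: str, key: bytes) -> str:
    """Keyed pseudonym for an employee ID (HMAC-SHA256, hex encoded).

    Deterministic, so the same employee maps to the same token across payroll
    runs, but not reversible without the key. A plain unkeyed hash would be
    unsuitable here: IDs like "E-1001" are predictable and could simply be
    enumerated and hashed to re-link the tokens.
    """
    return hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> tuple:
    """Split each record into two parts.

    Returns (exported, vault):
      exported - payroll rows carrying only a token plus the non-identifying
                 fields; this is what would be transferred to a US processor.
      vault    - token -> identifying fields, the "additional information"
                 that must be kept separately under the EU controller's own
                 access controls.
    """
    exported, vault = [], {}
    for rec in records:
        token = make_token(rec["employee_id"], key)
        exported.append(
            {"token": token, **{k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}}
        )
        vault[token] = {k: rec[k] for k in IDENTIFYING_FIELDS}
    return exported, vault


def reidentify(row: dict, vault: dict) -> dict:
    """Reverse the split on the EU side; only possible with access to the vault."""
    payload = {k: v for k, v in row.items() if k != "token"}
    return {**vault[row["token"]], **payload}


def contains_direct_identifiers(rows: list) -> bool:
    """Pre-transfer check: does any row still carry a directly identifying field?"""
    return any(field in row for row in rows for field in IDENTIFYING_FIELDS)


if __name__ == "__main__":
    # Assumed for the example: in practice the key lives in an HSM/KMS on the EU
    # side and is never shipped together with the exported rows.
    key = secrets.token_bytes(32)
    exported, vault = pseudonymise(PAYROLL_RECORDS, key)
    for row in exported:
        print(row)
    print("identifiers in export:", contains_direct_identifiers(exported))
    print(reidentify(exported[0], vault))
```

The design point is the separation: the exported rows, the vault and the key are three different custodies, and only the party holding all of them can attribute a payroll row to a person. Run `contains_direct_identifiers` on the dataset that is actually about to leave the EEA, not on the source table, since it is the export that has to be free of direct identifiers.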

6 Consent: higher standard
- New restrictions on use of the "legitimate interests" ground
- Prohibition on bundled consent; separate consents for each activity
- Consent must be as easy to withdraw as it was to give
- Clear grounds for lawful processing are required; contractual necessity remains valid

7 Access and portability
Data subjects may now request:
- The purpose of the processing
- The categories of data being processed
- The recipients of the data
- The intended retention period
- Their rights of rectification
- The source of the data (if not the data subject)
- Any automated decision making

8 Right to be forgotten (erasure)
A new right to have data erased in certain circumstances, including:
- When the data are no longer necessary for the purpose for which they were collected or processed
- When the individual withdraws consent to the processing
The general catch-all allowing erasure requests wherever data are "unlawfully" processed is potentially onerous.

9 Data Governance under GDPR
In addition to new obligations for processors:
- New criteria for the EU Commission to assess the adequacy of the level of data protection in a non-EU country
- Binding Corporate Rules (BCRs) are specifically included in the General Data Protection Regulation (GDPR)
- New data transfer mechanisms
- Potential penalties for non-compliance: up to €20M or 4% of global annual turnover, whichever is higher

10 Breach and notification
- Data controllers and data processors are now subject to a general personal data breach notification regime
- Data processors must report personal data breaches to the data controller without undue delay
- Data controllers must report personal data breaches to the supervisory authority following the specific GDPR provisions: without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals; affected individuals must also be informed where the breach is likely to result in a high risk to them
- Data controllers must maintain an internal breach register documenting each breach, its effects and the remedial action taken

11 Data Transfer: EU/US

12 Current EU Data Transfer Rules
EU-US Data Transfers: What Now?
- Prohibition of data transfers from the European Economic Area (EEA) to "non-adequate" countries
- The EU Commission (EUC) considers only these countries "adequate": Andorra, Argentina, Canada (commercial organisations subject to PIPEDA), Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay

13 Legal uncertainty since Schrems
2013
- Following the Snowden revelations, Max Schrems files a complaint with the Irish DPA regarding Facebook's data transfers under Safe Harbor (June)
- 13 recommendations by the EUC to improve Safe Harbor and beginning of EU-US negotiations (November)

14 Legal uncertainty since Schrems
2015
- (October) The EU Court of Justice invalidates the EUC's Safe Harbor adequacy decision (Schrems, C-362/14)
- High threshold set for adequacy decisions, with possible impact on other data transfer mechanisms
- Each EU DPA may examine complaints and suspend transfers even where an adequacy decision exists
- 4,000+ US companies had to implement alternative data transfer mechanisms

15 Legal uncertainty since Schrems
2016
- EUC adopts adequacy decision on the new EU-US Privacy Shield (July)
- US companies can sign up for the Privacy Shield (August)
- Risk of legal challenges by EU DPAs and privacy activists
- ...and a current case before the Irish courts regarding the validity of the Standard Contractual Clauses

16 Future EU Data Transfer Rules
2018 (May 25th):
- New criteria for the EUC to assess whether the level of data protection in a non-EU country is adequate
- Binding Corporate Rules (BCRs) are specifically included in the new GDPR
- New derogation of limited scope: compelling legitimate interests of the controller

17 Future EU Data Transfer Rules
- New obligations for data processors
- No authorization required for EUC and DPA Standard Contractual Clauses
- Internal documentation requirement and obligation to include information about data transfers in the privacy notice
- Potential penalties for non-compliance: up to €20M or 4% of global annual turnover, whichever is higher

18 New EU Data Transfer Rules
- Adequacy decisions
- Appropriate safeguards:
  - Binding Corporate Rules (BCRs)
  - Standard Contractual Clauses (SCCs)
  - Approved codes of conduct and certification mechanisms with binding commitments
  - "Ad hoc" contractual clauses authorized by DPAs
- Derogations:
  - Consent
  - Performance of a contract
  - Public interest
  - Legitimate interests of a controller (with limitations)

19 Future EU Data Transfer Rules: Safeguards
- Adequacy decisions adopted by the EUC (e.g. the Privacy Shield)
- In the absence of an adequacy decision, appropriate safeguards:
  - Binding Corporate Rules (BCRs)
  - Standard Contractual Clauses
  - Approved codes of conduct and certification mechanisms with binding commitments
  - "Ad hoc" contractual clauses authorized by DPAs

20 Future EU Data Transfer Rules: BCRs
1. BCRs:
- Explicit recognition in the GDPR
- Also available to companies that are not part of the same corporate group but are engaged in a joint economic activity
- List of minimum requirements included in the GDPR

21 Future EU Data Transfer Rules: SCCs
(1. BCRs: see previous slide)
2. EUC's Standard Contractual Clauses: do not require DPA authorization
3. DPA's Standard Contractual Clauses: approved by the EUC
4. "Ad hoc" contractual clauses: authorized by the DPA
5. Approved codes of conduct and certification mechanisms, together with binding and enforceable commitments

22 Future EU Data Transfer Rules: Derogations
In the absence of an adequacy decision or appropriate safeguards:
- Consent
- Performance of a contract
- Public interest
- Legitimate controller interests (with limitations)

23 EU-US Privacy Shield

24 EU-US Privacy Shield: Overview
- Voluntary self-certification mechanism, which must be renewed on a yearly basis
- Companies must publicly disclose their commitment to comply with the Privacy Shield
- The DoC maintains a list of certified companies and a list of formerly certified companies (together with the reasons for removal)
- Subject to the enforcement powers of the FTC (or DoT)
- Built on the skeleton of Safe Harbor (Principles and FAQs), but:
  - Introduces new definitions
  - Substantially tightens certain core restrictions
  - Creates new recourse mechanisms
  - Regulates access by US public authorities to EU personal data

25 EU-US Privacy Shield: Notice
Elements to include in privacy policies:
- Participation in the Privacy Shield and a link to the Privacy Shield List
- Types of personal data collected and purposes of the data collection and use
- Affiliates and subsidiaries adhering to the Privacy Shield
- Commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield
- Contact details for inquiries and complaints, including any EU establishment that can respond to complaints
- Categories or identity of data recipients and purposes of data disclosures

26 EU-US Privacy Shield: Notice
Elements to include in privacy policies (continued):
- Individuals' right of access and individuals' choices
- Independent dispute resolution body (and whether it is the EU DPAs Panel, or an ADR provider in the EU or the US)
- Confirmation of the jurisdiction of the FTC / DoT
- Possibility for individuals to invoke binding arbitration
- Requirement to disclose personal data in response to lawful requests by public authorities, including for national security and law enforcement purposes
- Liability in case of onward transfers to third parties

27 EU-US Privacy Shield: Choice
EU Commission's Guide to the Privacy Shield:
- Use for an incompatible purpose is not permitted
- The Choice Principle applies to use for a new purpose that is materially different from, but still compatible with, the original one: individuals must be offered an opt-out
- Triggers the need for internal policies/procedures that ensure individuals are provided with opt-out mechanisms

28 EU-US Privacy Shield: Accountability for onward transfer
- More detailed rules on onward transfers to a third-party controller
- Conclude an agreement requiring the third-party controller to:
  - Process the data only for limited and specific purposes consistent with the purpose of collection
  - Protect the data with the same level of protection as provided by the Privacy Shield Principles
  - Notify the Privacy Shield company if it can no longer meet the latter obligation, and stop processing or take other reasonable steps to remediate

29 EU-US Privacy Shield: Security
- Higher threshold for security measures
- Companies must take "reasonable and appropriate" measures (instead of "precautions") to protect data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data
- Closer to the security requirements of the current EU Data Protection Directive
- Triggers the need to review data security policies/procedures

30 EU-US Privacy Shield: Data integrity and purpose limitation
- Broadly similar to Safe Harbor, but adds the concepts of purpose limitation and data retention
- Data integrity: data must be reliable for its intended use, accurate, complete and current
- Purpose limitation: obligation to limit the data to what is relevant for the purpose of processing

31 EU-US Privacy Shield: Data integrity and purpose limitation (continued)
- Three-step assessment of a new purpose:
  - Incompatible purpose: prohibited unless specific authorization is obtained (i.e. treated as new processing)
  - Materially different but compatible purpose: an opt-out must be offered
  - Linked and compatible purpose: permitted without a further choice
- Data retention: information may be retained in an identifiable form only as long as it serves the purpose of the collection
- A company must protect the data in accordance with the Principles for as long as it retains the data
- Triggers the need for internal data handling and data retention policies/procedures

32 EU-US Privacy Shield: Access
- Similar but more detailed principle; the right of access is generally stronger
- Individuals must have access to their personal data and be able to correct, amend or delete it when it is inaccurate or has been processed in violation of the Principles
- Close to EU data protection law:
  - Confirmation of whether or not the organization is processing personal data, including information on the categories of data, the purpose of processing and the categories of recipients
  - Communication of the data so that individuals can verify its accuracy and the lawfulness of the processing
  - Correction, amendment or deletion of data that is inaccurate, outdated or processed in violation of the Principles

33 EU-US Privacy Shield: Access
Modalities:
- Obligation to make good faith efforts to comply with individuals' access requests
- Timeframe: within a reasonable time period
- Format: in a reasonable manner and in a form that is readily intelligible to the individual
- Individuals do not have to justify requests for access to the company (unless the request is too broad or vague)
- Possibility to charge fees (not excessive)
- Any denial of or limitation to the right of access has to be necessary and duly justified

Exceptions:
- The burden or expense of providing access would be disproportionate
- Confidential commercial information
- Violation of third parties' rights
- Breach of a legal or other professional obligation; prejudicing employee security investigations
- Confidentiality requirements
- Conflict with legal obligations

34 EU-US Privacy Shield: Recourse, enforcement and liability
1. Verification mechanism: self-assessment or outside compliance review
- Content is specified (conformity of the privacy policy, information on the complaint-handling procedure, training and disciplinary sanctions, periodic objective reviews, statement signed by a corporate officer)
- Outside compliance review can rely on auditing, random reviews, use of "decoys" or technology tools
- Obligation to maintain records on the implementation of Privacy Shield privacy practices

35 EU-US Privacy Shield: Recourse, enforcement and liability (continued)
2. Independent recourse mechanism: three ways to satisfy the requirement:
- Private sector privacy programs with an effective enforcement mechanism
- Compliance with legal or regulatory supervisory authorities
- Commitment to cooperate with the EU DPAs
Must be readily available, at no cost to the individual, and resolve complaints expeditiously; selected by the company prior to self-certifying.

36 EU-US Privacy Shield: Recourse, enforcement and liability (continued)
- Remedies: the non-compliance is reversed, future processing is brought into conformity and the violation stops; may include publicity for findings of non-compliance, deletion of data and compensation for individuals
- Failure to comply with a ruling of the dispute resolution body must be notified to the DoC and the FTC / DoT / courts
- Organizations and their independent recourse mechanism must respond promptly to DoC requests and to complaints referred by EU DPAs via the DoC
- The privacy notice must include information about the independent dispute resolution body
3. Obligation to remedy problems arising out of non-compliance

37 EU-US Privacy Shield: What now?
- Assess which data transfer mechanism(s) is (are) the most suitable for your business
- Many companies follow a belt-and-suspenders approach (SCCs, BCRs, Privacy Shield)
- The Privacy Shield is a workable data transfer mechanism
- Pros:
  - The Privacy Shield is a better fit for certain companies' data flows (e.g. B2C data transfers)
  - Many tech companies will certify to the Privacy Shield or have already done so
  - Certifying to the Privacy Shield provides a greater opportunity to handle complaints under customary rules

38 EU-US Privacy Shield: What now?
Cons:
- Possible additional compliance obligations
- Likely legal challenge in the EU, but the same is true for the SCCs, which are currently being challenged by Schrems before the courts in Ireland (a challenge would take time; the political context around the Privacy Shield is different)
- May suffer a lack of trust from certain EU business customers

39 EU-US Privacy Shield: Tips
- Review your privacy policy
  - Make sure to include all required information
  - Use the policy as a tool to assess compliance with the 7 Principles and the 16 Supplemental Principles
  - The DoC reviews privacy policies before listing companies
- Select an ADR (i.e. a US or EU ADR provider, or the EU DPAs) and register with the ADR as applicable
- Prepare/update inward-facing policies, procedures and processes to comply with the Privacy Shield requirements
- Review contract language with customers and sub-processors
- Prepare the certification form, complete it online and certify
- Focus on the verification principle and document compliance
  - Prepare for stronger enforcement than under Safe Harbor
- Stay up to date with developments related to the Privacy Shield, as it may change within a year

40 Any Questions?

41 Thank you for listening
Melissa Harkcom Director, North America

