Global Security & Privacy Risks
Cross-border Data Transfer Practice Considerations
Andrew Tekippe, Corporate Counsel, Privacy & Security Legal, Oracle
Vishnu Jonnalagadda, Attorney, Epsilon
What is the big deal about cross-border transfers?
Because of modern digital communications, data, including personal information, may cross international borders and be processed and held, even temporarily, in diverse international jurisdictions. This generates concerns (among consumers, corporations and government entities alike) as to whether the level of data protection applied in a foreign jurisdiction is sufficient to meet domestic statutory or non-statutory requirements.

What are examples of cross-border data transfers?
- Physically or electronically transferring data across national borders (FTP, etc.)
- Consumer buying goods or services online
- Consumers or organizations using social media services
- Consumers or organizations using online IT applications (SaaS)
- Use of cloud-based services for hosting and infrastructure (PaaS / IaaS)
What is Personal Information?
United States
- At the federal level, defined only by industry (example: HIPAA "PHI" or GLBA "NPI").
- At the state level, generally defined as name PLUS social security number (SSN), driver's license number, credit card number or similar information.
- Recent FTC comments (Jessica Rich, Director, FTC's Bureau of Consumer Protection): "we regard data as 'personally identifiable,' and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test."

EU (& elsewhere)
- Personal data is "any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity".
- A dynamic IP address can be personal data (C‑582/14 Breyer v Bundesrepublik Deutschland, Court of Justice of the European Union (CJEU)).
What Laws Impose Obligations When Accessing, Permitting Access, or Transferring Personal Information Internationally?

In Europe, the EU Data Protection Directive generally prohibits the transfer of personal data to countries outside the European Economic Area, unless (i) the transfer is to one of the few countries with privacy laws that the EU deems as providing an "adequate level of protection"; (ii) an exemption or derogation applies; or (iii) the data exporter puts in place appropriate safeguards regarding the protection of privacy and fundamental rights.

There are few limits on the transfer of personal data outside the US (besides some state-specific restrictions on the actions of state agencies and their suppliers). But the position of the FTC and other regulators is that applicable US laws and regulations still apply to data after it leaves the US, and US-regulated entities remain liable for (i) the security and privacy of data exported out of the US and (ii) subcontractor actions in processing data overseas. The GLB Act requires a financial institution to disclose to a customer its privacy practices and provide the customer an opportunity to opt out of certain disclosures before transferring any NPI. Under HIPAA, if a business associate has signed a business associate agreement that is HIPAA compliant, and the disclosure of PHI is otherwise permitted without obtaining consent from the data subject, the agreement is generally sufficient to effect the transfer.

Some countries have laws that impose data transfer requirements similar to those found in the EU Data Protection Directive (requiring the same level of data protection in the importing country), while other countries have adopted more flexible models for cross-border data transfers that still require specific terms to be in place.

Certain countries like Russia, China, Brunei, Indonesia, Nigeria, Vietnam and now France have strong localization laws requiring companies to store and process data on servers physically located within national borders.
EU Data Transfers
- Can freely transfer personal data among EU member states and countries within the EEA (Norway, Iceland and Liechtenstein).
- Can transfer to Switzerland even though it is not a member of the EEA or the EU (because of a series of bilateral agreements with the EU). For Swiss to US transfers, the Swiss-US Safe Harbor program is still in force although its future is uncertain.
- Can transfer to third countries when no personal data is involved.
- Can transfer to third countries where a derogation or exemption exists.
- Can transfer to third countries which the Commission has determined as providing an adequate level of protection: Andorra, Argentina, Canada (to the extent subject to PIPEDA), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.
- Can transfer to third countries where the data exporter has put into place appropriate safeguards (e.g., Standard Contractual Clauses).
- Can transfer to entities belonging to the same multinational corporation if subject to Binding Corporate Rules or appropriate safeguards (SCCs).
- Can transfer to US entities which have self-certified under the Privacy Shield (adequacy decision as of July 12, 2016). If a company self-certified prior to Sept 30, 2016, such company can take advantage of a 9-month grace period for implementing the Accountability for Onward Transfer principle under Safe Harbor.
Privacy Shield Obligations for US Companies
- Annual self-certification
- Display privacy policy on website
- Reply promptly to any complaints
- For HR data: comply with EU data protection authorities' requests
- Strict enforcement by the FTC
- Redress mechanisms for European individuals:
  - Complaints to be resolved within 45 days
  - ADR free of charge
  - Option to complain to EU DPAs
  - Arbitration as last resort
  - Threat of being taken off the Privacy Shield list
- Cooperation with DPAs (FTC to work with DPAs in the context of complaints)

Privacy advocacy group Digital Rights Ireland is challenging the EU-U.S. Privacy Shield agreement. The complaint was filed last week with the EU's General Court (the lower court of the Court of Justice of the European Union) and contests the European Commission's adequacy decisions allowing companies to transfer personal data from the EU to the U.S. (by seeking annulment).
EU Data Transfers - Standard Contractual Clauses and Binding Corporate Rules
Standard Contractual Clauses (SCCs)
After the invalidation of the EU-US Safe Harbor framework (October 2015) and before the Privacy Shield, Standard Contractual Clauses were the main transfer mechanism for EU controllers to US-based controllers or to US-based processors. Even after Privacy Shield, SCCs are still requested by exporters for transfers to US importers. SCCs are also important for transfers to non-EU/EEA third parties outside the US, for intercompany transfers (to affiliates and subsidiaries) and for transfers to sub-processors and suppliers.

Binding Corporate Rules (BCRs)
BCRs create a framework of intra-corporate global privacy policies, practices, processes and guidelines that satisfies EU standards and may be available as an alternative means of authorizing transfers of personal data outside of the EU. BCRs are required to be approved by the data protection authority in each EU Member State in which the organization will rely on the BCRs. The EU has developed a mutual recognition process under which BCRs approved by one member state's data protection authority may be approved by the other relevant member states, who may make comments and ask for amendments. BCRs have become a method of showing prima facie that a corporation can comply with EU data protection requirements.
EU Data Transfers - Impact of the GDPR and BREXIT
GDPR
- The GDPR maintains the existing data transfer mechanisms created under the Directive (with minor changes).
- Under the GDPR, several transfer mechanisms will no longer require notification to, and/or authorization from, DPAs. This significantly reduces the administrative burden on organizations.
- The GDPR introduces several new transfer mechanisms, including DPA clauses, certifications, administrative arrangements and an exception for the purposes of legitimate interests.
- Transfer mechanisms such as BCRs and Codes of Conduct may become more important and accessible.

BREXIT
- There is uncertainty as to what the UK's relationship to the EU will look like after Brexit (will the UK seek membership in the EEA? will it instead have a relationship like Switzerland based on bilateral treaties? will it instead be a third country?).
- No matter what the relationship, the GDPR will govern all EU transfers to the UK. If the UK becomes a member of the EEA, then it will be obliged to fully implement the GDPR.
- The UK would no longer be a party to EU data transfer agreements with other third countries like Switzerland and the US (Privacy Shield), and so would presumably need to negotiate its own frameworks for data transfers.
Cross-Border Data Transfer Regimes Requiring a “Same Level” of Protection
Colombia, Peru, Morocco, South Africa, Lesotho, Angola, Mauritius, Turkey, Singapore, Macau, Japan, Australia, Iceland, Switzerland, Monaco, Bosnia and Herzegovina, Macedonia, Ukraine, UAE (Dubai), Israel, Trinidad and Tobago.

Common thread
- Almost all require the "same level" of protection as their own data protection laws; others have additional rules regarding security levels, transfer consent and similar attributes; exceptions apply.
- Instances of country-specific exceptions for data transfers: "unsafe" countries, with explicit consent, for performing services necessary or in the interest of the provider under contract law, or for protecting civil liberties or safeguarding public interests.
- Some countries require pre-approval by a regulating agency.

Similar data protection characteristics
- Regulatory framework includes one or more of constitutional rights, promulgated rules, adopted frameworks, regulated industry requirements, and interpretive case law.
- Define PI/sensitive PI similarly, with the former concerning identification and the latter concerning sensitive characteristics (e.g. race/ethnicity, health, financial, religion, politics, sexual orientation, etc.).
- Have provider disclosure and consent requirements in connection with collection, processing, and transfer of PI/sensitive PI (many requiring express consent for sensitive PI), with certain exceptions.
- Have provider access, correction, and opt-out requirements.
India as an Example of a Jurisdiction Requiring the “Same Level” of Protection
- Information Technology Act 2000: specific provisions to protect electronic data generally.
- Information Technology Rules (aka Privacy Rules): regulates entities that collect, process or store personal data, including sensitive personal information.
- Personal data is any information that relates to a natural person which, either directly or indirectly, in combination with other information that is available or likely to be available to a corporate entity, is capable of identifying such person.
- Sensitive PI: password, financial information (bank/credit/debit), physical/physiological/mental health condition, sexual orientation, medical records, biometrics.
- Under the Privacy Rules, the data exporter must obtain provider consent before transfer of PI/sensitive PI and can only transfer to entities (within India and international) that have the same level of data protection as the Privacy Rules. It is generally accepted that the U.S. has the same level of protection and that the EU has stricter protection.
- Exemption: if necessary to perform under an agreement with the provider.
- Agreement requirements: indemnification for third-party breach; who has access and the purpose of the data transfer; specify a secure mode of transfer.
Other Approaches to Cross-Border Data Transfer Restrictions
- Canada: follows PIPEDA rules for cross-border transfers.
- Mexico: with provider consent, but exempt from the requirement if the transfer is pursuant to a law/treaty to which Mexico is party, necessary for medical care, made to affiliates (within the same group), necessary to perform under a contract between the parties in the interest of the provider, or necessary to safeguard the public interest or to administer justice.
- Chile: considers data transfers as "treatment" of data (similar to the processing definition under EU law); no particular transfer rules, but implies that a "same level" of data protection is required, with heavy focus on consent for "treatment" (consent exceptions).
- Argentina: "legitimate interests of the transferring and receiving parties" with provider consent (consent exceptions).
- Uruguay: same "legitimate interest" requirement as Argentina but also same level of protection (but then there is an exception for transfer to unsafe countries if consent, contractual clauses providing the same level of protection, or self-regulated systems).
- Ghana: no specific rules, but criminal imprisonment or fines for knowingly or recklessly disclosing personal data in violation of its Data Protection Act, 2012; Egypt also makes it a crime to transfer in violation of its Civil Code without consent.
Other Approaches to Cross-Border Data Transfer Restrictions (Cont’d)
- Madagascar: if the transferee country guarantees a sufficient level of individual privacy protection and fundamental rights and liberties (multi-faceted approach), with exceptions if not.
- Nigeria: same level of protection, but localization for telecommunication subscriber information.
- New Zealand and Seychelles: do so at your own risk of receiving a transfer prohibition notice in contravention; Taiwan has a similar claw-back.
- Malaysia: exclusively decided by the Minister for specific countries.
- Philippines: PI freely transferable; sensitive PI not allowed.
- Serbia: in general, freely transferable to EU member countries; otherwise government pre-approval is needed.

On the other end, some countries do not have specific cross-border transfer restrictions: UAE (general), Zimbabwe, Indonesia, Thailand, South Korea, Hong Kong, Cayman Islands, Venezuela, British Virgin Islands, Honduras, Costa Rica, Belarus, provided the transferor is in compliance with domestic data protection, constitutional and civil laws. Saudi Arabia is similar but subject to Islamic Shari'a law.

At a minimum, unless subject to localization or expressly barred, it is always advisable to obtain provider consent specific to cross-border data transfer, identifying what data, to whom, and for what purposes, and identifying opt-out mechanisms.
Data Localization Regimes
Russia
"When collecting personal data, including by means of the information and telecommunication network 'Internet', the operator must provide the recording, systematization, accumulation, storage, adjustment (update, alteration), retrieval of personal data of citizens of the Russian Federation with the use of databases located in the territory of the Russian Federation…"

France
The Digital Bill as voted for by the French Senate on 3 May 2016 includes a data localization provision: "Data shall be stored in a data center located within any EU Member State territory, without prejudice to international agreements to which France and the EU are parties. They cannot be subject to a transfer to a third country". The Bill's data localization provision may be incompatible with Article 44 of the GDPR and perhaps the current Data Protection Directive 95/46, as it places stricter requirements on the transfer of personal data outside of the EU than provided for under those documents.

China
Personal data of Chinese citizens that is handled in information systems by private sector organizations can be transferred outside of China provided that explicit consent is obtained from data subjects (or if express authorization from relevant authorities is obtained, or specific laws permit the transfer). This is set out in a guideline drafted under the guidance of the Ministry of Industry and Information Technology so that, while not legally binding, the Chinese authorities encourage compliance as a base standard. Some Chinese industry regulators do prohibit the offshore transfer of certain personal data (financial information and healthcare information). Personal data constituting "state secrets" should not be transferred outside of China.

The draft PRC Cyber Security Law, issued in July 2015 (currently in the second reading), requires "key information infrastructure operators" to store Chinese citizens' personal information and other important data gathered and produced during operations within the PRC.