1
International Regulatory Trends
Daily Journal Professional Education Cyber Boot Camp, January 12, 2017
Brian Michael, 21st Century Fox, Fox Networks Group
Timothy J. Toohey, Greenberg Glusker Fields Claman & Machtinger LLP
Dr. Kai Westerwelle, Taylor Wessing (US) Inc.
Moderator: Tanya Forsheit
2
Agenda
Privacy in Historical Context – EU v. US
EU-US Cross-Border Data Transfers
EU General Data Protection Regulation (GDPR)
Russia
Asia
Latin America
The Future?
3
EU v. US Privacy in Perspective
4
Privacy in Historical Context
5
EU-US Cross-Border Data Transfers
6
Background
The Safe-Harbor Framework, The Schrems case
7
Adoption of Privacy Shield
July 12, 2016 – Commission adopted
Privacyshield.gov opened for business August 1, 2016
8
Principles
Notice
Choice
Accountability for Onward Transfer
Security
Data Integrity and Purpose Limitation
Access
Recourse, Enforcement, Liability
Supplemental Principles
9
Alternative Transfer Mechanisms
Model clauses
  Controller to Processor
  Controller to Controller
Binding Corporate Rules (BCRs)
10
GDPR
11
General Application
Do you process personal data in the context of activities of an establishment in the EU?
Do you process data of data subjects in the EU and does the processing relate to:
(a) the offering of goods or services to those data subjects; or
(b) the monitoring of those data subjects’ behavior as far as their behavior takes place in the EU?
12
Principles
Process personal data lawfully, fairly, and in a transparent manner.
Collect personal data for specified, explicit, and legitimate purposes.
Personal data should be adequate, relevant, and limited to what is necessary.
Keep personal data accurate and erase or rectify inaccurate personal data without delay.
Keep personal data for no longer than is necessary for the purposes for which it is processed.
Protect and use appropriate measures to securely process personal data.
13
Basis for Processing
Consent
Legitimate Interest
Contractual Necessity
Other Lawful Grounds
Special Categories
14
Data Subject Rights
Transparency
Access
Rectification
Erasure
Right to Be Forgotten
Restrict Processing
Object
Data Portability
Data Profiling Rights
15
Policies and Procedures
Data Protection Officer (DPO)
Record Keeping
Privacy by Design and by Default
Data Protection Impact Assessments
Written Contracts between Controllers and Processors
Data Security Measures
Data Breach Response
International Data Transfers
16
Enforcement
Member State Courts and DPAs
Administrative fines up to $20 million EUR; or 4% of the total worldwide annual turnover of the preceding fiscal year, … whichever is higher
17
Russia
18
Russia
Data localization regulation and enforcement
Cybersecurity issues
19
Asia A Few Recent Developments
20
Japan
Personal Information Protection Act (“PIPA”) amendments will come into force on 30 May 2017.
Restrictions on data transfers associated therewith.
21
China
National People's Congress passed the cybersecurity act in November 2016
Will come into force June 1, 2017
Impact on data transfers and cybersecurity
22
Latin America A Sampling of Regulations
23
Argentina
“Adequate” for EU purposes
New development 2016: European-style Model Clauses
24
Mexico
Federal Law on the Protection of Personal Data held by Private Parties
Regulations under the Federal law issued 5 years ago
Specific data security requirements, including for vendor relationships
Short Form Privacy Notices
25
The Future?
26
The Future
Impact of new US Administration
Impact of Brexit
What to expect from regulators around the globe going forward?