Published by Philip Cole. Modified over 6 years ago.
1
Information Governance and Data Privacy: A World of Risk
2016 Northeast eDiscovery & IG Retreat
Panel Introduction
September 26, 2016
2
Information Governance and Data Privacy
Data Privacy Laws
  The European Union
  Other Jurisdictions
Effects on Information Governance
Effects on Discovery Compliance
3
Introduction
Realities of global enterprise information systems and infrastructure
Obstacles to cross-border flow of business information that includes “personal information” and other specific types of data
Jurisdiction-specific analyses of relevant legal considerations
4
Key Considerations
Types of data subject to privacy protections
Actions with data (including cross-border transfer) that may be limited or restricted due to data privacy laws
Interactions with government regulators and data subjects
5
Data Privacy Laws in the European Union
klgates.com
6
EU Data Protection Directive (Directive 95/46/EC)
It regulates the “processing” of “personal data” in the EU in light of seven key principles. “Processing” can include any actions upon data, including collection, storage, alteration, use, disclosure, transfer, combination, or disposal. “Personal data” broadly includes any information relating to an identifiable person.
7
EU Data Protection Directive as Implemented by Member States
Each EU nation adopted implementing legislation regarding the Directive. Accordingly, these countries vary in how they implement different aspects of the Directive. Data Protection Authorities (“DPAs”) in each country receive complaints and give advice to the government.
8
EU Data Protection Directive and Data Transfer
The Directive generally prohibits transfer of “personal data” from the EU to countries outside the European Economic Area in the absence of adequate data protection safeguards. The European Commission has determined that the US does not maintain adequate data safeguards.
9
Accomplishing Data Transfer to a Country Found to Lack Adequate Safeguards
Separate entities can enter into data transfer agreements incorporating model contract clauses regarding data protection. Transfers within a corporate entity can be accomplished pursuant to approved binding corporate rules. Data recipients were once able to comply with the EU-US Safe Harbor.
10
Safe Harbor No More: Schrems
The roughly 4,400 US entities that relied on the EU-US Safe Harbor should seek alternate means of compliance for their data transfers from the EU. Alternative means of compliance with regard to data transfers to the US may soon draw greater scrutiny from DPAs. A new “EU-US Privacy Shield” has been unveiled.
11
The Road to Schrems
September 2013: Irish DPA receives (and refuses to hear) complaint.
October 2013: Irish High Court agrees to review inaction by DPA.
July 2014: Irish High Court asks the Court of Justice of the European Union (“CJEU”) for a preliminary ruling.
September 2015: Advocate General Yves Bot issues advisory opinion to the CJEU.
October 6, 2015: CJEU ruling
12
Why Was Safe Harbor Invalidated?
The CJEU found that the US government has access to personal information “without limitation.” The CJEU also found that EU citizens could not pursue legal remedies in the US to access and correct their personal information.
13
Alternative Compliance Options: Data Transfer Agreements
These agreements must incorporate model contract clauses set forth by the European Commission. The agreements must describe the relevant data, its use and purposes, and relevant security measures. Relevant DPAs must be kept updated regarding the grounds for the data transfer.
14
Alternative Compliance Options: Binding Corporate Rules (“BCRs”)
BCRs can address a wide range of data protection issues. BCRs must be approved by the relevant DPAs. BCRs are often time-consuming and costly to adopt and implement.
15
Alternative Compliance Options: Consents from Data Subjects
Consents must be informed, explicit, and specific. Consents must be freely given and discretionary. Consents must be retractable at any time. Some consents may not be obtainable.
16
Ensuring Compliance Relating to Use of Personal Data
Consents from the data subjects can support such use. Certain uses related to legal proceedings and the provision of legal advice are exempt from the restrictions on use of such data.
17
EU-US Privacy Shield: A New Option
The European Commission has approved a new “EU-US Privacy Shield,” and organizations are now able to register under this framework.
18
EU-US Privacy Shield: Broad Outline
Heightened requirements on US companies that accept personal data from European data subjects
Limitations and transparency requirements on US governmental access to personal data from European data subjects when necessary for law enforcement and national security purposes
Redress options for European data subjects
19
EU Data Privacy: A Moving Target
Agreement on General Data Protection Regulation is expected by early 2016, with the regulation likely coming into effect in 2018. The regulation will make more entities outside the EU subject to its data privacy law, make this law more consistent across the EU, bolster data subjects’ rights, require companies to appoint Data Protection Officers, and increase potential sanctions.
20
Data Privacy Laws in Other Jurisdictions
21
Data Privacy Laws in Russia
“Personal data” is subject to Russian data privacy law, and its processing often requires notification of government authorities. There are certain exemptions to the data privacy law when the personal data (and its processing) relate to employment functions. “Personal data” is subject to a localization requirement.
22
Data Privacy Laws in China
Personal information is subject to data privacy laws and restrictions on transfer. Collection, use, and transfer of personal information to the US must be preceded by consent from the relevant data subjects. Personal information collected by certain entities cannot be transferred outside of China.
23
Data Privacy Laws in Australia
Personal information is subject to data privacy laws, although there are certain exceptions related to such information found in “employee records” within the scope of the individual’s employment. Prior to transfer of personal information, data subjects must be notified. Collection statements and privacy policies can help to provide such notifications.
24
Effects on Information Governance
25
Record Retention Issues
Requirements differ across countries (and, often, among different jurisdictions within countries). Most retention requirements in the US define minimum retention periods. Some jurisdictions’ record retention requirements, informed by data privacy concerns, state maximum retention periods.
26
Data Security Requirements
Data privacy laws in some jurisdictions require data security assurances and limitations on access to personal data. Data security standards must also meet other legal and contractual requirements.
27
Data Flows and Cross-Border Transfers
Understanding the relevant data flows within an organization is a key first step. Certain types of data transfers (and particularly cross-border transfers) can require the organization to meet additional data privacy requirements under applicable laws.
28
Effects on Discovery Compliance
29
Changes to Discovery Response Processes
“Processing” can include more than document processing, searching, and review. It can also include records preservation. Organizations should consider how to adapt certain discovery response processes to address data privacy requirements. For instance, should some screening or review to exclude personal data occur before transferring records from the EU to the US for discovery purposes?
30
Technological Support
What technologies can assist in discovery response in a way that maintains compliance with applicable data privacy laws?
31
Differing Privilege Standards
Privilege review is complicated by the potential applicability of different privilege standards across different jurisdictions.
32
Questions?