General Data Protection Regulation: A Primer for U.S. Companies

1 General Data Protection Regulation: A Primer for U.S. Companies
The European Union General Data Protection Regulation: A Primer for U.S. Companies (February 21, 2018)

2 U.S. Privacy Framework
Segmented by industry (e.g., HIPAA, GLBA, FISMA). Established data breach procedures and legislation. Increasing state data security requirements.

3 EU Data Protection Directive 1995
Adopted by the EU Parliament and the Council of the European Union on Oct. 24, 1995. A “Directive” sets goals that Member States must meet, but each Member State decides how to devise legislation to achieve those goals. Member States had a three-year period to adopt implementing legislation. Designed to protect the privacy rights of natural persons with respect to the processing of their personal data. Generally applies to entities that (1) are established in one or more Member State(s); and (2) process personal data (whether or not the processing takes place in the EU). Restricted transfers outside of the EU unless the transfer is made to an “Adequate Jurisdiction”, the data exporter has implemented a lawful data transfer mechanism (e.g., model clauses), or an exemption applies (e.g., consent).

4 Issues and Gaps in 1995 Directive
Wide differences among EU Member States with regard to enforcement. Data Protection Authorities (“DPAs”) in different Member States frequently imposed different requirements with respect to the same processing and transfer activities. Did not require data breach notification. Liability of downstream “processors” was not clearly addressed. Remedies for violations of the 1995 Directive were determined at the Member State level, but fines were generally less than €1 million.

5 EU General Data Protection Regulation (“GDPR”)
Approved by the EU Parliament on April 14, 2016. Enforcement begins on May 25, 2018. A “Regulation” is a binding legislative act (i.e., Member States must apply it in its entirety). Intended to harmonize data privacy laws across the EU. Created the European Data Protection Board, designed to ensure consistency of interpretation and enforcement of the GDPR. Contains significant changes from the 1995 Directive.

6 GDPR: Key Terms
“Personal data” is data relating to an identifiable natural person; an identifiable natural person is a person who can be identified, in particular by reference to: a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. “Controller” is a person or entity that determines the purposes and means of processing personal data. “Processor” is a person or entity that processes personal data on behalf of the Controller. “Processing” means any operation performed upon personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment or combination, restriction, erasure or destruction.

7 GDPR: Key Terms
“Data Protection Impact Assessment” or “DPIA” is an assessment of the impact of processing operations on the protection of personal data. A DPIA is required where processing is likely to result in high risk to data subjects (e.g., a hospital processing patients’ health data; an employer monitoring employee workstations/internet activity; use of CCTV to monitor behavior). A DPIA must include a description of the proposed processing operations and purposes; an assessment of the necessity/proportionality of the processing and the risks to the data subjects; and the measures to address those risks and demonstrate compliance with the GDPR.
“Data Protection Officer” or “DPO” is the person appointed by the controller or processor who is responsible for ensuring the entity complies with applicable data protection obligations. A DPO must be appointed if the controller or processor: engages in regular and systematic monitoring of data subjects on a “large scale”; or processes, on a “large scale”, sensitive personal data (e.g., data relating to race/ethnicity, political opinions, religious beliefs, trade union membership, physical/mental health, sex life, genetic data, criminal convictions/offenses).

8 GDPR: What is Covered?
The GDPR applies to the processing of personal data by: automated means (e.g., a computerized system); and non-automated means that form part of a relevant filing system.

9 Territorial Scope – EU Establishment
GDPR Art. 3(1): “applies to the processing of personal data in the context of activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not.” “Establishment” can include branches or subsidiaries in the EU. Does the U.S. entity have any commercial connection to a local entity? Similar to Article 4(1)(a) of the 1995 Directive. CJEU precedent on establishment: use of a website in the native language, advertising property in a Member State, use of a local agent, use of a local address and bank account. Google Spain decision (right to be forgotten): the U.S. parent, Google Inc., was “established” in the EU because its search activities were connected with (financed by) Google Spain’s advertising sales; the search activities were “in the context of” Google Spain’s activities.

10 Territorial Scope: Offering Goods and Services to EU Data Subjects
GDPR Art. 3(2): “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to a. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union.” Insufficient: the mere fact that an EU data subject can access a U.S. company’s internet site from the EU. Could be sufficient: offering goods or services in an EU language or currency, a telephone number with an international dialing code, paying for inclusion in search engines accessed from a particular Member State, use of a Member State’s top-level domain name (e.g., .de for Germany), referencing customers or users from the EU. There must be an intent to draw EU consumers.

11 Territorial Application: Monitoring EU Residents
GDPR Art. 3(2): “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: … b. the monitoring of their behavior as far as their behavior takes place within the Union.” Monitoring may include the tracking of EU residents online (creating profiles of individuals that track their behaviors and attitudes) in order to analyze or predict personal preferences.

12 Territorial Application: Public International Law
GDPR Art. 3(3): “applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.” The Recitals give the example of a diplomatic mission or consular post. How will this be used?

13 GDPR: Data Protection Principles
Processing must be done in a lawful, fair and transparent manner. Personal data may only be collected for specified, explicit and legitimate purposes and may not be processed for any incompatible purposes. Personal data must be adequate, relevant and limited to what is necessary in relation to its processing purposes. Personal data must be accurate and current. Personal data must be kept for no longer than is necessary. Personal data must be processed in a secure manner. The Controller is responsible for, and must be able to demonstrate, compliance with these principles.

14 GDPR: Lawful Basis for Processing
There must be a lawful basis for processing personal data, such as: consent of the data subject (not always straightforward under the GDPR); the processing is necessary for the entry into, or performance of, a contract with the data subject; the processing is necessary for compliance with an obligation under EU or Member State law; the processing is necessary to protect the vital interests of the data subject or another person (i.e., protection from death or injury); the processing is necessary for the public interest; or the processing is necessary for the legitimate interests of the Controller (e.g., HR administration, information security).

15 GDPR: Key Rights of Data Subject
The data subject must generally be informed about the key facts of data processing. The data subject has the right not to be subject to a decision based solely on “automated processing” (AI tools can fit into this category). Controllers must, within one month of a request from the data subject, provide certain information (e.g., location of data processing, source of data, right to correct data). Data subjects have the right to have their data erased in certain cases (e.g., the data is no longer necessary for the purposes for which it was collected, or the data subject revokes consent where consent provided the basis for processing). Data subjects can demand transfer of their personal data to another party in certain instances (e.g., the data was originally provided by the data subject to the Controller or is processed on the basis of consent).

16 GDPR: Key Obligations of Data Controllers
Must be able to demonstrate compliance with the Data Protection Principles. Must implement appropriate technical and organizational measures to ensure, and to demonstrate, compliance with the GDPR. With a joint Controller, must allocate data protection compliance responsibilities with that other Controller and must make the key aspects of that allocation available to data subjects. Non-EU Controllers must appoint a representative within the EU (unless processing is small-scale and infrequent and does not involve access to “sensitive” data). Controllers must have written agreements in place with any Processors.

17 GDPR: Additional Responsibility & Liability for Processors
The GDPR, unlike the 1995 Directive, imposes direct liability on both Controllers and Processors. If the Processor does not believe it can comply with the Controller’s instructions and the GDPR, it must inform the Controller. Processors must protect the confidentiality and security of data (e.g., encrypt data, test their security measures). Cross-border transfer obligations apply to onward transfers by the Processor. If the Processor makes its own decisions regarding processing, it may be treated as, and have the liability of, a Controller in respect of that processing activity. Data subjects can bring claims directly against Processors.

18 GDPR: Cross-Border Transfers
Personal data transfers outside of the EU are generally restricted, unless: the transfer is made to a jurisdiction deemed “adequate” by the EU Commission (the U.S. is not adequate); safeguards are in place to ensure “adequacy”; or an exemption (derogation) applies.

19 GDPR: EU – U.S. Privacy Shield
The U.S. is not on the list of “Adequate Jurisdictions” provided by the EC. The EU-U.S. Safe Harbor was overturned by Schrems and has effectively been replaced by the EU-U.S. Privacy Shield. Compliance with Privacy Shield is deemed by the EU Commission to be an “adequate” means of data protection. Effective August 1, 2016; applies to companies regulated by the DOT or FTC. Must self-certify on the Commerce Dept. Privacy Shield website and publish a privacy policy affirming the Privacy Shield Principles. Must agree to a recourse mechanism (i.e., ADR or a DPA). Special rules apply to HR data transfers under Privacy Shield. Subject to annual review by the EU to avoid another Schrems; expect revisions. The November 2017 Art. 29 Working Party report was based on the annual review: changes need to be made by the U.S. by May 2018, or deficiencies will be referred to the CJEU.

20 GDPR: Transfers Pursuant to Model Clauses
Standard form approved by the EU Commission. Generally not negotiable. Advance approval from DPAs is no longer needed. May be subject to a Schrems-type challenge.

21 GDPR: Transfers Pursuant to Binding Corporate Rules (BCRs)
Subject to approval by a Data Protection Authority, but once approved, no further DPA approval is required for personal data transfers made under the BCRs. BCRs: apply to transfers within a corporate group; must be legally binding on the group companies; must specify the purposes of the transfer and the affected categories of data; EU-based data exporters must accept liability on behalf of the entire group; and there must be mechanisms to audit compliance.

22 GDPR: Transfer Exceptions and Derogations
Codes of Conduct/Certifications: new under the GDPR. Falls under Art. 45 as “adequate” because it requires assurances of appropriate safeguards.
Derogations (8): WP Guidance makes clear they will be narrowly construed because they do not provide adequate safeguards.
Explicit consent: the data subject gives explicit consent to the transfer after being informed of the possible risks of such transfer because of the lack of safeguards.
Contract fulfillment (2): an occasional transfer is necessary for the performance of, or entry into, a contract between the data subject and the Controller, or for the conclusion or performance of a contract concluded in the interest of the data subject between the Controller and a third person.
Necessary for legal claims: an occasional transfer is necessary for the establishment, exercise or defense of legal claims. But be aware of Member State blocking statutes.
The 4 other derogations are: (1) the transfer is necessary for important reasons of public interest (e.g., information exchange between countries for the purpose of tracing contagious diseases); (2) the transfer is necessary in order to protect the vital interests of the data subject or other persons where the data subject is legally or physically incapable of giving consent (e.g., a patient is unconscious outside of the EU and only an EU doctor is able to supply the data); (3) the transfer is made from a public register; (4) compelling legitimate interests (new; a last resort; cannot be overridden by the interests, rights or freedoms of the data subject; the data subject and the supervisory authority must be informed). Derogations 1-3 need not be occasional; derogation 4 (legitimate interests) must be occasional. The Article 5 requirements must still be followed (i.e., data minimization, purpose limitation, rights of access/correction, protections: can the data be anonymized or pseudonymized?).
Discovery will continue to be tricky: an order or request from third-country authorities or courts will not be a legitimate ground for data transfer, and the WP guidance recommends that EU companies should refuse such direct requests for data if there is an international agreement or mutual legal assistance treaty (Hague Convention).

23 GDPR: Special Issues on Employees
Member State law can still impose additional rules with respect to processing employee/HR data. Processing employee data on the basis of consent may be difficult: if there is a “clear imbalance” between the Controller and the data subject, it is assumed that the data subject’s consent is not freely given. Collective bargaining/“works” agreements may provide for special rules on processing employee data.

24 GDPR: Data Breach
The GDPR, unlike the 1995 Directive, requires the Controller, “where feasible”, to provide notice of a personal data breach to the DPA within 72 hours after becoming aware of the breach. If the data breach is likely to result in a high risk to the rights of persons, the Controller shall communicate the breach to the data subject “without undue delay”. The Processor shall notify the Controller “without undue delay” after becoming aware of a data breach. Note: the GDPR does include a risk-of-harm test.

25 GDPR: One-Stop Shop
Organizations with multiple establishments in EU Member States, or carrying out processing “substantially affecting” data subjects in multiple states, may be subject to regulation by a lead DPA. The DPA for the jurisdiction where the Processor or Controller has its “main establishment” in the EU will be the lead DPA. The lead DPA will have primary oversight over the cross-border data activities of the entity.

26 GDPR: Administrative Fines
Administrative fines for certain violations of the GDPR can be up to the greater of: €20 million; or 4% of the worldwide “turnover” (i.e., revenue) of an “undertaking” for the preceding financial year.

27 GDPR & BREXIT
The GDPR will come into effect in May 2018 and will be in force in the UK until it leaves the EU. Based on the current draft of the Data Protection Bill pending in Parliament, the GDPR (in some form) is likely to be adopted as UK law post-Brexit.

28 GDPR: Practical Steps
Document the types and location of personal data collected and processed (be prepared for data subject access, rectification, transfer and erasure requests). Update notices and consents. Update data breach incident response plans to ensure conformity with the GDPR. Confirm that the cross-border data transfer mechanisms relied upon comply with the GDPR. Review arrangements with vendors that handle EU personal data and ensure those arrangements comply with the GDPR. Document, and verify compliance with, the “lawful” basis used for processing personal data.
Determine the lead Data Protection Authority for the organization. Determine if you undertake (or are planning to undertake) any high-risk activities that would require a Data Protection Impact Assessment. Determine if a Data Protection Officer is required for EU operations. If possible, consider using anonymized or pseudonymized data in connection with processing and transfers. Privacy by design.

29 Attorney Contacts
Karin McGinnis, Member, 704.331.1078
Todd Taylor, Member
Suzanne Gainey, Associate
