TRANSCRIPT
© Copyright 2015 by K&L Gates LLP. All rights reserved.
Webinar: US-EU Safe Harbor Framework Declared Invalid
Presenters: Bruce Heiman (Washington DC), Ignasi Guardans (Brussels), Etienne Drouard (Paris)
What happened?
1 klgates.com
The Schrems Case (Ruling C-362/14)
* 9/25/13: Irish DPA receives complaint from a citizen about Facebook transferring his data to the US
  • DPA states it has no right to verify the data transfer; only the EC can, based on EC Decision 2000/520 (Safe Harbor decision)
  • Schrems takes the DPA to the Irish High Court
* 7/17/14: Irish High Court asks the CJEU for a preliminary ruling
  • Is the Irish DPA bound by the EC findings on protections of data transfer to a 3rd state?
  • Can the DPA carry out its own investigation?
* 10/6/15: CJEU ruling C-362/14
  • EC Decision 2000/520 can be reviewed and challenged at national level by DPAs and courts
  • But only the CJEU can declare it void
  • EU Court reviews it, and declares it void
Why Is 2000/520 Declared Invalid? (= What’s the test for a valid one?)
* Transfers of data can only be allowed IF the 3rd country ensures an “adequate level of protection”: measured according to a non-exhaustive list of circumstances
* The European Commission must assess the level of protection of the 3rd country according to laws & practice
  • Reliability check: effective detection & supervision mechanisms in case of infringement
* But the EC acknowledges that:
  • National security, public interest, or law enforcement requirements have primacy over the safe harbor principles
  • No legal protection: data subjects have no administrative or judicial means of redress (FTC only for commercial disputes)
Why Is 2000/520 Declared Invalid? (= What’s the test for a valid one?) (cont.)
* Derogations to protection of personal data can apply only if “strictly necessary”. Not the case here: no objective criterion determining the limits of access by public authorities and its use for purposes that are “specific, strictly restricted, justifying the interference”
* “Generalized” storage of and access to personal data by authorities compromise the “essence of the fundamental right for private life”
* Effective judicial review is inherent to the existence of the rule of law
* The EC failed to prove “that US in fact ensures adequate level of protection”: Decision 2000/520 establishing an equivalent “adequate level of protection” is invalid
Essentially, Two Issues Make Safe Harbor Invalid
Resolving these two issues is what will make a new agreement acceptable in the EU:
* US Government has access to personal information “without limitation”
  • The EC had already raised concerns that access is beyond what is “strictly necessary and proportionate” to protect national security
* EU citizens cannot pursue legal remedies to access and correct data
  • The EC had already raised concerns that there is “no administrative or judicial means of redress” for access and the ability to rectify or erase data
Who May Be Impacted?
‘Personal Data’ Under the EU Framework Directive 95/46
* Article 2.a): “[…] Any information relating to an identified or identifiable natural person (‘data subject’) […], directly or indirectly, […] by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
* Recital (“Whereas”) 26: “[…] account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.”
* Opinions from the “Article 29 Working Party”: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm
Are You Subject to EU-US Data Transfer Regulations?
Your company or group of companies is composed of: (YES / NO)
1. A US company
   1.1. with personnel, and/or subsidiaries, and/or affiliates, and/or holding/mother company in the EU
   1.2. using technical infrastructures (including e.g. servers) or service providers located in Europe
   1.3. with commercial partners located in Europe (wholesalers, retailers, distributors, licensees…)
2. An EU company
   2.1. with personnel, and/or subsidiaries, and/or affiliates, and/or holding/mother company in the United States
   2.2. using technical infrastructures (including e.g., servers) or service providers located in the United States
   2.3. with commercial partners located in the United States (wholesalers, retailers, distributors, licensees…)
3. A US company operating services entirely from the United States and/or a non-EU country, directed at customers in Europe (draft EU Regulation)
Who May Be Impacted in Practice?
Note: Situations listed hereafter should be read with the following assumption: “… for the processing of personal data, browsing and localization data, or behavioral data, which may relate, directly or indirectly, to an individual (employee, customer, etc.)”
Which US Companies May Be Impacted?
* Safe harbor certified US companies
* Non-safe harbor certified US companies:
  • that are not bound by group-wide “Binding Corporate Rules” (“BCR”)
  • that have not executed EU-compliant data transfer agreements with their EU mother company, sister companies, affiliates, contractors, subcontractors, service providers, business partners
  • that receive or access personal data from the EU without the data subjects’ consent to the transfer to the US
Which EU Companies May Be Impacted?
* EU companies sending data to their US mother company, sister companies, affiliates, contractors, subcontractors, service providers, business partners
* EU companies sharing databases with their US mother company, sister companies or affiliates
In each case:
  • without any EU-compliant data transfer agreement in place
  • without any BCR in place
  • without the data subjects’ consent
What Are the Risks?
Popular Solutions Under the Current EU Laws
* Execute EU-compliant data transfer agreements
  • Model clauses from the EU Commission
  • Description of data, purposes and security measures
  • Amend existing notifications with the data protection authority (“DPA”) re. grounds for data transfer
* Implement group-wide “Binding Corporate Rules”
  • Binding list of data protection commitments
  • Approval of the BCRs by the competent DPAs
  • One representative EU entity liable before the competent DPAs
  • All group entities liable before the representative EU entity
* Obtain consent from data subjects
  • Explicit, specific, freely given, discretionary, waivable… Impracticable?
Data Transfer Assessment
Data Transfer Assessment
* Perform a data transfer audit
  • Data transfers tailored checklist
  • IT/commercial/outsourcing contracts review
  • Look for references to “safe harbor”
  • Look for data transfer agreements
* Classify and prioritize
  • Intra-group transfers
  • Transfers to clients
  • Transfers to contractors or subcontractors
* Assess the most effective and practicable legal solution, following the priorities previously defined
Example of Data Transfers Standard Check List (US)
We are a US company and we do: (YES / NO)
Access/extract HR data from our European-based affiliates
Access/extract CRM data from our European-based affiliates
Access/extract accounting data from our European-based affiliates
Implement a global anti-money-laundering and/or SOX compliance framework from the United States
Enforce and control a global IT policy from the United States
Draw statistics about our European employees/customers based on any of the following: health conditions, race, ethnicity, trade union membership, criminal offenses or allegations, religion, sexual orientation
Consolidate/assess a biometric database (e.g., fingerprint, hand shape, iris) for employee access control or other purposes
Consolidate/access a genetic database
Operate a global active directory including our European employees
Operate data centers in the EU
Outsource data hosting in the EU
Host data from our EU affiliates
Host data from our EU service providers
Operate global IT infrastructures from the United States
Example of Data Transfers Standard Check List (EU)
We are a European company and we do: (YES / NO)
Use global IT services, tools and/or servers provided by our US affiliate/mother company
Outsource IT services to subcontractors in the United States
Outsource IT infrastructures to subcontractors in the United States
Outsource hosting activities to subcontractors in the United States
Outsource medical analysis to subcontractors in the United States
Share our database with our affiliates/mother company in the United States
Provide our subcontractors in the US with access to our EU database
Provide information related to health conditions, race, ethnicity, trade union membership, criminal offenses or allegations, religion, sexual orientation, to our mother company in the United States for statistical purposes
Share an online recruiting tool and database with our affiliates/sister companies/mother company in the United States
Outsource biometric security services to subcontractors in the United States
Benefit from biometric security services provided and managed / operated by our mother company in the United States
EU Next Moves
Policy / Regulatory Follow-up in the European Union
* EC VP Frans Timmermans
* EC Commissioner Věra Jourová
* European Parliament LIBE Committee
* Article 29 Working Party
US Next Moves
Will a US-EU Safe Harbor 2.0 Provide Relief From the ECJ/EU Privacy Regulation Storms?
Safe Harbor 2.0 Negotiations Were in Final Stage…
* Impact of Snowden disclosures (June 2013)
* EC’s 13 Recommendations for Improvement (November 2013)
  • Transparency
  • Redress
* Increased FTC enforcement (January 2014)
* Key issue: Recommendation 13 – National Security exception: “Strictly necessary or proportionate”
* Note parallel initiative – EU-US umbrella agreement
  • Protection framework for data transfers for law enforcement purposes
  • EU citizens should have the same privacy rights and remedies available to US persons
Enforcement: Access by U.S. Authorities
Need to address two prongs of the ECJ decision:
* USG unrestricted access to information
  • PRISM program disbanded
  • Section 215 bulk collection of telephone metadata ended (USA Freedom Act)
  • ? Final resolution of “strictly necessary and proportionate”
* EU citizens’ ability to access and correct data
  • Judicial Redress Act (H.R. 1428)
  • Legislative prospects
Commerce Secretary Pritzker Reaction
* “Since 2000, the Safe Harbor Framework has proven to be critical to protecting privacy on both sides of the Atlantic and to supporting economic growth in the United States and the EU. We are deeply disappointed in today’s decision…”
* “For the last two years, we have worked closely with the European Commission to strengthen the U.S.-EU Safe Harbor Framework, with robust and transparent protection, including clear oversight by the Department of Commerce and strong enforcement by the U.S. Federal Trade Commission.”
* “The court’s decision necessitates release of the updated Safe Harbor Framework as soon as possible.”
Q&A With K&L Gates Presenters
* Bruce J Heiman, Partner, Public Policy and Law – Washington DC, +1.202.661.3935, [email protected]
* Ignasi Guardans, Partner, Public Policy and Law – Brussels, +32.(0)2.336.1949, [email protected]
* Etienne Drouard, Partner, Privacy, Data Protection and Information Management – Paris, +33.(0)1.58.44.15.12, [email protected]