Safe Harbor Webinar
Thursday, February 4th, 1:00 EST
DATA PROTECTION UPDATE: SAFE HARBOR AND THE PRACTICAL IMPACT FOR COMPANIES
Speakers
Robert Bond, Partner, Charles Russell Speechlys
Dennis Haist, General Counsel & Compliance Advisor, STEELE CIS
Michael Scuvee, Director Global Data Privacy, Corporate Compliance, Johnson Controls
Topics of Discussion
• Available Data Transfer Solutions
• Data Protection Notifications
• Summary of Schrems vs. Data Commissioner
• Article 29 Working Party Activities
• Tuesday’s Announcement of a “political deal”
• Likelihood of Safe Harbor 2.0 or EU-US Privacy Shield Framework
• Alternative mechanisms for data transfer (Unambiguous Consent, Binding Corporate Rules, Model Clauses)
UNDERSTANDING DATA TRANSFER SOLUTIONS
Strategies for Transborder Data Flows
• Binding corporate rules – not valid in all countries
• Model clauses
• Safe Harbor/Privacy Shield
• Consent
• Presumption of adequacy
• Adequate destination
• Contractual necessity
• Seals and trust marks
Data Exported
• Within EEA: Automatically adequate
• Outside EEA: Which country/jurisdiction?
  – Argentina, Channel Islands, Isle of Man, Switzerland, Faroe Islands, Israel, Uruguay, New Zealand: Adequate for transfer to proceed
  – Canada: Mostly adequate for transfer to proceed
  – USA: To a signatory of the Safe Harbor/Privacy Shield principles?
    Yes: Adequate for transfer to proceed
    No
  – Other countries
Do any of the other key legal grounds for transfer apply?
1. Transfers using the appropriate EU Commission approved Model Transfer Terms
2. Transfers subject to the use of Binding Corporate Rules
3. Transfers in accordance with an approved privacy contract
4. Companies that have self-assessed their adequacy (in some jurisdictions)
• Yes: Adequate for transfer to take place
• No: Can adequacy be presumed?
  – Yes: Transfer can proceed
  – No: Legal advice required
Data Protection notifications, filings and registrations – what is this?
• More than a tick-the-box exercise
• More than a bureaucratic formality
• Purpose: to assist the Data Protection Authorities (DPAs) in enforcing the data protection laws
• You must be fully informed to present a registration/notification
• Types of notifications:
  – Prior registration of processing operations
  – Prior checking of processing operations
  – Prior notification of data transfers from EEA to 3rd countries
  – Notification of breaches to the DPA
  – Notification of breaches to the data subjects
  – Other types of notifications / requests for authorisation
Schrems v. Data Protection Commissioner (October 6, 2015)
• Background of appeal to Court of Justice
• Significant Findings of the Court
  – A Commission finding of “adequacy” does not prevent the supervisory authority of a Member State from examining the claim of a data subject that a third country does not ensure an adequate level of protection (paragraph 66)
  – “Adequate level of protection” must require the third country to ensure, by its domestic law or international commitments, a level of protection of fundamental rights and freedoms essentially equivalent to that guaranteed by the EU (paragraph 73)
  – Decision 2000/520 recognizes that national security, public interest, or law enforcement requirements have primacy over the Safe Harbor principles (paragraph 84)
  – Decision 2000/520 did not state that the U.S. “ensures” an adequate level of protection by reason of its domestic law or international commitments (paragraph 97)
  – Decision 2000/520 fails to comply with the requirements of Article 25(6) of Directive 95/46 and is accordingly invalid
Schrems v. Data Protection Commissioner (October 6, 2015)
• Initial Reactions
  – Law firm clients, Data Controllers, Data Processors
• Article 29 Working Party activities since Schrems
• Expiration of “Grace period” on January 31
  – Latest developments – Tuesday’s Announcement of a “political deal” on EU-US Privacy Shield framework
• Judicial Redress Act of 2015 (HR 1428)
• Privacy Shield or Safe Harbor 2.0
Data Processing contracts
• The Data Controller must ensure that the Data Processor is suitable for the processing activities having regard to the nature of the data – so due diligence is required.
• Contractual controls need to be put in place – the Data Processor may already have these, but check!
• If the Data Processor is outside the EU then the EU Model Clauses for transfers to a Data Processor should be used.
• Reliance on Safe Harbor was possible provided that the Certification was in relation to the type of personal data being transferred.
• Privacy Shield may be a new solution.
• Notwithstanding the use of Model Clauses, some DPAs require notification and deposit of the contract for approval.
• Some DPAs have difficulty with the concept that Sensitive Data needs to be transferred to a 3rd party outside the EU.
Open forum
Questions?
Thank You
This webcast and all future Ethisphere webcasts are available complimentary and on demand for BELA members. BELA members are also offered complimentary registration to Ethisphere’s Global Ethics Summit and other Summits around the world.