Safe Harbor Is Invalid: What Is It and What Shall We Do?
White Paper by Jessica Santos, Ph.D., November 2015


On October 6, 2015, the Court of Justice of the European Union (CJEU) declared invalid the EU/U.S. Safe Harbor program.[1] The Swiss data protection authority subsequently declared invalid the Swiss/U.S. Safe Harbor program.[2]

What Is Safe Harbor?

The Safe Harbor program is a mechanism that permits personal data to be transferred from the EU to U.S. companies that had self-certified compliance with Safe Harbor principles. The EU Data Protection Directive restricts transferring personal data from Europe to countries that do not ensure an adequate level of legal data protection. The European Commission has determined the U.S. to be inadequate because the U.S. does not have a comprehensive data protection law or a regulator. Instead, U.S. data law varies by industry, e.g., financial, health, transport or communications.

In 2000, after EU-U.S. negotiations, Safe Harbor [3] principles were agreed to in which companies would annually self-certify with the U.S. Department of Commerce and include Safe Harbor principles in their online public privacy policies. This agreement helped extend the U.S. Federal Trade Commission's (FTC) enforcement powers for any unfair or deceptive consumer practices listed in public privacy policy and data practices.

What Does Safe Harbor Invalidation Mean?

The invalidation means companies can no longer rely on Safe Harbor principles to transfer personal data from the EU to the U.S., including intercompany transfers or transfers via service providers or other third parties.

Why now?

EU regulators have been criticizing the FTC's absent role as a privacy regulator and the challenging redress ability for EU citizens since the birth of Safe Harbor.
In a two-year-old case forced to the EU's highest court by Austrian privacy campaigner Max Schrems, the CJEU ruled that the European Commission's trans-Atlantic data protection agreement enacted in 2000 was invalid because it does not adequately protect consumers in the wake of the Snowden revelations. For Facebook, which has been placed at the center of this case by Schrems, the decision means that the Irish data protection authority (DPA) will be forced to investigate his claims and Facebook's data protection practices.[4]

How Urgent Is This?

On October 16, a group of European data protection authorities (known as the Article 29 Working Party) issued a statement confirming that transfers under Safe Harbor are no longer valid and indicated that at the end of January 2016 they may start taking enforcement action against companies who are still transferring data without a valid legal basis. In the meantime, individual data protection authorities and various clients have already started making enquiries to companies concerning their data transfers to the U.S.

Given the large number of EU companies that have been relying on Safe Harbor, it is not guaranteed that the EU data protection authorities will take serious enforcement action against all companies at the beginning of February 2016. However, companies need to show they are taking prompt action to implement alternative measures to enable data transfers to the U.S. in compliance with EU law.

What Does the Transfer of Personal Data Entail?

The concept of a transfer of data to the U.S. is broad and includes:

- Sharing data with third parties in the U.S.
- Hosting data on servers physically located in the U.S. (whether those servers are administered by intercompany units or a third-party service provider)
- Allowing remote access to the data from the U.S. (even if the data at rest remains in the EU)

Under EU law, personal data is not limited to what is considered personally identifiable information (PII) in the U.S. It also includes any information relating to an identifiable individual, even if the individual is identified only by a pseudonym (such as a randomly generated identifier associated with a cookie). Therefore, most data files used by research companies, which contain pseudonymous IDs and study data, are classified as personal data. In addition, healthcare data are classified as sensitive personal data even if there is no personal name or contact details in the data file.

What Are the Alternatives?

The alternatives to Safe Harbor will be:

- Obtaining unambiguous explicit consent from data subjects to their data being transferred to the U.S.
- Using standard contracts approved by the EU (known as standard contractual clauses or model clauses) to have contractual protection for the data transfer
- Putting in place formal arrangements for intragroup transfers (known as binding corporate rules)

Consequences for each option are as follows:

Consent seems to be the easiest option. It is also a valid option provided that consent is freely given and the wording of the consent is sufficiently clear, but it will not be appropriate for some data subjects (such as employees). Consent also can be withdrawn, so having a back-up plan for those who withdraw consent is essential. Most companies collect consent by having users tick a box that says "I agree to these terms and conditions," a method that is heavily challenged by DPAs and consumer groups, as few data subjects read and fully understand the terms and conditions content.
Finding single data records from a large data file would be a difficult if not impossible task. Most data protection authorities interpret this derogation very restrictively, and companies should expect to be challenged if they seek to place reliance on consent alone.

Model clauses (also known as standard contractual clauses or model terms) are standard terms that are approved by the European Commission for transferring data to the U.S. Standard model clauses adduce an adequate safeguard for data transfer for the privacy rights of individuals as stated in Article 26(4) in the EU Data Protection Directive.[5] Although they cannot be altered, model clauses recognize that companies using them regarding personal data transfers to countries (including the U.S.) outside the European Economic Area are offering adequate protection to the data. Model clauses impose obligations on both the data exporter and data importer. Model clauses may not be appropriate in all cases, and they may require broader changes to the way in which a company operates (i.e., the data would have to be collected by the EU group company so that the contract reflects how data flows actually operate). There are two EU standard model clauses contracts: controller-to-controller transfer and controller-to-processor transfer. It is not clear at the moment whether model clauses need to be implemented per company, per project or per transfer. Companies implementing model clauses must be clear on their position as data controller or data processor in each transfer.

Binding corporate rules (BCR) are developed by the Article 29 Working Party to allow multinational corporations, international organizations and groups of companies to make intra-organizational transfers of personal data across borders in compliance with EU Data Protection Law.
The BCR must apply generally throughout the corporate group irrespective of the location of the members, the nationality of the individuals whose personal data is being processed or any other criteria or consideration. Two elements must be stressed for BCR implementation: binding nature and legal enforceability. BCRs are appropriate only for transfers to intercompany groups and cannot be used for transfers outside the group. They require companies' data rules to be sent to the Data Protection Authorities (DPAs) of at least one EU country for review and approval. BCRs can involve a multiyear process with high external legal costs in addition to strictly applying EU rules to all members of the corporate group as well as each employee within it.

Safe Harbor is in negotiation with the EU and the FTC; however, it may take years and will not be ready in time to be inspected by EU data protection authorities. In addition, the forthcoming EU General Data Protection Regulation (GDPR) [7] should have a clear definition of pseudonymous data and its implications.

Which Is the Best Alternative?

Each option has its pros and cons. It is strongly advised that companies start with an internal due diligence process. A thorough understanding of their data assets, data flow, and the position of the data controller and data processor for each transfer is an essential first step.

If the volume of personal transfer from the EU to U.S. is minimal, companies might wait for the development of Safe Harbor 2.0. Another option could be restricting transfers of data in identifiable form. If aggregated data is sufficient for the business objective, e.g., group sales figures, is an individual sales record absolutely essential? Another possibility is to avoid transfers to the U.S. completely. Data localization law is already implemented in Russia,[8] and this trend will continue. Using cloud providers with an EU data center instead of a U.S. one, or transferring directly between EU clients and the EU vendor instead of routing through the U.S., are some options worth exploring.
If personal transfers are all within the group and group members are all willing to conform to EU standards, BCR can be a once-and-for-all option. Senior management buy-in will be crucial for implementing BCR, followed by training for all individual employees, especially in countries that do not have strict privacy legislation and cultures.

Model clauses will be the best option for companies with large data transfer volumes and multiple data imports and exports. It is advisable to generate a list of large data transfer partners, including clients, vendors and intercompany subsidiaries, and start to implement model clauses with the partner with the highest data transfer volume.

Last Thoughts

Finally, the environment of consequences for Safe Harbor invalidation changes very quickly. Companies are advised to take a proactive approach instead of waiting for DPA enforcement actions.

1. Safe Harbor is invalid but not illegal; it cannot be used as the only mechanism for personal data transfer from the EU to U.S.
2. Healthcare data are classified as sensitive personal data by the EU, even without personal contact details.
3. Check that your privacy policy clearly indicates that data storage or transfer could be in the U.S.
4. Explicit consent is not a trouble-free card but is easy to implement in some circumstances, especially for companies with a well-managed sample database.
5. Model clauses seem to be the most feasible option at this time.
6. Internal and external due diligence on data flow is vital at this point; it can be seen by DPAs as actions from companies before January
7. Involve legal and privacy department as early as possible for risk assessment exercise.

References

[1] pdf/ /cp150117en.pdf
[2] Switzerland is not a member of the European Union, but the US operates a separate Safe Harbor program that allowed personal data to be transferred from Switzerland to the US. This document refers to EU companies for brevity, but the steps set out here should also be taken in relation to group companies in Switzerland. While the Swiss data protection regime is similar to the European Union regime there are some differences; for this reason, it is important to legal if any transfers by Swiss companies are required
oct/06/safe-harbour-european-court-declare-invaliddata-protection
[5] contractual_clauses_en.pdf
[6] safe-harbour-2-0-framework-begins-to-capsize-asjanuary-deadline-nears/
[7] en.htm
[8] https://www.esomar.org/news-and-multimedia/news.php?idnews=189

For more information, please visit

About Kantar Health

Kantar Health is a leading global healthcare consulting firm and trusted advisor to many of the world's leading pharmaceutical, biotech and medical device and diagnostic companies. It combines evidence-based research capabilities with deep scientific, therapeutic and clinical knowledge, commercial development know-how, and brand and marketing expertise to help clients evaluate opportunities, launch products and maintain brand and market leadership.

Kantar Health deeply understands the influence of patients, payers and physicians, especially as they relate to the performance and payment of medicines and the delivery of healthcare services. Our advisory services, built on a solid foundation of market research and data, span three areas critical to bringing new medicines and pharmaceutical products to market: commercial development, clinical strategies and marketing effectiveness.

Kantar Health operates in more than 40 countries and employs more than 600 healthcare industry specialists and practitioners, including a high number of medical doctors, epidemiologists, PhDs, PharmDs and pharmacists, and biologists, biochemists and biophysicists. We work across the product lifecycle, from preclinical development to launch, and are experts at bringing multiple stakeholders together to advance the commercialization of pharmaceutical products. Our team acts as catalysts to successful decision making in the life sciences industry, helping our clients prioritize their product development and portfolio activities, differentiate their brands and drive product success post-launch. Kantar Health is part of Kantar, the data investment management division of WPP.

About the Author

Jessica Santos, Ph.D.

Dr. Jessica Santos is the Global Compliance Director in Kantar Health, the largest custom market research company focused on the life sciences industry. She is primarily responsible for providing oversight and support across the 40+ Kantar Health global offices in the areas of regulation, interaction with clients, suppliers and others within Kantar Health, Kantar and WPP. Dr. Santos is responsible for maintaining, anticipating and coordinating all activities with regard to compliance laws/regulations, industry guidelines, pharmacovigilance and client contracts, defining and driving the execution of Kantar Health's Quality Strategy, our approach to measuring and improving our quality efforts.

Dr. Santos is an experienced statistician, analyst, methodologist and market research scientist. She gained her reputation through her publications and professional committee work in the industry. She is a frequent speaker and contributor in major conferences and has a Ph.D. in Marketing, an MRS fellowship and Chartered Marketer status. Dr. Santos is a member of UK Research Ethics Committee, EphMRA, BHBIA and PMRG Government Affairs Committee, reviewer and co-chair of ISPOR, and MRS Professional Development Advisory Board and Examiner.

If you would like us to act as catalysts for you, contact us at


More information

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I.

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I. International Chamber of Commerce The world business organization Policy Statement Employee privacy, data protection and human resources Prepared by the Commission on E-Business, IT and Telecoms I. Introduction

More information

Data privacy in the cloud Navigating the new privacy regime in a cloud environment

Data privacy in the cloud Navigating the new privacy regime in a cloud environment Data privacy in the cloud Navigating the new privacy regime in a cloud environment The era of the cloud is here! It is a game-changing innovation that includes a broad set of public, private, and business

More information

AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING

AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING AN INSIDE VIEW FROM THE EU EXPERT GROUP ON CLOUD COMPUTING 1. Overview and Background On 27 September 2012, the European Commission adopted a strategy for "Unleashing the potential of cloud computing in

More information

Legal Analysis of the EU-U.S. Privacy Shield

Legal Analysis of the EU-U.S. Privacy Shield - i - Legal Analysis of the EU-U.S. Privacy Shield An adequacy assessment by reference to the jurisprudence of the Court of Justice of the European Union - ii - CLAUSE CONTENTS PAGE 1. INTRODUCTION IN

More information

COMMISSION STAFF WORKING DOCUMENT. on the existing EU legal framework applicable to lifestyle and wellbeing apps. Accompanying the document

COMMISSION STAFF WORKING DOCUMENT. on the existing EU legal framework applicable to lifestyle and wellbeing apps. Accompanying the document EUROPEAN COMMISSION Brussels, 10.4.2014 SWD(2014) 135 final COMMISSION STAFF WORKING DOCUMENT on the existing EU legal framework applicable to lifestyle and wellbeing apps Accompanying the document GREEN

More information

The Impact of EU Data Protection Legislation. Thomas Rivera Hitachi Data Systems

The Impact of EU Data Protection Legislation. Thomas Rivera Hitachi Data Systems Privacy PRESENTATION vs Data TITLE Protection: GOES HERE The Impact of EU Data Protection Legislation Thomas Rivera Hitachi Data Systems SNIA Legal Notice The material contained in this tutorial is copyrighted

More information

Overview. Data protection in a swirl of change 28.03.2014. Cloud computing. Software as a service. Infrastructure as a service. Platform as a service

Overview. Data protection in a swirl of change 28.03.2014. Cloud computing. Software as a service. Infrastructure as a service. Platform as a service Data protection in a swirl of change Overview 1 Data protection issues in cloud computing 2 Consent for mobile applications Security Seminar 2014: Privacy Radboud University Nijmegen 3 The WhatsApp case

More information

From Safe Harbour to European Data Protection Reform

From Safe Harbour to European Data Protection Reform From Safe Harbour to European Data Protection Reform Tihomir Katulić, Ph.D., Goran Vojković, Ph.D. University of Zagreb, Trg maršala Tita 14, Zagreb, Croatia E-mail: tihomir.katulic@pravo.hr, goran.vojkovic@fpz.hr

More information

Biomet Safe Harbor Policy

Biomet Safe Harbor Policy Biomet Safe Harbor Policy POLICY STATEMENT Biomet, Inc. and its subsidiaries (collectively, Biomet or us ) are committed to protecting the privacy of those who entrust us with their Personal Data. All

More information

The eighth data protection principle and international data transfers

The eighth data protection principle and international data transfers Data Protection Act 1998 The eighth data protection principle and international data transfers The Information Commissioner s recommended approach to assessing adequacy including consideration of the issue

More information

Brexit: Will it happen? What happens if it happens?

Brexit: Will it happen? What happens if it happens? Page 1 Brexit: Will it happen? What happens if it happens? Marie Bates 4 March 2016 A referendum is to be held on 23 June 2016 on the United Kingdom's continued membership of the European Union (EU). This

More information

Data transfers in the Cloud

Data transfers in the Cloud Data transfers in the Cloud Rapporteur: Emmanuelle Bartoli Meeting date: 28 th March 2014 1 The purpose of this document is to explore options for how contracts between Cloud providers and consumers and

More information

AIRBUS GROUP BINDING CORPORATE RULES

AIRBUS GROUP BINDING CORPORATE RULES 1 AIRBUS GROUP BINDING CORPORATE RULES 2 Introduction The Binding Corporate Rules (hereinafter BCRs ) of the Airbus Group finalize the Airbus Group s provisions on the protection of Personal Data. These

More information

Preparing for the EU General Data Protection Regulation

Preparing for the EU General Data Protection Regulation RESEARCH REPORT Preparing for the EU General Data Protection Regulation Assessing Awareness, Readiness & Impact of the Proposed Changes in US, UK, France & Germany TRUSTe Inc. 1 888 878 7830 +44 203 078

More information

TCI Whitepaper. Data Transfer to the USA. What will happen after the ECJ judgment regarding Safe Harbor?

TCI Whitepaper. Data Transfer to the USA. What will happen after the ECJ judgment regarding Safe Harbor? TCI Whitepaper Data Transfer to the USA What will happen after the ECJ judgment regarding Safe Harbor? (Version 1.0; as of October 7, 2015) 1. What is the Safe Harbor Agreement? Under German and European

More information

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING CCBE response regarding the European Commission Public Consultation on Cloud Computing The Council of Bars and Law

More information

Conference "Taking on the Data Retention Directive" Brussels, 3 December "The moment of truth for the Data Retention Directive"

Conference Taking on the Data Retention Directive Brussels, 3 December The moment of truth for the Data Retention Directive Conference "Taking on the Data Retention Directive" Brussels, 3 December 2010 "The moment of truth for the Data Retention Directive" Peter Hustinx European Data Protection Supervisor Today we are discussing

More information

Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister

Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister 2011 Morrison & Foerster LLP All Rights Reserved mofo.com Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister Presenter Miriam Wugmeister Morrison & Foerster LLP New York

More information

Tilburg University. U.S. Subpoenas and European data protection legislation Moerel, Lokke; Jansen, Nani; Koëter, Jeroen

Tilburg University. U.S. Subpoenas and European data protection legislation Moerel, Lokke; Jansen, Nani; Koëter, Jeroen Tilburg University U.S. Subpoenas and European data protection legislation Moerel, Lokke; Jansen, Nani; Koëter, Jeroen Published in: International Data Privacy Law Document version: Preprint (usually an

More information

TRUSTe Privacy Insight Series: Cross Border Data Transfer Strategies March 26, 2015

TRUSTe Privacy Insight Series: Cross Border Data Transfer Strategies March 26, 2015 TRUSTe Privacy Insight Series TRUSTe Privacy Insight Series: Cross Border Data Transfer Strategies March 26, 2015 Privacy Insight Series v v 1 Today s Speakers Anick Cousens, Corporate Privacy IBM Myriam

More information

Insurance and compensation in the event of injury in Phase I clinical trials

Insurance and compensation in the event of injury in Phase I clinical trials Insurance and compensation in the event of injury in Phase I clinical trials Guidance developed by the Association for the British Pharmaceutical Industry, the BioIndustry Association and the Clinical

More information

NOTE ON EXPORTING PERSONAL DATA FROM THE UNITED KINGDOM

NOTE ON EXPORTING PERSONAL DATA FROM THE UNITED KINGDOM NOTE ON EXPORTING PERSONAL DATA FROM THE UNITED KINGDOM KEMP LITTLE LLP NOTE ON EXPORTING PERSONAL DATA FROM THE UNITED KINGDOM TABLE OF CONTENTS A. INTRODUCTION... 3 B. THE LEGISLATIVE CONTEXT... 3 1.

More information

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Cloud Computing: Contracting and Compliance Issues for In-House Counsel International In-house Counsel Journal Vol. 6, No. 23, Spring 2013, 1 Cloud Computing: Contracting and Compliance Issues for In-House Counsel SHAHAB AHMED Director Legal and Corporate Affairs, Microsoft,

More information

New EU Data Protection legislation comes into force today. What does this mean for your business?

New EU Data Protection legislation comes into force today. What does this mean for your business? 24 th May 2016 New EU Data Protection legislation comes into force today. What does this mean for your business? After years of discussion and proposals, the General Data Protection Regulation ( GDPR )

More information

Before the AmCham EU Transatlantic Conference (Mar. 3, 2011), available at http://useu.usmission.gov/kennard_amchameu_030311.html.

Before the AmCham EU Transatlantic Conference (Mar. 3, 2011), available at http://useu.usmission.gov/kennard_amchameu_030311.html. One Year Later: Privacy and Data Security in a World of Big Data, the Internet of Things, and Global Data Flows Keynote Address Before the USCIB/BIAC/OECD Conference on Promoting Inclusive Growth in the

More information

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL Cloud computing and personal data protection Gwendal LE GRAND Director of technology and innovation CNIL 1 Data protection in Europe Directive 95/46/EC Loi 78-17 du 6 janvier 1978 amended in 2004 (France)

More information

Testimony of Peter Allgeier President Coalition of Services Industries (CSI)

Testimony of Peter Allgeier President Coalition of Services Industries (CSI) Testimony of Peter Allgeier President Coalition of Services Industries (CSI) Hearing On International Data Flows: Promoting Digital Trade in the 21st Century House Committee on the Judiciary Subcommittee

More information

Lots of clouds: a stormy weather for information privacy?

Lots of clouds: a stormy weather for information privacy? Lots of clouds: a stormy weather for information privacy? Michel Jaccard Sylvain Métille Web idest.pro Twitter @idestavocats Introduction Purpose: know what you do, why you do it, the risks and the best

More information

WikiLeaks Document Release

WikiLeaks Document Release WikiLeaks Document Release February 2, 2009 Congressional Research Service Report RS20823 The EU-US Safe Harbor Agreement on Personal Data Privacy Martin A. Weiss, Foreign Affairs, Defense, and Trade Division

More information

Third European Cyber Security Awareness Day BSA, European Parliament, 13 April 2010. Panel IV: Privacy and Cloud Computing

Third European Cyber Security Awareness Day BSA, European Parliament, 13 April 2010. Panel IV: Privacy and Cloud Computing Third European Cyber Security Awareness Day BSA, European Parliament, 13 April 2010 Panel IV: Privacy and Cloud Computing Data Protection and Cloud Computing under EU law Peter Hustinx European Data Protection

More information

Recent Developments of Hong Kong Personal Data Privacy Protection. Mr Stephen Wong Privacy Commissioner for Personal Data, Hong Kong

Recent Developments of Hong Kong Personal Data Privacy Protection. Mr Stephen Wong Privacy Commissioner for Personal Data, Hong Kong Recent Developments of Hong Kong Personal Data Privacy Protection Mr Stephen Wong Privacy Commissioner for Personal Data, Hong Kong Personal Data Privacy Protection - 1996 Personal Data (Privacy) Ordinance

More information

Safety Science Leader, LEAD

Safety Science Leader, LEAD Date: 07/06/16 Safety Science Leader, LEAD Job ID: 00448399 Job Function Drug Safety Location United States - California South San Francisco Company/Division Full-time Schedule Full-time Job type Regular

More information

Data Protection & Cyber Security Law Update 1 st October 2015

Data Protection & Cyber Security Law Update 1 st October 2015 Data Protection & Cyber Security Law Update 1 st October 2015 Robert Bond, Partner Janine Regan, Associate Viktoria Protokova, Data Protection Executive charlesrussellspeechlys.com Brief introduction to

More information

Privacy and Data Protection

Privacy and Data Protection Hewlett-Packard Company 3000 Hanover Street Palo Alto, CA 94304 hp.com HP Policy Position Privacy and Data Protection Current Global State of Privacy and Data Protection The rapid expansion and pervasiveness

More information

Telehealth and the Law: An Update from Both Sides of the Atlantic

Telehealth and the Law: An Update from Both Sides of the Atlantic Telehealth and the Law: An Update from Both Sides of the Atlantic John Williams, MD Associate Medical Director, University of Pittsburgh Medical Center International and Commercial Services Division (Moderator)

More information

Creating excellence in professional standards and practices to enable Healthcare market researchers to become highly valued business partners

Creating excellence in professional standards and practices to enable Healthcare market researchers to become highly valued business partners Creating excellence in professional standards and practices to enable Healthcare market researchers to become highly valued business partners EphMRA Vision EMA Workshop on Patient Support Programmes and

More information

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini Personal data and cloud computing, the cloud now has a standard by Luca Bolognini Lawyer, President of the Italian Institute for Privacy and Data Valorization, founding partner ICT Legal Consulting Last

More information

Data Protection and Cloud Computing: an Overview of the Legal Issues

Data Protection and Cloud Computing: an Overview of the Legal Issues Data Protection and Cloud Computing: an Overview of the Legal Issues Christopher Kuner Partner, Hunton & Williams, Brussels Research Assistant, University of Copenhagen Nordic IT Law Conference Copenhagen,

More information

PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY. Introduction

PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY. Introduction PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY Introduction The continuous globalization of the world economy influences the international transfer of personal data. The transfer of personal

More information

Data Processing Agreement for Oracle Cloud Services

Data Processing Agreement for Oracle Cloud Services Data Processing Agreement for Oracle Cloud Services Version December 1, 2013 1. Scope and order of precedence This is an agreement concerning the Processing of Personal Data as part of Oracle s Cloud Services

More information

The Future Of UK Pharmaceutical Best Practices --By Lincoln Tsang and Silvia Valverde, Arnold & Porter LLP

The Future Of UK Pharmaceutical Best Practices --By Lincoln Tsang and Silvia Valverde, Arnold & Porter LLP Published by Life Sciences Law360 on January 26, 2015. Also ran in Health Law360. The Future Of UK Pharmaceutical Best Practices --By Lincoln Tsang and Silvia Valverde, Arnold & Porter LLP Law360, New

More information

Life Sciences & Healthcare

Life Sciences & Healthcare Life Sciences & Healthcare 03 Taylor Wessing is a leading European law firm advising life sciences and healthcare businesses, those who fund them and those who work for them Taylor Wessing has been voted:

More information

Response of the German Medical Association

Response of the German Medical Association Response of the German Medical Association To the Green Paper on mobile Health ( mhealth ) of the European Commission Berlin, 3 July 2014 Bundesärztekammer Herbert-Lewin-Platz 1 10623 Berlin We are grateful

More information

AN INTRODUCTION TO THE EU DIRECTIVE ON THE PROTECTION OF PERSONAL DATA

AN INTRODUCTION TO THE EU DIRECTIVE ON THE PROTECTION OF PERSONAL DATA AN INTRODUCTION TO THE EU DIRECTIVE ON THE PROTECTION OF PERSONAL DATA By Peter K. Yu Introduction The Internet and new communications technologies have made shopping more convenient than ever. Online

More information

Giuseppe Busia Segretario generale Garante per la protezione dei dati personali

Giuseppe Busia Segretario generale Garante per la protezione dei dati personali mhealth enablers panel The Health & Wellness @ Mobile World Congress 2015 Giuseppe Busia Segretario generale Garante per la protezione dei dati personali 1 mhealth main concern Mobile Health (mhealth)

More information

Implementing Privacy Compliant Hybrid Cloud Solutions

Implementing Privacy Compliant Hybrid Cloud Solutions Implementing Privacy Compliant Hybrid Cloud Solutions SESSION ID: DSP-T07A Peter J Reid Privacy Officer, Enterprise Business Hewlett-Packard Company Historical IT Outsourcing Perspective Cloud Web 2.0

More information

Office 365 Data Processing Agreement with Model Clauses

Office 365 Data Processing Agreement with Model Clauses Enrollment for Education Solutions Office 365 Data Processing Agreement (with EU Standard Contractual Clauses) Amendment ID Enrollment for Education Solutions number Microsoft to complete 7392924 GOLDS03081

More information

DATA TRANSFERS WITHIN A MULTINATIONAL GROUP SAFELY NAVIGATING EU DATA PROTECTION RULES

DATA TRANSFERS WITHIN A MULTINATIONAL GROUP SAFELY NAVIGATING EU DATA PROTECTION RULES DATA TRANSFERS WITHIN A MULTINATIONAL GROUP SAFELY NAVIGATING EU DATA PROTECTION RULES MAY 2013 INTRODUCTION Multinational corporations increasingly have a need to share their data throughout their group.

More information

Personal Data Protection

Personal Data Protection Data Protection Personal Data Protection Protection of personal data Living in an area of freedom, security and justice Croatia and Turkey Screening Chapter 23 - Judiciary and fundamental rights Brussels,

More information

Position Paper. Introduction. General Remarks. Online Platforms

Position Paper. Introduction. General Remarks. Online Platforms Position Paper UEAPME 1 s reply to the Public Consultation on Regulatory environment for platforms, online intermediaries, data and cloud computing and the collaborative economy. Introduction UEAPME welcomes

More information

The EU-U.S. Safe Harbor Agreement on Personal Data Privacy: In Brief

The EU-U.S. Safe Harbor Agreement on Personal Data Privacy: In Brief The EU-U.S. Safe Harbor Agreement on Personal Data Privacy: In Brief Martin A. Weiss Specialist in International Trade and Finance Kristin Archick Specialist in European Affairs October 29, 2015 Congressional

More information