EU Data Protection Compliance Trends - What US Companies Need to Know. 30 January 2013

Transcription

1 EU Data Protection Compliance Trends - What US Companies Need to Know 30 January 2013

2 Session Contents Why European data protection rules matter and an introduction to the main privacy rules Transferring data outside of Europe the Compliance Options Outsourcing A brief UK perspective on privacy compliance A French perspective on privacy compliance A German perspective on privacy compliance Concluding remarks 2

3 Your Speakers Today Ann La France London, UK Caroline Egan Birmingham, UK Stephanie Faber Paris, France Andreas Fillmann Frankfurt, Germany 3

4 INTRODUCTORY OVERVIEW

5 Why Does EU Data Protection Law Matter Why European DP law matters to US companies Applies to European subsidiaries in their domestic processing of personal data (even when US parent is Safe Harbor certified) Applies when they transfer/allow access to personal data from US or outside EEA. Our focus on transfers of data outside Europe Though based on EU Directive there are differences in implementation in individual countries Applies to all types of personal data Employee Customer Supplier 5

6 Why Does EU Data Protection Law Matter Downsides of non-compliance? Fines and regulatory sanctions substantial and increasing See table on next slide Reputational damage - name and shame policy of regulators Employee data - damaged employee relations Potential conflicts with US law - eg Sarbanes Oxley and whistleblowing in France 6

7 Examples of Fines Imposed by EU DPAs Country/DPA Date Company Fine imposed Reason UK (ICO) Jan 2013 Sony 250,000 GBP Failing to prevent personal data of Playstation users being hacked UK (ICO) Oct 2012 The Prudential 50,000 GBP Mixing up accounts of two customers UK (ICO) May 2012 NHS Trust 325,000 GBP Failure to prevent sensitive personal data being sold on internet auction site France (CNIL) March 2011 Google 100,000 EUR Collection of Wi-Fi and login/ data during its Street View operations; France (CNIL) July 2011 Association Lexeek 10,000 EUR and injunction Published legal cases online containing parties names Germany (Hamburg DPA) Hamburger Sparkasse 200,000 EUR Using neuromarketing techniques without customer consent Spain (AEPD) April 2007 Zeppelin Television 1,000,000 EUR Failure to protect personal data of 7000 applicants for Big Brother 7 Netherlands (OPTA) Dec 2011 DollarRevenue 1,000,000 EUR Installing adware/spyware software on 22million computers

8 Why Does EU Data Protection Law Matter Existing law tough; new law tougher? Proposed new European Data Protection Regulation Harmonised stricter rules Regulation direct effect no scope to alter Much higher penalties Up to 2% of global turnover Mandatory data breach notification Requirement to appoint Data Protection Officer Territorial application - applies even if no European presence if market to Europe or monitor European citizens 8

9 Timescale for Implementation A long way to being finalised Earliest date for finalising Regulation 2014 Implementation 2018? 9

10 Overview of EU Data Protection Rules Key terms Personal data Data controller Data processor especially as these terms not used in Safe Harbor Processing Transfer outside EEA - including allowing access Sensitive personal data EEA EU plus Norway, Iceland and Liechtenstein 10

11 Overview of EU Data Protection Rules Data protection compliance principles Must have justification consent or other permitted purpose Notice to individuals about usage of their data (privacy policy) Accurate and up to date Sufficient and not excessive for purpose Destroyed when no longer needed for purpose Compliance with individual's rights - eg providing information on request Kept secure (and higher security required for sensitive data) Only transferred outside EEA if adequate protection 11

12 TRANSFERS OUTSIDE OF THE EEA

13 Compliance Options When Transferring Data Outside the EEA Approved country Switzerland, Argentina, Australia, Canada, Israel, Uruguay US Safe Harbor (some sectors excluded) EC approved Model Clauses Controller to Controller Controller to Processor Binding Corporate Rules - within multi-national groups NB: EU law treats group companies as separate third parties 13

14 Safe Harbor Advantages/Disadvantages Safe Harbor Geographical limitations Issues with onward transfers Some sectors excluded eg financial services, telecoms Check exact certification Lack of fit for pure processors Long term future? 14

15 EU Model Clauses - Advantages/Disadvantages EU standard model clauses Must be used unamended Jurisdictional issues governing law of exporting country Notification/prior approval in many countries Service providers becoming more familiar with them Sub-contracting further complications 15

16 EU Standard Model Clauses Complexity of contracting an administrative nightmare! Non-EU operations EU operations

17 Binding Corporate Rules - Advantages/Disadvantages Binding corporate rules Only apply within multi-national groups Favoured by many regulators Costly and time consuming Involves getting approval of regulators in all affected countries, through lead regulator up to a year Useful if a lot of data being transferred/accessed 17

18 Overview on Compliance Options In theory straightforward In practice tricky EU requirements not business-friendly getting third parties to agree additional requirements of local regulators/national laws The UK position least prescriptive least red tape particular sensitivities 18

19 OUTSOURCING OVERVIEW OF PRIVACY ISSUES

20 Outsourcing Nature of outsourcing Providing services to other group members External providers Examples Global HR databases Global hosting Using external marketing companies Cloud computing» Data may be transferred to multiple jurisdictions Frequently involve sub-contracting 20

21 Outsourcing Practical issues You appointing service provider who will access/use data from Europe You as service provider to third parties or member of group either to EU clients or US parent and its European affiliates Understanding who is data controller and who is data processor; usually service provider is processor Virtually all obligations on data controller Considering privacy issues at the outset Increasing willingness of processors to address customer compliance issues 21

22 Practical Issues (continued) If personal data comes to you first, before you appoint processor/sub-processor Compliance for transfer to you Compliance for transfer to processor/sub-processor 22

23 Outsourcing Appointing a Processor Processor Agreement always needed - even if processor is in the EEA, or recipient is Safe Harbor certified ("basic processor agreement") Due diligence - up front and ongoing Mandatory terms of basic processor agreement Only process on data controller's instructions Take appropriate technical and organisational measures to keep data secure, proportionate to amount and sensitivity of data Security - major priority of regulators, especially in UK» Encryption in transit and when accessed from mobile devices» Possibly always encryption? Strongly advisable terms Notify data breaches within 24/48 hours Obligation to take remedial measures if breach Audit rights 23 Often involve sub-processing

24 EU Processor Model Clauses 2010 Not very business friendly Don't apply if initial processor is inside EEA Audit requirement compulsory Must identify in agreement security measures to be taken Appointing sub-processors Significant formalities Requires notification to and consent of controller Can give generic consent» May be okay within groups» Risky if arm's length transaction 24

25 UK Hot Topics Data security Encryption Data breach reporting Not mandatory Aggravating factor in fines Power to fine Data breach Liability for processors Not having agreement in place Not checking security measures Inaccurate data 25

26 A FRENCH PERSPECTIVE ON PRIVACY COMPLIANCE

27 Cloud Computing CNIL s (French DPA) guidance on Cloud (June 2012) : Similar to opinion of WP 29 Also contains a list of contractual requirements failing which data controller will not be compliant; as well as proposed clauses 27

28 Data for Litigation Disclosure Cultural difference: no pre-trial discovery in France Guidelines of the CNIL (cooperation through Hague and data minimization) So called French Blocking Statute on business data 28

29 Employment Related Issues Whistle-blowing specific restrictions Works councils often have to be consulted prior to implementation of processing and/or transfers Employee consent not deemed freely given Pre-employment vetting: CNIL Guidelines Employee monitoring Any other areas of particular concern to the CNIL (social security number, ethnic origin, etc.) 29

30 Marketing Implementation of eprivacy Directive Marketing by , fax, telephone (automated calls and calls) Opt in or opt out Marketing for similar products and services Cookies Location data Data subjects rights: Fair information Right to object and/or prior consent Hot topics Issue of combination of data by Google and recommendations by WP 29 lead by CNIL (French DPA) Recommendations of Irish DPA to Facebook CNIL currently working on: smartphone apps, facial recognition 30

31 A GERMAN PERSPECTIVE ON PRIVACY COMPLIANCE

32 Germany Overview of Compliance Rules Data Protection Officer General duty to register a company with the data protection authority Notification is not necessary if the company has appointed its own Data Protection Officer (more than 9 people are engaged with data processing) Proper use of data processing programs Familiarize management and employees with data protection rules and regulations Note: DPO can only dismissed only for cause Employee data Employee data can only be processed if necessary for the administration of the employment relationship Works Council s approval (if established) is required for personal data transfer: Before/instead of obtaining the employees consent When establishing a whistle blower hotline 32

33 Germany Overview of Compliance Rules Data Transfer No exemption for data transfer/processing within company groups Within the EU/EEA: a permission for data transfer from a data protection authority or a notification is not required In case of outsourcing direct marking activities a written agreement for the processing of personal data is required which meets 10 conditions Companies using online marketing tools by outsourcing data collection and processing services in Germany should enter into an agreement with the service provider as data controller and should collect data on their own website to be protected in case of insolvency of the service provider (recent high court decision). To third countries: admissible, if an adequate data protection level is guaranteed, for example Approved country EU Model Clauses (data protection authority may request inspection of the Model Clause Agreement) BCR With permission of the data protection authority 33

34 Germany Overview of Compliance Rules Safe Harbor» Düsseldorfer Kreis (informal association of the German data protection authorities for the private sector), April 2010:» A German data exporter needs to examine the data importer s self-certification according to the Safe Harbor Agreement» Accordingly, the German data exporter has to obtain evidence showing how the US company fulfills its duties to provide information to the data subject, and has to be able to prove this check upon request of the DP authorities» A US company should declare that they are giving the information to the data subject 34

35 Germany Overview of Compliance Rules Data Breach According to German Data Protection Act a data breach duty applies, if: Sensitive personal data. personal data subject to professional secrecy, personal data related to criminal/administrative offences, personal data relating to bank or credit card accounts, certain telecommunication and online data are abused or lost and an unauthorized party(s) acquires knowledge; In case of telecommunications and online data there is a threat of interference with the interest of the concerned individual(s); and Threat of significant harm for the individual DPO have to notify the data protection authority and the individuals without delay: Must include description of the type of unlawful disclosure and recommendation measures to limit the possible consequences Information to the individuals directly or via two newspapers publicly Information to individuals has to observe various further issues (e.g. pending criminal investigations) 35 Internet use/cookies Cookies should be used for statistical purposes only and not for transmitting user data Website privacy rules should address the cookie aspect and the opportunity to object

36 CONCLUDING REMARKS

37 For questions regarding CLE credit, please contact: Robin Hallagan

38 QUESTIONS

39 Contact Us Ann La France T: +44 (0) Caroline Egan T: +44 (0) Stephanie Faber T: Andreas Fillmann andreas.fillmann@squiresanders.com T:

40 Worldwide Locations North America Latin America Europe & Middle East Asia Pacific Cincinnati Northern Virginia Bogotá+ Beirut+ Leeds Beijing Cleveland Columbus Palo Alto Phoenix Buenos Aires+ Caracas+ Berlin Birmingham London Madrid Hong Kong Perth Houston San Francisco La Paz+ Bratislava Manchester Seoul Los Angeles Miami Tampa Washington DC Lima+ Panamá+ Brussels Bucharest+ Moscow Paris Shanghai Singapore New York West Palm Beach Santiago+ Budapest Prague Sydney Santo Domingo Frankfurt Kyiv Riyadh Warsaw Tokyo 40 + Independent Network Firm