The E.U.-US Privacy Collision: A Turn to Institutions and Procedures



Similar documents
LIMITE EN COUNCIL OF THE EUROPEAN UNION. Brussels, 3 February /12 LIMITE JAI 53 USA 2 DATAPROTECT 13 RELEX 76

How To Protect Your Data In The Cloud

Application of Data Protection Concepts to Cloud Computing

RESTREINT UE/EU RESTRICTED

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

Privacy & Data Security: The Future of the US-EU Safe Harbor

How To Regulate Data Protection In European Union

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Privacy Level Agreement Outline for the Sale of Cloud Services in the European Union

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

EU- US NGO Letter on 1 To Secretary Pritzker

Proposal of regulation Com /4 Directive 95/46/EC Conclusion

Version 56 (29/11/2011)

The Data Protection Landscape. Before and after GDPR: General Data Protection Regulation

Proposal for a COUNCIL REGULATION (EU) implementing enhanced cooperation in the area of the law applicable to divorce and legal separation

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Inter-Institutional Common Approach to Impact Assessment (IA) General principles

5419/16 ADD 1 VH/np 1 DGD 2C

Align Technology. Data Protection Binding Corporate Rules Controller Policy Align Technology, Inc. All rights reserved.

slaughter and may The new EU Data Protection Regulation revolution or evolution?

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda?

Improving self-regulation through (law-based) Corporate Data Protection Officials *

AIRBUS GROUP BINDING CORPORATE RULES

A guide for in-house lawyers

Binding Corporate Rules Privacy (BCRP) personal Telekom Group rights in the handling of personal data within the Deutsche Telekom Group

European Council Brussels, 2 February 2016 (OR. en)

THE EU-U.S. PRIVACY COLLISION: A TURN TO INSTITUTIONS AND PROCEDURES

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

BCS, The Chartered Institute for IT Consultation Response to:

Context. To cloud or not to cloud, that is a very serious question. Legal challenges in a post Safe Harbour and pre GDPR cloud world

ON MUTUAL COOPERATION AND THE EXCHANGE OF INFORMATION RELATED TO THE OVERSIGHT OF AUDITORS

EBA FINAL draft Regulatory Technical Standards

Suspend the negotiations for a free trade agreement with the USA no agreement at the expense of workers, consumers or the environment

Factsheet on the Right to be

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL

2. Europol's cooperation agreements with third countries and international organisations (Art. 31);

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL. Rebuilding Trust in EU-US Data Flows

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

13772/14 GS/np 1 DG D 2C

CONSUMER PRIVACY AND DATA PROTECTION

Privacy vs Data Protection. PRESENTATION TITLE GOES HERE Eric A. Hibbard, CISSP, CISA Hitachi Data Systems

A Flexible and Comprehensive Approach to a Cloud Compliance Program

Board Charter. May 2014

Tilburg University. U.S. Subpoenas and European data protection legislation Moerel, Lokke; Jansen, Nani; Koëter, Jeroen

Data protection legislation influence on cloud computing from local as well as EU perspective

US Sentencing Commission Compliance Recommendations Page 1 of 5

COUNCIL OF THE EUROPEAN UNION. Brussels, 22 November /06 DATAPROTECT 45 EDPS 3

Into the Cloud: How will the Draft EU Data Protection Regulation affect cloud computing service providers and users?

Consultation Paper. Draft Regulatory Technical Standards on the content of resolution plans and the assessment of resolvability EBA/CP/2014/16

Data Protection, Software Licenses and other Legal Issues in the Cloud

Guidelines. Complaints-Handling by Insurance Undertakings

ARTICLE 29 DATA PROTECTION WORKING PARTY

CLOUD COMPUTING FOR ehealth DATA PROTECTION ISSUES

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL. Proposal for an Interinstitutional Agreement on Better Regulation

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

EUROPEAN COMMISSION Directorate General Internal Market and Services. CAPITAL AND COMPANIES Audit and Credit Rating Agencies

Overview. Data protection in a swirl of change Cloud computing. Software as a service. Infrastructure as a service. Platform as a service

Corporate Policy. Data Protection for Data of Customers & Partners.

LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS

Data Protection Policy.

ARTICLE 29 - DATA PROTECTION WORKING PARTY

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS

Jan Philipp Albrecht Rapporteur, Committee on Civil Liberties, Justice and Home Affairs European Parliament

Data Protection and Cloud Computing: an Overview of the Legal Issues

Article 29 Working Party Issues Opinion on Cloud Computing

Managing General Agents (MGAs) Guideline

PRIVACY & CRIMINAL JUSTICE INFORMATION: A PRIMER

SUBSIDIARY LEGISLATION PREVENTION OF MONEY LAUNDERING AND FUNDING OF TERRORISM REGULATIONS

Client Update A New Ruling by the French Data Protection Authority: Is the Right to Be Forgotten Crossing the Atlantic to the U.S.?

Annex 1: Conceptual Framework of the Estonian-Swiss Cooperation Programme

Interview with Gabriel Bernardino, Chairman of EIOPA, conducted by Fabrizio Aurilia, the Insurance Review (Italy)

Value of the EU Data Protection Reform against the Big Data challenges. Keynote address 5th European Data Protection Days Berlin, 4.5.

COMMISSION DELEGATED REGULATION (EU) /... of

Council of the European Union Brussels, 26 June 2015 (OR. en)

How To Regulate Data Processing In European Union

August 10, Many of these principles will be familiar to U.S. readers, but these are global principles that would be new to many countries.

OECD GUIDELINES FOR PENSION FUND GOVERNANCE

The transfer of personal data to third countries and international organisations by EU institutions and bodies. Position paper

[Brought into force by appointed day notice on 16 th June 2003.]

EXECUTIVE DIRECTOR, SKILLS & EMPLOYMENT JOB & PERSON SPECIFICATION SEPTEMBER 2015

VACANCY NOTICE FOR THE POSTS. 3 Project Managers. to the Bio-Based Industries Joint Undertaking (BBI-JU)

Compliance Management Systems

Data Protection in Clinical Studies Implications of the New EU General Data Protection Regulation

A Pragmatic Guide to Big Data & Meaningful Privacy. kpmg.be

How To Protect Your Data In European Law

Transcription:

The E.U.-US Privacy Collision: A Turn to Institutions and Procedures Paul M. Schwartz UC Berkeley School of Law Berkeley Center for Law & Technology www.paulschwartz.net

Data Protection Directive of 1995

The Data Protection Directive (1995) Goals: (1) Facilitate the free flow of personal data within the EU (2) Ensure an equally high level of protection within all countries in the EU for fundamental rights and freedoms of natural persons, and in particular the right to privacy (3) Protect the privacy of the information of EU citizens worldwide by permitting data transfers only to third countries with adequate protection

The Data Protection Directive (1995) Impact: Shaped the form of numerous laws, inside and outside the EU Contributed to the development of a substantive EU model of protection The US has proven to be an outlier

EU: Omnibus Privacy Laws, US: Sectoral Privacy Laws

Fair Information Practices (FIPs) Both the EU and US legal systems share an approach around FIPs for personal information

Fair Information Practices (FIPs) EU emphasizes: (1) Limits on data collection (2) Data quality principle (3) Notice, access, and correction rights for individual

Fair Information Practices (FIPs) EU exclusive FIPs: (4) A processing of personal data made only pursuant to a legal basis (5) Regulatory oversight through an independent data protection authority (6) Restrictions on data exports to countries that lack sufficient privacy protection (7) Limits on automated decision-making (8) Additional protection for sensitive data

Fair Information Practices (FIPs) US heightened interest in free flow of information due to First Amendment

The Brussels Effect Anu Bradford Preconditions for de factor unilateralism are in place But Brussels negotiates with US. Why? Other competing interests in place: Interest in free flow of information to expand international trade Centrality of global information economy

Harmonization Networks Anne- Marie Slaughter Role of Harmonization networks : states now interact through a variety of de-aggregated channels involving different kinds of contacts, institutions, officials and even NGO s Result is a cross-fertilization of policy models

Bottom line: Directive In absence of adequacy, Member States to prevent any transfer of data... to the third country in question (Directiv e, Article 25)

Negotiated EU-US Solutions Safe Harbor Model Contractual Clauses Binding Corporate Rules

The Safe Harbor

Model Contractual Clauses 2001 Set: Requirement of joint and several liability between the data exporter and data imported. Must provide redress, support, and other help to affected individuals. 2004 Set: Makes each party liable for the damages that it caused. Contains a due diligence clause

Binding Corporate Rules

Binding Corporate Rules

The Proposed Data Protection Regulation (2012)

Proposed Regulation: Heightened Individual Rights Right to be Forgotten Right to Erasure Heightened protection for sensitive data (new protection for genetic data, and criminal convictions or related security measures) philosophical beliefs no longer protected; rather protection is now for religion or other [spiritual] beliefs

Proposed Regulation: Centralization of Regulatory Power Role of the Commission Power under the consistency process Power to adopt implementing acts and delegated acts European Data Protection Board (EDPB) Upgrades status of Article 29 Committee EDPB provides a useful forum for national supervisory authorities to reach consensus about important issues But Commission has last word

Proposed Regulation: Paths to Accommodation Article 45: Call for collaboration in data protection among European officials, national regulators, and non-governmental organizations Consolidates many of the policies negotiated post- Directive Incorporates a number of privacy policy innovations Some with roots outside the EU: e.g. Privacy by Design

Averting the Privacy Collision Ahead Harmonization networks matter Accountability through transparency Checks-and-balances on EU institutions, such as the Commission Subsidiarity: Jean Monnet meets Louis Brandeis

Averting the Privacy Collision Ahead Accountability through transparency FTC and EU contacts? Too much power to Commission in Proposed Regulation Checks and balances Role in consistency process for a new entity: an EU Data Protection Authority located within EU Parliament, and not Commission Subsidiarity A Minimalized Regulation that concentrates on key field definitions, that is basic conceptual categories (e.g. personal information ). More power remaining with Member States

Thank you

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information