6 months without Safe Harbor How to use cloudservices as a European? Thorsten Rendel (Microsoft) Kai Bodensiek

Similar documents
How To Understand The Privacy Shield

technical factsheet 176

Data Protection Policy.

Corporate Policy. Data Protection for Data of Customers & Partners.

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

Cloud computing and the legal framework

Cloud Computing and Privacy Laws! Prof. Dr. Thomas Fetzer, LL.M. Technische Universität Dresden Law School

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

Data Protection, Software Licenses and other Legal Issues in the Cloud

GSK Public policy positions

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq.

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

AIRBUS GROUP BINDING CORPORATE RULES

Important aspects of the new Regulation third country data transfers

This Amendment consists of two parts. This is part 1 of 2 and must be accompanied by and signed with part 2 of 2 (Annex 1) to be valid.

The HR Skinny: Effectively managing international employee data flows

Legal issues in the Cloud

Corporate Guidelines for Subsidiaries (in Third Countries ) *) for the Protection of Personal Data

Privacy & Data Security: The Future of the US-EU Safe Harbor

PRACTICAL LAW DATA PROTECTION MULTI-JURISDICTIONAL GUIDE 2012/13. The law and leading lawyers worldwide

Privacy Policy. February, 2015 Page: 1

AlixPartners, LLP. General Data Protection Statement

Personal information, for purposes of this Policy, includes any information which relates to an identified or an identifiable person.

Article 29 Working Party Issues Opinion on Cloud Computing

Key issues in data protection: a pan-european view

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES

Data Protection. Processing and Transfer of Personal Data in Kvaerner. Binding Corporate Rules Public Document

Privacy and cloud computing

PRINCIPLES OF THE TRANSFER OF PERSONAL DATA TO A THIRD COUNTRY. Introduction

PRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS

Align Technology. Data Protection Binding Corporate Rules Controller Policy Align Technology, Inc. All rights reserved.

Information Technology - Switzerland

Data protection issues on an EU outsourcing

2. A Note about Children. We do not intentionally gather Personal Data from visitors who are under the age of 13.

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data

Citavi End User License Agreement

An overview of UK data protection law

Acquia Comments on EU Recommendations for Data Processing in the Cloud

Johnson Controls Privacy Notice

Data Transfer Policy London Borough of Barnet

Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister

Service Schedule for CLOUD SERVICES

Excellence in igaming (EiG), 22 October Quickfire Update on Dutch regulatory progress

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

Privacy Policy (as of )

Data Processing Agreement for Oracle Cloud Services

Summary of Data Protection Requirements When transferring Data Outside the UK End Users

AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL OF PROTECTION

The transfer of personal data to third countries and international organisations by EU institutions and bodies. Position paper

International E-Discovery E-Discovery vs. German Data Protection

Privacy Policy. This includes data you provide to other users when communicating with them on websites and games operated by TRAVIAN GAMES.

DailyMailz may collect and process the following personal information about you:

THE INTERNATIONAL CHAMBER OF COMMERCE PROPOSES AN ALTERNATIVE FOR LEGITIMIZING INTERNATIONAL TRANSFERS OF PERSONAL DATA FROM THE EUROPEAN UNION

The potential legal consequences of a personal data breach

LIABILITY FOR NON-COMPLIANCE WITH DATA PROTECTION OBLIGATIONS

Microsoft Online Services - Data Processing Agreement

Comments and proposals on the Chapter IV of the General Data Protection Regulation

Office 365 Data Processing Agreement with Model Clauses

The reform of the EU Data Protection framework - Building trust in a digital and global world. 9/10 October 2012

Overview. Data protection in a swirl of change Cloud computing. Software as a service. Infrastructure as a service. Platform as a service

Data Protection and Cloud Computing: an Overview of the Legal Issues

Legal Aspects of Cloud Computing. Dr. Susann Wolfgram & Ulrike Weinbrenner Dr. Alexander Duisberg (Bird&Bird)

Data Protection Standard

Context. To cloud or not to cloud, that is a very serious question. Legal challenges in a post Safe Harbour and pre GDPR cloud world

Data Protection and the Cloud

General Terms and Conditions of Trade for the use of the Bitplaces management platform and the Bitplaces software

Using AWS in the context of Australian Privacy Considerations October 2015

How To Protect Your Data In The Cloud

Data Protection Policy Information for Clients

ARTICLE 29 DATA PROTECTION WORKING PARTY

Cloud Computing and Data Protection Compliance - Experiences from Norway

STATEMENT FROM THE CHAIRMAN

Personal data and cloud computing, the cloud now has a standard. by Luca Bolognini

Application Programming Interface (API) Application (app) - The API app is the connector between epages and the developers service.

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES

Cloud computing and personal data protection. Gwendal LE GRAND Director of technology and innovation CNIL

Federal Act on Data Protection (FADP) Aim, Scope and Definitions

Statement on the general concept of the European Union towards Data Protection by Aktion Freiheit statt Angst e.v.; EU Register ID

ECSA EuroCloud Star Audit Data Privacy Audit Guide

ZIMPERIUM, INC. END USER LICENSE TERMS

Cloud Computing. Patrick Van Eecke. Partner, DLA Piper Brussels Professor Universiteit Antwerpen

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

A list of CIArb subsidiaries relevant to this notice and their activities is set out below.

Guidelines on Data Protection. Draft. Version 3.1. Published by

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

Surveying with CustomerGauge - Legal Considerations:

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

APPROVED BY: DATE: NUMBER: PAGE: 1 of 9

DESTINATION MELBOURNE PRIVACY POLICY

Terms & Conditions of HYPE Softwaretechnik GmbH ( HYPE ) for HYPE Enterprise Express (Version October 2015) 1 Scope

Purpose of the document:

We may collect the following types of information during your visit on our Site:

Privacy Policy documents for

Privacy, the Cloud and Data Breaches

How To Protect Your Data In European Law

Binding Corporate Rules Privacy (BCRP) personal Telekom Group rights in the handling of personal data within the Deutsche Telekom Group

Zubi Advertising Privacy Policy

LATISYS SAFE HARBOR POLICY

Transcription:

6 months without Safe Harbor How to use cloudservices as a European? Thorsten Rendel (Microsoft) Kai Bodensiek

Seite 2 Personal Data Art. 2 Data Protection Directive (95/46/EC) For the purposes of this Directive: (a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); relating information every information regarding a person, including whereabouts, visits of websites, purchase of goods, download of an app identified or identifiable it is sufficient that a person may be identified with a reasonable efforts, unclear: IP addresses Alternativs: anonymize or use of pseudonyms

Seite 3 Statuatory authorisation for data use Consent consent has to be given voluntarily (problem: employees) and has to relate to express data and specific uses (problem: informed consent) Fulfilling contractual obligations if the use of data is reasonably required for fulfilling contractual obligations (e.g. shipping address, purchase history etc.) Legitimate Interest if the data processor has a legitimate interest to use the data but only if the interest of the respective person is not more important (e.g. storing data for system maintenance or security, delivery adress when goods are shipped to a third party). Additional authorisations contained in European or national law

Seite 4 Transfer of Data Every transfer of data requires a legal authorization Alternatives of transfer: Controller -> Processor (contractual data processing) Controller -> Controller ( real transfer including the ownership of the data) Principle: Unless there is a separate legal authorization an informed consent is always required.

Seite 5 Transfer within the EU Transfer Controller -> Processor: Legal without consent only if a data processing agreement has been executed Minimum requirements (under German law): subject of the underlying service agreement, scope, subject and purpose of the data processing, category of data and of the respective data subjects, technical and organizational measures for data security, obligations to correct, delete, return or block data, obligation to report violations, right of final decision, right to audit the processor Examples: hosting provider, payroll accounting, SaaS

Seite 6 Transfer to third countries For so called secure third countries the same rules as within the EU apply; commission decides on adequate data protection level; currently: Andorra, Argentina, Australia, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, Canada, New Zealand, Switzerland, Uruguay Special case until last year: USA with Safe Harbor Else only if: with a valid consent Using standard clauses of the EU-Commission The recipient has implanted binding corporate rules

Seite 7 Valid Consent CONSENT requires that the data subject is aware of the scope and the impact of the consent and has been fully informed about it ( informed consent ). If this is not granted, the consent is void. Companies have to inform the data subject on all ACTUAL uses in advance. The information has to be clear without any lack of clarity (negative example: privacy policies of most US major companies that simply try to allow all possible kinds of use). The data subject has to be informed about the specific risks of the transfer. Requirements on clarity and completeness are very high in regard of such consent.

Seite 8 Standard Clauses EU-Commission has drafted standard clauses that shall secure a sufficient data protection level. The standard clauses have to be used without ANY changes, otherwise the data transfer is considered illegal. The respective data protection authorities are entitled to forbid a transfer, even if the standard clauses are used, if they reasonably expect that the recipient will not adhere to the standard clauses or that the national authorities will not respect EU data protection principles.

Seite 9 Binding corporate rules Recipient has to draft and implement rules for the processing of data including technical and organizational measure for data security. This is usually a rather large compliance handbook. Those rules have to be approved by the data protection authorities of the data exporter. The data exporter is obliged to control compliance. In fact this alternative is due to the approval requirements rather rare.

Seite 10 Situation USA Safe Harbor is according to the judgment of the ECJ void, because US authorities did not grant EU citizens sufficient legal protection and remedy. Furthermore EU data protection principles were not accepted and the Safe Harbor agreement violated the rights of the national data protection authorities because they were not granted any control rights. Companies may not claim Safe Harbor privileges anymore since October 6, 2015 Public authorities are already taking steps against German companies that exported data under Safe Harbor and have not stopped such export

Seite 11 Situation USA Germany until February 2016 The conference of the German data protection authorities decided not to take any steps against companies transferring data using individual consent, standard clauses of the commission or binding corporate rules until end of January 2016 but they will not except such export thereafter based on the following considerations: Consent: in theory possible, but the conference agreed that a sufficient information would require to provide detailed information about the risks of data processing in the USA (including access by public agencies) and that such information is only possible and sufficient in rare cases but anyway not in cases of mass export. Employee s consent is always not voluntarily because the employee has to fear for his job. This includes transfer to affiliated companies. Minors can not grant a valid consent or only in very rare cases.

Seite 12 Situation USA Germany until February 2016 Standard Clauses: Conference decided that standard clauses are no longer a valid alternative, since the USA do not respect EU data protection principles including legal remedy for consumers. The ECJ expressly stated that the local data protections authorities may decide on that questions. Binding Corporate Rules: Currently the conference agreed that they will not allow any further binding corporate rule for Export to USA for the same reasons. Consequence: With some rare exceptions, currently any transfer of personal data to the USA in illegal in Germany. Cloud services for personal information that use servers in the US or allow US employees to access such servers are in violation of German data protection law.

Seite 13 Situation USA March onward PRIVACY S.H.I.E..SHIELD*: US and EU authorities have announced that they reached an agreement on a new cooperation model, that is now called Privacy Shield. Meanwhile first drafts of a general data export agreement and of the Privacy Shield agreement have been published. While Privacy Shield contains significant new rules on the oversight of the data protection rules and for the first time actual reviews have become mandatory, most other parts are very similar to Safe Harbor. No guarantees that are liable in court will be granted in regard to access to personal data by security agencies, only a statement is provided. * SCNR

Seite 14 Situation USA March onward Just last week the Article 29 Working Party (a group consisting of the EU data protection authorities whose rights have been significantly strengthened by the ECJ) has published a harsh statement regarding the lack of clarity of the Privacy Shield provisions. The drafts use a different wording that the EU data protection provisions and do make clear that those EU principles are to applied. The Working Party criticized the lack of provisions in regard of the purpose limitation principles (data may only be used for the purpose it has been collected for) as well as a clear system of legal remedy and venue in the draft. Last but very important is that the Working Group does believe that the statement regarding the massive collection of personal data is sufficient and will not accept such a low level of disclosure by the US authorities.

Seite 15 Breach Unauthorized Use: fine of up to 350.000 Euro; in individual cases higher in order to collect profits Commercial unauthorized use : criminal charge (board members and directly involved employees): prison of up to 2 years or a fine. Cease and Desist from data subjects and consumer protection agencies Negative Publicity

Seite 16 What can we do until there are new rules? Thorsten, what will Microsoft and the other cloud service providers do in the meantime to resolve this issue?

Thank you for listening! Kai Bodensiek Rechtsanwalt -------------------------------------------- Anna-Louisa-Karsch-Str. 2 10178 Berlin Tel.: 030 26 93 950 Fax.: 030 26 93 95 15 Kai.Bodensiek@bvm-law.de www.bvm-law.de

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information