EU-US Privacy Shield Update

Similar documents
Health information privacy and security. Norton Rose Fulbright US LLP October 6, 2015

Privacy & Data Security: The Future of the US-EU Safe Harbor

Work programme

InsureTech 2015: Addressing cybersecurity and fraud in the ME insurance industry

MiFID II Academy: Product Governance. Floortje Nagelkerke 12 April 2016

AlixPartners, LLP. General Data Protection Statement

Italian insurance regulatory updates

CLOUD COMPUTING Contractual and data protection aspects

EU- US NGO Letter on 1 To Secretary Pritzker

OVERVIEW. stakeholder engagement mechanisms and WP29 consultation mechanisms respectively.

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq.

MiFID II/MiFIR series

Asset management. Strategic use of technology and outsourcing to address cost pressures and enhance market position

Big Data and the Internet of Things

The Art of Constructing Global Whistleblowing Programmes

Cybersecurity and Privacy 2015: Presentation to Institute of International Bankers

Privacy Policy. February, 2015 Page: 1

The U.S.-EU Safe Harbor Guide to Self-Certification

Acquia Comments on EU Recommendations for Data Processing in the Cloud

Pensions. Duties of employers, trustees and administrators to members: recent Pensions Ombudsman determinations. Briefing. Summary

Vendor Management Challenge Doing More with Less

Litigation trends. Survey report

CCBE RESPONSE REGARDING THE EUROPEAN COMMISSION PUBLIC CONSULTATION ON CLOUD COMPUTING

Antitrust-approval risks:

Accountability: Data Governance for the Evolving Digital Marketplace 1

Inhouse Masterclass: Data Developments - Cyber Security & the Right to be Forgotten. MHC.ie

PRIVACY MANAGEMENT ACTIVITIES

M&A in 2015: Successor Liability Under the FCPA. Norton Rose Fulbright US LLP Thursday, February 26, 2015

Compliance issues for pharmaceutical companies in Germany

Safe Harbour Agreement no longer a valid basis for EEA to US transfers of personal data

MiFID II/MiFIR series

FIRST DATA CORPORATION PROCESSOR DATA PROTECTION STANDARDS

The Legal Pitfalls of Failing to Develop Secure Cloud Services

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

Important aspects of the new Regulation third country data transfers

Privacy Risk Assessments

Doing Business. A Practical Guide. casselsbrock.com. Canada. Dispute Resolution. Foreign Investment. Aboriginal. Securities and Corporate Finance

Data Protection and Cloud Computing: an Overview of the Legal Issues

Big Data: Navigating the Recent and Pending Releases of CMS Data Sets

OSRAM BCR Binding Corporate Rules ( BCR ) for OSRAM Group Companies and Adopting Companies for the protection of personal data

PRIVACY CHECKLIST FOR CLOUD SERVICE CONTRACTS

Privacy Statement. What Personal Information We Collect. Australia

Working and ordinarily working in the UK

South East Asia: Data Protection Update

Copyright 2014 Nymity Inc. All Rights Reserved.

ARTICLE 29 DATA PROTECTION WORKING PARTY

COMMISSION IMPLEMENTING DECISION. of XXX

Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005

Processor Binding Corporate Rules (BCRs), for intra-group transfers of personal data to non EEA countries

Global Privacy and Data Security in the Cloud September 14, 2011 Miriam Wugmeister

TERMS OF REFERENCE OF THE AUDIT COMMITTEE UNDER THE BOARD OF DIRECTORS OF CHINA PETROLEUM & CHEMICAL CORPORATION

Lots of clouds: a stormy weather for information privacy?

THE INTERNATIONAL CHAMBER OF COMMERCE PROPOSES AN ALTERNATIVE FOR LEGITIMIZING INTERNATIONAL TRANSFERS OF PERSONAL DATA FROM THE EUROPEAN UNION

EU Regulatory Trends in Data Protection & Cybersecurity What should be on the industry s agenda?

Feasibility. A guide to feasibility planning for junior mining companies

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

Representing Yourself In Employment Arbitration: An Employee s Guide

FACEBOOK STATEMENT RICHARD ALLAN NOVEMBER 11, My name is Richard Allan, and I am the Director of Public Policy

Competition litigation

WHITE PAPER Meeting European Data Protection and Security Requirements with CipherCloud Solutions

ARTICLE 29 DATA PROTECTION WORKING PARTY

CPA Global North America LLC SAFE HARBOR PRIVACY POLICY. Introduction

Best Practices for Engaging With Intermediaries. Introduction

Checklist: Cloud Computing Agreement

The United States Federal Trade Commission ("FTC") and the Office of the Data Protection Commissioner of Ireland (collectively, "the Participants"),

MiFID II / MiFIR seminar Planning your MiFID II / MiFIR Project. Hannah Meakin, Partner Norton Rose Fulbright LLP 15 October 2014

Article 29 Working Party Issues Opinion on Cloud Computing

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS

Intellectual Property & Data Protection 2015: Legal developments you need to know about

InfoNet MiFID II/R Seminar Series

DETAILED TABLE OF CONTENTS

Cybersecurity in the Health Care Sector: HIPAA Responsibilities from a Legal and Compliance Perspective

HIPAA Privacy Rule Policies

Binding Corporate Rules ( BCR ) Summary of Third Party Rights

RPM INTERNATIONAL INC. AND ITS SUBSIDIARIES AND OPERATING COMPANIES SAFE HARBOR PRIVACY NOTICE. EFFECTIVE AS OF: August 12, 2015

U. S. EU SAFE HARBOR FRAMEWORK GUIDE TO SELF-CERTIFICATION MARCH 2009

Data Processing Agreement for Oracle Cloud Services

Cybersecurity and Data Breach: Mitigating Risk and How Government Policymakers Approach These Critical Issues

The HR Skinny: Effectively managing international employee data flows

Tax considerations for US companies offering international equity incentive programmes

Audit and Risk Committee Charter. 1. Membership of the Committee. 2. Administrative matters

IAPP Privacy Certification

DEFINITIVE ADVICE PRACTICAL GUIDANCE POWERFUL ADVOCACY LLP

China new healthcare reform 2020

A Privacy and Data Security Checklist for All

I. Introduction to Privacy: Common Principles and Approaches

AIRBUS GROUP BINDING CORPORATE RULES

This Applicant Privacy Notice Continental Europe is dated: July 2012 WILLIS.COM: PRIVACY NOTICE

the paris office Elizabeth Naud and Luc Poux, architects

KINGDOM OF SAUDI ARABIA. Capital Market Authority CREDIT RATING AGENCIES REGULATIONS

NORTON ROSE FULBRIGHT FORUM TM Web Seminar. A Monthly

RECOGNIZING that the Participants each have functions and duties with respect to the protection of personal information in their respective countries;

Trust in the Cloud Legal and Regulatory Framework

Ship finance leasing in China

Information Technology: This Year s Hot Issue - Cloud Computing

APPLICANT INFORMATION (please print or type)

PIPEDA and Online Backup White Paper

Customer Responsiveness Strategy

Briefly summarised, SURFmarket has submitted the following questions to the Dutch DPA:

Asset management. Briefing. Establishing an asset management presence in Hong Kong and Singapore. Introduction. Hong Kong

Transcription:

EU-US Privacy Shield Update July 15, 2016 Boris Segalis, Partner, New York Jay Modrall, Partner, Brussels

Data Protection, Privacy & Cybersecurity Practice Global Reach US, Europe, Canada, SE Asia, China, Latin America, Australia, Middle East, Africa, Russia Across Industries Energy, Utility, Pharma, Consumer Products, Financial, Technology, New Media dataprotectionreport.com 2

Agenda Privacy Shield Timeline Privacy Shield Requirements Certification Path Certification Decision Privacy Shield vs. Model Clauses Legal Challenges to Privacy Shield 3

Privacy Shield Timeline 4

Privacy Shield Timeline EU: Privacy Shield adopted and entered into force on July 12, 2016 by EU Commission. Privacy Shield framework will be published in the Federal Register. DOC certification available August 1, 2016. WP29 will meet on July 25, 2016, to finalize its position on the Privacy Shield, but WP view is not binding, but may set out roadmap for future challenges Compliance Grace Period 5

Privacy Shield Requirements 6

Privacy Shield Requirements DOC, FTC, DPAs commit to robust, proactive oversight, limiting path to check the box certification, may signal new era of scrutiny of certified companies Compliance may be limited for national security, public interest or law enforcement requirements, conflicting legal requirements or explicit limited/tailored authorizations, member state law exceptions or derogations De-listed companies must address cross-border compliance or can t hold on to the data Companies should think about Privacy Shield as PbD element 7

Privacy Shield Principles Principles Notice Choice Accountability for Onward Transfer Security Data Integrity and Purpose Limitation Access Recourse, Enforcement & Liability + FAQs 8

Privacy Shield Requirements - Regulators FTC and DOT enforce the public commitment to comply with Privacy Shield Principles DOC robust oversight, scrutiny mean more emphasis on quality of certification Verify certification submissions all requirements/checklist Maintain SH list current + list of companies no longer certified Inform de-listed companies they can t retain data, follow up by questionnaire Actively review privacy policies of de-listed companies to identify relevant misrepresentations, false claims After warning, refer non-compliance to FTC/DOC Promptly review and assess complaints Actively enforce program, including by direct, substantive inquiries in the event of complaint, failure to respond to DOC inquiries, or other evidence of non-compliance with Privacy Shield Better website, including Privacy Shield guide for EU audience Increased DPA collaboration, including by establishing a dedicated contact Facilitate resolution of complaints, 90 day deadline to respond to DPA Establish arbitration procedures (Annex 2) and fund financed by certified businesses Annual interagency compliance meetings 9

Privacy Shield Requirements - Regulators DPAs will create a panel for resolving complaints, to ensure harmonized approach to enforcement Independent recourse mechanisms must provide Privacy Shield-related information on claim resolution & publish annual report on aggregate stats 10

Privacy Shield Requirements - Regulators FTC Commits to making Section 5 review of referrals from arbitrators, DOC or DPAs a priority Standardizes referral process Will take action against false claims of participation Participates in periodic meetings and annual reviews DOT commits to enforcement State establishes an Ombudsperson position for EU authorities to submit requests on behalf of EU individuals regarding US intelligence practices Commitment to facilitate, communicate, but remedies are within confines of existing legal processes 11

Path to Certification 12

Path to Certification Assess the company s data processing practices Where and what data the company collects (+ notices, choices) For what purposes the information is collected and used (identify and determine compatibility ) How the data is disclosed (service providers + others) How the data is safeguarded How long the data is retained Assess data security practices Identify and review vendor agreements Benchmark all privacy and security practices against Privacy Shield principles, and address gaps Verify/implement notices, choices, safeguards, onward transfer, access and integrity mechanisms, recourse mechanism. Keep in mind Privacy Shield does not excuse EU non-compliance Document the due diligence and gap remediation process Certify compliance to DOC Review periodically and recertify Train relevant employees, put policies and procedures in place (e.g., to catch new business activities that are in scope, to ensure in-scope vendors are subject to onward transfer requirements) 13

Privacy Shield Certification Decision Factors 14

Privacy Shield Certification Decision Current state of cross-border compliance did the company invest in model clauses? Past Safe Harbor certification and state of data protection due diligence Business requirements and buy-in (B2B vs. B2C; leverage) Privacy Shield v. Model Clauses Prior approvals + registrations Substantive requirements (liability flow downs, audit rights, governing law, registration, disclosure of processing agreements, de-identification) Business risk from inability to flow down requirements Arms-length vs. intracompany transfers Certainty legal challenges in Europe 15

Data transfer suspension under Shield, MCs & BCRs Privacy Shield Under the Privacy Shield decision, DPAs must allow transfers unless and until European Court of Justice invalidates it However, WP 29 essential guarantees concerns could lead to suspensions under EU MCs and BCRs before Shield challenge is heard Same essential guarantees concerns could apply to transfers to other non-eea countries with inadequate surveillance protections under EU MCs or BCRs EU Model Clauses Commission Decision approving EU MCs allows DPAs to suspend transfers under them if it is established that surveillance does not meet EU standards in non-eea importing country Binding Corporate Rules Binding Corporate Rules are based on approvals from DPAs, not on a Commission Decision, and DPAs can withdraw approval unilaterally 16

Challenges to Privacy Shield -- Process The Privacy Shield does not address all concerns raised by the WP29 in April 2016; WP29 is likely to reiterate at least some concerns on July 25, 2016 WP29 opinion may set out roadmap for future challenges The Irish DPC is asking the Irish High Court to review the Privacy Shield in connection with Schrems II Unlikely to succeed (Facebook has not adopted Privacy Shield) Irish court approach to Schrems II and any ECJ preliminary reference may nonetheless be relevant to future challenges Challenges can be expected to be raised in new cases in Ireland or elsewhere In theory, Member States could challenge the decision directly to the ECJ (four Member States are believed to have abstained) 17

Path forward Privacy Shield, Model Clauses, BCRs 18

Speaker Boris Segalis Partner, New York Boris Segalis is a US co-chair of Norton Rose Fulbright's Data Protection, Privacy and Cybersecurity practice group. Boris counsels clients regarding a broad range of privacy, information security, cybersecurity and information management issues. The practice addresses all aspects of information management lifecycle, including its collection, use, storage, disclosure and destruction, as well as the protection of the information and the infrastructure supporting the data. Boris advises clients on information law issues that arise in the context of databased products and services, big data programs, smart grid operations, marketing and advertising, corporate transactions (including M&A and bankruptcy), state and federal investigations and regulatory actions, cross-border data transfer, vendor management, cloud computing, technology transactions, incident and breach response and pre-response planning. Boris represents clients in a variety of industries, ranging from start-ups to Fortune 100 companies. His clients include companies in the consumer products and services areas, online retailers and media companies, pharmaceutical companies, utilities, travel-related businesses, B2B technology providers, payment processing businesses, and non-profit organizations. Boris is a member of Crain s Business 40 under 40 class of 2015. He has been recognized by Chambers as an up and coming attorney in Privacy & Data Security. Boris is a Certified Information Privacy Professional (CIPP/US) through the IAPP, and serves on the IAPP s Research Board. 19

Speaker Jay Modrall Partner, Brussels Jay Modrall is a partner in Norton Rose Fulbright's Antitrust and Competition practice group based in the Brussels office. Jay counsels clients regarding a broad range of EU law issues, including not only antitrust and competition law issues but also EU aspects of privacy and data protection law. Jay s data protection work has included advising a wide range of clients on European data protection requirements, from the origins in the Council of Europe Convention in the 1980s to the fallout of the Court of Justice s Schrems decision today. As one of the few Brussels-based EU lawyers with extensive experience in the financial services sector, Mr. Modrall played a key role in the drafting and early implementation of many of the key EU directives and regulations including AIFMD, Banking Union, CRD IV/CRR, Credit Agency Regulation, EMIR and MiFID, gaining extensive hands-on experience with the EU legislative process. Mr. Modrall has written extensively and is a frequent speaker at conferences on a wide range of EU financial services regulatory and Eurozone topics A U.S.-qualified lawyer by background, Jay is a member of the Bar in New York, Washington, D.C. and Brussels, Belgium. He joined Norton Rose Fulbright LLP in September 2013 as partner, having been a resident partner in a major US law firm since 1995. Jay s native language is English. He is fluent in Italian, having lived and worked for several years in Italy, and proficient in Dutch and French 20

Disclaimer Norton Rose Fulbright US LLP, Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP and Norton Rose Fulbright South Africa Inc are separate legal entities and all of them are members of Norton Rose Fulbright Verein, a Swiss verein. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to clients. References to Norton Rose Fulbright, the law firm and legal practice are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together Norton Rose Fulbright entity/entities ). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is described as a partner ) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity. The purpose of this communication is to provide general information of a legal nature. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual contact at Norton Rose Fulbright. 22

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information