OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES
4 April 2013
James Castro-Edwards, Solicitor
Monica Salgado, Advogada / Portuguese Lawyer
OUR TEAM
Speechly Bircham is an ambitious, full-service law firm with over 250 lawyers, headquartered in London. We work with business and private clients across the UK and internationally and focus on the financial services, private wealth, technology, real estate and construction sectors. We have offices in Luxembourg and Zurich.
Our Data Protection & Information Law team provides a range of expertise on data privacy audit, compliance, risk management, information security and data breaches. We are listed in Chambers 2013 as a leading law firm for Data Protection and have advised on this area of law since 1983.
"Robert Bond and his team have always provided comprehensive, practical advice on a timely basis. Their knowledge of the EU regulatory scene, including experience with specific agencies, as well as privacy issues globally has been instrumental in establishing our privacy policies and procedures."
James Castro-Edwards
James.Castro-Edwards@speechlys.com
+44 (0)20 7427 6781
James is a senior commercial solicitor in the IP, Technology & Data Group with extensive experience in data protection. James' recent work includes ownership of global data protection compliance projects for multinationals, including implementation of Sarbanes-Oxley driven whistleblower hotlines. He frequently works with senior in-house counsel, finding solutions to complex cross-border data issues, and 'has a pan-European perspective on data protection compliance' according to clients.
James has significant experience of the differing requirements of the many European data protection authorities, particularly in relation to data transfers. He has advised clients in relation to subject access requests, acting for both data controllers and data subjects, and enabled database owners to optimise their personal data for marketing purposes while remaining in compliance with the law.
James also advises online and innovative businesses looking to exploit new intellectual property. In doing so he has advised in relation to distribution, supply and licensing agreements, and regularly advises clients in relation to new online business models. James provides practical advice and commercial solutions to data hosting businesses.
James frequently speaks on data protection and has been published in World Data Protection Report, Data Protection Law & Policy, Journal of Database Marketing & Customer Strategy Management, the Marketer and Journal of Intellectual Property Law & Practice. He also contributed to the Fifth Edition of Butterworths' Encyclopaedia of Forms and Precedents, Volume 19(1).
Monica Salgado
Advogada registered with the Ordem dos Advogados; Registered European Lawyer
Monica.Salgado@speechlys.com
+44 (0)20 7427 6554
Monica has experience assisting clients with a wide range of data protection issues, both in Portugal and the UK. Monica has advised on filings with the relevant data protection authorities, processor / controller agreements, trans-border flows of personal data, data protection compliance measures and tools, compliance assessments and training.
Monica has also provided legal advice on how to comply with the e-Privacy rules, notably by conducting cookie audits, drafting cookie policies and implementing cookie consent tools.
Monica has been referred to by clients in Legal 500, 2011 edition, as providing top-notch client service.
WHAT WE WILL COVER
1. Global Data Protection / Privacy Landscape
2. The Data Protection Principles
3. Key Data Protection Principles relevant to Outsourcing
4. Outsourcing: DPA Registration Requirements
5. Outsourcing: Practical Considerations
6. The Data Protection Regulation
Global Data Protection / Privacy Landscape
Legislation landscape
- Data Protection Directive 95/46/EC applies throughout Europe
- Takes effect in European Member States through implementing legislation, e.g. Data Protection Act 1998 (UK)
- EU rules are the longest established and strictest
- Data protection laws are not confined to Europe:
  - Approved (adequate) countries: Canada / Argentina / Switzerland / Israel
  - The US takes a sector-based approach, e.g. COPPA / HIPAA
  - Emerging laws: Singapore, Hong Kong, Malaysia, South Korea, the Philippines
- Many similarities between the laws because of the OECD guidelines (1980)
The Data Protection Principles
European data protection principles:
- Fair and lawful processing
- Specified purposes
- Adequate, relevant, not excessive
- Accurate and up to date
- Not held longer than is necessary
- Processed in accordance with the data subjects' rights
- Appropriate technical and organisational security measures
- Not transferred to a country outside the EEA without adequate protection
Organisations must comply with the principles AND register with the relevant Data Protection Authority (DPA).
These are the EU principles, but a similar approach is adopted outside the EU following the OECD guidelines.
Key Data Protection Principles relevant to Outsourcing
1. Fair and lawful processing: a legitimate ground for processing plus notice to data subjects
2. Security: the outsourcing provider must ensure personal data is protected, but the data controller remains liable for compliance with the law
3. Data transfers: outsourcing arrangements frequently result in transfers of personal data out of the EEA
4. Registration / notification with the DPA: the DPA should be informed of outsourcing arrangements and of transfers of personal data out of the EEA
Key Data Protection Principles relevant to Outsourcing
Fair and lawful processing: the fundamental data protection principle
Requirements:
- Legitimate ground: establish a legitimate ground for the processing (consent / contract performance / legal obligation / vital interests / legitimate interests)
- PLUS fair processing information: provide fair processing information when the data is first processed, i.e. tell individuals who you are and what will be done with their personal data (e.g. a privacy policy)
Relevant each time data is collected, shared or used for a new purpose, e.g. implementation of an outsourced solution.
Key Data Protection Principles relevant to Outsourcing
Appropriate technical, organisational and physical security measures: legal requirements
EU data protection law (Article 17 of the Directive) requires data controllers to implement appropriate technical and organisational measures to protect personal data against:
- Accidental or unlawful destruction or loss;
- Unauthorised alteration, disclosure or access (in particular where the processing involves the transmission of data over a network); and
- All other unlawful forms of processing.
"Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected." (Article 17(1))
"The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures." (Article 17(2))
Key Data Protection Principles relevant to Outsourcing
Appropriate technical, organisational and physical security measures: practical considerations
- Physical: locks on the building; secure physical storage
- Organisational: access to data on a need-to-know basis; appointment of third party processors
- Technical: IT security / encryption; secure destruction of data
- Contractual: binding third party processors to comply
  - The current law imposes its obligations on controllers, not directly on processors
  - The data controller remains liable for breaches of the law
Key Data Protection Principles relevant to Outsourcing
Data transfers
Personal data must not be transferred to a country which does not provide adequate protection unless a recognised transfer solution is in place:
- European Member States all provide adequate protection
- Approved countries (e.g. Argentina, Canada, Switzerland, New Zealand)
- US Safe Harbor
- Binding Corporate Rules
- EU approved Model Clauses
  - Data controller to data controller
  - Data controller to data processor
This applies even between members of the same group of companies.
Non-EU jurisdictions have similar provisions.
Transfers may require notification to the DPA.
Outsourcing: DPA Registration Requirements
Overview
- Most European DPAs require registration / notification of processing operations
  - Specific requirements vary
  - Notification may be filed online
  - The register is usually public
- The use of outsourcers and data transfers should generally be notified; some DPAs must grant prior authorisation
- Generally one registration per individual company
- Exemptions exist
- Some DPAs require a Data Protection Officer instead
- Some DPAs require additional documentation or steps
- More and more DPAs outside Europe are adopting similar positions
Outsourcing: DPA Registration Requirements
More than a tick-the-box exercise
- More than a bureaucratic formality
- Purpose: to assist the DPA in enforcing data protection law
- You must be fully informed to present a registration / notification
- Types of notifications:
  - Prior registration of processing operations
  - Prior checking of processing operations
  - Notification of breaches to the DPA
  - Notification of breaches to the data subjects
  - Other types of notifications / requests for authorisation
Outsourcing: DPA Registration Requirements
Current EU framework: prior registration of processing operations
Obligation set out in the 1995 EU Data Protection Directive:
- "Member States shall provide that the controller or his representative, if any, must notify the supervisory authority (...) before carrying out any wholly or partly automated processing operations or set of processing operations intended to serve a single purpose or several related purposes" (Article 18(1) of the Directive)
Member States have transposed the Directive, adapting how in practice controllers should register processing operations.
Common features:
- The main criterion is the purpose of the processing
- Registration is either prior to, or contemporaneous with, the start of the processing operations
- Registration can be exempted or simplified in specific circumstances
- The main contents of the registration are predefined in the Directive:
  - Details of the controller
  - Description of the processing operation, including its purpose, categories of data and data subjects
  - Recipients
  - Transfers
  - Security measures
Outsourcing: DPA Registration Requirements
Current EU framework: prior checking of processing operations
Obligation set out in the 1995 EU Data Protection Directive:
- "Member States shall determine the processing operations likely to present specific risks to the rights and freedoms of data subjects and shall check that these processing operations are examined prior to the start thereof" (Article 20(1) of the Directive)
Relevant issues:
- More freedom for Member States in transposing this obligation
- Checking is also prior to the beginning of the processing operation
- In some Member States prior checking is also carried out before legislative initiatives with a data protection impact (Article 20(3) allows this)
Usually covers:
- Transfers of personal data to non-adequate countries
- Processing of sensitive personal data
- CCTV or other forms of surveillance
- Combination of data
Outsourcing: DPA Registration Requirements
Main differences between prior registration and prior checking
Prior registration:
- Aims at understanding what will take place and including it in a public register
- The controller may usually begin the processing as soon as the form is presented (there are exceptions)
- Many processing operations have been exempted from prior registration; however, once they include a prior-checking aspect the exemption usually falls away
Prior checking:
- Aims at checking whether the processing operation complies with applicable data protection and privacy laws
- The controller has to wait for the DPA to approve the processing operation before commencing processing
- There are no exemptions from the prior checking obligation, as it covers very specifically defined situations where the rights of individuals are considered to be more at stake
Outsourcing: DPA Registration Requirements
Current EU framework: what have Member States implemented regarding registration and prior checking?
Types of obligation:
- General exemption, except in specific circumstances: Estonia, Italy, Germany
- Not too detailed: a general obligation to register and no general prior checking obligation: UK, Sweden, Slovenia
- Very detailed obligations regarding registration and prior checking: Spain, Portugal, France, Greece
Outsourcing: DPA Registration Requirements
Current EU framework: what have Member States implemented regarding registration and prior checking?
Duration of registration:
- Renewable: UK, Ireland
- Non-renewable: Portugal
Cost of registration:
- No cost: Bulgaria, Cyprus, Czech Republic, Iceland
- Fees payable: Austria, Belgium, Ireland, UK
Sanctions for non-compliance:
- Administrative offences
- Criminal offences
Outsourcing: Practical Considerations
Key issues
1. Privacy Impact Assessment
2. Security measures
3. Due diligence
4. Employee considerations
5. Customer considerations
Outsourcing: Practical Considerations
Privacy Impact Assessments
- What? An assessment of the impact of the proposed processing upon individuals' personal data
- Why? A pre-emptive exercise which seeks to avoid problems arising from new processes
- When? At the earliest stage, when a new system / activity is first proposed. Not an afterthought a few weeks prior to roll-out!
Examples:
- Centralised HR system hosted outside the EU
- Social media marketing providers
- Use of third party software to provide targeted advertising
- Cloud hosted solutions
- Third party hosted CRM system
- Third party fulfilment services provider
Outsourcing: Practical Considerations
Privacy Impact Assessments: questions to ask
- What personal data is being processed?
- Which entities are legally responsible?
- Which parties will determine the purposes and means of the data processing?
- What are the data processing purposes?
- What is the basis for the data transfer to the service provider?
- Is consent or notice required prior to transfer?
- In which jurisdiction(s) does the data reside?
- Is authorisation by the national DPA required for transfers?
- What is the transfer solution (e.g. Model Clauses, Safe Harbor)?
Outsourcing: Practical Considerations
Security measures
- Physical location of IT infrastructure components (e.g. servers)
- Location of system and security administrators
- Client-specific security processes
- Client-specific access controls, per employee
- Data protection security policies and processes in place (against unauthorised access, loss and destruction)
- Employee contracts, non-disclosure agreements and background checks
- External certification covering data protection and/or security
- Data breach incident response plan (roles, responsibilities and escalation paths)
- Business continuity planning / disaster recovery
- Physical security and access
- Measures against third party access to sensitive data
- Network security, firewalls and perimeter defences
- Access-restricted client work locations
Outsourcing: Practical Considerations
Due diligence
Ensure the provider has in place:
- Appropriate security measures
- Adequate policies, procedures and processes
- Data transfer solutions
- Appropriate contractual provisions
- A proper understanding of its legal obligations
Outsourcing: Practical Considerations
Employee considerations
- Fair processing information:
  - Employee announcement
  - Staff handbook
  - Works councils
- Subject access requests: will the outsourcing provider assist?
Outsourcing: Practical Considerations
Customer considerations
- Fair processing information:
  - Website privacy statement
  - Clear, plain English
- Subject access requests:
  - Consider offline alternatives (and disability discrimination legislation)
  - A DPO to deal with issues
The Data Protection Regulation
Controllers, processors and producers
- Redefinition of the obligations of the data controller, joint data controllers and the data processor
- The data processor now has direct liability for compliance, which does not exist in the current regime
- Introduction of the "producer": an entity that creates automated data processing or filing systems for use by data controllers or processors
- Producers must ensure compliance with the principles in the design, set-up and operation of automated processing or filing systems
- The Regulation applies to data controllers and data processors that either have legal entities in the EU or process the personal data of EU data subjects, irrespective of the location of the controller or processor (subject to the household exemption)
The Data Protection Regulation
Privacy Impact Assessments
- What? An assessment of the impact of the proposed processing upon individuals' personal data
- Why? A pre-emptive exercise which seeks to avoid problems arising from new processes
- When? At the earliest stage, when a new system / activity is first proposed
Examples:
- Centralised HR system hosted outside the EU
- Use of social media for marketing purposes
- Use of cookies for targeted advertising
- Cloud hosted solutions
- Adoption of a bring-your-own-device policy
- Remote working policy
- Due diligence in a company sale
The Data Protection Regulation
Data breaches
- There are enhanced requirements for data security and, specifically in Article 31, a mandatory breach notification procedure for all but small enterprises
- The controller must notify the DPA where feasible within 72 hours of the breach (24 hours in the earlier draft); data subjects must then be notified after the DPA has been notified
- A softer position than the leaked draft (mandatory 24 hours)
- No de minimis limit for reports to the DPA
The Data Protection Regulation
Remedies and sanctions
- Data subjects can complain to a Supervisory Authority in any Member State
- Remedies will be available against Supervisory Authorities where they fail to act properly or in a timely manner on complaints
- Data subjects may take action against controllers or processors for breach of the legislation and may seek damages
- Supervisory Authorities will have power to fine controllers or processors for contravention of the Regulation
- Fines for more serious breaches can be up to EUR 1,000,000 or 2% of the annual worldwide turnover of the business, with regular updating of the absolute amounts of fines for a Regulation that is expected to remain in force for some time
FURTHER INFORMATION
For more information on our services, please contact:
James Castro-Edwards, Solicitor
+44 (0)20 7427 6781
James.Castro-Edwards@speechlys.com
Monica Salgado, Advogada registered with the Portuguese Ordem dos Advogados; Registered European Lawyer registered with the SRA
+44 (0)20 7427 6554
Monica.Salgado@speechlys.com