Data Protection in the Financial Services Sector Dealing with - - PowerPoint PPT Presentation

SLIDE 1

BEIJING BRUSSELS CHICAGO DALLAS FRANKFURT GENEVA HONG KONG LONDON LOS ANGELES NEW YORK PALO ALTO SAN FRANCISCO SHANGHAI SINGAPORE SYDNEY TOKYO WASHINGTON, D.C.

Data Protection in the Financial Services Sector – Dealing with Discovery and Regulatory Investigations

William Long 18 November 2010

SLIDE 2

EU Data Protection and Document Discovery

  • Approach to document discovery varies between Member States, particularly in civil law countries
  • November 2006: Article 29 Working Party expressed and adopted its opinion on the SWIFT case - fundamental rights of citizens must be guaranteed
  • French Blocking Statute prohibiting communication to foreign authorities. Aerospatiale/ MAFF-Executive Life
  • Swiss Penal Code restricts gathering of evidence in Switzerland for use in foreign proceedings unless done through judicial assistance

SLIDE 3

EU Data Protection and Document Discovery

  • Rules on privilege also vary between Member States. The Akzo Nobel (2007) case confirmed principles in relation to privilege in the context of EU Commission investigations
  • In February 2009, the Article 29 Data Protection Working Party published Guidelines on pre-trial discovery for cross-border civil litigation (WP 158)
  • Requests for information may also be made through the Hague Convention on taking of evidence abroad in civil and commercial matters – but not all Member States are parties while some have filed reservations for discovery in relation to foreign legal proceedings

SLIDE 4

Article 29 Working Party Paper on Discovery

  • The Article 29 Data Protection Working Party Paper provides guidance to EU data controllers on data protection requirements as applied to discovery in civil litigation
  • Data Retention
  • Legitimacy of Processing
    – Consent
    – Compliance with a Legal Obligation
    – Pursuit of a Legitimate Interest
  • Proportionality
  • Notice to data subjects and rights of access, rectification and erasure
  • Data Security and Controls over External Service Providers
  • Transfers to third countries

SLIDE 5

Article 29 Working Party Paper on Discovery

  • Companies must consider the Guidelines in each phase of data processing for litigation purposes
  • Phase 1: Retention
  • Phase 2: Disclosure
  • Phase 3: Onward transfer
  • Phase 4: Secondary use
  • Personal data should only be kept for the period of time necessary for the purposes for which it is collected
  • Contrast with requirement to retain documents under local law and regulatory requirements or possible future litigation
  • Specific or imminent litigation - EU Commission accept data can be retained until conclusion of proceedings

SLIDE 6

Article 29 Working Party Paper on Discovery

  • Processing of data for litigation purposes - justified when in the legitimate interests of the data controller but provided rights of the individual are not overridden
  • Individuals must be provided with fair processing information unless limited exceptions apply
  • A balancing test must be applied in considering the relevance of the personal data to the litigation and the consequences for the individual
  • Must act in a proportionate and fair way
  • determining if the information is relevant to the case
  • assessing the extent to which personal data is included
  • considering whether the personal data can be produced in a more anonymised or redacted form
  • perform filtering exercise locally

SLIDE 7

Article 29 Working Paper on Discovery: Guidelines for an EU data production

Steps to consider with EU discovery exercises

  • Consider guidelines during each phase: retention, disclosure, onward transfer, and secondary use
  • Provide clear and advance notice
  • Inform data subjects of data protection rights such as rights of access, rectification and erasure
  • Consider grounds for legitimate processing; apply balance of interests test
  • Consider measures to minimise information collection and dissemination, specify security and confidentiality procedures
  • Devise specific security measures and controls over third party service providers

SLIDE 8

Article 29 Working Paper on Discovery: Guidelines for an EU data production

Steps to consider with EU discovery exercises

  • Ensure active oversight role for data protection officers
  • Establish pre-transfer data review and filtering procedures including review of documents in the EU
  • Adopt restrictive data retention policies consistent with applicable law
  • Ensure data transfers are permitted under Article 25 and 26 of the Data Protection Directive and local law requirements
  • Check position with local counsel in each relevant Member State due to local law differences – for example need to make data protection filings with local DPA and consult with workers council

SLIDE 9

Dealing with Cross-border Data Transfers

  • Articles 25 and 26 of the Data Protection Directive prohibit transfer of personal data to countries outside EEA that do not ensure an adequate level of protection
  • Possible means for dealing with data transfers outside the EU include:
    – Consent – but consent must be informed and freely given
    – Model Contracts – EU’s standard clauses for the transfer of personal data between a data exporter and a data importer
    – US Safe Harbor – US company that subscribes to US Safe Harbor Scheme and data protection principles
    – Binding Corporate Rules – EU approved internal data protection rules which are binding on parties
    – Art 26(1)(d) – transfer necessary or legally required on important public interest grounds or for establishment, exercise or defence of legal claims
    – Art 29 Working Party have commented that where the transfer for litigation purposes is a single transfer of all relevant information then Article 26(1)(d) is a possible ground but other options should be considered
    – Hague Convention – compliance with a request under the Hague Convention does provide a formal basis for the transfer of personal data but some EU Member States have not signed the Convention or signed with reservations

SLIDE 10

Comments/Questions

SLIDE 11

Sidley Austin provides services to meet the needs of clients on three continents. Our London Financial Services Regulatory Practice represents a broad range of financial institutions and related businesses. We act for clients with extensive UK, European and international operations, as well as for clients based in the United States or elsewhere and looking to do business in the UK and the EU.

Banking & Financial Services Regulation
John Casanova jcasanova@sidley.com
William Long wlong@sidley.com

Sidley Austin LLP
Woolgate Exchange
25 Basinghall Street
London, EC2V 5HA
United Kingdom
T: +44 (0) 20 7360 3600
F: +44 (0) 20 7626 7937
www.sidley.com


Sidley Austin LLP, a Delaware limited liability partnership which operates at the firm’s offices other than Chicago, London, Hong Kong, Singapore and Sydney, is affiliated with other partnerships, including Sidley Austin LLP, an Illinois limited liability partnership (Chicago); Sidley Austin LLP, a separate Delaware limited liability partnership (London); Sidley Austin LLP, a separate Delaware limited liability partnership (Singapore); Sidley Austin, a New York general partnership (Hong Kong); Sidley Austin, a Delaware general partnership of registered foreign lawyers restricted to practicing foreign law (Sydney); and Sidley Austin Nishikawa Foreign Law Joint Enterprise (Tokyo). The affiliated partnerships are referred to herein collectively as Sidley Austin, Sidley, or the firm. Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Prior results described herein do not guarantee a similar outcome.
