EU Data Protection Compliance Trends - What US Companies Need to Know (PowerPoint presentation)



SLIDE 1

EU Data Protection Compliance Trends
What US Companies Need to Know
30 January 2013

SLIDE 2

Session Contents

  • Why European data protection rules matter, and an introduction to the main privacy rules

  • Transferring data outside of Europe – the Compliance Options
  • Outsourcing
  • A brief UK perspective on privacy compliance
  • A French perspective on privacy compliance
  • A German perspective on privacy compliance
  • Concluding remarks
SLIDE 3

Your Speakers Today

  • Caroline Egan – Birmingham, UK
  • Stephanie Faber – Paris, France
  • Andreas Fillmann – Frankfurt, Germany
  • Ann La France – London, UK

SLIDE 4

INTRODUCTORY OVERVIEW

SLIDE 5

Why Does EU Data Protection Law Matter

  • Why European DP law matters to US companies
  – Applies to European subsidiaries in their domestic processing of personal data (even when the US parent is Safe Harbor certified)
  – Applies when they transfer personal data, or allow access to it, from the US or elsewhere outside the EEA
  • Our focus – transfers of data outside Europe
  • Though based on the EU Directive (95/46/EC), there are differences in implementation between individual countries
  • Applies to all types of personal data – employee, customer, supplier

SLIDE 6

Why Does EU Data Protection Law Matter

  • Downsides of non-compliance?
  – Fines and regulatory sanctions – substantial and increasing (see table on next slide)
  – Reputational damage – "name and shame" policy of regulators
  – Employee data – damaged employee relations
  – Potential conflicts with US law – e.g. Sarbanes-Oxley whistleblowing hotlines versus the French restrictions on whistleblowing schemes

SLIDE 7

Examples of Fines Imposed by EU DPAs

Country/DPA | Date | Company | Fine imposed | Reason
UK (ICO) | Jan 2013 | Sony | 250,000 GBP | Failing to prevent personal data of PlayStation users being hacked
UK (ICO) | Oct 2012 | The Prudential | 50,000 GBP | Mixing up the accounts of two customers
UK (ICO) | May 2012 | NHS Trust | 325,000 GBP | Failure to prevent sensitive personal data being sold on an internet auction site
France (CNIL) | March 2011 | Google | 100,000 EUR | Collection of Wi-Fi and login/email data during its Street View operations
France (CNIL) | July 2011 | Association Lexeek | 10,000 EUR and injunction | Published legal cases online containing the parties' names
Germany (Hamburg DPA) | - | Hamburger Sparkasse | 200,000 EUR | Using neuromarketing techniques without customer consent
Spain (AEPD) | April 2007 | Zeppelin Television | 1,000,000 EUR | Failure to protect personal data of 7,000 applicants for Big Brother
Netherlands (OPTA) | Dec 2011 | DollarRevenue | 1,000,000 EUR | Installing adware/spyware on 22 million computers

SLIDE 8

Why Does EU Data Protection Law Matter

  • Existing law tough; new law tougher?
  • Proposed new European Data Protection Regulation
  – Harmonised, stricter rules
  – A Regulation has direct effect – Member States have no scope to alter it in implementation
  – Much higher penalties – up to 2% of global annual turnover
  – Mandatory data breach notification
  – Requirement to appoint a Data Protection Officer
  – Territorial application – applies even to companies with no European presence if they offer goods or services to individuals in Europe or monitor their behaviour

SLIDE 9

Timescale for Implementation

  • A long way from being finalised
  • Earliest date for finalising the Regulation – 2014
  • Implementation – 2018?
SLIDE 10

Overview of EU Data Protection Rules

  • Key terms (note that none of these terms are used in Safe Harbor)
  – Personal data
  – Data controller
  – Data processor
  – Processing
  – Transfer outside the EEA – including allowing access (remote access by US staff to data held in Europe is itself a transfer)
  – Sensitive personal data
  – EEA – EU plus Norway, Iceland and Liechtenstein

SLIDE 11

Overview of EU Data Protection Rules

  • Data protection compliance principles
  – Must have a justification – consent or another permitted purpose
  – Notice to individuals about the use of their data (privacy policy)
  – Accurate and up to date
  – Sufficient and not excessive for the purpose
  – Destroyed when no longer needed for the purpose
  – Compliance with individuals' rights – e.g. providing information on request (subject access)
  – Kept secure (higher security required for sensitive data)
  – Only transferred outside the EEA if adequate protection is in place
SLIDE 12

TRANSFERS OUTSIDE OF THE EEA

SLIDE 13

Compliance Options When Transferring Data Outside the EEA

  • Approved country (Commission adequacy decision) – e.g. Switzerland, Argentina, Canada (organisations subject to PIPEDA), Israel, Uruguay, New Zealand
  • US Safe Harbor (some sectors excluded)
  • EC-approved Model Clauses
  – Controller to Controller
  – Controller to Processor
  • Binding Corporate Rules – within multinational groups
  • NB: EU law treats group companies as separate third parties – an intra-group transfer to a US parent needs one of the above just as a transfer to an unrelated company does
SLIDE 14

Safe Harbor Advantages/Disadvantages

  • Safe Harbor
  – Geographical limitations – covers only the US importer; issues with onward transfers to third countries
  – Some sectors excluded, e.g. financial services, telecoms (outside FTC/DoT jurisdiction)
  – Check the exact certification (that it is current, and whether it covers HR data, non-HR data or both)
  – Lack of fit for pure processors
  – Long term future? (The Safe Harbor adequacy decision was later invalidated by the CJEU in October 2015.)
SLIDE 15

EU Model Clauses - Advantages/Disadvantages

  • EU standard model clauses
  – Must be used unamended (commercial terms may be added only if they do not contradict the clauses)
  – Jurisdictional issues – governed by the law of the exporting (EU) country
  – Notification to, or prior approval by, the DPA in many countries
  – Service providers becoming more familiar with them
  – Sub-contracting – further complications
SLIDE 16

EU Standard Model Clauses

  • Complexity of contracting – an administrative nightmare!

[Diagram: numbered non-EU operations and EU operations, illustrating the number of separate model clause agreements needed between exporting and importing entities]

SLIDE 17

Binding Corporate Rules - Advantages/Disadvantages

  • Binding corporate rules
  – Only apply within multinational groups
  – Favoured by many regulators
  – Costly and time consuming
  – Involve getting approval of the regulators in all affected countries, coordinated through a lead regulator – up to a year
  – Useful if a lot of data is being transferred/accessed
SLIDE 18

Overview on Compliance Options

  • In theory – straightforward
  • In practice – tricky
  – EU requirements – not business-friendly
  – Getting third parties to agree
  – Additional requirements of local regulators/national laws
  • The UK position
  – Least prescriptive
  – Least red tape
  – But particular sensitivities
SLIDE 19

OUTSOURCING – OVERVIEW OF PRIVACY ISSUES

SLIDE 20

Outsourcing

  • Nature of outsourcing
  – Providing services to other group members
  – External providers
  • Examples
  – Global HR databases
  – Global email hosting
  – Using external marketing companies
  – Cloud computing – data may be transferred to multiple jurisdictions
  • Frequently involves sub-contracting
SLIDE 21

Outsourcing

  • Practical issues
  – You appointing a service provider who will access/use data from Europe
  – You as service provider – to third parties or to a member of your group – either to EU clients or to a US parent and its European affiliates
  • Understanding who is data controller and who is data processor; usually the service provider is the processor
  • Virtually all obligations fall on the data controller
  • Considering privacy issues at the outset
  • Increasing willingness of processors to address customer compliance issues

SLIDE 22

Practical Issues (continued)

  • If personal data comes to you first, before you appoint a processor/sub-processor, two transfers need to be covered:
  – Compliance for the transfer to you
  – Compliance for the transfer to the processor/sub-processor
SLIDE 23

Outsourcing

  • Appointing a Processor
  – Processor Agreement always needed – even if the processor is in the EEA, or the recipient is Safe Harbor certified ("basic processor agreement")
  – Due diligence – up front and ongoing
  • Mandatory terms of the basic processor agreement
  – Only process on the data controller's instructions
  – Take appropriate technical and organisational measures to keep the data secure, proportionate to the amount and sensitivity of the data
  – Security – a major priority of regulators, especially in the UK
  » Encryption in transit and when accessed from mobile devices
  » Possibly always encryption, i.e. at rest as well?
  • Strongly advisable terms
  – Notify data breaches within 24/48 hours
  – Obligation to take remedial measures if there is a breach
  – Audit rights
  • Often involves sub-processing
SLIDE 24

EU Processor Model Clauses 2010

  • Commission Decision 2010/87/EU – not very business friendly
  • Don't apply if the initial processor is inside the EEA
  • Audit requirement compulsory
  • Must identify in the agreement (Appendix 2) the security measures to be taken
  • Appointing sub-processors
  – Significant formalities – the sub-processor must sign a written agreement imposing the same obligations (Clause 11)
  – Requires notification to and prior written consent of the controller
  » Can give generic consent
  » May be okay within groups
  » Risky in an arm's length transaction

SLIDE 25

UK Hot Topics

  • Data security
  – Encryption – expected by the ICO for laptops, removable media and data in transit
  • Data breach reporting
  – Not mandatory under the DPA 1998 (mandatory only for providers of public electronic communications services under PECR)
  – Failure to report, or poor handling, is an aggravating factor in fines
  • Power to fine – up to 500,000 GBP for serious breaches (since April 2010)
  • Data breach – liability for processors
  – Not having an agreement in place
  – Not checking the processor's security measures
  • Inaccurate data
SLIDE 26

A FRENCH PERSPECTIVE ON PRIVACY COMPLIANCE

SLIDE 27

Cloud Computing

  • CNIL's (French DPA) guidance on cloud computing (June 2012):
  – Similar to the opinion of WP29 (Opinion 05/2012 on Cloud Computing)
  – Also contains a list of contractual requirements, failing which the data controller will not be compliant, as well as proposed clauses

SLIDE 28

Data for Litigation Disclosure

  • Cultural difference: no pre-trial discovery in France
  • Guidelines of the CNIL (cooperation through the Hague Evidence Convention, and data minimisation)
  • So-called "French Blocking Statute" (Law 68-678 of 26 July 1968) on "business data"

SLIDE 29

Employment Related Issues

  • Whistle-blowing – specific restrictions
  • Works councils often have to be consulted prior to implementation of processing and/or transfers
  • Employee consent not deemed "freely" given
  • Pre-employment vetting: CNIL guidelines
  • Employee monitoring
  • Other areas of particular concern to the CNIL (social security number, ethnic origin, etc.)

SLIDE 30

Marketing

  • Implementation of the ePrivacy Directive
  – Marketing by email, fax, telephone (automated calls and live calls)
  – Opt-in or opt-out
  – Marketing for similar products and services (the existing-customer exception)
  – Cookies
  – Location data
  • Data subjects' rights:
  – Fair information
  – Right to object and/or prior consent
  • Hot topics
  – Combination of data across services by Google, and the recommendations of WP29 led by the CNIL (French DPA)
  – Recommendations of the Irish DPA to Facebook
  – CNIL currently working on: smartphone apps, facial recognition, ...
SLIDE 31

A GERMAN PERSPECTIVE ON PRIVACY COMPLIANCE

SLIDE 32

Germany – Overview of Compliance Rules

  • Data Protection Officer
  – General duty to register (notify) data processing with the data protection authority
  – Notification is not necessary if the company has appointed its own Data Protection Officer; a DPO is mandatory where more than 9 people are engaged in automated data processing
  – The DPO's duties include ensuring the proper use of data processing programs and familiarising management and employees with data protection rules and regulations
  – Note: the DPO can only be dismissed for cause
  • Employee data
  – Employee data can only be processed if necessary for the administration of the employment relationship
  – Works Council's approval (if one is established) is required for personal data transfer:
  » Before/instead of obtaining the employees' consent
  » When establishing a whistleblower hotline

SLIDE 33

Germany – Overview of Compliance Rules

  • Data Transfer
  – No exemption for data transfer/processing within company groups
  – Within the EU/EEA: neither a permission for the data transfer from a data protection authority nor a notification is required
  » In the case of outsourcing direct marketing activities, a written agreement for the processing of personal data is required which meets 10 conditions (the ten points listed in section 11 BDSG)
  » Companies using online marketing tools by outsourcing data collection and processing services in Germany should enter into an agreement with the service provider as data controller, and should collect data on their own website, so as to be protected in case of insolvency of the service provider (recent high court decision)
  – To third countries: admissible if an adequate level of data protection is guaranteed, for example:
  » Approved country
  » EU Model Clauses (the data protection authority may request inspection of the Model Clause agreement)
  » BCR
  » With permission of the data protection authority

SLIDE 34

Germany – Overview of Compliance Rules

  – Safe Harbor
  » Düsseldorfer Kreis (the informal association of the German data protection authorities for the private sector), April 2010:
  » A German data exporter needs to examine the data importer's self-certification under the Safe Harbor Agreement
  » Accordingly, the German data exporter has to obtain evidence showing how the US company fulfils its duty to provide information to the data subject, and has to be able to prove this check on request of the DP authorities
  » A US company should declare that it is giving the required information to the data subjects

SLIDE 35

Germany – Overview of Compliance Rules

  • Data Breach
  – According to the German Federal Data Protection Act (section 42a BDSG) a breach notification duty applies if:
  » Sensitive personal data, personal data subject to professional secrecy, personal data related to criminal/administrative offences, personal data relating to bank or credit card accounts, or certain telecommunications and online data are unlawfully disclosed or lost and an unauthorised party acquires knowledge of them;
  » In the case of telecommunications and online data there is a threat of interference with the interests of the individuals concerned; and
  » There is a threat of significant harm to the individuals
  – The DPO has to notify the data protection authority and the individuals without delay:
  » Must include a description of the type of unlawful disclosure and recommended measures to limit the possible consequences
  » Information to the individuals directly or, where individual notice would involve disproportionate effort, publicly via advertisements in at least two national newspapers
  » Information to individuals has to take account of various further issues (e.g. pending criminal investigations)
  • Internet use/Cookies
  – Cookies should be used for statistical purposes only and not for transmitting user data
  – Website privacy rules should address the use of cookies and the opportunity to object
SLIDE 36

CONCLUDING REMARKS

SLIDE 37

For questions regarding CLE credit, please contact:

Robin Hallagan robin.hallagan@squiresanders.com

SLIDE 38

QUESTIONS

SLIDE 39

Contact Us

  • Caroline Egan – caroline.egan@squiresanders.com – T: +44 (0)121 222 3386
  • Stephanie Faber – stephanie.faber@squiresanders.com – T: +33 1 5383 7583
  • Andreas Fillmann – andreas.fillmann@squiresanders.com – T: +49 69 1739 2423
  • Ann La France – ann.lafrance@squiresanders.com – T: +44 (0)20 7655 1752

SLIDE 40

Worldwide Locations

North America
  • Cincinnati
  • Cleveland
  • Columbus
  • Houston
  • Los Angeles
  • Miami
  • New York
  • Northern Virginia
  • Palo Alto
  • Phoenix
  • San Francisco
  • Tampa
  • Washington DC
  • West Palm Beach

Latin America
  • Bogotá+
  • Buenos Aires+
  • Caracas+
  • La Paz+
  • Lima+
  • Panamá+
  • Santiago+
  • Santo Domingo

Europe & Middle East
  • Beirut+
  • Berlin
  • Birmingham
  • Bratislava
  • Brussels
  • Bucharest+
  • Budapest
  • Frankfurt
  • Kyiv
  • Leeds
  • London
  • Madrid
  • Manchester
  • Moscow
  • Paris
  • Prague
  • Riyadh
  • Warsaw

Asia Pacific
  • Beijing
  • Hong Kong
  • Perth
  • Seoul
  • Shanghai
  • Singapore
  • Sydney
  • Tokyo

+ Independent Network Firm