the eu is coming to get you
play

The EU is coming to get you New risks for US businesses targeting - PowerPoint PPT Presentation

Oct 15, 2023 •149 likes •321 views

The EU is coming to get you New risks for US businesses targeting Europe and exploding some EU data privacy myths Stephen Groom BAA Chicago 7 November 2014 osborneclarke.com What is this deck about? Exploding four myths around US

  1. The EU is coming to get you New risks for US businesses targeting Europe and exploding some EU data privacy myths Stephen Groom BAA Chicago 7 November 2014

  2. osborneclarke.com What is this deck about? • Exploding four myths around US marketers' current exposure to EU data privacy law • Recent EU cases giving rise to new potential risks • Attacks on "safe harbor" on three fronts • More risks for US businesses around the corner 1

  3. osborneclarke.com Exploding some myths #1 • If our US head office is using a UK data processor to process personal data but this only relates to our US customers, EU data protection law cannot apply • Wrong • Data Protection Directive 95/46/EC ("DPD") is engaged if • the data controller is not established in the EU, but uses equipment in the EU to process personal data other than for transit purposes… • so there is no requirement that the personal data relates only to EU residents 2

  4. osborneclarke.com Exploding some myths #2 • Our US website hosted on a US server runs online promotions which UK residents can enter • So to avoid breaking EU laws on transferring personal data from the EU to the US we should sign up to safe harbor and include notice and consent provisions in the site privacy policy • Wrong • Under the UK Data Protection Act 1998 ("DPA"), no "transfer" of personal data is occurring here such as to engage EU personal data export controls 3

  5. osborneclarke.com Exploding some myths #3 • Our UK subsidiary is running a sweepstakes on its website on a UK server targeting residents of France, Germany and the UK, then transferring the entrant data to us at head office in NYC where we will select the winner • As we are all in the same group, the UK co doesn’t need to worry about complying with DPD personal data transfer rules • Wrong • Transfers of personal data between different legal persons, even if in the same group, will engage DPD data transfer rules 4

  6. osborneclarke.com Exploding some myths # 4 • In light of the answer in myth #3, to legitimise the transfer of personal data from the UK to the US, we should include consent wording in the UK site privacy policy and ensure the US co is certified under safe harbor • Wrong • Safe harbor and consent are alternative ways of compliantly exporting personal data from UK/EU to the US • Consent must be unambiguous, freely given, specific and informed, so consent unlikely to be achievable…. • so use either safe harbor or a data transfer agreement using EC-approved model terms 5

  7. osborneclarke.com ECJ: C-131/12 Google/ Gonzalez, 13 May 2014 ("Google Spain") The facts… • in 1998 a Spanish newspaper published the name of a Spanish national as part of a story about the auction of a property to cover social security debts. • When the individual's name was entered into Google Search in 2010, two links to the story appeared as search results. • The individual lodged a complaint against Google, in which he requested the removal or redaction of his personal data from these links. Eventually, the case was referred to the ECJ.

  8. osborneclarke.com Google Spain-what Google Inc said • Search engine activity is not "processing" of personal data because searches process all information on the internet without differentiation between what is and what is not "personal data" • A search engine is not a "data controller " because it has no knowledge of the data processing and has no control over it • Google Search is operated and managed by Google Inc in the US and claimants have not established that Google Spain carries out in Spain any activity directly linked to the alleged data processing.

  9. osborneclarke.com ECJ: C-131/12 Google/ Gonzalez, 13 May 2014 Important findings (1) • A search engine operator processes personal data within the meaning of Art. 2 lit. b of the DPD by – systematically searching the internet for (personal) information – organising the data within the framework of its indexing programmes, – storing it on its servers and – making it available to its users in the form of lists of search results • search engine operators are data controllers, because they facilitate user's access to information, enabling them to establish a detailed profile on a data subject.

  10. osborneclarke.com ECJ: C-131/12 Google/ Gonzalez, 13 May 2014 Important findings (2) • Even if personal data is not processed within the EU, the DPD may still apply if the processing is deemed to have been processed "in the context of the activities" of an EU-based establishment of the controller • It is sufficient in this respect, if the activities of the search engine operator and its EU subsidiary are "inextricably linked". • The advertising and promotion activities of the subsidiary allow the search engine to operate and, vice versa, the existence of the search engine allows the advertising and promotion activities to be carried out. • Therefore the processing of Gonzalez' personal data carried out by Google Inc was carried out "in the context" of the activities of Google Spain and… • as data controller Google Inc was obliged to comply with the DPD

  11. osborneclarke.com ECJ: C-131/12 Google/ Gonzalez, 13 May 2014 key takeaways aside from RTBF • For the DPD to be engaged it is not necessary for processing of personal data to occur within the EU • The processing just has to occur "in the context" of activities of a business of the controller established in the EU • The ECJ judgment has opened the door to a much more liberal interpretation of "in the context" • The key question is whether on the facts there is an "inextricable link" between the US and EU entities such that their relevant businesses are mutually supportive. • Application to other service providers (e.g. social networks, data broker, online advertising networks)?

  12. osborneclarke.com Vidal-Hall & others v Google Inc. UK High Court Ref: [2014]EWHC 13 (QB) The facts … • Three English iPad users sued Google Inc in England for breach of the DPA and misuse of private information arising from Google's circumvention of Apple's "do not track" settings • In the US numerous disputes arose from this circumvention and in 2012 Google paid a record USD 22.5m to the FTC and in 2013 USD 17m to AGs in 37 states • The UK claimants argued that Google's tracking of their online activity without consent and use of it to serve online ads was a misuse of their personal data which also breached the DPA and caused damage • In the form of distress and anxiety resulting from other people using the device seeing ads based on the claimants' online activity 11

  13. osborneclarke.com Google's appeal against leave to serve English proceedings on them in US How the court decided on Google's points Google's submission Tugendhat J's finding 1. Claim not in tort so rules say there 1. "Misuse of private information" is a can be no service in US tort 2. Claim not for pecuniary damage 2. Alleged damage is distress and sustained in England anxiety occurring in England and suffices for these purposes 3. Cookie-derived information from online activity is not "private 3. Google's submission "surprising"- information" or "personal data" claimant's position clearly arguable 4. All documents and evidence 4. Evidence largely electronic so use relevant to Google's conduct and in England will not be problematic tracking were in California, so and real focus likely to be on England not the most appropriate damage suffered in England and forum complex English law issues, so England the best forum 12

  14. osborneclarke.com The High Court's decision Key takeaways • The judgment may be appealed, but opens up new grounds on which US businesses may be exposed to privacy-based litigation by UK/EU residents • even if the US entity has no nexus with an EU business and might think following Google Spain that it is therefore not exposed as there is no "processing in the context of the activities of an establishment of the controller" in the EU • The judgment also opens up a new potential EU "do not track" battlefront for US businesses involved in OBA if behavioural data is regarded as "personal data" and the "distress and anxiety caused by third parties viewing behavioural ads" line of attack is sustainable. 13

  15. osborneclarke.com Safe harbor under fire on three fronts 1. November 2013 In response to the "Snowden/NSA" revelations, the European Commission published 13 recommendations for improving safe harbor 2. June 2014 Irish High Court case [2014] IEHC 310 Maximilian Schrems vs Irish Data Protection Commissioner [and Facebook] Hogan J refers to the ECJ the question of whether the safe harbor regime introduced in 2000 should be re-evaluated in light of the 2009 EU Charter of Fundamental Rights (Article 8 on Protection of personal data) 3. August 2014 Center for Digital Democracy files complaint with the FTC and calls for 30 safe harbor-certified companies to be investigated 14

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

T OPI C T HE COMING OF DE MOCRACY T O SOUT H AF RICA AND COMING T O T E RMS WIT H T

T OPI C T HE COMING OF DE MOCRACY T O SOUT H AF RICA AND COMING T O T E RMS WIT H T

T OPI C T HE COMING OF DE MOCRACY T O SOUT H AF RICA AND COMING T O T E RMS WIT H T HE PAST These slides give all the illustrations from Topic 5 of the Gr 12 History book, and they Ho w did So uth Afric a give them in colour

1.03k views • 60 slides
The he Coming Coming L Lamb mb : Johns Apocalyptic Introduction of Christ and its

The he Coming Coming L Lamb mb : Johns Apocalyptic Introduction of Christ and its

The he Coming Coming L Lamb mb : Johns Apocalyptic Introduction of Christ and its Eschatological Implications Jeffrey R. Dickson PhD What if John used a word 29 times in Revelation for Christ? What if this proved to be more than double

501 views • 17 slides
Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner?

Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner?

Guess Whos Coming to Dinner? Luke 7:36-50 (Psalm 23) Guess Whos Coming to Dinner? HOSPITALITY Jesus the Lover and Host Passover The Lords Supper (Eucharist) The Marriage Feast of the Lamb Jesus the Stranger and Guest

274 views • 10 slides
Senior Parent Meeting Friday, March 8, 2019 8:30 Whats coming up? Senior Packet - coming out

Senior Parent Meeting Friday, March 8, 2019 8:30 Whats coming up? Senior Packet - coming out

McLean High School Senior Parent Meeting Friday, March 8, 2019 8:30 Whats coming up? Senior Packet - coming out in mid March Highlander Internship Program (HIP) Senior Dues/Obligations End of Year Events Graduation! What is HIP?

461 views • 13 slides
Certification is Coming! What you need to know about ALTA Best Practices Implementation and

Certification is Coming! What you need to know about ALTA Best Practices Implementation and

Certification is Coming! What you need to know about ALTA Best Practices Implementation and Certification By Eugene McCullough Mike Shamblin Matthew Rekers Certification is Coming! Prepared for PYAs External Webinar What you need

280 views • 8 slides
About this class Point Estimators The next two lectures are really coming from Lets say we

About this class Point Estimators The next two lectures are really coming from Lets say we

About this class Point Estimators The next two lectures are really coming from Lets say we have a stream of values all coming a statistics perspective, but were going to dis- from the same population (no changing with cover how useful it

316 views • 10 slides
Coming Soon to a Political Theater Near You Death By a 1,000 Cuts (When Ethics, Elections, and

Coming Soon to a Political Theater Near You Death By a 1,000 Cuts (When Ethics, Elections, and

Coming Soon to a Political Theater Near You Death By a 1,000 Cuts (When Ethics, Elections, and Other Complaints Just Keep Coming) Florida Association of County Attorneys 2016 Continuing Legal Education Program Al Hadeed, County Attorney

720 views • 22 slides
Welcome Thank you for coming. Introduce yourself and tell us why you are here. What you

Welcome Thank you for coming. Introduce yourself and tell us why you are here. What you

I NTERNATIONAL C HILD P ASSENGER S AFETY A WARENESS C LASS April 2020 1 Welcome Thank you for coming. Introduce yourself and tell us why you are here. What you learn today will prepare you to: Explain how car seats and seat belts

1.07k views • 68 slides
Georgia DOT: Heres Whats Coming (Ill get to Moses & Elnora) A presentation to:

Georgia DOT: Heres Whats Coming (Ill get to Moses & Elnora) A presentation to:

Georgia DOT: Heres Whats Coming (Ill get to Moses & Elnora) A presentation to: ITS/Georgia At its annual meeting September 29, 2015 Jekyll Island, GA Whats Coming With . . . OTO Support Contracts OTO Program Management

328 views • 9 slides
GSAS-II: WHAT DOES IT DO? WHAT IS NEW? WHAT IS COMING AND WHAT IS NOT.

GSAS-II: WHAT DOES IT DO? WHAT IS NEW? WHAT IS COMING AND WHAT IS NOT.

5/17/17 GSAS-II: WHAT DOES IT DO? WHAT IS NEW? WHAT IS COMING AND WHAT IS NOT. drhgfdjhngngfmhgmghmghjmghfmf ROBERT B. VON DREELE BRIAN H. TOBY FOR DIFFRACTION ANALYSIS, GSAS & EXPGUI Wide Range of Fields Web of Science Category %

269 views • 6 slides
THE MISSING Baby y Bo omers s I Age in 2 01 8 9 8 -7 8 Born 1 9 4 3 -1 9 6 0 Coming of Age 1

THE MISSING Baby y Bo omers s I Age in 2 01 8 9 8 -7 8 Born 1 9 4 3 -1 9 6 0 Coming of Age 1

19/07/2019 Definitions Si Sile lent G t Ge n e n Born 1 9 2 0 -4 0 s Coming of Age 1 9 4 0 -6 0 s THE MISSING Baby y Bo omers s I Age in 2 01 8 9 8 -7 8 Born 1 9 4 3 -1 9 6 0 Coming of Age 1 9 61 -7 8 Age in 2 01 8 7 5 -57

310 views • 3 slides
Cosmology at the University of Cape Town http:/ /cosmology.uct.ac.za The coming of age of

Cosmology at the University of Cape Town http:/ /cosmology.uct.ac.za The coming of age of

Cosmology at the University of Cape Town http:/ /cosmology.uct.ac.za The coming of age of Cosmology The last five years have seen the coming of age of Cosmology, a mature branch of science based on the hot Big Bang theory and the Inflationary

321 views • 30 slides
M E S O S H T T P A P I @ v i n o d k o n e @ i j i m e n e Mesos 1.0 IS COMING M E S O S A

M E S O S H T T P A P I @ v i n o d k o n e @ i j i m e n e Mesos 1.0 IS COMING M E S O S A

M E S O S H T T P A P I @ v i n o d k o n e @ i j i m e n e Mesos 1.0 IS COMING M E S O S A P I S Scheduler API Executor API Internal API S l a v e S c h e d u l e r M a s t e r E x e c u t o r Operator API D E P E N D E N C E O N

481 views • 34 slides
The Coming Wave The Coming Wave Dayton Joining The Houston Metro Conversation Hello! Hello!

The Coming Wave The Coming Wave Dayton Joining The Houston Metro Conversation Hello! Hello!

The Coming Wave The Coming Wave Dayton Joining The Houston Metro Conversation Hello! Hello! Theo Melancon Theo Melancon City Manager - Dayton citymanager@daytontx.org Embrace the Embrace the Challenge Challenge Victorious warriors

809 views • 21 slides
Digital Transformation & The Anywhere Clinical Desktop DIGITAL CHANGE IS COMING eHealth

Digital Transformation & The Anywhere Clinical Desktop DIGITAL CHANGE IS COMING eHealth

Digital Transformation & The Anywhere Clinical Desktop DIGITAL CHANGE IS COMING eHealth records coming to emergency departments in NSW BETTER INFORMED = BETTER OUTCOMES 6 AGENDA Welcome and introductions Perspectives from the

630 views • 35 slides
Welcome - Great to see you all - thanks for coming Only have 10 mins so very

Welcome - Great to see you all - thanks for coming Only have 10 mins so very

Welcome - Great to see you all - thanks for coming Only have 10 mins so very quickthis will only be an overview of projects, please see blog for more details & happy to discuss in more detail later (get in contact w me) All

499 views • 27 slides
General Data Protec-on Regula-on Based on the Pinsent Mason Paper New Features of the GDPR

General Data Protec-on Regula-on Based on the Pinsent Mason Paper New Features of the GDPR

General Data Protec-on Regula-on Based on the Pinsent Mason Paper New Features of the GDPR Accountability measures: GDPR requires compliance and evidence of compliance: documented policies and procedures, records of consents etc.

355 views • 9 slides
Privacy Policy This privacy policy sets out how the Talking Slides Ltd websites use and protect

Privacy Policy This privacy policy sets out how the Talking Slides Ltd websites use and protect

Privacy Policy This privacy policy sets out how the Talking Slides Ltd websites use and protect any information that you provide when you use this website. Talking Slides Ltd is committed to ensuring that your privacy is protected. Should we ask

164 views • 4 slides
The Data Protection Landscape Before and aft fter GDPR: General Data Protection Regulation Data

The Data Protection Landscape Before and aft fter GDPR: General Data Protection Regulation Data

The Data Protection Landscape Before and aft fter GDPR: General Data Protection Regulation Data Protection regulations across Europe Current regulations & guidance European Directives 95/46/EC (Data Protection) and 2002/58/EC

440 views • 19 slides
The GDPR and the Data Protection Act 2018 Robin Hopkins Robin Hopkins 4 October 2017 GDPR: an

The GDPR and the Data Protection Act 2018 Robin Hopkins Robin Hopkins 4 October 2017 GDPR: an

The new data protection regime: The GDPR and the Data Protection Act 2018 Robin Hopkins Robin Hopkins 4 October 2017 GDPR: an introduction The problem: Processing of personal data ramps up with technology 1990s legislation

379 views • 17 slides
Protecting patient confidentiality in research: the Scottish landscape Janet Murray Caldicott

Protecting patient confidentiality in research: the Scottish landscape Janet Murray Caldicott

Protecting patient confidentiality in research: the Scottish landscape Janet Murray Caldicott Guardian ISD Outline National data and SHIP Information governance The Scottish structures Legal NHS Scotland policy

327 views • 17 slides
Introduction to Privacy Technologies Claudia Diaz KU Leuven COSIC Summer School on real-world

Introduction to Privacy Technologies Claudia Diaz KU Leuven COSIC Summer School on real-world

Introduction to Privacy Technologies Claudia Diaz KU Leuven COSIC Summer School on real-world crypto and privacy June 2017 Claudia Diaz (KU Leuven) 1 Overview What is privacy? (non-technical definitions) What are the privacy

794 views • 36 slides
Supporting Better Care Fund resubmissions Risk Stratification and information governance Webinar

Supporting Better Care Fund resubmissions Risk Stratification and information governance Webinar

Supporting Better Care Fund resubmissions Risk Stratification and information governance Webinar 28 August 2014 CONFIDENTIAL AND PROPRIETARY Overview of webinars Several webinars will be held across 3 topics over the next 3 weeks; Todays

905 views • 43 slides
Privacy & Data Protection Laws Overview and History Introduction to Privacy and the GDPR

Privacy & Data Protection Laws Overview and History Introduction to Privacy and the GDPR

Privacy & Data Protection Laws Overview and History Introduction to Privacy and the GDPR Simone Fischer-Hbner CC-BY-4.0 Privacy Legislation - History 1950 Art. 8 ECHR: Everyone has the right to respect for his private and family

413 views • 4 slides

More recommend