WELCOME TO OUR WEBINAR Safe Harbor Invalidation Next Steps: EU - - PowerPoint PPT Presentation

SLIDE 1

Safe Harbor Invalidation Next Steps:

EU Model Clauses – Do's and Don’ts

If you cannot hear us speaking, please make sure you have called into the teleconference number on your invite information.

  • US participants: 1 800 909 4756
  • Outside the US: +1 647 722 9108 or +44 2033000090
  • The audio portion is available via conference call. It is not broadcast through your computer.

*This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.

Monday, November 30, 2015 | 12:00 p.m. EST

WELCOME TO OUR WEBINAR

SLIDE 2


Welcome

  • You are on mute
  • A link to a recording of the webinar will be made available

Today's speakers

November 30, 2015

  • Carol Umhoefer, Partner, DLA Piper Paris
  • Thomas Jansen, Partner, DLA Piper Munich
  • Diego Ramos, Partner, DLA Piper Madrid

firstname.lastname@dlapiper.com or dataprivacy@dlapiper.com

Safe Harbor Invalidation Next Steps: EU Model Clauses 2

SLIDE 3

Recap: Why We're Here

SLIDE 4

ECJ Safe Harbor Decision and Aftermath 1

  • On October 6, 2015, the European Court of Justice declared the EU-US Safe Harbor program invalid
  • The transfer of personal data to the US on the basis of Safe Harbor was prohibited with immediate effect
  • All companies that transfer personal data based on Safe Harbor – or use processors that transmit personal data to the US on the basis of Safe Harbor – must immediately consider and implement alternative transfer mechanisms
  • On October 16, 2015, the Article 29 Working Party announced a grace period for enforcement until January 31, 2016. In the meantime, model clauses and binding corporate rules are considered valid transfer mechanisms

SLIDE 5

ECJ Safe Harbor Decision and Aftermath 2

  • On October 14, 2015, the Independent Centre for Privacy Protection of the Federal State Schleswig-Holstein (“ULD”), one of 17 Data Protection Authorities (DPAs) in Germany, published its position paper on the ECJ Safe Harbor decision.
  • On October 26, 2015, German Federal Data Protection Officer and the Data Protection Authorities (DPAs) of the German Federal States (together “Datenschutzkonferenz” – DSK) issued a joint statement questioning the admissibility of data transfers to the US based on model clauses or BCRs and stating that they will not approve new transfers based on binding corporate rules or data export agreements.

SLIDE 6

ECJ Safe Harbor Decision and Aftermath 3

  • On November 6, 2015, the European Commission issued a communication on transfers from the EU to the US, including a reaffirmation on the conditions for using model clauses:
  • Article 29 Working Party has stated that it will continue to analyze the impact of the Schrems decision on model clauses
  • Transfers to third countries which have not been found to ensure an adequate level of protection are permissible if the controller adduces appropriate safeguards by means of contractual clauses binding on the exporter and importer of the data
  • Parties may supplement model clauses with non-contradictory terms
  • Model clauses are both more limited (applying to specific data flows) and more broad (not limited to a specific country)
  • National authorities are in principle under the obligation to accept model clauses

SLIDE 7

Risks of Not Acting

  • Breach of contracts and exposure to damages and/or triggering of termination rights
  • User/customer/employee complaints made with the controller (or processor)
  • User/customer/employee complaints to the DPA
  • Orders and fines by DPAs (esp. Spain, Germany)
  • Potential interruption of business in Europe
  • Potential loss of business in Europe

SLIDE 8

Alternatives to Safe Harbor

  • Consent of data subject (legally uncertain except for one-off transfers; often problematic in practice)
  • Transfers to 'white-listed' countries: Andorra, Argentina, Australia (PNR data only), Canada (some types of data), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay
  • Binding Corporate Rules
  • Ad hoc agreements
  • European Commission approved 'model clauses' (standard contractual clauses)

SLIDE 9

Using the Model Clauses

SLIDE 10

Model Clauses Pros and Cons

Cons

  • No flexibility on essential terms
  • May also come under scrutiny of the DPAs in the near future
  • Do not address all transfer patterns
  • Additional legal basis (e.g., consent) may be required in some EU Member States
  • Acceptance/confirmation/approval procedure in some EU Member States

Pros

  • Quick and efficient
  • Standard template
  • May be used in relation to third parties which are not members of the group
  • Low cost

SLIDE 11

Selecting Model Clauses

  • Model clauses for the transfer of personal data to controllers established in third countries approved by Commission Decisions in 2001 and 2004
  • Liability: Joint and several (2001); exporter liability in the first instance, otherwise importer liability (2004)
  • Model clauses for the transfer of personal data to processors established in third countries approved by Commission Decision in 2002; now superseded by Commission Decision of 2010
  • In March 2014, G29 published model clauses for the transfer of personal data from an EU processor to a non-EU sub-processor, but they have not been approved by the European Commission
  • Currently, model clauses only apply when the "exporter" (transferor) is a controller established in the EU

SLIDE 12

Key Provisions and Hidden Risks

  • Third-party beneficiary clause stating that data subject has rights under the clauses
  • Data exporter obligations to comply with data protection law
  • Data importer (controller or processor) accepts jurisdiction where exporter established
  • Data importer (controller) submits to audits by exporter; data importer (processor) submits to audits by exporter or DPA; subprocessor submits to audits by DPA
  • Processor subcontracting: Subject to prior approval by the data exporter
  • Need details of transfers: The nature and extent of data to be transferred
  • Need to specify personal data security measures
  • Future-proofing contractual arrangements

SLIDE 13

Supplementing Model Clauses

  • National authorities are in principle under the obligation to accept model clauses
  • Generally - the model clauses must be unchanged, i.e., they must not be altered
  • Alterations will trigger additional requirements, principally authorization by data protection authorities
  • Even unaltered model clauses may need approval by the data protection authority in some countries (Belgium, France, Spain …)
  • Some countries (Germany, Italy, Poland, Spain …) nonetheless require additional clauses

SLIDE 14

Focus on Model Clauses in Germany

  • German Federal Data Protection Officer and DPAs of the German Federal States (together “Datenschutzkonferenz” – DSK) issued position paper questioning validity of all methods of data transfer to US in light of ECJ decision.
  • However, EU Model Clauses currently remain a valid method of data transfer to the US and third countries. No authorization is required.
  • National DPAs still have authority to prohibit transfers based on EU Model Clauses and impose fines
  • In such case, an affected company should appeal the DPA decision and fine to a German court
  • The consent of the data subject also remains a valid basis for data transfer, provided it is transparent, freely given, and conforms to the conditions set forth by the DPAs

SLIDE 15

Focus on Model Clauses in Spain

  • Transfers based on model clauses – even identical model clauses – are not legal per se. Unless valid data subject consent is obtained, transfer pursuant to model clauses requires an export permit from the Spanish data protection authority (AEPD).
  • Applications for seeking export permits can include model clauses-based agreements but also any other set of clauses that meets the Spanish data protection authority's concerns.
  • Typical additional requirements sought by AEPD, on top of adequate agreements between the parties, include detailed description of security measures to be applied, additional disclosures on staff management and even face-to-face visits of AEPD investigators with the data importer abroad.
  • Entire authorization procedure may take 5/6 months.
  • Schrems-related enforcement is expected to start February 2016.

SLIDE 16

Other Issues

  • Updating privacy notices (policies, statements) that refer to Safe Harbor
  • Updating contracts that require adhesion to Safe Harbor
  • Adapting Safe Harbor annual re-certification to model clause audit requirements
  • Consulting or obtaining approval from works councils / trade unions
  • Updating registrations with data protection authorities

SLIDE 17

UPDATES


  • Subscribe to our Privacy Matters blog for regular updates: http://blogs.dlapiper.com/privacymatters/
  • Access our Data Protection Laws of the World Handbook at www.dlapiperdataprotection.com

SLIDE 18

QUESTIONS


dataprivacy@dlapiper.com www.dlapiperdataprotection.com