EU Personal Data Transfers: The Perspective of a Friendly U.S. Harborite and AMCHAM EU Member
Christopher Foster, Assistant General Counsel, Data Privacy
October 16, 2007
2 HONEYWELL - CONFIDENTIAL #222605
Department of Commerce, Inc. – Video Education Program
• Department of Commerce, Inc.
• Jonathan Faull is an employee of DOC, Inc.
• Representatives from each EU country have produced videos for us
• Sensitive personal data? Analysis in each country.
• Consent required? Analysis in each country.
• DPA Notifications required? Analysis in each country.
• Standard contractual clauses?
Data Privacy Function Members
• Lisa Parlato LeDonne, Chief Privacy Officer
• Chief Labor & Employment Counsel
• VP & Deputy General Counsel
• Chris Foster, Assistant General Counsel – Data Privacy
• Director HR – CPG Germany, Privacy Officer – EMEA
• Director HR, Canada, Regional Privacy Officer – Canada & Latin America
• GC and AGC, Honeywell APAC, Regional Privacy Officer – Asia-Pacific
• National Privacy Officers as Required
• TBD, Regional Privacy Officer – Latin America
• Senior IT Auditor, Data Privacy
Data Privacy Team Members
• Director, IT
• CISO Aerospace
• CISO Corporate
• Director and CISO/ACS
• Director & CISO-SM & TS
• Director – Online Communications
• IT Manager, HRIT Data Management
• TBD, IT
• VP – Enterprise Infrastructure Consolidation
Privacy Liaisons
• Director Employee and Labor Relations COE EMEA
• Lead HRIS, Aerospace
• Director IT, Turbo Technologies
• Labor COE
• Director HR, SM
• Diversity Director
• Director, Aerospace Customer Portal
• Senior IT Audit, Data Privacy
• TS China HR Director
• Head HR – Talent Engagement, HTS
• Director, Corporate Learning
• GTS, Global Operations Leader
• Director, Procurement, HR Srvc, and Solutions
• Director HR, Law
• Manager, Communications
• Vice President HR Data Administration
• Asst. General Counsel, Benefits
Data Privacy Team Members
• IT Aerospace
• IT Transportation Systems
• IT Specialty Materials
• IT ACS
Other Interested Persons
• Manager, Integrity and Compliance
• Manager, Program IT
• Aerospace EMEA Asst. General Counsel, Benefits
• Corporate Manager, IT
• Vice President, Global Security
• VP GC EMEA
• VP HR EMEA
Data Privacy Team Roles

CHIEF PRIVACY OFFICER (CPO)
• Responsible for overall data privacy compliance strategy and implementation
• Leading quarterly meetings of DPF Team

ASSISTANT GENERAL COUNSEL – DATA PRIVACY
• Responsible for:
– driving global privacy compliance, including certification to Safe Harbor Agreement
– conducting privacy reviews of projects and drafting notices and contracts
– developing and implementing privacy guidelines, operating procedures and training
– maintaining data access/privacy inquiry and internal audit mechanisms
– coordinating with Regional Privacy Officers

REGIONAL PRIVACY OFFICERS
• Part-time roles focused on regional support; report to Assistant General Counsel – Data Privacy and coordinate regional issues
• Assist with Works Council communications/concerns
• Liaison between Assistant General Counsel – Data Privacy and national resources, escalating issues to the Data Privacy Function as necessary
• Meet quarterly to review significant initiatives, analyze risk assessment and participate in remediation efforts

NATIONAL PRIVACY OFFICERS
• Part-time roles focused on local support, keeping the Regional Privacy Officers informed and escalating issues as necessary
• Address local issues/complaints
• Assist with Works Council communications/concerns
• Responsible for local training rollout
• Meet quarterly to review significant initiatives, analyze risk assessment and participate in remediation efforts

PRIVACY LIAISONS
• Responsible for reporting to the Function any security breaches or other significant privacy matters
• Meet quarterly to review significant initiatives, analyze risk assessment and participate in remediation efforts
• Report back to their organizations on Privacy Function initiatives/developments

HIPAA OFFICER
• Responsible for HIPAA compliance
• Participates in quarterly Privacy Liaison meetings and provides updates on HIPAA law

OTHER INTERESTED PERSONS
• Optionally participate in quarterly meetings and help with compliance efforts and communication within their respective organizations
DPF Compliance Program Overview
Current compliance approach – “Safe Harbor Plus”
• Local compliance approach focused on HR data
• Safe Harbor principles for data transferred to U.S.
• Model Contracts for data sent from EMEA to non-U.S. countries
• Attention on U.S. SSNs and other sensitive identification data (SID)
- Technical remedies include laptop encryption and extrusion detection
- Swift investigation and response required for any potential and actual data security breaches involving SID
- Has motivated many initiatives to reduce the company’s risk of allowing unauthorized access to SID
Emerging Compliance Approach – Global
• Use Binding Corporate Rules to treat all personal data, including customer and supplier personal data
• Interim step of one-Company Policy guided by privacy principles
• Expand global focus on security for most sensitive personal data
AMCHAM EU Position on Intra-EU Data Flows
General assessment
Flexible mechanisms for international data transfers are key for companies operating on both sides of the Atlantic.
Directive needs to be implemented consistently in all 27 EU Member States
Too often, 27 different compliance regimes
Binding Corporate Rules
BCRs provide an excellent new mechanism for companies to transfer data to non-EEA countries. The benefit is a unified, global company standard, tailored to a company’s unique culture or business compliance processes.
More DPA resources should be devoted to reviewing BCRs
Mutual recognition of a lead DPA’s approval by other DPAs
Clear indication of what each DPA requires to approve a set of BCRs
AMCHAM EU Position on Intra-EU Data Flows
Standard Contractual Clauses
Alternative Standard Contractual Clauses are a valuable means to legitimize data transfer outside the EEA. However, a number of practical difficulties remain in the application of the clauses.
DPAs should support multi party contracts
Consistent standards for notification and approval
WP 29 should prepare a report on companies’ obligation to file SCCs
EU Member States should apply uniform procedural requirements when using the clauses
Onward transfer to a data processor should be allowed.
Consent
Consent is a useful tool for transferring some personal data to third countries, in particular relating to employee data for specific applications. Adequate prior information needs to be provided.
Consent by employees should be acceptable for specific applications
Consent by employees should also be acceptable for less confidential data
Countries’ legal requirements should be limited to the Directive’s demands
Safe Harbor
The Safe Harbor Agreement is a success, as it provides a flexible and well-structured process to manage the free flow of information between signatories of the agreement.
Safe Harbor should be extended to sectors currently excluded.