45
Preparing for the EU General Data Protection Regulation David Bender GTC Law Group Adjunct Professor University of Houston Law Center Fellow, Ponemon Institute

Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

  • Upload
    others

  • View
    1

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Prep

arin

g fo

r the

EU

Gen

eral

D

ata

Prot

ectio

n R

egul

atio

n

Dav

id B

ende

rG

TC L

aw G

roup

Adj

unct

Pro

fess

orU

nive

rsity

of H

oust

on L

aw C

ente

rFe

llow,

Pon

emon

Inst

itute

Page 2: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

GD

PR G

enes

is●

1973

– 1

st se

t of F

air I

nfor

mat

ion

Prac

tices

(“FI

Ps”)

–U

S D

ep’t

of H

EW●

1980

– O

ECD

Gui

delin

es (r

evise

d 20

13),

base

d on

HEW

FIP

s●

1995

– E

U D

ata

Prot

ectio

n D

irect

ive

(sou

rce

ofcu

rrent

EU

DP

law

), ba

sed

on O

ECD

Gui

delin

es.

●M

ay 2

5, 2

018

– En

try in

to fo

rce

of G

ener

al D

ata

Prot

ectio

n Re

gula

tion

(“G

DPR

”), b

ased

on

Dire

ctiv

e.

2

Page 3: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Goa

ls o

f the

Dire

ctiv

e●

Prot

ect f

unda

men

tal d

ata

prot

ectio

n rig

hts

of E

U re

side

nts.

●Fa

cilit

ate

mov

emen

t of p

erso

nal d

ata

with

inEU

.●

Har

mon

ize

data

pro

tect

ion

law

s am

ong

EUM

embe

r Sta

tes.

3

Page 4: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

EU’s

Ow

n Sc

orec

ard

onA

chie

ving

Dire

ctiv

e’s G

oals

●Pr

otec

ting

pers

onal

righ

ts -

impe

rfect

ly.

●Fa

cilit

atin

g da

ta m

ovem

ent w

ithin

EU –

OK

.●

Har

mon

ize

law

s – n

ot w

ell.

4

Page 5: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

EU P

ropo

sed

Solu

tion

●A

“re

gula

tion”

:●

W

ith a

fram

ewor

k si

mila

r to

that

of t

heD

irect

ive.

Tha

t cur

es th

e te

chno

logi

cal o

bsol

esce

nce

of th

e D

irect

ive.

And

als

o im

pose

s add

ition

al re

stric

tions

on

the

proc

essi

ng o

f per

sona

l dat

a th

at th

e EU

belie

ves a

re a

ppro

pria

te.

5

Page 6: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

So

me

Thin

gs W

on’t

Cha

nge

Muc

h●

We’

ll st

ill h

ave:

●Pr

otec

tion

for a

ll da

ta fr

om w

hich

indi

vidu

als

(“da

ta su

bjec

ts”)

are

iden

tified

or i

dent

ifiab

le;

●A

dis

tinct

ion

betw

een

cont

rolle

rs a

nd p

roce

ssor

s;●

A v

ery

broa

d de

finiti

on o

f “pr

oces

sing

”;●

Nee

d fo

r a “

lega

l bas

is”

whe

neve

r you

pro

cess

pers

onal

dat

a;

6

Page 7: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Not

Muc

h C

hang

e H

ere

●N

eed

for a

dequ

acy

prin

cipl

es w

hene

ver y

oupr

oces

s per

sona

l dat

a;●

Rig

id e

xpor

t (fr

om th

e EU

) res

trict

ions

;●

A re

quire

d in

depe

nden

t gov

ernm

enta

lsu

perv

isor

y au

thor

ity in

eac

h M

embe

r Sta

te;

and

●A

n EU

ent

ity c

ompr

ised

of t

he h

eads

of e

ach

Mem

ber S

tate

supe

rvis

ory

body

.

7

Page 8: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

But L

ook

for S

igni

fican

t Cha

nges

Her

e●

Ever

y go

vern

men

tal a

genc

y an

d m

any

busin

esse

s mus

t app

oint

a D

ata

Prot

ectio

nO

ffice

r (“D

PO”)

.●

Requ

irem

ent t

o co

nduc

t “pr

ivac

y im

pact

asse

ssm

ents”

for a

ny ty

pe o

f pro

cess

ing

likel

y to

resu

lt in

“hi

gh ri

sk to

the

right

s and

freed

oms”

of i

ndiv

idua

ls.

8

Page 9: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

M

ore

Maj

or C

hang

es●

On

requ

est,

com

pani

es m

ust m

ake

indi

vidu

al’s

data

ava

ilabl

e, in

app

ropr

iate

form

at, a

nd tr

ansf

er to

succ

esso

r ven

dor.

●M

ore

requ

ired

notifi

catio

ns to

indi

vidu

als

abou

t the

ir da

ta p

rote

ctio

n rig

hts.

9

Page 10: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Yet M

ore

Cha

nges

●M

ore

prot

ectiv

e tre

atm

ent f

or d

ata

of c

hild

ren.

●M

ore

exte

nsiv

e do

cum

enta

tion

requ

irem

ents

.●

Req

uire

men

t to

impo

se “

priv

acy

by d

esig

n.”

●R

equi

red

notifi

catio

n of

dat

a se

curit

y br

each

es to

gove

rnm

ent a

nd a

ffect

ed in

divi

dual

s.

10

Page 11: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

O

ne M

ore

Big

Chan

ge●

Max

imum

pen

altie

s, de

signe

d w

ith G

oogl

e,Fa

cebo

ok, a

nd A

pple

in m

ind,

com

prise

the

grea

ter o

f:●€

20 m

illio

n; o

r●

4% o

f a c

ompa

ny’s

annu

al w

orld

wid

e re

venu

e.●

This

is pe

r vio

latio

n.

11

Page 12: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Ju

risdi

ctio

nal P

rovi

sion

●A

ny e

ntity

– w

heth

er o

r not

it h

as a

pre

senc

e in

the

EU --

whi

ch e

ngag

es in

pro

cess

ing

ofpe

rson

al d

ata

of in

divi

dual

s in

the

EU th

atre

late

s to

the

follo

win

g, is

subj

ect t

o th

eG

DPR

:●

Offe

ring

good

s or s

ervi

ces t

o pe

rson

s in

the

EU; o

r●

Mon

itorin

g th

e be

havi

or o

f per

sons

in th

e EU

.

12

Page 13: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Nee

d to

Prio

ritiz

e –

One

Sug

geste

d Ti

mel

ine

●A

SAP

●3

- 6 m

onth

s●

By M

ay 2

5, 2

018

●O

ngoi

ng

13

Page 14: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

A

s Soo

n as

Pos

sible

●D

eter

min

e w

heth

er y

ou a

re re

quire

d to

appo

int a

DPO

.●

If yo

u’re

not

sure

, sho

uld

you

appo

int?

●If

you’

re n

ot re

quire

d, sh

ould

you

app

oint

?●

If yo

u ap

poin

t a D

PO, d

eter

min

e w

here

the

DPO

fits

in y

our o

rgan

izat

ion.

14

Page 15: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

A

SAP

-- D

PO●

Shou

ld th

e D

PO b

e:●

In-h

ouse

or v

endo

r?●

Full-

time

or p

art-t

ime

DPO

?●

Excl

usiv

e to

you

r ent

ity, o

r sha

red?

●D

ecid

e ho

w to

supp

ort t

he D

PO –

infra

struc

ture

, sta

ff, b

udge

t

15

Page 16: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

ASA

P (c

ontin

ued)

●En

list t

op m

anag

emen

t sup

port

●Is

Boa

rd c

omm

ittee

app

ropr

iate

?●

Con

stru

ct d

ata

flow

map

for a

llpe

rson

al d

ata

of w

hich

you

hav

epo

sses

sion

.●

Iden

tify

the

lega

l bas

is fo

r eac

hpr

oces

sing

act

ivity

.

16

Page 17: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

With

in N

ext 3

– 6

Mon

ths

●Pr

iorit

ize

base

d on

you

r dat

a m

ap.

●Id

entif

y th

ose

activ

ities

requ

iring

priv

acy

impa

ct a

sses

smen

ts.

●W

here

app

ropr

iate

, mod

ify y

our s

yste

ms,

and

requ

ire y

our p

roce

ssor

s to

mod

ifyth

eirs

, to

acco

mm

odat

e da

ta p

orta

bilit

yob

ligat

ions

.

17

Page 18: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

W/i

Nex

t 3-6

Mos

. (co

ntin

ued)

●If

you

use

fully

aut

omat

ed m

eans

to m

ake

deci

sion

s tha

t sig

nific

antly

affe

ct in

divi

dual

s,co

nsid

er in

trodu

cing

a h

uman

into

the

proc

ess

or, i

f app

ropr

iate

, cha

ngin

g th

e le

gal b

asis

for

proc

essi

ng.

●C

onfir

m e

xist

ence

of a

ppro

pria

te in

sura

nce

cove

rage

, add

ing

or m

odify

ing

polic

ies a

sne

cess

ary.

18

Page 19: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Mor

e 3

– 6

Mon

ths

●Pr

epar

e or

upd

ate

an in

cide

nt re

spon

se p

lan

to h

andl

e da

ta se

curit

y br

each

es, i

nclu

ding

any

notifi

catio

n ob

ligat

ions

.●

Con

side

r whe

ther

to re

nder

dat

a un

inte

lligi

ble

to u

naut

horiz

ed p

erso

ns.

●Ve

rify

that

ade

quat

e se

curit

y ha

s bee

nim

plem

ente

d.

19

Page 20: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Yet M

ore

3-6

Mon

ths

●R

evie

w p

rivac

y po

licie

s to

ensu

re c

ompl

ianc

ew

ith e

xten

sive

GD

PR re

quire

men

ts to

not

ify d

ata

subj

ects

.●

Upd

ate

cons

ent m

echa

nism

s as n

eces

sary

, and

esta

blis

h sy

stem

s to

docu

men

t affi

rmat

ive

cons

ent.

●If

app

licab

le, c

onsi

der m

etho

ds fo

r col

lect

ing

and

docu

men

ting

verifi

able

par

enta

l con

sent

toco

llect

ion

of p

erso

nal d

ata

from

chi

ldre

n.

20

Page 21: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

And

Eve

n M

ore

3 –

6 M

onth

s●

Mon

itor l

itiga

tion

and

regu

lato

ryac

tivity

cha

lleng

ing

vario

us c

ross

-bo

rder

tran

sfer

met

hods

, so

as to

be

inpo

sitio

n to

use

arg

uabl

y va

lid m

etho

ds.

●C

onsi

der w

heth

er y

ou w

ould

ben

efit f

rom

Priv

acy

Shie

ld.

21

Page 22: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Last

PPT

on

3 –

6 M

onth

s●

Con

side

r con

duct

ing

appr

opria

te d

ilige

nce

on p

roce

ssor

s and

oth

er v

endo

rs to

ass

ess

prep

ared

ness

for G

DPR

obl

igat

ions

.●

Ensu

re th

at e

xist

ing

and

futu

re p

roce

ssor

agre

emen

ts c

onta

in a

ll pr

ovis

ions

man

date

dby

GD

PR.

22

Page 23: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

By

May

25,

201

8●

Cre

ate

train

ing

plan

to e

nsur

e th

at re

leva

ntm

embe

rs o

f you

r org

aniz

atio

n ha

ve b

een

train

ed in

GD

PR c

ompl

ianc

e.●E.g.

, HR

, IT,

Sec

urity

, Com

plia

nce.

●En

sure

that

team

mem

bers

inte

rfac

ing

with

cust

omer

s rec

ogni

ze G

DPR

-em

pow

ered

requ

ests

(e.g

., fo

r acc

ess,

for r

ectifi

catio

n, to

with

draw

con

sent

) and

und

erst

and

how

toha

ndle

them

.

23

Page 24: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

By

May

25,

201

8 (c

ontin

ued)

●Pr

epar

e yo

ur sy

stem

s to

impl

emen

t the

se re

ques

ts.

●Pe

rfor

m th

e im

pact

ass

essm

ents

you

iden

tified

as

nece

ssar

y.●

Det

erm

ine

whe

ther

pse

udon

ymiz

atio

n of

fers

adva

ntag

es.

●If

you

hav

e es

tabl

ishm

ents

in m

ore

than

one

Mem

ber

Stat

e, d

eter

min

e w

hich

DPA

will

be

your

lead

DPA

,an

d m

onito

r its

act

ions

, adv

ice,

and

trai

ning

.

24

Page 25: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

O

ngoi

ng●

Cond

uct a

nnua

l dat

a pr

otec

tion

audi

ts of

inte

rnal

and

ven

dor p

roce

dure

s to

ensu

reG

DPR

com

plia

nce.

●Im

plem

ent “

priv

acy

by d

esig

n.”

●Co

nsid

er p

artic

ipat

ing

in c

reat

ion

of, a

ndsu

bscr

ibin

g to

, Cod

es o

f Con

duct

and

Certi

ficat

ions

.

25

Page 26: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

M

ore

Ong

oing

●Id

entif

y M

embe

r Sta

tes w

here

you

are

subj

ect t

o th

e la

w, a

nd fo

llow

thei

r effo

rts to

dero

gate

or c

usto

miz

e th

eir d

ata

prot

ectio

nla

w u

nder

the

num

erou

s exc

eptio

nspe

rmitt

ed b

y th

e G

DPR

.●

Mon

itor t

he p

ropo

sed

repl

acem

ent o

f the

e-

Priv

acy

Dire

ctiv

e if

rele

vant

to y

our

orga

niza

tion.

26

Page 27: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Ye

t Mor

e O

ngoi

ng●

Doc

umen

t any

reas

ons f

or n

ot fo

llow

ing

your

DPO

’sad

vice

.●

Mai

ntai

n w

ritte

n re

cord

s of a

ll pr

oces

sing

if re

quire

d.●

Upd

ate

your

inci

dent

resp

onse

pla

n an

d co

nduc

tbr

each

sim

ulat

ions

(at l

east

tabl

etop

) to

test

itsef

ficac

y.●

Mon

itor m

odifi

catio

ns to

you

r bus

ines

s pra

ctic

es o

rstr

uctu

re th

at m

ay im

pact

you

r ong

oing

com

plia

nce.

27

Page 28: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

A R

elat

ed M

atte

r –

Cro

ss-B

orde

r Per

sona

l Dat

a Tr

ansf

er●

Bot

h th

e D

irect

ive

and

GD

PR h

ave

prov

isio

nsre

stric

ting

cros

s-bo

rder

tran

sfer

(“X

BT”

).●

And

the

two

sets

of r

estri

ctio

ns a

re si

mila

r.●

Why

are

the

XB

T re

stric

tions

so im

porta

nt?

●B

ecau

se if

US

impo

rters

can

’t ge

t the

ir ha

nds o

nth

e pe

rson

al d

ata

of E

U re

side

nts,

for t

heir

purp

oses

it d

oesn

’t m

atte

r wha

t the

GD

PR st

ates

.

28

Page 29: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

XB

T

●U

nder

bot

h th

e D

irect

ive

and

GD

PR, f

orla

wfu

l tra

nsfe

r, yo

u ne

ed “

adeq

uacy

”of

tran

sfer

ee la

w, c

onse

nt, o

r one

of

seve

ral “

nece

ssiti

es.”

●Th

e U

S w

as d

eem

ed n

ot to

hav

e“a

dequ

ate”

dat

a pr

otec

tion

law

s.

29

Page 30: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

XB

T (c

ont.)

●In

200

0, U

S an

d EU

neg

otia

ted

a “S

afe

Har

bor”

fram

ewor

k:●

Expo

rt w

as p

erm

itted

to U

S co

mpa

nies

agre

eing

to S

afe

Har

bor p

rinci

ples

●Th

e Sa

fe H

arbo

r pro

gram

func

tione

dre

ason

ably

wel

l for

a d

ecad

e an

d a

half.

30

Page 31: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Th

e D

eath

of S

afe

Har

bor

●In

Oct

ober

201

5, th

e EU

’s hi

ghes

t cou

rt(E

urop

ean

Cour

t of J

ustic

e –

“ECJ

”) ru

led

that

the

EU ru

ling

appr

ovin

g Sa

fe H

arbo

r was

inva

lid, t

hus

strik

ing

dow

n th

e pr

ogra

m.

●O

ne m

ain

thru

st of

the

Safe

Har

bor d

ecisi

on w

asth

at U

S na

tiona

l sec

urity

surv

eilla

nce

viol

ated

the

fund

amen

tal r

ight

s of E

U re

siden

ts.

31

Page 32: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

ECJ S

afe

Har

bor D

ecisi

on -

IMH

O●

In it

s dec

ision

, the

ECJ

:●

Wen

t on

a fro

lic a

nd d

etou

r to

reac

h an

issu

ew

ell b

eyon

d th

e na

rrow

poi

nt o

f law

that

was

pre

sent

ed to

it;

●Re

lied

on a

flaw

ed a

nd in

corre

ct lo

wer

cou

rtfin

ding

abo

ut U

S na

tiona

l sec

urity

surv

eilla

nce;

32

Page 33: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Safe

Har

bor D

ecis

ion

(con

t.)●

Faile

d to

reco

gniz

e m

ajor

cha

nges

mad

e, a

fter

that

low

er c

ourt

opin

ion,

as t

o pr

ivac

ypr

otec

tions

atte

ndan

t to

US

natio

nal s

ecur

itysu

rvei

llanc

e;●

Faile

d ev

en to

men

tion

any

bala

ncin

g of

priv

acy

inte

rest

s aga

inst

secu

rity

inte

rest

s, ev

enth

ough

EU

law

cal

ls fo

r suc

h a

bala

ncin

g; a

nd

33

Page 34: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Safe

Har

bor D

ecis

ion

(con

t.)●

Blit

hely

and

hyp

ocrit

ical

ly ig

nore

d th

ees

tabl

ishe

d fa

ct th

at th

e pr

ivac

ypr

otec

tions

em

bodi

ed in

US

natio

nal

secu

rity

law

in g

ener

al e

xcee

d th

ose

ofm

ost o

ther

cou

ntrie

s, in

clud

ing

mos

t EU

Mem

ber S

tate

s.

34

Page 35: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

The

Afte

rmat

h●

Sinc

e Sa

fe H

arbo

r was

inva

lidat

ed, c

ompa

nies

have

bee

n sc

urry

ing

arou

nd lo

okin

g fo

r som

e“s

afe”

mea

ns o

f exp

ort.

●B

ut th

ere

is a

n in

here

nt p

robl

em:

●th

e EC

J did

not

just

find

a fl

aw in

the

Safe

Har

bor m

echa

nism

for e

xpor

ting

the

data

;●

rath

er, i

t als

o fo

und

faul

t with

the

way

that

dat

aw

as tr

eate

d af

ter i

t rea

ched

the

US.

35

Page 36: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Afte

rmat

h (c

ontin

ued)

●Th

at la

tter p

erce

ived

defi

cien

cy w

ill se

emin

gly

exis

t no

mat

ter w

hat m

eans

are

use

d to

exp

ort

the

data

.●

“Priv

acy

Shie

ld,”

a su

cces

sor t

o Sa

fe H

arbo

r,de

bute

d on

Aug

ust 1

, 201

6.●

Priv

acy

Shie

ld is

alre

ady

the

subj

ect o

flit

igat

ion

seek

ing

to in

valid

ate

it, a

s are

“sta

ndar

d co

ntra

ctua

l cla

uses

,” a

noth

er p

opul

arex

port

vehi

cle.

36

Page 37: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

How

Can

the

EU G

et O

utof

this

Conu

ndru

m?

●Th

e EC

J’s S

afe

Har

bor d

ecisi

on is

from

the

EU’s

high

est c

ourt,

and

is b

ased

on

the

EUCh

arte

r, an

instr

umen

t with

con

stitu

tion-

like

statu

re.

●Th

e de

cisio

n ca

nnot

be

reve

rsed

with

legi

slatio

n or

by

anot

her c

ourt.

●O

nly

the

ECJ c

an c

hang

e it.

37

Page 38: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Som

e Po

ssib

ilitie

s●

The

ECJ h

as p

aint

ed it

self

into

a c

orne

r.●

It co

uld,

if it

wis

hed,

neu

traliz

e its

Saf

e H

arbo

rde

cisi

on b

y:●

deno

min

atin

g m

ost o

f it a

s dictum

, bec

ause

infa

ct it

wen

t wel

l bey

ond

the

issu

e pr

esen

ted

toit;

●di

scus

sing

a b

alan

cing

of n

atio

nal s

ecur

ityag

ains

t priv

acy

and

on th

at b

asis

, ove

rrul

ing

the

deci

sion

; and

/or

38

Page 39: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Mor

e Po

ssib

ilitie

s●

on a

n ap

prop

riate

low

er c

ourt

reco

rd:

●re

vers

ing

the

initi

al lo

wer

cou

rt fin

ding

on

US

surv

eilla

nce;

●re

cogn

izin

g su

bseq

uent

cha

nges

in U

S la

w; a

nd/o

r●

findi

ng th

at U

S na

tiona

l sec

urity

surv

eilla

nce

law

ism

ore

priv

acy-

prot

ectiv

e th

an is

the

law

in m

ost

Mem

ber S

tate

s.●

But

few

are

pre

dict

ing

the

ECJ w

ill d

o th

at.

39

Page 40: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Som

e U

nfor

tuna

te E

xam

ples

in th

eA

pplic

atio

n of

EU

Dat

a Pr

otec

tion

Law

●B

elgi

an d

ata

rete

ntio

n re

stric

tions

may

caus

e de

letio

n of

Par

is a

ttack

s pho

ne d

ata.

●G

erm

an u

se o

f red

acte

d ph

oto

inpu

blic

izin

g su

spec

t in

Paris

atta

cks.

●A

ndre

as L

ubitz

inci

dent

.

40

Page 41: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Th

e Fu

ture

●Th

e G

DPR

com

prise

s an

atte

mpt

at a

gra

ndsc

hem

e fo

r ach

ievi

ng im

prov

ed d

ata

prot

ectio

n.●

One

thin

g th

at se

ems q

uite

like

ly: i

n th

ene

ar te

rm, t

he D

PAs w

ill b

e in

unda

ted

with

wor

k an

d ab

le to

enf

orce

the

law

aga

inst

only

a sm

all p

erce

ntag

e of

vio

lato

rs.

41

Page 42: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Mor

e Fu

ture

●W

ill th

e G

DPR

wor

k to

enh

ance

sign

ifica

ntly

the

priv

acy

and

secu

rity

ofEU

per

sona

l dat

a?●

The

first

inkl

ing

of w

heth

er it

wor

ks m

ayoc

cur i

n th

e da

ta se

curit

y ar

ea, a

nd m

aybe

com

e m

anife

st in

201

9.

42

Page 43: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Th

e Fu

ture

●By

that

tim

e, w

e w

ill e

ither

see

EUne

wsp

aper

s run

ning

innu

mer

able

dat

ase

curit

y br

each

arti

cles

…●

Or w

e w

on’t.

●It

will

be

inte

resti

ng to

see

whi

ch tu

rns

out t

o be

the

case

.

43

Page 44: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

W

hat S

houl

d Y

OU

Do?

●K

eep

your

hea

d do

wn.

●D

PAs w

ill b

e ov

erw

helm

ed w

ith w

ork

and

targ

ets.

●D

on’t

unne

cess

arily

attr

act t

heir

atte

ntio

n.●

Rem

embe

r the

stor

y ab

out t

he tw

oca

mpe

rs a

nd th

e be

ar.

44

Page 45: Lawyers + Strategists - r roup or r e ongtclawgroup.com/wp-content/uploads/2017/04/GTC-European... · 2017. 4. 6. · Title: D Bender- GTC Conf 4.6.17 GDPR Cl.pptx Created Date: 4/4/2017

Wha

t to

Do

(con

tinue

d)●

Follo

w p

ertin

ent D

PA in

terp

reta

tions

of

appl

icab

le la

w.●

Mak

e an

hon

est e

ffort

to c

ompl

y w

ith w

hat

you

unde

rsta

nd to

be

the

perti

nent

law.

●D

ocum

ent y

our e

fforts

.●

And

if y

ou a

re a

bel

ieve

r, pr

ay.

45