EU-US Privacy Shield: Should You Sign Up?
Our Presenters
Rob Newman
Partner
Winston & Strawn LLP
Ryan Martin
Associate
Winston & Strawn LLP
Liisa Thomas
Partner
Chair, Privacy and Data Security Practice
Winston & Strawn LLP
Agenda
1. What Is It And How Is It Different?
2. How Does It Work?
   a. Steps to Take Before You Apply
   b. The Application Process
   c. After You Are In
3. What If You Are On the Fence?
Why Do We Need This Again?
Data transfers: any time data flows from EU to US
• US-based multinationals with EU presence
• US companies that do business with EU companies
• US companies that do business in the EU
EU Data Transfer Restrictions, Unless:
• Consent
• Binding Corporate Rules
• Model Clauses
• Decision of Adequacy
Decision of Adequacy
Entire Country
• Andorra
• Argentina
• Canada
• Faeroe Islands
• Guernsey
• Israel
• Isle of Man
• Jersey
• New Zealand
• Switzerland
• Uruguay
Safe Harbor
• For US companies
• ECJ decision ruled no longer adequate Oct. 2015
• Renewals will stop Oct. 31, 2016
Privacy Shield
• Replaces Safe Harbor
• Started accepting applications Aug. 1, 2016
Hey, What About (esp. if lots of UK transfers)?
Shield may still make sense.
What If I'm In Safe Harbor Now?
• New applications stopped Aug. 1
• DoC will maintain list (indefinitely?)
• Will accept renewals until Oct. 31
• Consider it!
• US-Swiss Safe Harbor Framework continues
Privacy Shield vs. Safe Harbor
Points of comparison (Safe Harbor / Privacy Shield):
• Principles mirror EU directive
• Heightened scrutiny and examination by DoC
• Mandatory arbitration
• Specific provisions to include in privacy policy
• Contracts for onward transfers
• Specific provisions for how to handle mergers
• Enforced by FTC
• Participant list maintained online by DoC
• Specific exit procedures
• Will cease to exist after Oct. 2016
Privacy Shield vs. Model Clauses
Points of comparison (Model Clauses / Privacy Shield):
• Internal training and review requirements
• DoC and FTC scrutiny and clear enforcement procedure
• Mandatory arbitration
• Again modeled off of EU Directive
• Specific to data set described as being transferred
• Registration required with some DPAs
• Can tailor easily to one data transfer set
Privacy Shield vs. Consent
Points of comparison (Consent / Privacy Shield):
• Works only if have direct relationship with individual
• Criticized by some DPAs as inadequate, especially in HR context
• Requires specific language when communicating data practices
Privacy Shield vs. BCRs
Points of comparison (BCRs / Privacy Shield):
• Applies only to intra-company transfers
• Must be approved by DPA
• Application process can take several years
• Would need supporting procedures to implement and effectuate
• Core principles adhere to the EU Data Privacy Directive
• Application to a US regulatory body
There are Principles, But What Do They Really Mean?!
• Notice
• Choice
• Accountability & Onward Transfer
• Security
• Data Integrity & Purpose Limitation
• Access
• Recourse, Enforcement, & Liability
Agenda
1. What Is It And How Is It Different?
2. How Does It Work?
   a. Steps to Take Before You Apply
   b. The Application Process
   c. After You Are In
3. What If You Are On the Fence?
Getting to the Shield
Understand Shield obligations
• Providing opt-out (or opt-in)
• Give access
• Handle complaints
• Contract with third-parties
• Secure information
• Retention/storage concerns
• Notice
Assess differences from US law
• Some obligations don't exist under current law
• Some may merely be best practices
• Some may exist only under "specialty" laws (COPPA, HIPAA, GLB, etc.)
Conduct diligence
• What you have
• With whom you share
• Contractual provisions
• How you give choices
• How you respond to questions/complaints
Develop playbook
• Develop systems to address requirements
• Ensure ongoing compliance
• Develop policies/procedures
• Educate employees
• Discipline
Provide Choice – Opt-Out
• If disclose to third-parties
• If use will be materially different from why collected
• If use will be materially different from what they subsequently authorized
• From marketing (let them do this at any time)
Provide Choice – Opt-In for Sensitive
Examples
• Medical condition
• Race/ethnic origin
• Political opinion, religious beliefs
• Information about sex life
Some exceptions to getting consent
• Necessary to person's vital interest
• To establish legal claim
• To provide medical care/diagnosis
• Needed to "carry out obligation" in employment law
• Related to information person made "manifestly" public
Why would this come up
• Not just health care providers!
• Conducting a survey
• HR (some exceptions we'll discuss)
How Does This Differ From US Law?
US
• Marketing opt-outs narrow (CAN-SPAM, TCPA, etc.)
• Email opt-out can be provided only at time of sending message
Shield
• Opt-out of marketing regardless of type of delivery
• Let people exercise marketing opt-out anytime
Getting Prepared: Diligence Checklist
• Determine with which third-parties information is shared
• Assess types of marketing (email, direct, etc.)
• Audit and see if collecting sensitive information
• Have mechanism for marketing opt-out (anytime)
• Develop opt-out tracking for sharing and marketing
Give People Access to Information
• Tell people if collected
• Tell people what collected
• If shared
• Respond in timely manner (can verify identity)
• Respond about info you currently have
• Exceptions*
*Can limit number of times, if it is too expensive, if someone else's rights would be violated, etc.
The Response to Access Request
1. Confirm if processing
2. Say what is being processed (categories)
3. To whom it is being given
4. Copy of the information (to make sure it is correct)
5. Give them ability to correct
How Does This Differ From US Law?
US
• No general requirements
• Some sector-specific (FCRA)
• Some based on type of activity (Shine the Light)
Shield
• General access requirement
Getting Prepared: Diligence Checklist
• Track what is collected
• Develop system to accept/respond to access requests
• Develop response mechanism (content, process)
• Decide what exceptions you will use (number of times, cost, etc.)
Address Complaint Handling
• Create process to accept and respond to complaints
• Select ADR provider (ex: JAMS, BBB, or DPA panel)
• Be prepared!
How Does This Differ From US Law?
US
• Best practice
• Common practice
• UDAP exposure
Shield
• Required
Getting Prepared: Diligence Checklist
• Vet and select different ADR providers
• Put together process to handle complaints
• Test the process
Sharing Information with Vendors (Processors)
• Only give to them for limited/specific purpose
• Make sure they give level of protection required in Principles
• Make sure they use information consistent with your obligations under Principles
• Require them to notify you if they can't live up to the Principles
Have a contract in place that says:
• You act only on our instructions
• You give appropriate safeguards
• You will help us respond to people who exercise rights under Principles
If they notify you they can't live up to Principles, then:
• Stop them from further processing
• Give summary of contract or copy of relevant privacy provisions to DoC if DoC asks
Sharing Information with Business Partners (Other Data Controllers)
Notify people in privacy policy that are sharing with these third-parties
• Clear, conspicuous, and readily available
Give people choice about this sharing
Have a contract in place with the third-party
• That will process only for limited purposes, only purposes consistent with granted consent from individual
• Give same level of protections as in the Principles
• Notify if can't give same level of protection anymore
• If so, then they have to also promise not to process anymore or "take other reasonable and appropriate steps"
Other party doesn't have to be a Shield participant or have independent recourse mechanism
• Contract just has to say that will give same level of protection
• BUT, do have to have available "an equivalent mechanism"
What if part of same corporate family and both controllers?
• Don't always need a contract
• Could transfer using another mechanism (BCR, intra-group agreements)
• Make sure information is protected
• If no contract, Shield company "remains responsible for compliance with the Principles"
How Does This Differ From US Law?
US
• Typically tied to sharing of certain information (MA)
• Common practice
• In regulated industries may be required or expected
Shield
• Contract required
Getting Prepared: Diligence Checklist
• Identify third-party vendors and partners (hard!)
• Develop standard contractual language for each
• Have guidelines/policy/playbook for how and when to provide personal information to third-parties
• Regularly audit third-parties for compliance
• Create mechanism to address if they aren't living up to contract
• Train and educate employees about obligations
Security
Reasonable and appropriate measures, for example:
• Encrypt data in motion
• Encrypt data accessible through Internet
• Firewalls
• Password protocols
• Access rights protocols
To protect information from:
• Loss
• Misuse
• Unauthorized access
• Unauthorized disclosure
• Unauthorized alteration
• Unauthorized destruction
How Does This Differ From US Law?
US
• Required by some states (MA, NV, CA)
• Common practice
• In regulated industries may be required
Shield
• Security required
Getting Prepared: Diligence Checklist
• Assess current practices
• Remediate gaps
• Ensure ongoing updates
• Assign sufficient personnel and budget
Retention and Storage Concerns
• Use consistent with notice
• Keep only as long as you need for purposes for which provided
• Destroy after you don't need (or return)
• Make sure information is reliable
• Modify/delete if told by person of an error
• Update if get a "returned to sender"
How Does This Differ From US Law?
US
• Failure to take steps might expose company to UDAP if something goes wrong
• Some sector or state level requirements may exist (COPPA)
Shield
• Required
Getting Prepared: Diligence Checklist
• Develop mechanism (internal privacy policy, for example) to understand and adhere to external privacy policy
• Assess and update document retention policy if necessary
• Determine how will update information/ensure reliable
Provide Notice
1. That you participate in Shield (Watch out! You need to be listed!!)
2. What PII you collect
3. That you adhere to Shield
4. Purposes for collecting
5. To whom you disclose and why
6. How to contact you
7. About access rights
8. Rights regarding choice
9. About Shield enforcement mechanisms
How Does This Differ From US Law?
US
• State requirements (CA, DE) but not as detailed
• Sector-specific requirements (HIPAA, GLB)
Shield
• Required
Getting Prepared: Diligence Checklist
• Review current policy
• Determine if gaps
• Update
• Ensure new language is accurate
Special Considerations for HR Data
Notice
• Need to give opt-out
Notice/choice exception
• "In context of making employment decisions"
• For operational needs (booking flights, etc.) as long as originally gave notice
Accommodate privacy preferences
• Use reasonable efforts
Special Considerations for Pharma Data
• Explain that the personal data may be used in future medical or pharmaceutical research activities that are unanticipated
• Special treatment for:
  • Clinical studies
  • Providing information to regulators or other researchers
  • Blind studies
  • Product safety monitoring
  • Key-coded data
Special Considerations for Publicly Available Information
Apply These Shield Principles:
• Security
• Data Integrity
• Purpose Limitation
• Recourse/Enforcement
Don't Need to Apply* These Principles:
• Notice
• Choice
• Accountability re Onward Transfer
• Access
* As long as not combined with non-public record information
Agenda
1. What Is It And Why Would We Join?
2. How Does It Work?
   a. Steps to Take Before You Apply
   b. The Application Process
   c. After You Are In
3. What If You Are On the Fence?
Verify Compliance
Self-Verification
Validate
• Privacy policy is correct
• Prominently displayed
• Implemented
• Accessible
• Conforms to Principles
• People know what to do if they have a complaint
Training
• Train employees on how to implement
• Discipline if fail to comply
Review
• Objectively review "periodically" that are in compliance with Principles
Third-Party Verification
• They check if:
  • Individuals are told about how to complain
  • You are complying with your policy
  • Policy conforms to Principles
• If all in order, you get their okay
Self-Certify with DoC
• Contact details
• Organization info
• Selected dispute mechanism
• Verification method
• Description of activities/policy
• Payment!
How Payment is Calculated (Annual Corporate Revenue: Annual Fee)
• $0 to $5 million: $250
• Over $5 million to $25 million: $650
• Over $25 million to $500 million: $1,000
• Over $500 to $5 billion: $2,500
• Over $5 billion: $3,250
Self-Certification for HR Data
• Must also…
  • Tell DoC
  • Give copy of HR Policy
  • Say how employees can see HR Policy
  • Make sure FTC or DOT has jurisdiction**
**Supplemental Principles, 6: "may [use Shield for HR] where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information."
Agenda
1. What Is It And How Is It Different?
2. How Does It Work?
   a. Steps to Take Before You Apply
   b. The Application Process
   c. After You Are In
3. What If You Are On the Fence?
Complaint-Handling Process
Let people bring issue to you
• 45 days to respond
Independent Recourse Mechanism
• ADR based in EU or US* or
• DPA Panel
• Except HR data, cooperate with DPA
• They will look into unless frivolous
• *BBB, TRUSTe, AAA, JAMS, DMA
Arbitration Panel
• Based in the US
• Paid for by fees when you sign up
Record-Keeping
• Keep records of how implemented Shield privacy practices
  • Show if asked in context of an investigation on compliance
• Respond promptly if DoC asks about Shield participation
• Make verification (self-assessment or third-party assessment) available if individual asks
Maintain Shield Status – Recertify Annually
Verify Ongoing Compliance
• Self-Verification: Corporate officer has to sign once a year confirming compliance
• Third-party verification: Statement made once a year that are compliant, signed by reviewer or corporate officer
Remember: Self-Verification
Validate
• Privacy policy is correct
• Prominently displayed
• Implemented
• Accessible
• Conforms to Principles
• People know what to do if they have a complaint
Training
• Train employees on how to implement
• Discipline if fail to comply
Review
• Objectively review "periodically" that are in compliance with Principles
Remember: Third-Party Verification
• They check if:
  • Individuals are told about how to complain
  • You are complying with your policy
  • Policy conforms to Principles
• If all in order, you get their okay
Exiting the Shield
Merger?
• Tell DoC in advance
• Explain if still in Shield or other mechanism (or else delete)
When you leave
• Remove references to Shield from Privacy Policy
• Don't otherwise imply participation
What to do with information collected under the Shield
• Apply the Principles or apply "adequate" protection another way
• Delete data
If keeping the data
• Affirm the above annually to DoC
• If don't, then need to delete
Safe Harbor Enforcement: A Vision of the Future?
• FTC argues that representing to consumers that an expired Safe Harbor certification is current is a deceptive trade practice
• More than a dozen cases brought
• The FTC generally did not look at whether or not the companies were, in fact, adhering to the Safe Harbor Principles
Agenda
1. What Is It And Why Would We Join?
2. How Does It Work?
   a. Steps to Take Before You Apply
   b. The Application Process
   c. After You Are In
3. What If You Are On the Fence?
Do You Have Data Flowing from EU to US?
Data transfers
• US-based multinationals with EU presence
• US companies that do business with EU companies
• US companies that do business in the EU
• But keep in mind…
Will Still Need One of These:
• Consent
• Binding Corporate Rules
• Model Clauses
• Privacy Shield
Pros and Cons of the Shield
Cons
• Significant diligence needed
• Need to potentially create new policies/procedures
• Requires internal training and mechanism to make sure don't forget obligations
• Publicly stated commitments can raise risks (UDAP)
• Will be revisited annually, so may change form
Pros
• Forces diligence and policies (UDAP exposure may be lowered)
• More streamlined than BCR
• Less expensive and less time to approval than BCRs
• One-stop shop to show EU partners compliance
Thank You.
Rob Newman
Partner
Winston & Strawn LLP
Ryan Martin
Associate
Winston & Strawn LLP
Liisa Thomas
Partner
Chair, Privacy and Data Security Practice
Winston & Strawn LLP