International Privacy: New Safe Harbor Requirements
Presented by Kevin Haley Brann & Isaacson
Outline
• Background on European Developments
• Recent changes
• The legal landscape
• Practical takeaways
Background: the EU process
• European Union Governance
▫ The EU issues “directives” setting goals that all EU member states must achieve
▫ However, individual nations decide how to achieve them, through their own legislative process
▫ Thus, these goals can be implemented very differently from country to country – some might fail to implement altogether (“cookie directive”)
Background: EU privacy law
• EU Data Protection Directive (1998)
▫ Prohibits transfer of personal data to non-EU countries that do not meet EU “adequacy” standards for privacy protection
• US/EU “Safe Harbor Framework”: standard procedures whereby personal data could be transferred to the US
Background: safe harbor
Components of the Safe Harbor Framework:
• Notice: must notify individuals about purpose of data collection
• Choice: must give individuals the choice of whether their personal information will be disclosed
• Onward Transfer: if transferring information to a third party, must follow the Notice and Choice principles
• Access: individuals must have access to their personal information, which can be amended, corrected or deleted
• Security: must take reasonable precautions to protect personal information
• Data Integrity: information collected must be relevant for the purposes for which it is to be used
• Enforcement: must be a readily available independent mechanism for resolving disputes.
Source: http://www.export.gov/safeharbor/eu/eg_main_018476.asp
Background: safe harbor (cont.)
• The “Safe Harbor Decision” (2000)
▫ Decided that by meeting the requirements of the Safe Harbor Framework, US companies adequately protected EU citizens’ data
▫ Allowed free flow of personal information between all 28 EU countries and US companies in compliance with the Scheme
Recent Changes: Facebook lawsuit
• “Europe v. Facebook Lawsuit”
▫ Maximillian Schrems: Austrian privacy activist
▫ Brought challenge to Safe Harbor Decision in European court
▫ Based on US companies’ sharing personal data with the US government
Recent Changes: safe harbor invalid
• European Court of Justice declares Safe Harbor Decision invalid (October 6, 2015)
• Cites Edward Snowden, finding that under the framework agreement, the U.S. does not ensure adequate protection of fundamental privacy rights
• Companies can no longer rely on the Safe Harbor certification
Major Changes: uncertainty
• Extremely broad ruling:
▫ Unclear how US companies can meet EU privacy requirements
▫ Threatens suspending all transfer of data to non-EU countries that violate EU privacy rights
• Uncertainty:
▫ Provides little to no guidance on compliance going forward
▫ Unclear what data transfer mechanisms are “adequate”
▫ Unclear what rules now apply to the ~4,400 companies operating under the Safe Harbor framework standards
Continuing Developments
• German data privacy authority (Schleswig-Holstein) issues position paper (10/14):
▫ Argues that after this decision, there is effectively no mechanism for lawful transfer of data to the US
• EU working group issues statement (10/19):
▫ “EU Model Contractual Clauses” and “Binding Corporate Rules” can still be used to lawfully transfer data from the EU to the US
The Legal Landscape
• Now, EU countries’ national authorities examine whether or not US companies are in compliance with EU directives
• Some countries might be friendlier than others
The Legal Landscape: reactions
Differing Reactions on Impact to US Business
• Penny Pritzker, US Commerce Secretary: this ruling “puts at risk the thriving trans-Atlantic digital economy”
• Facebook: “Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor”
The Legal Landscape: enforcement
• So, will the decision actually change much?
▫ What are most companies currently doing? (not much)
▫ What enforcement mechanisms exist?
▫ Who determines who is breaking the law?
▫ What can they do about it?
Enforcement: Russia
• New Russian Law:
▫ Any data about Russians must be stored in Russia
▫ An attempt at actual enforcement?
▫ How does this compare to the EU approach?
Enforcement:
• Who is the target of this decision?
• Does the EU’s concern with NSA information collection really have a connection to most US business?
• Is it just Facebook, Google, and Amazon?
Practical Steps: Options
• Wait and see
• If you have them, maintain Safe Harbor practices
• Review active contracts
• Update contracts/policies to comply with EU Model Policies and Rules
• Consider using EU-based providers without affiliates in the US
Questions?