Presentation Overview
• Speaker introduction and short summary
• Historical Overview
• Dating Game: Safe Harbor/Model Contracts/Binding Corporate Rules (BCR)
– Hostess: Katia Bloom
– Mechanism #1: EU/US Safe Harbor: Pete McGoff
– Mechanism #2: BCR: K Royal
– Mechanism #3: Model Clauses: Phil Lee
• Questions
Historical Overview: EU Data Protection Directive of 1995 (DPD)
• The DPD describes how organizations should best handle, transfer and process personal information
• An organization can only transfer data outside of the European Economic Area (EEA) if an adequate level of protection exists for the individual’s privacy
Historical Overview: Model Contracts
• The European Commission created standard contractual clauses (known as model contract clauses) as a way to ensure adequate safeguards of personal information (for purposes of Article 26(2) of the DPD)
• Clauses were created (and subsequently revised) for controller/controller and controller/processor relationships
• Must have a contract between each and every entity (which, for large companies, can turn into a contract management nightmare)
• Currently most popular option
Historical Overview: Safe Harbor
• 1995: European Commission (EC) Data Protection Directive which prohibits transfer of personal data to countries that do not meet EU standard for adequate data protection
• 1998-2000: US/EU Safe Harbor Framework negotiated to bridge the gap between the US and EU systems of data protection
• 2000: Safe Harbor Framework finalized and eligible companies can self-certify that they are Safe Harbor compliant
• 2000-2013: Adoption of Safe Harbor grows and includes over 4,000 organizations
• June 2013: Snowden leaks give EU the platform to say “We told you so.”
Historical Overview: Safe Harbor Post Snowden
• Prior to Snowden, EU regulators and partners were already skeptical because there was so little Safe Harbor enforcement by the FTC (which also has limited jurisdiction over certain industries)
• Snowden causes EU regulators and partners to stop trusting the process; if your organization is actively working with EU companies, Safe Harbor may no longer be sufficient
• Future of Safe Harbor is very uncertain due to EU/US Safe Harbor reform discussions – though hard to know what the actual resulting changes will be
• Currently, there is a suggestion that the EU's proposed General Data Protection Regulation could include a "sunset" clause for Safe Harbor
Binding Corporate Rules (BCR) to the Rescue
• BCR are the EU's response to all of the downsides of the currently-existing solutions; they attempt to overcome the aforementioned issues by facilitating export while also providing the kind of accountability that even the EU approves of
• Because EU data protection and privacy laws are so strict, complying with the BCR likely means your organization complies with data protection laws globally
• GDPR expressly promotes BCR
• BCR are designed by, and tailored for, the applicant organization, so they reflect and respect your culture, processes, and business – they are not a regulatory-imposed solution, unlike model clauses
• Downside: time and cost – this definitely is not a quick fix
Our Contestants
– Hostess: Katia Bloom
– Mechanism #1: EU/US Safe Harbor: Pete McGoff
– Mechanism #2: BCR: K Royal
– Mechanism #3: Model Clauses: Phil Lee
Question #1
• Mechanism #1, Safe Harbor, if I were a U.S. company with an online presence, tell me why I would choose you?
• Mechanism #2, BCR, you seem a little too large of an undertaking. Why would I choose you?
• Mechanism #3, Model Contracts, I am probably already using you to some extent. Why and how can I stay away from Mechanisms #2 and 3?
Benefits of Each Mechanism
EU/US Safe Harbor:
• Self-certification
• Widely adopted by US companies
• Enforced by a “known entity” regulator
• Permits data transfers from the EEA/CH to the US
Binding Corporate Rules:
• Enables global data transfers within a group of companies
• Recognized as the “gold standard” for data exports – in the EEA and beyond
• Future proofed – mentioned explicitly in proposed data reforms
• Provides a comprehensive data governance framework
• Available for controllers and processors
Model Clauses:
• Very simple, tick box solution
• Universally recognized by all EEA DPAs
• Permits global data exports
• Available for controllers and processors
Question #2
• I am surprised that all of you only mentioned the EU. I am sure that there are more considerations than just the EU. Mechanism #2, BCR, can you speak to that?
• Mechanism #3, Model Contracts, although you only discussed the EU, you seem rather flexible and could apply in other countries. Please tell me more.
• Mechanism #1, Safe Harbor, you say you are limited to the EU and US. Is there anything about you that would help me in other countries?
Global Applicability
EU/US Safe Harbor:
• Straightforward process, easy to adopt
• Good flexibility for subcontracting data processing
• Avoids the need for exponential model contracts
• The simplest solution if you are a US data importer
Binding Corporate Rules:
• Can be tailored to internal culture and processes
• PR uplift – BCR are akin to a data protection trust mark
• Great relationship building with EU DPAs
• Institutes training, audit and compliance structure requirements
• Recognized throughout the EU – and beyond!
Model Clauses:
• Tried and trusted solution
• Very quick and easy to execute
• No need for regulatory approvals
• Enables transfers globally (not just to the US)
• Seldom (never?) enforced
Question #3
• Mechanism #1 (Safe Harbor), not every relationship starts with fireworks and flowers. How hard would I have to work to get you?
• Same question to you, Mechanism #2 (BCR).
• Mechanism #3 (Model Contract), we already have some relationship, but it doesn’t seem to be working perfectly. What do we need to do to make sure you are all I need?
Challenges
EU/US Safe Harbor:
• Currently going through a process of reform – uncertain what the outcome will be
• Uncertain future under the EU General Data Protection Regulation
• Strictly speaking, a “controller-only” solution
• Not available to financial services clients, telecoms networks or NFPs
Binding Corporate Rules:
• Not a process to be undertaken lightly
• Time commitment – authorization typically takes around 18 months
• Resource commitment – the organization needs to live up to its BCR commitments!
Model Clauses:
• Model clauses require a contract “per export”, which often leads to tens (if not hundreds) of contracts
• Very commercially unfriendly – strict restrictions on subcontracting, some joint and several liability
• Do not deliver compliance in practice – tick box solution
Question #4
• If you are chosen, you have to learn how to live within my company, from executives down to front-line people. How do we build that relationship and would it take a long time?
Implementing
EU/US Safe Harbor:
• Two approaches to self-certification: sign up to Safe Harbor and then bring practices into compliance; or full audit, remediation and then certification
• The former is quick, cheap and easy – but the source of current concerns about Safe Harbor
• The latter is almost as costly as BCR, but with fewer benefits
Binding Corporate Rules:
• Mutual Recognition process means approval by a single authority is binding in nearly all EU Member States
• BCR implementation requires creation of a privacy compliance team, training program and audit schedule
• Flexible – can be implemented for all data or just some data (e.g. customer data but not HR data)
Model Clauses:
• A tick box solution – sign the contract and you are done
• Meant to implement the contractual requirements – but who does this in practice?
• Any modification to the model clauses can trigger DPA review and approval requirements
Question #5
• I am going to ask the same question to all three. If I wanted to take you home to meet my executives, what would they not like about you?
Detractors
EU/US Safe Harbor:
• EU Parliament and EU Commission consider it “Not So Safe Harbor”
• Concerns that self-certification commitments aren’t lived up to in practice
• Limited enforcement to date is a source of criticism
• Equally mistrusted by EU customers (particularly German customers) and privacy groups alike
Binding Corporate Rules:
• Considered the “gold standard” in the EU – by regulators and customers alike
• Historically, have had a bad reputation for a complex and expensive approval process
• A rarer solution in practice, so uneducated EU customers may still push for Safe Harbor or model clauses
Model Clauses:
• Privacy professionals are not fans – burdensome to administer and do not deliver real compliance (though loved by EU regulators, whatever their limited practical effect)
• Very unpopular amongst cloud suppliers due to subcontracting restrictions and the need for exponential contracts
Question #6
• Let’s talk about sensitive stuff, especially sensitive data. What can you handle and how?
Sensitive Data
EU/US Safe Harbor:
• Can be used to transfer sensitive information
• Explicit opt-in required for transfers to a third party or re-purposing
• Not clear what is “sensitive” for Safe Harbor purposes – uses the term “sensitive information” rather than the EU term “sensitive personal data”
Binding Corporate Rules:
• Can be used to transfer sensitive data
• No express requirements for sensitive data, save that it must be processed in accordance with EU standards
Model Clauses:
• Can be used to transfer sensitive data
• Data exporter must inform individuals that their data is being sent to a processor in an ‘unsafe’ country
• Onward transfers to third parties generally require consent
Interoperability
EU/US Safe Harbor:
• Allows data transfers from the EU and Switzerland
• Beyond that, limited global interoperability – an “inbound” data transfer solution only
Binding Corporate Rules:
• A global solution – BCR meet and exceed most countries’ data protection requirements
• Ensures a high standard of protection for data transfers from the EU to the RoW and by and between RoW countries
• Compatibility with APEC Cross-Border Privacy Rules (BCR for Asia-Pac)
Model Clauses:
• Permits data transfers from the EU to anywhere in the world
• Envisages only one-way transfer flows – from the EU to the RoW, not the other way around
Question #7
• Let’s be brutally frank here: are you expensive, what is the most expensive part about you, and how can I save costs?
Costs and Effort
EU/US Safe Harbor:
• Depends on whether you take the ‘certify now / fix later’ or ‘fix now / certify later’ approach
• Simply submitting a Safe Harbor certification is minimal cost – little paperwork involved
• Real expense is in the audit to bring practices in line with Safe Harbor commitments – depending on the size of the organization, can be $$$
Binding Corporate Rules:
• A commitment in terms of time, cost and resource
• Typical budget about US$220,000, depending on efficiency and “lead authority”
• Timescale for authorization around 18 months start to finish
Model Clauses:
• Very cheap
• Standard form contract: populate the annex (describing data, processing etc.), sign and you are done
Question #8
• Again, to all three of you: if I tell you that I am a small company with an online presence, would that change any of your answers – and you can speak to any of the topics we have touched on. Would my size make a difference? (and be careful, I have delicate feelings).
Large vs. Small Company
EU/US Safe Harbor:
• Solution equally viable for large and small companies
• Commonly used by US start-ups – liked as a “home grown” solution and sold by their US counsel
• Administratively much simpler than model clauses
Binding Corporate Rules:
• Solution geared towards high growth or blue chip businesses due to time and resource commitments
• But the process is getting simpler and BCR are becoming more attractive to smaller companies as doubts about Safe Harbor persist
Model Clauses:
• Really only works well for small companies
• Large companies need an exponential number of model contracts to meet their data transfer needs
• Impossible to use in a cloud environment!
Question #9
• If we were in a relationship and broke the rules, who would we have to answer to and what could they do to punish me?
Enforcement
EU/US Safe Harbor:
• Enforcement by FTC
• >20 cases of enforcement to date – and most in 2014!
• Enforcement by EU DPAs for HR data
• Need for third party dispute resolution provider
Binding Corporate Rules:
• Enforcement by EU DPAs
• Individuals have third-party rights as well
• Processors can be held liable for breaches by their controller (but very unlikely)
• Internal complaints procedure intended to resolve most complaints – so seldom (never?) brought to the attention of a DPA
• No known DPA enforcement to date
Model Clauses:
• Enforcement by EU DPAs
• Individuals have third-party rights as well
• Some model clauses include joint and several liability provisions
• Processors can be held liable for breaches by their controller (but very unlikely)
• Seldom (never?) enforced in practice
Question #10
• This is your last chance to impress me. If I met you on an elevator and knew nothing about you, how would you introduce yourself to me?
Experiences
• Box: EU/US Safe Harbor certified, undergoing BCR application
• Align: Successfully closed dual controller/processor BCR application
It’s Time to Pick the Winner!
• To the audience: are there any questions you want answered that would help me make the right choice?