EU Data Protection Compliance Trends - What US Companies Need to Know
30 January 2013

Session Contents
• Why European data protection rules matter and an introduction to the main privacy rules
• Transferring data outside of Europe – the compliance options
• Outsourcing
• A brief UK perspective on privacy compliance
• A French perspective on privacy compliance
• A German perspective on privacy compliance
• Concluding remarks

Your Speakers Today
• Caroline Egan – Birmingham, UK
• Ann La France – London, UK
• Stephanie Faber – Paris, France
• Andreas Fillmann – Frankfurt, Germany
INTRODUCTORY OVERVIEW
Why Does EU Data Protection Law Matter
• Why European DP law matters to US companies
– Applies to European subsidiaries in their domestic processing of personal data (even when the US parent is Safe Harbor certified)
– Applies when they transfer personal data to, or allow access to it from, the US or anywhere else outside the EEA
• Our focus – transfers of data outside Europe
• Though based on the EU Directive (95/46/EC), implementation differs between individual countries
• Applies to all types of personal data
– Employee
– Customer
– Supplier

Why Does EU Data Protection Law Matter
• Downsides of non-compliance
– Fines and regulatory sanctions – substantial and increasing (see table on next slide)
– Reputational damage – "name and shame" policy of regulators
– Employee data – damaged employee relations
– Potential conflicts with US law – e.g. Sarbanes-Oxley whistleblowing hotlines vs. French data protection rules
Examples of Fines Imposed by EU DPAs

Country/DPA            | Date       | Company              | Fine imposed              | Reason
-----------------------|------------|----------------------|---------------------------|-----------------------------------------------------------------------
UK (ICO)               | Jan 2013   | Sony                 | 250,000 GBP               | Failing to prevent personal data of PlayStation users being hacked
UK (ICO)               | Oct 2012   | The Prudential       | 50,000 GBP                | Mixing up the accounts of two customers
UK (ICO)               | May 2012   | NHS Trust            | 325,000 GBP               | Failure to prevent sensitive personal data being sold on an internet auction site
France (CNIL)          | March 2011 | Google               | 100,000 EUR               | Collection of Wi-Fi and login/email data during its Street View operations
France (CNIL)          | July 2011  | Association Lexeek   | 10,000 EUR and injunction | Published legal cases online containing the parties' names
Germany (Hamburg DPA)  | –          | Hamburger Sparkasse  | 200,000 EUR               | Using neuromarketing techniques without customer consent
Spain (AEPD)           | April 2007 | Zeppelin Television  | 1,000,000 EUR             | Failure to protect personal data of 7,000 applicants for Big Brother
Netherlands (OPTA)     | Dec 2011   | DollarRevenue        | 1,000,000 EUR             | Installing adware/spyware software on 22 million computers
Why Does EU Data Protection Law Matter
• Existing law tough; new law tougher?
• Proposed new European Data Protection Regulation
– Harmonised, stricter rules – a Regulation has direct effect, leaving member states no scope to alter it
– Much higher penalties – up to 2% of global annual turnover
– Mandatory data breach notification
– Requirement to appoint a Data Protection Officer
– Territorial application – applies even to companies with no European presence if they market to Europe or monitor European citizens

Timescale for Implementation
• A long way from being finalised
• Earliest date for finalising the Regulation – 2014
• Implementation – 2018?

Overview of EU Data Protection Rules
• Key terms
– Personal data
– Data controller and data processor (especially important as these terms are not used in Safe Harbor)
– Processing
– Transfer outside the EEA – including allowing access from outside the EEA
– Sensitive personal data
– EEA – the EU plus Norway, Iceland and Liechtenstein

Overview of EU Data Protection Rules
• Data protection compliance principles
– Must have a justification – consent or another permitted purpose
– Notice to individuals about the use of their data (privacy policy)
– Accurate and up to date
– Sufficient and not excessive for the purpose
– Destroyed when no longer needed for the purpose
– Compliance with individuals' rights – e.g. providing information on request
– Kept secure (higher security required for sensitive data)
– Only transferred outside the EEA if adequate protection is in place
TRANSFERS OUTSIDE OF THE EEA
Compliance Options When Transferring Data Outside the EEA
• Approved country – Switzerland, Argentina, Canada, Israel, Uruguay (Australia has no EU adequacy decision)
• US Safe Harbor (some sectors excluded)
• EC-approved Model Clauses
– Controller to controller
– Controller to processor
• Binding Corporate Rules – within multinational groups
• NB: EU law treats group companies as separate third parties, so intra-group transfers need a compliance basis too

Safe Harbor – Advantages/Disadvantages
• Geographical limitations – covers transfers to the US only; issues with onward transfers
• Some sectors excluded, e.g. financial services, telecoms (outside FTC jurisdiction)
• Check the exact certification and the data it covers
• Lack of fit for pure processors
• Long-term future?

EU Model Clauses – Advantages/Disadvantages
• Must be used unamended
• Jurisdictional issues – governed by the law of the exporting country
• Notification to, or prior approval by, the DPA required in many countries
• Service providers becoming more familiar with them
• Sub-contracting – further complications

EU Standard Model Clauses
• Complexity of contracting – an administrative nightmare!
[Diagram omitted: nine EU operations (1–9) and sixteen non-EU operations (1–16), illustrating the number of bilateral sets of model clauses needed]

Binding Corporate Rules – Advantages/Disadvantages
• Only apply within multinational groups
• Favoured by many regulators
• Costly and time consuming
• Involves obtaining approval of regulators in all affected countries, coordinated through a lead regulator – up to a year
• Useful if a lot of data is being transferred or accessed

Overview of Compliance Options
• In theory – straightforward
• In practice – tricky
– EU requirements – not business-friendly
– Getting third parties to agree
– Additional requirements of local regulators/national laws
• The UK position
– Least prescriptive
– Least red tape
– Particular sensitivities
OUTSOURCING – OVERVIEW OF PRIVACY ISSUES
Outsourcing
• Nature of outsourcing
– Providing services to other group members
– External providers
• Examples
– Global HR databases
– Global email hosting
– Using external marketing companies
– Cloud computing – data may be transferred to multiple jurisdictions
• Frequently involves sub-contracting

Outsourcing
• Practical issues
– You appointing a service provider – who will access/use data from Europe
– You as service provider – to third parties or to a member of your group, whether EU clients or a US parent and its European affiliates
– Understanding who is data controller and who is data processor; usually the service provider is the processor
– Virtually all obligations fall on the data controller
– Considering privacy issues at the outset
– Increasing willingness of processors to address customers' compliance issues

Practical Issues (continued)
• If personal data comes to you first, before you appoint a processor/sub-processor, two transfers need a compliance basis:
– The transfer to you
– The onward transfer to the processor/sub-processor

Outsourcing
• Appointing a Processor
– Processor agreement always needed – even if the processor is in the EEA or the recipient is Safe Harbor certified ("basic processor agreement")
– Due diligence – up front and ongoing
– Mandatory terms of the basic processor agreement
» Only process on the data controller's instructions
» Take appropriate technical and organisational measures to keep data secure, proportionate to the amount and sensitivity of the data
» Security – a major priority of regulators, especially in the UK: encryption in transit and when accessed from mobile devices; possibly always encryption?
– Strongly advisable terms
» Notify data breaches within 24/48 hours
» Obligation to take remedial measures after a breach
» Audit rights
– Often involves sub-processing

EU Processor Model Clauses 2010
• Not very business-friendly
• Don't apply if the initial processor is inside the EEA
• Audit requirement compulsory
• Agreement must identify the security measures to be taken
• Appointing sub-processors
– Significant formalities
– Requires notification to, and written consent of, the controller
» Can give generic consent – may be okay within groups; risky in an arm's-length transaction

UK Hot Topics
• Data security – encryption
• Data breach reporting
– Not mandatory under current law
– But an aggravating factor when fines are set
• Power to fine
– Data breaches
– Controller liability for processors' failings – not having an agreement in place; not checking the processor's security measures
– Inaccurate data
A FRENCH PERSPECTIVE ON PRIVACY COMPLIANCE
Cloud Computing
• CNIL (the French DPA) guidance on cloud computing (June 2012)
– Similar to the WP29 opinion on cloud computing
– Also contains a list of contractual requirements without which the data controller will not be compliant, as well as proposed clauses

Data for Litigation Disclosure
• Cultural difference: no pre-trial discovery in France
• CNIL guidelines – cooperate through the Hague Evidence Convention and apply data minimisation
• So-called "French Blocking Statute" on "business data"