Transcript
Presentation Overview
• Speaker introduction and short summary
• Historical Overview
• Dating Game: Safe Harbor / Model Contracts / Binding Corporate Rules (BCR)
– Hostess: Katia Bloom
– Mechanism #1: EU/US Safe Harbor: Pete McGoff
– Mechanism #2: BCR: K Royal
– Mechanism #3: Model Clauses: Phil Lee
• Questions
Historical Overview: EU Data Protection Directive of 1995 (DPD)
• DPD describes how organizations should best handle, transfer and process personal information
• An organization can only transfer data outside of the European Economic Area (EEA) if an adequate level of protection exists for individuals’ privacy
Historical Overview: Model Contracts
• The European Commission created standard contractual clauses (known as model contract clauses) as a way to ensure adequate safeguards of personal information (for purposes of Article 26(2) of the DPD)
• Clauses were created (and subsequently revised) for controller/controller and controller/processor relationships
• Must have a contract between each and every entity (which, for large companies, can turn into a contract management nightmare)
• Currently most popular option
Historical Overview: Safe Harbor
• 1995: European Commission (EC) Data Protection Directive which prohibits transfer of personal data to countries that do not meet EU standard for adequate data protection
• 1998-2000: US/EU Safe Harbor Framework Negotiated to bridge gap between US and EU system of data protection
• 2000: Safe Harbor Framework finalized and eligible companies can self-certify that they are Safe Harbor compliant
• 2000-2013: Adoption of Safe Harbor grows and includes over 4,000 organizations
• June 2013: Snowden leaks give EU the platform to say “We told you so.”
Historical Overview: Safe Harbor Post Snowden
• Prior to Snowden, EU regulators and partners were already skeptical because there was so little Safe Harbor enforcement from the FTC (and its limited jurisdiction over certain industries)
• Snowden causes EU regulators and partners to stop trusting the process and if your organization is actively working with EU companies, Safe Harbor just may not be sufficient any longer
• Future of Safe Harbor is very uncertain due to EU/US Safe Harbor reform discussions – though hard to know actual resulting changes
• Currently, there is a suggestion that the EU's proposed General Data Protection Regulation could include a "sunset" clause for safe harbor
Binding Corporate Rules (BCR) to the Rescue
• BCR are the EU's response to all of the downsides of the currently existing solutions; they attempt to overcome the issues above by facilitating export while also providing the kind of accountability that even the EU approves of
• Because EU data protection and privacy laws are so strict, complying with the BCR likely means your organization complies with data protection laws globally
• GDPR expressly promotes BCR
• BCR are designed by, and tailored for, the applicant organization, so they reflect and respect your culture, processes and business – they are not a regulator-imposed solution, unlike model clauses
• Downside: time and cost – this definitely is not a quick fix
Our Contestants
– Hostess: Katia Bloom
– Mechanism #1: EU/US Safe Harbor: Pete McGoff
– Mechanism #2: BCR: K Royal
– Mechanism #3: Model Clauses: Phil Lee
Question #1
• Mechanism #1, Safe Harbor, if I were a U.S. company with an online presence, tell me why I would choose you?
• Mechanism #2, BCR, you seem a little too large of an undertaking. Why would I choose you?
• Mechanism #3, Model Contracts, I am probably already using you to some extent; why and how can I stay away from Mechanisms #2 and 3?
Benefits of Each Mechanism
EU/US Safe Harbor
• Self-certification
• Widely adopted by US companies
• Enforced by a “known entity” regulator
• Permits data transfers from the EEA/CH to the US
Binding Corporate Rules
• Enables global data transfers within a group of companies
• Recognized as the “gold standard” for data exports – in the EEA and beyond
• Future proofed – mentioned explicitly in proposed data reforms
• Provides a comprehensive data governance framework
• Available for controllers and processors
Model clauses
• Very simple, tick box solution
• Universally recognized by all EEA DPAs
• Permits global data exports
• Available for controllers and processors
Question #2
• I am surprised that all of you only mentioned the EU. I am sure that there are more considerations than just the EU. Mechanism #2, BCR, can you speak to that?
• Mechanism #3, Model Contracts, although you only discussed the EU, you seem rather flexible and could apply in other countries. Please tell me more.
• Mechanism #1, Safe Harbor, you say you are limited to the EU and US. Is there anything about you that would help me in other countries?
Global Applicability
EU/US Safe Harbor
• Straightforward process, easy to adopt
• Good flexibility for subcontracting data processing
• Avoids the need for exponential model contracts
• The simplest solution if you are a US data importer
Binding Corporate Rules
• Can be tailored to internal culture and processes
• PR uplift – BCR are akin to a data protection trust mark
• Great relationship building with EU DPAs
• Institutes training, audit and compliance structure requirements
• Recognized throughout the EU – and beyond!
Model clauses
• Tried and trusted solution
• Very quick and easy to execute
• No need for regulatory approvals
• Enables transfers globally (not just to the US)
• Seldom (never?) enforced
Question #3
• Mechanism #1 (Safe Harbor), not every relationship starts with fireworks and flowers. How hard would I have to work to get you?
• Same question to you, Mechanism #2 (BCR).
• Mechanism #3 (Model Contract), we already have some relationship, but it doesn’t seem to be working perfectly. What do we need to do to make sure you are all I need?
Challenges
EU/US Safe Harbor
• Currently going through a process of reform – uncertain what the outcome will be
• Uncertain future under the EU General Data Protection Regulation
• Strictly speaking, a “controller-only” solution
• Not available to financial services clients, telecoms networks or NFPs
Binding Corporate Rules
• Not a process to be undertaken lightly
• Time commitment – authorization typically around 18 months
• Resource commitment – the organization needs to live up to its BCR commitments!
Model clauses
• Model clauses require a contract “per export”. Often leads to tens (if not hundreds) of contracts
• Very commercially unfriendly – strict restrictions on subcontracting, some joint and several liability
• Do not deliver compliance in practice – tick box solution
Question #4
• If you are chosen, you have to learn how to live within my company, from executives down to front-line people. How do we build that relationship and would it take a long time?
Implementing
EU/US Safe Harbor
• Two approaches to self-certification: sign up to Safe Harbor and then bring practices into compliance; or full audit, remediation and then certification
• The former is quick, cheap and easy – but the source of current concerns about Safe Harbor
• The latter is almost as costly as BCR, but with fewer benefits
Binding Corporate Rules
• Mutual Recognition process means approval by a single authority is binding in nearly all EU Member States
• BCR implementation requires creation of a privacy compliance team, training program and audit schedule
• Flexible – can be implemented for all data or just some data (e.g. customer data but not HR data)
Model clauses
• A tick box solution – sign the contract and you are done
• Meant to implement the contractual requirements – but who does this in practice?
• Any modification to the model clauses can trigger DPA review and approval requirements
Question #5
• I am going to ask the same question to all three. If I wanted to take you home to meet my executives, what would they not like about you?
Detractors
EU/US Safe Harbor
• EU Parliament and EU Commission consider it “Not So Safe Harbor”
• Concerns that self-certification commitments aren’t lived up to in practice
• Limited enforcement to date is a source of criticism
• Equally mistrusted by EU customers (particularly German customers) and privacy groups alike
Binding Corporate Rules
• Considered the “gold standard” in the EU – by regulators and customers alike
• Historically, have had a bad reputation for a complex and expensive approval process
• A rarer solution in practice, so uneducated EU customers may still push for Safe Harbor or model clauses
Model clauses
• Privacy professionals are not fans – burdensome to administer and do not deliver real compliance (though loved by EU regulators, whatever their limited practical effect)
• Very unpopular amongst cloud suppliers due to subcontracting restrictions and the need for exponential contracts
Question #6
• Let’s talk about sensitive stuff, especially sensitive data. What can you handle and how?
Sensitive Data
EU/US Safe Harbor
• Can be used to transfer sensitive information
• Explicit opt-in required for transfers to a third party or re-purposing
• Not clear what is “sensitive” for Safe Harbor purposes – uses the term “sensitive information” rather than the EU term “sensitive personal data”
Binding Corporate Rules
• Can be used to transfer sensitive data
• No express requirements for sensitive data, save that it must be processed in accordance with EU standards
Model clauses
• Can be used to transfer sensitive data
• Data exporter must inform individuals that their data is being sent to a processor in an ‘unsafe’ country
• Onward transfers to third parties generally require consent
Question #7
• I also want to know, if I choose you, would we party with any of the other data laws?
Interoperability
EU/US Safe Harbor
• Allows data transfers from the EU and Switzerland
• Beyond that, limited global interoperability – an “inbound” data transfer solution only
Binding Corporate Rules
• A global solution – BCR meet and exceed most countries’ data protection requirements
• Ensure a high standard of protection for data transfers from the EU to the RoW and by and between RoW countries
• Compatibility with APEC Cross-Border Privacy Rules (BCR for Asia-Pac)
Model clauses
• Permits data transfers from the EU to anywhere in the world
• Envisages only one-way transfer flows – from the EU to the RoW, not the other way around
Question #7
• Let’s be brutally frank here: are you expensive, what is the most expensive part about you, and how can I save costs?
Costs and Effort
EU/US Safe Harbor
• Depends on whether you take the ‘certify now / fix later’ or ‘fix now / certify later’ approach
• Simply submitting a Safe Harbor certification is minimal cost – little paperwork involved
• Real expense is in the audit to bring practices in line with Safe Harbor commitments – depending on the size of the organization, can be $$$
Binding Corporate Rules
• A commitment in terms of time, cost and resource
• Typical budget about US$220,000, depending on efficiency and “lead authority”
• Timescale for authorization around 18 months start to finish
Model Clauses
• Very cheap
• Standard form contract; populate the annex (describing data, processing etc.), sign and you are done
Question #8
• Again, to all three of you: if I tell you that I am a small company with an online presence, would that change any of your answers – and you can speak to any of the topics we have touched on. Would my size make a difference? (And be careful, I have delicate feelings.)
Large vs. Small Company
EU/US Safe Harbor
• Solution equally viable for large and small companies
• Commonly used by US start-ups – liked as a “home grown” solution and sold by their US counsel
• Administratively much simpler than model clauses
Binding Corporate Rules
• Solution geared towards high growth or blue chip businesses due to time and resource commitments
• But the process is getting simpler and BCR are becoming more attractive to smaller companies as doubts about Safe Harbor persist
Model Clauses
• Really only works well for small companies
• Large companies need an exponential number of model contracts to meet their data transfer needs
• Impossible to use in a cloud environment!
Question #9
• If we were in a relationship and broke the rules, who would we have to answer to and what could they do to punish me?
Enforcement
EU/US Safe Harbor
• Enforcement by FTC
• >20 cases of enforcement to date – and most in 2014!
• Enforcement by EU DPAs for HR data
• Need for a third party dispute resolution provider
Binding Corporate Rules
• Enforcement by EU DPAs
• Individuals have third-party rights as well
• Processors can be held liable for breaches by their controller (but very unlikely)
• Internal complaints procedure intended to resolve most complaints – so seldom (never?) brought to the attention of a DPA
• No known DPA enforcement to date
Model clauses
• Enforcement by EU DPAs
• Individuals have third-party rights as well
• Some model clauses include joint and several liability provisions
• Processors can be held liable for breaches by their controller (but very unlikely)
• Seldom (never?) enforced in practice
Question #10
• This is your last chance to impress me. If I met you in an elevator and knew nothing about you, how would you introduce yourself to me?