
Presentation Overview: Speaker introduction and short summary; Historical Overview; Dating Game: Safe Harbor/Model Contracts/Binding Corporate Rules (BCR)

Dec 30, 2015


Liliana Hensley
Transcript
Page 1: Presentation Overview

• Speaker introduction and short summary
• Historical Overview
• Dating Game: Safe Harbor/Model Contracts/Binding Corporate Rules (BCR)
  – Hostess: Katia Bloom
  – Mechanism #1: EU/US Safe Harbor: Pete McGoff
  – Mechanism #2: BCR: K Royal
  – Mechanism #3: Model Clauses: Phil Lee
• Questions

Page 2: Historical Overview: EU Data Protection Directive of 1995 (DPD)

• The DPD describes how organizations should handle, transfer and process personal information
• An organization can only transfer personal data outside of the European Economic Area (EEA) if an adequate level of protection exists for the individual's privacy

Page 3: Historical Overview: Model Contracts

• The European Commission created standard contractual clauses (known as model contract clauses) as a way to ensure adequate safeguards for personal information (for the purposes of Article 26(2) of the DPD)
• Clauses were created (and subsequently revised) for controller-to-controller and controller-to-processor relationships
• A contract is required between each and every exporting and importing entity (which, for large companies, can turn into a contract management nightmare)
• Currently the most popular option

Page 4: Historical Overview: Safe Harbor

• 1995: European Commission (EC) Data Protection Directive, which prohibits transfer of personal data to countries that do not meet the EU standard for adequate data protection
• 1998-2000: US/EU Safe Harbor Framework negotiated to bridge the gap between the US and EU systems of data protection
• 2000: Safe Harbor Framework finalized; eligible companies can self-certify that they are Safe Harbor compliant
• 2000-2013: Adoption of Safe Harbor grows to include over 4,000 organizations
• June 2013: Snowden leaks give the EU the platform to say "We told you so."

Page 5: Historical Overview: Safe Harbor Post Snowden

• Prior to Snowden, EU regulators and partners were already skeptical because there was so little Safe Harbor enforcement from the FTC (which also has limited jurisdiction over certain industries)
• Snowden caused EU regulators and partners to stop trusting the process; if your organization is actively working with EU companies, Safe Harbor may no longer be sufficient
• The future of Safe Harbor is very uncertain due to EU/US Safe Harbor reform discussions, though it is hard to know what the actual resulting changes will be
• Currently, there is a suggestion that the EU's proposed General Data Protection Regulation (GDPR) could include a "sunset" clause for Safe Harbor

Page 6: Binding Corporate Rules (BCR) to the Rescue

• BCR are the EU's response to the downsides of the currently existing solutions: they attempt to overcome the issues above by facilitating export while also providing the kind of accountability that even the EU approves of
• Because EU data protection and privacy laws are so strict, complying with BCR likely means your organization complies with data protection laws globally
• The GDPR expressly promotes BCR
• BCR are designed by, and tailored for, the applicant organization, so they reflect and respect your culture, processes and business; they are not a regulator-imposed solution, unlike model clauses
• Downside: time and cost. This is definitely not a quick fix

Page 8: Our Contestants

– Hostess: Katia Bloom
– Mechanism #1: EU/US Safe Harbor: Pete McGoff
– Mechanism #2: BCR: K Royal
– Mechanism #3: Model Clauses: Phil Lee

Page 9: Question #1

• Mechanism #1, Safe Harbor: if I were a U.S. company with an online presence, tell me why I would choose you?
• Mechanism #2, BCR: you seem a little too large of an undertaking. Why would I choose you?
• Mechanism #3, Model Contracts: I am probably already using you to some extent. Why and how can I stay away from Mechanisms #1 and #2?

Page 10: Benefits of Each Mechanism

EU/US Safe Harbor:
• Self-certification
• Widely adopted by US companies
• Enforced by a "known entity" regulator
• Permits data transfers from the EEA/CH to the US

Binding Corporate Rules:
• Enable global data transfers within a group of companies
• Recognized as the "gold standard" for data exports, in the EEA and beyond
• Future proofed: mentioned explicitly in the proposed data reforms
• Provide a comprehensive data governance framework
• Available for controllers and processors

Model clauses:
• Very simple, tick-box solution
• Universally recognized by all EEA DPAs
• Permit global data exports
• Available for controllers and processors

Page 11: Question #2

• I am surprised that all of you only mentioned the EU. I am sure that there are more considerations than just the EU. Mechanism #2, BCR, can you speak to that?
• Mechanism #3, Model Contracts: although you only discussed the EU, you seem rather flexible and could apply in other countries. Please tell me more.
• Mechanism #1, Safe Harbor: you say you are limited to the EU and US. Is there anything about you that would help me in other countries?

Page 12: Global Applicability

EU/US Safe Harbor:
• Straightforward process, easy to adopt
• Good flexibility for subcontracting data processing
• Avoids the need for an exponential number of model contracts
• The simplest solution if you are a US data importer

Binding Corporate Rules:
• Can be tailored to internal culture and processes
• PR uplift: BCR are akin to a data protection trust mark
• Great relationship building with EU DPAs
• Institute training, audit and compliance structure requirements
• Recognized throughout the EU, and beyond!

Model clauses:
• Tried and trusted solution
• Very quick and easy to execute
• No need for regulatory approvals
• Enable transfers globally (not just to the US)
• Seldom (never?) enforced

Page 13: Question #3

• Mechanism #1 (Safe Harbor): not every relationship starts with fireworks and flowers. How hard would I have to work to get you?
• Same question to you, Mechanism #2 (BCR).
• Mechanism #3 (Model Contracts): we already have some relationship, but it doesn't seem to be working perfectly. What do we need to do to make sure you are all I need?

Page 14: Challenges

EU/US Safe Harbor:
• Currently going through a process of reform; uncertain what the outcome will be
• Uncertain future under the EU General Data Protection Regulation
• Strictly speaking, a "controller-only" solution
• Not available to financial services clients, telecoms networks or not-for-profits (NFPs), which fall outside FTC jurisdiction

Binding Corporate Rules:
• Not a process to be undertaken lightly
• Time commitment: authorization typically takes around 18 months
• Resource commitment: the organization needs to live up to its BCR commitments!

Model clauses:
• Require a contract "per export", which often leads to tens (if not hundreds) of contracts
• Very commercially unfriendly: strict restrictions on subcontracting, some joint and several liability
• Do not deliver compliance in practice; a tick-box solution

Page 15: Question #4

• If you are chosen, you have to learn how to live within my company, from executives down to front-line people. How do we build that relationship, and would it take a long time?

Page 16: Implementing

EU/US Safe Harbor:
• Two approaches to self-certification: sign up to Safe Harbor and then bring practices into compliance; or full audit, remediation and then certification
• The former is quick, cheap and easy, but is the source of current concerns about Safe Harbor
• The latter is almost as costly as BCR, but with fewer benefits

Binding Corporate Rules:
• The Mutual Recognition process means approval by a single lead authority is binding in nearly all EU Member States
• BCR implementation requires creation of a privacy compliance team, a training program and an audit schedule
• Flexible: can be implemented for all data or just some data (e.g. customer data but not HR data)

Model clauses:
• A tick-box solution: sign the contract and you are done
• Meant to implement the contractual requirements, but who does this in practice?
• Any modification to the model clauses can trigger DPA review and approval requirements

Page 17: Question #5

• I am going to ask the same question to all three. If I wanted to take you home to meet my executives, what would they not like about you?

Page 18: Detractors

EU/US Safe Harbor:
• EU Parliament and EU Commission consider it "Not So Safe Harbor"
• Concerns that self-certification commitments aren't lived up to in practice
• Limited enforcement to date is a source of criticism
• Equally mistrusted by EU customers (particularly German customers) and privacy groups alike

Binding Corporate Rules:
• Considered the "gold standard" in the EU, by regulators and customers alike
• Historically, have had a bad reputation for a complex and expensive approval process
• A rarer solution in practice, so uneducated EU customers may still push for Safe Harbor or model clauses

Model clauses:
• Privacy professionals are not fans: burdensome to administer and do not deliver real compliance (though loved by EU regulators, whatever their limited practical effect)
• Very unpopular amongst cloud suppliers due to subcontracting restrictions and the need for an exponential number of contracts

Page 19: Question #6

• Let's talk about sensitive stuff, especially sensitive data. What can you handle, and how?

Page 20: Sensitive Data

EU/US Safe Harbor:
• Can be used to transfer sensitive information
• Explicit opt-in required for transfers to a third party or re-purposing
• Not clear what is "sensitive" for Safe Harbor purposes: uses the term "sensitive information" rather than the EU term "sensitive personal data"

Binding Corporate Rules:
• Can be used to transfer sensitive data
• No express requirements for sensitive data, save that it must be processed in accordance with EU standards

Model clauses:
• Can be used to transfer sensitive data
• The data exporter must inform individuals that their data is being sent to a processor in an "unsafe" country
• Onward transfers to third parties generally require consent

Page 21: Question #7

• I also want to know: if I choose you, would we party with any of the other data laws?

Page 22: Interoperability

EU/US Safe Harbor:
• Allows data transfers from the EU and Switzerland
• Beyond that, limited global interoperability: an "inbound" data transfer solution only

Binding Corporate Rules:
• A global solution: BCR meet and exceed most countries' data protection requirements
• Ensure a high standard of protection for data transfers from the EU to the rest of the world (RoW) and by and between RoW countries
• Compatibility with APEC Cross-Border Privacy Rules (BCR for Asia-Pacific)

Model clauses:
• Permit data transfers from the EU to anywhere in the world
• Envisage only one-way transfer flows: from the EU to the RoW, not the other way around

Page 23: Question #7

• Let's be brutally frank here: are you expensive, what is the most expensive part about you, and how can I save costs?

Page 24: Costs and Effort

EU/US Safe Harbor:
• Depends on whether you take the "certify now / fix later" or "fix now / certify later" approach
• Simply submitting a Safe Harbor certification is minimal cost; little paperwork involved
• The real expense is in the audit to bring practices in line with Safe Harbor commitments; depending on the size of the organization, this can be $$$

Binding Corporate Rules:
• A commitment in terms of time, cost and resources
• Typical budget about US$220,000, depending on efficiency and the "lead authority"
• Timescale for authorization around 18 months start to finish

Model clauses:
• Very cheap
• Standard form contract: populate the annex (describing data, processing etc.), sign, and you are done

Page 25: Question #8

• Again, to all three of you: if I tell you that I am a small company with an online presence, would that change any of your answers? You can speak to any of the topics we have touched on. Would my size make a difference? (And be careful, I have delicate feelings.)

Page 26: Large vs. Small Company

EU/US Safe Harbor:
• Solution equally viable for large and small companies
• Commonly used by US start-ups, who like a "home grown" solution sold by their US counsel
• Administratively much simpler than model clauses

Binding Corporate Rules:
• Solution geared towards high-growth or blue-chip businesses due to the time and resource commitments
• But the process is getting simpler, and BCR are becoming more attractive to smaller companies as doubts about Safe Harbor persist

Model clauses:
• Really only work well for small companies
• Large companies need an exponential number of model contracts to meet their data transfer needs
• Impossible to use in a cloud environment!

Page 27: Question #9

• If we were in a relationship and broke the rules, who would we have to answer to, and what could they do to punish me?

Page 28: Enforcement

EU/US Safe Harbor:
• Enforcement by the FTC
• >20 cases of enforcement to date, and most in 2014!
• Enforcement by EU DPAs for HR data
• Need for a third-party dispute resolution provider

Binding Corporate Rules:
• Enforcement by EU DPAs
• Individuals have third-party rights as well
• Processors can be held liable for breaches by their controller (but very unlikely)
• Internal complaints procedure intended to resolve most complaints, so seldom (never?) brought to the attention of a DPA
• No known DPA enforcement to date

Model clauses:
• Enforcement by EU DPAs
• Individuals have third-party rights as well
• Some model clauses include joint and several liability provisions
• Processors can be held liable for breaches by their controller (but very unlikely)
• Seldom (never?) enforced in practice

Page 29: Question #10

• This is your last chance to impress me. If I met you on an elevator and knew nothing about you, how would you introduce yourself to me?

Page 30: Experiences

• Box: EU/US Safe Harbor certified, undergoing BCR application
• Align: Successfully closed dual controller/processor BCR application

Page 31: It's Time to Pick the Winner!

• To the audience: are there any questions you want answered that would help me make the right choice?
