Privacy protection in a Globalized World
Association of Corporate Counsel
New York, 24 March 2015
Jul 15, 2015
The plan
• Bringing out the main cross-border privacy issues for in-house counsel
• Describing that reality from the point of view of regulators
• Exploring strategies for resolution
• Sharing experiences
05 May 2015 2
[Map: offices, associate offices and facilities; associate firms and special alliances]
A Global View
In-House – A Global Privacy Analysis
• Global patchwork of privacy laws + globalized business = challenge
• How does this come up?
• Most projects are multijurisdictional
• MasterPass – Product Development and Expansion
• Simplify Commerce – Product Development and Expansion
• MasterCard Datacash – Acquired UK payment processing business
In-House – A Global Privacy Analysis
• Goal is always to understand the rights and obligations that attach to data at point of collection and throughout lifecycle
• First, what is the business matter at hand?
• What are we doing (and where)?
• What is our role in the ecosystem?
• Who are we working with?
• Then, how does data layer in?
• Country of collection / data subject
• Entity/mechanism of collection
• Notice & consent mechanics
• Cross-border transfers
• Type of data elements collected and processed
• Nature of processing (primary and secondary uses)
• Sharing with third parties / participants in an ecosystem
In-House – A Global Privacy Analysis
• Result of that analysis drives
• Product design
• Contract terms
• Security protocol
• Risk allocation and determination
• Analysis applies to all situations
• Acquisitions and investments
• Product development and expansion
• Contracting with customers and vendors
• Incident response
Main issues
• Asserting jurisdiction over foreign respondents
• Holding a common front across diverse legislative frameworks
• Coordinating compliance
Outside Counsel – A Global Privacy Analysis
Consistent policies and processes are essential to managing privacy and data protection risk.
Why?
• High process integrity greatly minimizes operational risk.
• Speaking with a consistent voice to customers and partners builds trust and creates accountability with business partners.
• Managing different policies within different businesses and markets can create unmanageable compliance obligations and expectations.
Outside Counsel – A Global Privacy Analysis
Companies have trouble driving consistent privacy policies and practices across businesses and geographies.
Why?
• Business Units are in silos with different leadership and strategy.
• Lack of an integrated, enterprise-wide risk management framework.
• Misperception that adopting consistent standards will lead to missed business opportunities.
Outside Counsel – A Global Privacy Analysis
Regulatory schemes in North America and Europe will continue to harmonize while maintaining substantial differences.
Why?
• The EU will adopt breach notification rules and requirements.
• The US may adopt EU-style rights, such as right to be forgotten/obscurity.
• International data protection schemes, such as those in Canada and in Asia-Pacific, will continue to move closer to the EU approach.
Outside Counsel – A Global Privacy Analysis
What should In-House Counsel do to stay on top of the global complexity?
• Be knowledgeable about privacy laws in other jurisdictions.
• Attempt to rationalize requirements at a high level and drill down at a local level.
• Ensure that you have both a short-term and a longer-term compliance strategy.