
Dec 16, 2015

Page 1:

Sarah Branam, Mehmet Munur, Dino Tsibouris
[email protected] [email protected] [email protected]

International Data Transfers: Strategic Considerations for Sending or Receiving Data Internationally

© Copyright 2009 Tsibouris & Associates, LLC, 88 E. Broad Ste. 1560, Columbus, OH 43215
© Copyright 2009 OCLC Online Computer Library Center, Inc., 6565 Kilgour Place, Dublin, Ohio 43017-3395 USA

Page 2:

International data transfers that avoid fines and injunctions require:

• Attention to numerous local laws and regulations,
• Cooperation with regulators,
• Proper initial collection, and
• Agreements with processors.

Page 3:

I. Data Protection Challenges Facing a Hypothetical Company and Concepts of EU Data Protection
II. Transfers of Data from the EU using Different Methods
   A. EU Safe Harbor
   B. Standard Contractual Clauses
   C. Binding Corporate Rules
III. Canada
IV. Australia
V. Enforcement Actions

Page 4:

Hypothetical Corporation

Company XYZ
• Publicly traded
• Multinational corporation
• Headquartered in the US
• Sells goods online to customers around the world

Page 5:

Page 6:


Source: Google Maps

Page 7:

Source: Google Maps

Page 8:

Source: Google Maps

Page 9:

Source: Google Maps

Page 10:

EU Data Protection Directive

• Applies to all 27 EU Member States
• Requires transposition to local law
• Protects fundamental right to privacy
• Comprehensive, not sectoral
• Prohibits transfers to third countries with inadequate protections
• Data Protection Authorities
• Article 29 Working Party

Page 11:

What law applies?

Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State.

Page 12:

Concepts

• Data Controller: entity that determines the purposes and means of processing

• Processor: processes personal data on behalf of the controller

• Processing: any operation performed upon personal data

Page 13:

Concepts, Cont.

• Personal Data: any information relating to a data subject
• Data Subjects: identified or identifiable natural person
• Sensitive Personal Data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life
• Establishment: the effective and real exercise of activity through stable arrangements

Page 14:

Page 15:

Obligations of Data Controllers

• Provide Notice to Individuals about
  – the identity of the controller
  – the purposes and means of processing
  – the recipients or the types of recipients of the data
• Notify the DPAs
• Enter into Article 17 Agreements with Processors

Page 16:

Legal Bases for Processing

• Unambiguous consent
• Necessary for:
  – Contract
  – Compliance with legal obligation
  – Protection of the vital interests
  – Performance of task carried out in public interest
  – *Purposes of legitimate interest of the controller v. interests of data subject*

Page 17:

Page 18:

Adequacy for Transfers

• General Rule: Transfers to 3rd Countries with inadequate protections prohibited
  – Adequacy presumed for EU Member States, Canada, Australia, Argentina, Switzerland, Israel, US Safe Harbor
• Exceptions:
  – Unambiguous consent
  – Standard Contractual Clauses
  – Binding Corporate Rules

Page 19:

Page 20:

Page 21:

Safe Harbor

• Agreement between US DoC and European Commission
• Voluntary Participation by US organizations that abide by the 7 Principles and 15 FAQs
• Organization must be regulated by FTC or DoT
  – Excludes:
    • Banks and other Financial Institutions
    • Non-Profits

Page 22:

Safe Harbor, Cont.

• Principles:
  – Notice
  – Choice
  – Onward Transfer
  – Security
  – Data Integrity
  – Access
  – Enforcement

Page 23:

Onward Transfer

• Mapping Data Flows
• Ensuring Adequate Notice
• Cloud Computing
• Audit Rights
• Negotiation of Onward Transfer Agreements

Page 24:

Page 25:

Page 26:

Standard Contractual Clauses

• Standard contracts that have been adopted by the European Commission for the transfer of data to countries that do not offer an adequate level of protection

• The contracts cannot be modified in any way, except that the parties can add additional commercial provisions

Page 27:

Standard Contractual Clauses – Cont.

Controller to Processor

– Data exporter: the processing and transfer has and will continue to be carried out in accordance with applicable law; instructs data importer to process only on exporter's behalf

– Data importer: processes the data only on behalf of exporter and at exporter’s instructions

Page 28:

Standard Contractual Clauses – Cont.

Controller to Controller

– Data exporter: data collected, processed and transferred in accordance with applicable law; used reasonable efforts to determine the data importer satisfies the legal obligations in the Clauses

– Data importer: appropriate technical and organizational measures to protect data, process only for purposes in the Clauses, subject to audit by data exporter

Page 29:

Standard Contractual Clauses – Cont.

Processor to Processor

– Not yet established but under consideration
– Would permit data processor in the EU to transfer data to a sub-processor in a country that does not offer an adequate level of protection

Page 30:

Binding Corporate Rules

• Corporate privacy rules that protect the processing and transfer of personal data within a global organization

• Purpose: Enable multi-national organizations to transfer data to intra-company locations that do not have adequate level of protection

• Process: Create BCR framework, complete and submit application, select lead DPA, lead DPA will liaise with other DPAs for approval

Page 31:

Binding Corporate Rules – Cont.

• Advantages:
  – Company-wide solution
  – Flexible in form
  – Creates image that company respects privacy
• Disadvantages:
  – Only apply to intra-company transfers
  – No guidance on what to include in BCRs
  – Time consuming

Page 32:

Specific Data Transfer Issues

• HR Data Transfer
  – Presumed that employee cannot willingly consent

• Sensitive Personal Information – race, ethnic origin, sexual orientation, political opinions, religious beliefs, trade union membership
  – General Rule: cannot be processed

• Cross-Border E-Discovery – conflict of laws

Page 33:

Canada

PIPEDA – Personal Information Protection and Electronic Documents Act
• Uses an organization-to-organization approach

– Requires finding of “comparable level of protection”

– Organizations are held accountable for the protection of personal information transferred

– Not based on “adequacy” as in the EU

Page 34:

Canada, Cont.

10 Principles:
– Accountability
– Identifying Purposes
– Consent
– Limiting Collection
– Limiting Use, Disclosure, and Retention
– Safeguards
– Openness
– Individual Access
– Accuracy
– Challenging Compliance

Page 35:

Canada, Cont.

Cross border transfer:
• Organization is responsible for personal information in its possession or custody, including information that has been transferred to a 3rd party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a 3rd party.

Page 36:

Australia

Privacy Act
9 National Privacy Principles:
– Collection
– Use and disclosure
– Access and correction
– Information quality and security
– Sensitive information
– Trans-border data flow
– Openness
– Identifier
– Anonymity

Page 37:

Australia, Cont.

Trans-border data transfer permitted if:
– Recipient is subject to law, binding scheme or contract which upholds substantially similar principles
– Consent
– Necessary for performance of contract between individual and organization or contract concluded in the interest of the individual between the organization and a 3rd party

Page 38:

International Transfers, Local Consequences

• French court invalidates McDonald's Sarbanes-Oxley Hotline on data protection grounds
• French DPA fines Tyco €30,000
• Spanish DPA audits Colombian call center
• Canadian court orders Privacy Commissioner to investigate American company

Page 39:

Conclusion

International data transfers that avoid fines and injunctions require:

• Proper initial collection with attention to numerous local laws and regulations,

• Agreements with processors with attention to security, and

• Cooperation with regulators with attention to picking the right methods.

Page 40:

Questions & Answers

Sarah Branam, Mehmet Munur, Dino Tsibouris
[email protected] [email protected] [email protected]
