Webinar: US-EU Safe Harbor Framework Declared Invalid

Transcription

Webinar: US-EU Safe Harbor Framework Declared Invalid

Bruce Heiman (Washington DC)
Ignasi Guardans (Brussels)
Etienne Drouard (Paris)

Copyright 2015 by K&L Gates LLP. All rights reserved.

What happened?

klgates.com

The Schrems Case (Ruling C-362/14)

* 9/25/13: Irish DPA receives complaint from a citizen about FB transferring his data to the US
  - DPA states it has no right to verify the data transfer; only the EC can, based on EC Decision 2000/520 (Safe Harbor decision)
  - Schrems takes the DPA to the Irish High Court
* 7/17/14: Irish High Court asks the CJEU for a preliminary ruling
  - Is the Irish DPA bound by the EC findings on protections of data transfer to a 3rd state?
  - Can the DPA carry out its own investigation?
* 10/6/15: CJEU ruling C-362/14
  - EC Decision 2000/520 can be reviewed and challenged at national level by DPAs and courts
  - But only the CJEU can declare it void
  - EU Court reviews it, and declares it void

Why Is 2000/520 Declared Invalid? (What’s the test for a valid one?)

* Transfers of data can only be allowed IF the 3rd country ensures an “adequate level of protection”: measured according to a non-exhaustive list of circumstances
* The European Commission must assess the level of protection of the 3rd country
  - According to laws & practice
  - Reliability check: effective detection & supervision mechanisms in case of infringement
* But the EC acknowledges that:
  - National security, public interest, or law enforcement requirements have primacy over the safe harbor principles
  - No legal protection: data subjects have no administrative or judicial means of redress (FTC only for commercial disputes)

Why Is 2000/520 Declared Invalid? (What’s the test for a valid one?) (continued)

* Derogations to the protection of personal data can apply only if “strictly necessary”. Not the case here: no objective criterion determining the limits of access by public authorities and its use for purposes that are “specific, strictly restricted, justifying the interference”
* “Generalized” storage of and access to personal data by authorities compromise the “essence of the fundamental right for private life”
* Effective judicial review is inherent to the existence of the rule of law
* The EC failed to prove “that US in fact ensures adequate level of protection”: Decision 2000/520 establishing an equivalent “adequate level of protection” is invalid

Essentially, Two Issues Make Safe Harbor Invalid

Resolving these two issues is what will make a new agreement acceptable in the EU:

* US Government has access to personal information “without limitation”
  - EC had already raised concerns that access is beyond what is “strictly necessary and proportionate” to protect national security
* EU citizens cannot pursue legal remedies to access and correct data
  - EC had already raised concerns that there is “no administrative or judicial means of redress” for access and the ability to rectify or erase data

Who May Be Impacted?

‘Personal Data’ Under the EU Framework

Directive 95/46, Article 2(a): “[…] Any information relating to an identified or identifiable natural person (‘data subject’) […], directly or indirectly, […] by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

Whereas 26: “[…] account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.”

Opinions from the “Article 29 Working Party”: e-29/documentation/opinionrecommendation/index en.htm

Are You Subject to EU-US Data Transfer Regulations?

1. Your company or group of companies is composed of a US company:
   1.1. with personnel, and/or subsidiaries, and/or affiliates, and/or holding/mother company in the EU
   1.2. using technical infrastructures (including e.g. servers) or service providers located in Europe
   1.3. with commercial partners located in Europe (wholesalers, retailers, distributors, licensees)
   NO
2. An EU company:
   2.1. with personnel, and/or subsidiaries, and/or affiliates, and/or holding/mother company in the United States
   2.2. using technical infrastructures (including e.g. servers) or service providers located in the United States
   2.3. with commercial partners located in the United States (wholesalers, retailers, distributors, licensees)
   YES
3. A US company operating services entirely from the United States and/or a non-EU country, directed at customers in Europe (draft EU Regulation)

Who May Be Impacted in Practice?

Note: Situations listed hereafter should be read with the following assumption: “for the processing of personal data, browsing and localization data, or behavioral data, which may relate, directly or indirectly, to an individual (employee, customer, etc.)”

Which US Companies May Be Impacted?

* Safe harbor certified US companies.
* Non-safe harbor certified US companies:
  - that are not bound by group-wide “Binding Corporate Rules” (“BCR”).
  - that have not executed EU-compliant data transfer agreements with their EU mother company, sister companies, affiliates, contractors, subcontractors, service providers, business partners
  - that receive or access personal data from the EU without the data subjects’ consent to the transfer to the US

Which EU Companies May Be Impacted?

* EU companies sending data to a US mother company, sister companies, affiliates, contractors, subcontractors, service providers, business partners
* EU companies sharing databases with their US mother company, sister companies or affiliates
  - without any EU-compliant data transfer agreement in place
  - without any BCR in place
  - without the data subjects’ consent

What Are the Risks?

Popular Solutions Under the Current EU Laws

* Execute EU-compliant data transfer agreements
  - Model clauses from the EU Commission
  - Description of data, purposes and security measures
  - Amend existing notifications with the data protection authority (“DPA”) re. grounds for data transfer
* Implement group-wide “Binding Corporate Rules”
  - Binding list of data protection commitments
  - Approval of the BCRs by the competent DPAs
  - One representative EU entity liable before the competent DPAs
  - All group entities liable before the representative EU entity
* Obtain consent from data subjects
  - Explicit, specific, freely given, discretionary, waivable
  - Impracticable?

Data Transfer Assessment

Data Transfer Assessment

* Perform a data transfer audit
  - Data transfers tailored checklist
  - IT/Commercial/outsourcing contracts review
    - Look for references to “safe harbor”
    - Look for data transfer agreements
* Classify and prioritize
  - Intra-group transfers
  - Transfers to clients
  - Transfers to contractors or subcontractors
* Assess the most effective and practicable legal solution, following the priorities previously defined

Example of Data Transfers Standard Check List (US)

We are a US company and we do (answer YES or NO for each):

* Access/extract HR data from our European-based affiliates
* Access/extract CRM data from our European-based affiliates
* Access/extract accounting data from our European-based affiliates
* Implement a global anti-money-laundering and/or SOX compliance framework from the United States
* Enforce and control a global IT policy from the United States
* Draw statistics about our European employees/customers based on any of the following: health conditions, race, ethnicity, trade union membership, criminal offenses or allegations, religion, sexual orientation
* Consolidate/assess a biometric database (e.g., fingerprint, hand shape, iris) for employee access control or other purposes
* Consolidate/access a genetic database
* Operate a global active directory including our European employees
* Operate data centers in the EU
* Outsource data hosting in the EU
* Host data from our EU affiliates
* Host data from our EU service providers
* Operate global IT infrastructures from the United States

Example of Data Transfers Standard Check List (EU)

We are a European company and we do (answer YES or NO for each):

* Use global IT services, tools and/or servers provided by our US affiliate/mother company
* Outsource IT services to subcontractors in the United States
* Outsource IT infrastructures to subcontractors in the United States
* Outsource hosting activities to subcontractors in the United States
* Outsource medical analysis to subcontractors in the United States
* Share our database with our affiliates/mother company in the United States
* Provide our subcontractors in the US with access to our EU database
* Provide information related to health conditions, race, ethnicity, trade union membership, criminal offenses or allegations, religion, sexual orientation, to our mother company in the United States for statistical purposes
* Share an online recruiting tool and database with our affiliates/sister companies/mother company in the United States
* Outsource biometric security services to subcontractors in the United States
* Benefit from biometric security services provided and managed/operated by our mother company in the United States

EU Next Moves

Policy / Regulatory Follow-up in the European Union

* EC VP Frans Timmermans
* EC Commissioner Věra Jourová
* European Parliament LIBE Committee
* Article 29 Working Party

US Next Moves

Will a US-EU Safe Harbor 2.0 Provide Relief From the ECJ/EU Privacy Regulation Storms?

Safe Harbor 2.0 Negotiations Were in Final Stage

* Impact of 2013 Snowden disclosures (June 2013)
* EC’s 13 Recommendations for Improvement (November 2013)
  - Transparency
  - Enforcement
  - Redress
  - Access by U.S. Authorities
* Increased FTC enforcement (January 2014)
* Key Issue: Recommendation 13 – National Security exception, “strictly necessary or proportionate”
* Note parallel initiative – EU-US umbrella agreement
  - Protection framework for data transfers for law enforcement purposes
  - EU citizens should have the same privacy rights and remedies available to US persons

Need to address two prongs of the ECJ decision

* USG unrestricted access to information
  - PRISM program disbanded
  - Section 215 bulk collection of telephone metadata ended (USA Freedom Act)?
  - Final resolution of “strictly necessary and proportionate”
* EU citizens’ ability to access and correct data
  - Judicial Redress Act (H.R. 1428)
  - Legislative prospects

Commerce Secretary Pritzker Reaction

“Since 2000, the Safe Harbor Framework has proven to be critical to protecting privacy on both sides of the Atlantic and to supporting economic growth in the United States and the EU. We are deeply disappointed in today’s decision …”

“For the last two years, we have worked closely with the European Commission to strengthen the U.S.-EU Safe Harbor Framework, with robust and transparent protection, including clear oversight by the Department of Commerce and strong enforcement by the U.S. Federal Trade Commission.”

“The court’s decision necessitates release of the updated Safe Harbor Framework as soon as possible.”

Q&A With K&L Gates Presenters

Bruce J. Heiman, Partner, Public Policy and Law – Washington DC, 1.202.661.3935, bruce.heiman@klgates.com
Ignasi Guardans, Partner, Public Policy and Law – Brussels, 32.(0)2.336.1949, ignasi.guardans@klgates.com
Etienne Drouard, Partner, Privacy, Data Protection and Information Management – Paris, tes.com