Difference in Perception between EU and US
• Privacy as a matter of commerce in the U.S.
• Privacy as a fundamental human right in the EU
• Right to be forgotten
Once data crosses international borders, where is it “safe?”
• “It depends”
• Do you know where your cloud actually is?
• Guess what? It matters.
Schrems v. Data Protection Commissioner
• What the case means
• Historical context
• A 2000 decision enabled U.S. companies to self-certify that company practices
ensured an adequate level of protection for personal data under the EU Data
Protection Directive, thus permitting the company to transfer data from the
EU to the United States.
• Schrems decision holds that U.S. law does not afford adequate protection to
What’s happened since the decision
• Data transfers from the EU to the United States trigger the
provisions of the EU Data Protection Directive and may come
• Many companies utilize U.S.-based cloud services
• If personal data is kept outside of a U.S. jurisdiction
• Knowledge of compliance regs is required
• So is compliance!
Companies can no longer rely on “safe
• Entities need to independently verify that company transfers of personal
data from the EU to the United States meet the level of data privacy
protection considered adequate by the EU Data Protection Directive.
• The European Commission recommends that entities consider using the EU-
approved standard contractual clauses, the EU-approved Binding Corporate
Rules, or the enumerated derogations under which data can be transferred.
Use of Standard Contractual Clauses
• Two sets of standard contractual clauses for transfers from data
controllers to data controllers established outside the EU/EEA
• One set for the transfer to processors established outside the EU/EEA.
Foreign Corrupt Practices Act
The Foreign Corrupt Practices Act of 1977, as amended, 15 U.S.C. §§ 78dd-1, et seq.
• The anti-bribery provisions prohibit paying foreign officials to obtain or
• Accurate accounting and adequate internal controls are REQUIRED!
• Jurisdiction of the FCPA is far-reaching and hinges on the use of interstate
commerce by a U.S. or foreign person.
• Aggressive Enforcement
• Compliance policies to maintain watch over company actors to avoid
inadvertently violating the FCPA.
• Department of Justice is happy to offer opinions on
U.S. Department of Justice
Criminal Division, Fraud Section
Attn: FCPA Coordinator
Bond Building, 4th Floor
10th and Constitution Ave., NW
Washington, DC 20530-0001
Email - FCPA.Fraud@usdoj.gov
Protecting the Jewels
• Protecting data within a company’s control
• Protecting data beyond the company’s walls