EY Human Capital Conference 2012: Global HR - Data privacy and global mobility

This presentation explores the management of international transfers of personal data: the complex rules involved, the selection of a transfer strategy and the tools available. The security of personal data is critical and subject to public scrutiny, so the presentation also looks at examples of data breaches and at leading practices, and closes with how to anticipate the requirements of the new EU data protection framework.


  1. 2012 Human Capital conference, 23-26 October: Data privacy and global mobility
  2. Disclaimer
     ► Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited located in the US.
     ► This presentation is ©2012 Ernst & Young LLP. All rights reserved. No part of this document may be reproduced, transmitted or otherwise distributed in any form or by any means, electronic or mechanical, including by photocopying, facsimile transmission, recording, rekeying or using any information storage and retrieval system, without written permission from Ernst & Young LLP. Any reproduction, transmission or distribution of this form or any of the material herein is prohibited and is in violation of US and international law. Ernst & Young LLP expressly disclaims any liability in connection with use of this presentation or its contents by any third party.
     ► The views expressed by panelists in this session are not necessarily those of Ernst & Young LLP.
     Page 2 Data privacy and global mobility
  3. Presenters
     ► Fabrice Naftalski
       ► Ernst & Young Société d’Avocats
       ► Attorney at Law/Partner
       ► Head of IP/IT Law
       ► fabrice.naftalski@ey-avocats.com
       ► EuroPriSe legal expert and CIPP/E
     ► Dr. Peter Katko
       ► Ernst & Young Law GmbH
       ► Attorney/Partner
       ► Head of IP/IT Law
       ► peter.katko@de.ey.com
       ► EuroPriSe legal expert
  4. Agenda
     ► Data privacy in global mobility
     ► Focus 1: Management of international transfer of data: complex rules/selection of a transfer strategy and existing tools
     ► Focus 2: Security of personal data is critical and subject to public scrutiny: examples of data breaches/best practices
     ► What’s next: How to anticipate the new EU data protection framework requirements
  5. Data privacy in global mobility
  6. Global mobility triggers recurrent and important personal data transfers
     ► International assignments involve various flows of personal data*, subject to data protection regulation:
       ► Name, gender, address, identification card number, residence permit number, nationality, passport number, family situation, phone number, educational background and career experience related data, record of performance evaluation related data, etc.
     ► Specific data privacy aspects related to mobility programs:
       ► Processing of the data of expatriated employees
       ► Management of the data flows and international transfers between the group companies
     *Information that can be used to identify, contact or locate a natural person or can be linked to other sources to identify this individual.
  7. Rationale for data protection
     ► Human rights law:
       ► Universal Declaration of Human Rights
       ► European Convention on Human Rights
       ► Charter of Fundamental Rights from 7 December 2000
       ► National constitutions
     ► EU directive
     ► OECD guidelines
     ► Consumer and security regulation (US)
     ► Asia Pacific Economic Cooperation (APEC) framework
  8. Global trend towards more data privacy regulation (world map; country notes recovered from the slide)
     ► South Korea:
       ► Act on the Protection of Personal Data (2011)
     ► Philippines:
       ► Bill on data protection based on EU directive 95/46
       ► Bill is supposed to reduce the privacy concerns regarding an outsourcing to Philippine companies
       ► Strives to become a safe third country
     ► US:
       ► Consumer Privacy Bill of Rights (March 2012)
       ► FTC recommendations on privacy on the internet
     ► India:
       ► New Data Protection Act (regarding IT topics) in 2011
     ► Costa Rica and Colombia:
       ► Data protection legislation based on the 1995 EU Data Protection Directive
     ► Peru:
       ► New Data Protection Act (2011) inspired by the Spanish Data Protection Act
     ► Brazil:
       ► Work in progress: Data Protection Act based on the EU directive
     ► Australia and Hong Kong:
       ► Intend to strengthen data protection and the APEC (Asia-Pacific Economic Cooperation) Privacy Framework
     ► New Zealand:
       ► Safe third country
  9. Data privacy in the US: US Consumer Privacy Bill of Rights
     ► Self-commitment:
       ► Catalog of rights regarding consumer data protection
       ► Catalog of rights leads to a better protection of consumers’ privacy on the world wide web
       ► Goal: contribution to the improvement of the international “interoperability” and additions to the Safe Harbor Agreement with the EU
       ► Better recognition of the mutual data protection standards
       ► Enforcement by the Federal Trade Commission (FTC)
  10. EU framework to protect personal data
     ► Legal framework in Europe:
       ► EU Law (Personal Data Protection Directive 95/46 and Privacy Directive 2002/58)
       ► Local data protection laws corresponding to Member States’ implementation
       ► Article 29 Working Party group and National Data Protection Regulators’ soft law
     ► Data protection regulators:
       ► Authorize certain data processing and transfers outside the EU/EEA
       ► Control compliance with data protection law
       ► Sanction breaches of the law
       ► Act also as "jurisdiction" in certain countries
     ► Sanctions for the violation of data protection legislation:
       ► Criminal sanctions
       ► Administrative sanctions including monetary penalties
       ► Damage to the image of the company
  11. Overview of requirements and sanctions: main EU data protection principles to comply with
     ► Obligations shown around the diagram: legal basis to process personal/sensitive data; information requirements; transfer obligation; data subject rights; security measures; filing requirements
     ► All personal data must:
       1. Be processed fairly and lawfully
       2. Be obtained for only one or more specified and lawful purposes
       3. Be adequate, relevant and not excessive
       4. Be accurate and kept up to date
       5. Be kept no longer than necessary
       6. Be processed in accordance with the identifiable person’s rights
       7. Be kept secure
       8. Not be transferred to third parties outside of the European Economic Area (EEA), unless certain conditions are met
  12. Why is data privacy compliance critical when monitoring mobility programs?
     ► Because organizations are more complex and global, data is no longer static and hosted in one place:
       ► Security of data is more challenging
       ► International data flows are more numerous
     ► Because employees’ data is a strategic and very sensitive asset
     ► In this context, maintaining a secure and compliant environment is a growing challenge
  13. Focus 1: Management of international transfer of data
  14. Management of international transfer of data under European Union law
     ► Transfer between group entities:
       ► Considered as a disclosure by transmission even within one Member State
       ► Subject to justification (need of employment, intra-group outsourcing, group interest)
     ► EU Directive 95/46 was the first international instrument dealing with the issue of the transfers of personal data to third countries:
       ► One stated objective of the Directive is to allow the free flow of personal data between Member States, based on agreed-upon principles of personal data protection
       ► At the same time, transfers of personal data to third countries require special consideration
     ► Applicability of EU law:
       ► Transfer differs from mere transit. Therefore, personal data may be routed through a third country without considering this operation as a transfer if no substantive processing operation is conducted on the data in the third country
       ► It involves hosting but also mere access from non-EU countries to data hosted in the EU
  15. Complex rules for the management of international transfer of data
     ► EU general principles regarding data transfers:
       ► The data controller may not transfer personal data to a state that is not a Member State of the EU if this state does not provide a sufficient level of protection of individuals’ privacy, liberties and fundamental rights.
       ► If a third country has enacted a generally applicable privacy law that the European Commission deems “adequate,” the country is eligible to receive personal data from Europe (Switzerland, Isle of Man, Canada, Argentina, Israel, Uruguay, Guernsey, European Economic Area countries)
       ► If not, the following legal tools must be implemented to transfer personal data from Europe, not country-by-country, but company-by-company:
         ► Safe Harbor
         ► Standard contractual clauses of the EC
         ► Binding corporate rules
  16. Strategies for international transfer of personal data
     ► Lack of a so-called group privilege (often criticized by companies):
       ► Data exchange between affiliates is regulated under data protection laws as a transfer between third parties
     ► The strategy to adopt should be determined regarding the specificities of the company and its activity (size of the company, number and locations of affiliates and processors, etc.):
       ► The EU standard contractual clauses export European principles concerning the processing of personal data to all companies receiving the data
         + : “ready-to-be-signed”
         - : potentially numerous contracts to be concluded
       ► In the case of US companies, they can agree to comply with data protection laws on the European model as part of the Safe Harbor self-certification process
         + : self-certification process
         - : only for US companies; liability before the FTC
       ► Important groups, in consultation with the data protection regulatory agencies, can adopt Binding Corporate Rules (BCRs) to facilitate transfers between all entities within the group
         + : cover all data transfers within a group
         - : implementation process may be complex
  17. Management of international transfers of data: focus on the BCRs
     ► Definition of the BCRs:
       ► BCRs are a set of internal guidelines, similar to a Code of Conduct, that establishes policies for transferring personal information within the organization and across international boundaries.
     ► BCRs benefits:
       ► Elimination of contracts for each transfer
       ► Mitigation of risks from data transfers to third countries
       ► Consistency in data protection strategies and practices within the organization
       ► In-house awareness of privacy issues
       ► A way to achieve accountability within the organization
     ► Implementing BCRs (process flow shown on the slide): Designate a lead DPA → Draft BCRs → Circulate BCRs to relevant DPAs → Close the EU cooperation procedure → Implement BCRs
  18. Focus 2: Security of personal data is critical and subject to public scrutiny
  19. Security of personal data: elements of context
     ► A highly publicized issue:
       ► ABC Corporation:
         ► External intrusion in the PlayStation Network:
           ► Data from approximately 77 million accounts were stolen
           ► Several legal actions have been engaged against ABC Corporation
           ► Loss of trust/damage to the image of the company
           ► Impressive fall in the share price
  20. Security of personal data: elements of context
     ► Focus on HR data:
       ► External intrusion:
         ► The “hacktivist” group called Anonymous succeeded in obtaining and publishing a database containing the emails and other material related to a big pharma’s employees
       ► Internal mistake:
         ► The HR of Company B accidentally sent an email to 300 employees revealing wage levels, proposed increases and comments of HR services concerning the evaluation of the employees
  21. Security of personal data: technical and legal leading practices
     ► IT risk has privacy implications:
       ► More and more countries have or are adopting data privacy regulations with strong security requirements:
         ► In the EU, certain countries such as Spain, Italy, Portugal and Germany are very demanding in terms of security
         ► In the past years Mexico, like South Korea, Peru, Colombia or Costa Rica, enacted a comprehensive privacy law
         ► In 2011, India enacted a controversial new privacy regulation
       ► Breach notification requirements are emerging in many countries, from Latin America (Brazil, Uruguay and Mexico) to Europe (draft regulation) and Japan in the Asia-Pacific region
       ► Regulators will always be in a position of having to react to the challenges new technologies present
  22. Security of personal data: technical and legal leading practices
     ► Questions to consider:
       ► Does your network architecture design route data from different countries to a central location?
       ► Do you have a good knowledge of data privacy regulations in the countries where expatriates are located or where their data is processed?
       ► Have the privacy regulations in the jurisdictions in which you operate changed in the last years?
       ► If you outsource to countries with new or updated privacy regulations, have you considered what impact that may have on your business in these countries?
       ► If you are transferring data to countries with new or updated regulations, have you considered the impact of those regulations on your local or expatriated employees?
       ► Have you identified solutions to address compliance needs and limit the risk of inappropriate access and exposure of personal information across the organization?
  23. Security of personal data: technical and legal leading practices
     ► Tools to address compliance needs and IT risks:
       ► Cartography of security requirements in local data protection laws
       ► Accountability within the organization
       ► Improve internal monitoring and identify privacy professionals within the organization
       ► Organize security and privacy audits on a regular basis
       ► Set up privacy impact assessment/privacy by design
       ► Reinforce employees’ awareness (internal policies and training of the employees)
       ► Secure contractual relationship with processors
  24. What’s next: How to anticipate the new EU data protection framework requirements
  25. Illustrations of the main changes provided by the new EU regulation currently in draft version
     ► Increased responsibility and accountability for those processing personal data:
       ► Breach notifications
       ► Application of EU rules to companies active in the EU market (even if not established in the EU)
       ► “Principle of accountability”
       ► Obligation to appoint Data Privacy Officers
       ► New obligations applicable to data processors
     ► Simplification:
       ► A “one-stop-shop” for data protection: only one set of data protection rules valid across the EU and one responsible data protection authority — the national authority of the Member State in which the company has its main establishment
     ► Right to be forgotten
     ► Maximum penalty of 2% of the groupwide annual turnover
     ► New rules regarding transfer to third countries, consistency mechanism, role of the EC, European Data Protection Board, supervisory authorities, etc.
     ► Still open for national rules on privacy in employment
     ► Still no group privilege but promotion of BCRs
  26. How to anticipate the new EU data protection framework requirements
     ► Practical steps to comply:
       ► Perform privacy audits and regular privacy impact assessments
       ► Perform regular training
       ► Appoint a data protection officer
       ► Implement BCRs to meet transfer and future accountability requirements
       ► Stay aware of developments
  27. Questions