VPAs are voluntary partnership agreements between the EU and timber exporting countries that aim to tackle illegal logging. They establish commitments for both parties around monitoring legal compliance of timber exports. VPAs define applicable laws, set up legality assurance systems for verification of legal timber, and require independent audits to ensure credibility. Negotiating and implementing effective VPAs can strengthen governance, but requires meaningful stakeholder participation and a long-term focus on addressing issues.
Presentation by Reka Somssich, Hungary, on the Sources of the EU Law and decision making institutional framework in the EU, given at the workshop organised by SIGMA with the Turkish Ministry for EU Affairs on the Transposition of EU legislation into the legal system of Turkey, Ankara 25 May 2016.
The text assesses the existence and availability of the information listed in VPA about legal frameworks and procedures or forest activities:
- It finds that there are difficulties in the interpretation of complex information and dissemination depends on the authority’s discretion.
- EU will support the implementation of VPA by and activating civil society to demand and use data. In Ghana, the EU will work to establish a formal agreement on which documents should be routinely published.
- Ghana: no binding obligation to publish data routinely. Legal documents are available, but mostly after written request.
- Cameroon: commits the parties to publish information on specific items. There is missing implementing regulation and key information on logging permits. Almost no data on production, plans, exports, social agreements, etc.
- Liberia: Legal documents available, but missing information on private use permits, production, and law enforcement.
Voluntary Partnership Agreements (VPAs) are legally binding bilateral trade agreements between the EU and timber exporting countries that set out commitments to tackle illegal logging. They require defining legal timber, developing tracking systems to verify legality, and independent audits. The goal is to strengthen governance, increase transparency, protect community rights, and reduce corruption through a participatory process involving stakeholders.
This document provides an analysis of access blocking in Europe, specifically analyzing the 2014 CJEU case of UPC Telekabel Wien GmbH v Constantin Film Verleih GmbH. It summarizes the key facts of the case, which involved a copyright infringement on a website and an ISP declining a request to block access. It then analyzes the CJEU decision, which found that ISPs can be considered intermediaries and that outcome prohibition injunctions requiring reasonable blocking measures are compatible with fundamental rights and do not require specific technical measures. Finally, it calls for the establishment of an EU-wide test of proportionality for access blocking measures to balance relevant rights and interests.
The document discusses Voluntary Partnership Agreements (VPAs) between the EU and timber-exporting countries to tackle illegal logging. It provides updates on countries negotiating and implementing VPAs, lessons learned from the process, and ongoing challenges. Key challenges include ensuring proper stakeholder involvement, maintaining interest over time, and balancing trade facilitation with governance reforms. The future of VPAs depends on successful implementation of commitments and navigating relationships with other policies around forests.
Voluntary Partnership Agreements (VPAs) are agreements between the EU and timber-producing countries to help eliminate illegal logging. Under a VPA, a country agrees to develop a licensing system to verify legally harvested timber and improve forest governance. The VPA will cover establishing verification of legal timber, improving transparency, and building systems to issue export licenses. A joint committee oversees each VPA's implementation and progress. VPAs aim to improve forest management over time through capacity building and reforms supported by the EU.
Cisac university the_role_of_cmos_final (Umar Ashraf)
Collective management organizations (CMOs) serve two main purposes: 1) enabling copyright owners to administer certain rights effectively and cheaply to obtain a fair return, and 2) providing a service to rights users by facilitating access to and licensing of copyright works easily and cost-effectively. CMOs license repertoire, monitor use, and collect and distribute royalties. They provide "one-stop" licensing solutions through blanket licenses that allow use of an entire repertoire for a standard fee. CMOs also collect unpaid royalties, distribute payments according to internal rules, and undertake additional representation and advocacy functions on behalf of rights owners.
US – EU Safe Harbor for Cross-Border Data (Mark Aldrich)
This document summarizes recent developments regarding the US-EU Safe Harbor framework for cross-border data transfers. It provides background on the Safe Harbor and outlines key events that have challenged its validity, including European court cases and actions by data protection authorities. These developments include a pending case before the European Court of Justice to determine the validity of Safe Harbor given revelations about US government surveillance programs. Several data protection authorities have also initiated enforcement actions against US companies that self-certified under Safe Harbor.
Safe Harbor is a framework that allows the transfer of personal data from the EU to the US in compliance with EU data privacy laws. It provides a bridge between differing US and EU privacy approaches through voluntary self-certification to its principles by organizations doing business between the regions. The principles address issues like notice, choice, security and enforcement to protect EU citizens' privacy rights when their data is transferred to the less restrictive US context. While initially controversial, Safe Harbor has helped enable transatlantic data flows for many companies over the past 15 years.
The Eu Dimension In Intellectual Capital – Treaties And The Acquis Communautaire (Birsemin Jurgens)
The document discusses the EU acquis communautaire and its relevance to intellectual capital. It provides definitions of key EU legal concepts and structures, including the treaties, secondary legislation, and legal instruments. The document outlines Turkey's progress in opening acquis chapters for accession negotiations. It then analyzes whether the acquis contains any legislation specifically about intellectual capital or human capital by searching official EU databases and finding few explicit references. It concludes the acquis does not have a coherent position on either concept on its own.
Presentation delivered at the EUI in Florence during the FSR C&M, CMPF and FCP Annual Scientific Seminar on 'Competition, Regulation and Pluralism in the Online World' (22-23 March 2018).
Read the 26th edition of Insights Brussels, our regular alert on key European Union policy developments from our team in Brussels. This issue covers new compelling initiatives related to the European digital market, to energy policies and financial services, all requiring bolder stakeholders’ engagement at the pan-European and national levels.
Learn about the latest policy developments with this monthly alert from our team in Brussels. For real-time updates, follow @MSL_Brussels or reach out to us on Twitter @msl_group.
EU Privacy Shield - Understanding the New Framework from TRUSTe (TrustArc)
Webinar to understand the new EU-US Privacy Shield Framework which replaces the EU-US Safe harbor framework followed by a demo of the TRUSTe EU data privacy transfer assessment.
Visit https://info.truste.com/WB-2016-02-10-Insight-Series-Privacy-Shield_RegPage-On-Demand_Recording.html to view the complete webinar.
VIETNAM – THE WORLD BANK GROUP IS ASKING DUANE MORRIS ABOUT PUBLIC PROCUREMENT (Dr. Oliver Massmann)
The document provides information about a case study involving a public road resurfacing project in Vietnam. It describes the project, assumptions about the bidding company BidCo, and phases of the procurement process. The World Bank Group is asking Duane Morris for information about Vietnam's public procurement laws and practices as they relate to this case study.
The document outlines key information to help formulate arguments for exam questions on media regulation:
1) It provides example exam questions on the nature and effectiveness of contemporary media regulation compared to past practices, and arguments for and against specific forms.
2) It lists relevant UK legislation affecting film regulation from 1952 to the present and the powers they give to regulatory bodies like the BBFC.
3) Students are instructed to research case studies of contemporary and historical films assessed by the BBFC to support their arguments, including release data, cuts made, and supporting theories and statistics.
The document summarizes several regulatory and professional bodies within the UK creative media sector, including:
- The British Board of Film Classification (BBFC) which classifies films, videos, and DVDs according to age ratings.
- The British Video Association (BVA) which represents video publishers and works to promote legal video entertainment.
- The Film Distributors' Association (FDA) which focuses on addressing film piracy in the UK.
- The Video Standards Council (VSC) which sets standards for the video and video games industries and administers the PEGI age rating system for video games in the UK.
- Ofcom which regulates TV, radio, telecommunications and postal sectors.
VIETNAM – THE NATIONAL ASSEMBLY INCORPORATED DUANE MORRIS’S RECOMMENDATIONS I... (Dr. Oliver Massmann)
VIETNAM – THE NATIONAL ASSEMBLY INCORPORATED DUANE MORRIS’S RECOMMENDATIONS INTO VIETNAM’S FIRST EVER LAW ON INVESTMENT IN THE FORM OF PUBLIC-PRIVATE PARTNERSHIP (PPP)
Lawyer in Vietnam Dr. Oliver Massmann DOING BUSINESS IN VIETNAM (Dr. Oliver Massmann)
This document provides an overview of Duane Morris, a law firm with offices around the world including Vietnam, and discusses investing and Vietnam's legal system. It summarizes Vietnam's economy in 2018, the forms of investing in Vietnam including establishing entities and business cooperation contracts, and provides highlights of Vietnam's tax system and incentives for foreign investment.
Content blocking technology
The European Commission’s Digital Single Market Strategy aims to ease content blocking restrictions on paid content across Europe. However, when it comes to copyright infringement, the Strategy currently only encompasses “large-scale infringement.” In order to achieve a level playing field, the Internet blocking order has become the ‘weapon of choice’ for combatting music piracy in the digital world. But what are a content owner’s rights?
Wsgr eu data protection briefing march 20 2013 - final (Valentin Korobkov)
1. The document outlines a presentation given in Moscow on the European Union's privacy and data protection legal framework.
2. It provides an overview of the key EU directives and regulations governing privacy, including the upcoming EU Data Protection Regulation, and discusses the regulatory approach of focusing on individuals' rights and informational self-determination.
3. The presentation also examines issues around implementing privacy compliance in practice and focuses on selected issues like secrecy of communications, user identification, and security requirements.
The document summarizes key points from a legal update seminar on the proposed EU Data Protection Regulation. It discusses proposed changes such as expanded definitions of personal data, the need for explicit consent, the right to be forgotten, data breach notification requirements, and enhanced sanctions for noncompliance. The proposed regulation would significantly impact how companies process and protect personal data.
This document provides an overview of trends and issues from the Information Commissioner's Office (ICO), including key statistics on Data Protection Act (DPA) complaints and enforcement actions. Common data protection failures seen by the ICO include a lack of training, inadequate policies and procedures, and failure to implement appropriate technical solutions like encryption. The ICO has a range of regulatory and enforcement options, including civil monetary penalties (CMPs), with a framework that considers the seriousness, aggravating/mitigating factors, financial impact, objectives, and consistency with past cases. An example CMP of £50,000 issued to Amber UPVC Fabrications Ltd is described.
New media and co-regulation Bangkok TMPC (Chris Marsden)
This document discusses internet co-regulation and constitutionalism. It examines different models of regulation including statutory regulation, co-regulation, and self-regulation. It also discusses challenges like ensuring civil society has a role, dealing with competing interests, and preventing self-regulation from being camouflaged. The document also analyzes recent examples and court cases related to defamation and privacy to understand how co-regulation is working in practice and its relationship to constitutional rights.
The European Court of Justice ruled the US Safe Harbor agreement invalid for protecting data transferred from the EU to the US. Alternatives for legitimizing cross-border data transfers include standard contractual clauses, binding corporate rules, or consent from data subjects. Companies now need to evaluate their current data transfer mechanisms and determine if changes are needed to comply with EU regulations in the absence of Safe Harbor.
The document summarizes the key changes between the Data Protection Act and the new General Data Protection Regulation (GDPR) that takes effect in 2018. Some of the major changes include stricter consent requirements, increased accountability and governance responsibilities, larger fines for noncompliance, and new data subject rights around access, erasure, and portability. It recommends organizations form working groups, obtain specialist knowledge, and get certified to ensure compliance with the GDPR before enforcement begins in 2018.
This document summarizes key points from a presentation about proposed changes to the EU's Data Protection Regulation. It discusses expanded definitions and new requirements for consent, data breaches, subject access requests and more. Consent would need to be explicit under the new rules. IP addresses and cookies may be defined as personal data, affecting digital marketing. Data subjects could request deletion of data. Organizations would face stricter security rules and larger fines for noncompliance. The impact on direct marketing could be significant.
What does the Proposed EU General Data Protection Regulation (GDPR) mean for ... (TrustArc)
We outline the proposed changes in the EU General Data Protection Regulation (GDPR) and its effect on the privacy of US-EU Data transfers.
Access the complete webinar on how the EU GDPR will affect your business https://info.truste.com/lp/truste/On-Demand-Webinar-Reg-Page.html?asset=J68IQUDK-565
This document provides an agenda and summaries for a legal update event on data protection hosted by Pinsent Masons. The event will cover the current position of the EU Draft Data Protection Regulation and potential changes, consumer rights legislation, and ICO guidance on direct marketing. Speakers will discuss the impact of these regulations and guidance on businesses, including increased compliance obligations, sanctions for non-compliance, and restrictions on data processing and direct marketing. The event aims to help businesses understand and prepare for new data protection laws and regulations.
Presentation at Data protection in the Western Balkans and the Eastern Partnership Region. High-level exchange and learning week organised by SIGMA, GIZ, RCC and ReSPA.
EU General Data Protection: Implications for Smart Metering (nuances)
This presentation provides the reader with an insight into the politics of EU Data protection as well as an overview of the key stakeholders. We focus on the implication for the smart metering industry.
The GDPR: What About Data Stored or Transmitted Outside the EU? (TAG Alliances)
The General Data Protection Regulation (GDPR): What About Data Stored or Transmitted Outside the EU? Written by: Rutger Ketting of Nysingh advocaten-notarissen N.V. (Apeldoorn, The Netherlands - TAGLaw).
This document provides a summary of a presentation on data protection law and the proposed EU Data Protection Regulation. Key points from the proposed regulation discussed include expanded definitions of personal data, the requirement for explicit consent, the right to be forgotten, increased accountability and security breach notification requirements, more sanctions for non-compliance, and the direct coverage of data processors. Impacts on practices like profiling, use of IP addresses and cookies, and responding to access requests are also covered. The presentation provides timelines for the regulation and discusses lobbying efforts regarding the proposals.
Social business software is all about sharing content and data in a “collaborative” way to identify internal or external experts. Most of these data must be considered as personal data which is related to an individual person.
Implementing social business technologies in enterprises often leads to discussion with data protection supervisors how to be compliant with EU data protection law. This discussion gets even more challenging if you consider using social business applications in “the cloud” which might the only choice in the near future due IBMs “Cloud First” or Microsoft’s “Cloud only” delivery model.
This session will give you an overview
- about EU data protection regulations
- its implications for using social business systems
- special considerations for using cloud based social business systems
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
Data Protection Rules are Changing: What Can You Do to Prepare?Lumension
The European Union’s proposed new data protection regulation aims to update Europe’s data protection laws and to provide a more consistent data protection framework across the Continent.
But the new regulation, which replaces the EU’s existing data protection directive and member states’ data protection laws, will put some new demands on organisations holding personal data. Breach disclosure and “the right to be forgotten” will force businesses to update their data protection and retention policies.
This presentation will:
- Review the current EU laws, and contrast them with laws in other parts of the world;
- Examine the arguments for strengthening data protection in Europe, and the likely outcomes;
- Look at what security teams should already be doing to put themselves ahead of legislative changes;
- Outline strategies and technologies organisations need to meet current and future data protection requirements
- Help infosecurity teams to explain the changes – and their consequences – to their boards
Decision CAMP 2014 - Tobias Vigmostad - Digitalizing Business and Legislative...Decision CAMP
The document discusses the Norwegian Immigration Administration's (UDI) efforts to digitalize its business and legislative rules. It aims to increase efficiency by automating routine processes and decisions using a Business Rules Management System (BRMS). The BRMS allows non-technical staff to manage rules and supports increasing levels of automation over time. Examples show how the BRMS facilitates automated information exchange with other agencies and increases the number of cases handled through its decision module. The goal is to standardize equivalent cases while retaining human review of complex cases and ensuring policymakers can easily update the system with new rules.
The sources of EU law are primary sources like treaties, secondary sources like regulations and directives, and tertiary sources like case law from the European Court of Justice. Primary sources are the most significant as all subsequent law must be derived from them. Secondary legislation includes regulations which are directly applicable, and directives which require implementation by member states. Tertiary sources include principles of EU law developed by the ECJ like proportionality, subsidiarity, and equality.
The Practical Impact of the General Data Protection RegulationGhostery, Inc.
The document provides an overview of the General Data Protection Regulation (GDPR) and its impact on digital advertising. It discusses GDPR's aim to give individuals more control over their personal data and create a single set of privacy rules across the EU. The GDPR will increase obligations for companies, including strengthened consent requirements, data subject rights, and accountability measures. It will also allow for fines of up to 20 million euros or 4% of global revenue. The document also summarizes Ghostery's privacy tools and an industry initiative to enhance ad transparency and user control in compliance with the GDPR.
9. Regulatory landscape
• Data protection qualifies as a fundamental
right under ECHR and Treaty on the
Functioning of the EU
• Data protection is regulated by EU legislators
in the Data Protection Directive
11. Regulatory landscape
• Some countries no laws at all
• Long arm reach
• Overlapping and Conflicting
– Germany requires registration church employees,
forbidden in the Netherlands
• Data transfer rules
12. Enforcement
• Enforcement is not left to the market (protection individuals)
• Data Protection Authority (DPA) supervising and enforcing its
national data protection law
• Individuals may file complaint with DPA (appeal to the courts)
or enforce through courts
• The Working Party 29 is the advisory body to the Commission
on data protection
• Members of the WP 29 are the chairs of the DPAs, the
European Data Protection Supervisor and the Commission
– Issues opinions on how to apply the Directive
– No enforcement powers
– Coordinates cross-border enforcement actions DPAs
13. What
• Binding Corporate Rules
• Global corporate privacy policy
• Rules how to process personal data within the
group
• Creates a “safe haven” for personal data
• Facilitates the intra-group data transfers
14. Companies process data
• Employees
– Past
• Personnel file in cupboard
– Now
• Data of use handheld device, email, internet, social media
• Customers (consumers)
– Past
• Guarantee voucher for vacuum cleaner
– Now
• All online orders, all surfing tracks
15. How
• With software
• Past
– Each group company its own system (e.g. SAP)
• Now
– 1 central system
17. Central IT system
• 100% compliance not possible
– 82 omnibus data protection laws, 7 sectoral laws
– Conflicting
• Italy and Spain have specific data security rules
– Can implement security only once
– Company must make choices when implementing
central system
18. Why
1. Strategic decisions as to data processing and
security
• One set global instructions
• Centrally imposed by parent on all group companies
2. Cost perspective:
• Cheaper to implement compliance top down than
bottom up
• Budgetary restraints
19. Why
3. EU data transfer rules are outdated
• prohibit data transfers outside of the EU, unless a
company has “adduced adequate safeguards” for data
protection
• The Commission has acknowledged specific tools for
companies to adduce adequate safeguards
• model contractual clauses to be entered in between
data exporter and data importer
22. Next step
• If multinationals have corporate privacy policy…
• And all group companies are bound…
• And policies provide adequate protection…
• Can policies be alternative to EU model contracts?
• Various multinationals filed request with DPA of their
EU headquarters…
• DPAs negotiated draft BCR…
• Based on drafts the WP 29 issued 7 opinions on BCR…
• The national DPAs followed and approved …
• 19 national DPAs agreed on Mutual Recognition
Procedure…
23. BCR requirements
• Authorised by DPA of EU headquarters (Lead DPA)
• Must be internally binding within the organisation
• Must be externally binding for the benefit of the beneficiaries (employees,
consumers)
• Incorporate the material data processing principles of the Directive
• Privacy governance (global network of privacy officers)
• Internal complaints procedure
• Auditing programme
• Training programme for employees who process the data
• Be enforceable against EU headquarters before Lead DPA and its courts
• EU headquarters should accept liability for paying compensation and
remedying breaches
• Group companies should have a duty to cooperate with the DPAs and to
submit to their audits
24. Assessment
• Self-regulation has to apply EU wide
• Lack of regulatory capacity at EU level
• WP 29 as de facto regulator set rules
• Authorisation BCR at national level by Lead
DPA
• By mutual recognition of national approvals
EU wide application is achieved
• Circumvention of EU regulators (and unwilling
Member States)
• Transnational supervision and enforcement
achieved not at EU level, but by DPA of EU
headquarters
25. Case study
• Evaluation of BCR as form of Transnational Private
Regulation (TPR)
• Evaluation criteria for public law
– Legitimacy
– Monitoring, evaluation and enforcement
– Quality
– Effectiveness
• “Transposed” for evaluating TPR
– More actors and accountability forums involved
– Problem of the many hands and the many eyes
• Often: self-regulation is trade off between legitimacy
and effectiveness
26. Legitimacy
• Self-regulation of data protection (being a
fundamental right)?
• Inclusion (key stakeholders have to play an active
role in the decision-making processes and
activities which affect them)
• Procedural transparency (key stakeholders should
have accessible and timely information)
• Independence (also de facto regulator should be
independent)
27. Legitimacy
• Self-regulation of data protection requires
public framework legislation
– Should have been provided for in Directive
• Current norm-setting by de facto regulator WP
29 in opinions on BCR
– Not inclusive (no civil society stakeholders)
– Not transparent
– Not independent
• Commission is at same time member, secretariat and
addressee of opinions
28. Legitimacy
• Solved in Proposal for Data Protection
Regulation
– Norm-setting inclusive and transparent
– Direct applicability in all Member States
– BCR acknowledged as valid tool for inter-company
data transfers
– Regulates main substantive requirements
– Detailed norm-setting delegated to Commission
(no longer WP 29)
29. Legitimacy
• Solved in Proposal for Data Protection Regulation
– Uniform BCR authorisation procedure by the DPA
of the main establishment of the multinational in
the EU
– Still not at EU level (risk of national interest
prevailing)
– However, consistency mechanism: BCR
authorisation requires prior opinion of successor
WP 29
– WP 29 still de facto regulator
• Independency and transparency WP 29 ensured
30. Chart 1
[Chart: Norm-setting of BCR, present vs. future. Actors shown at EU and MS level: EU legislator, WP 29, Lead DPA, multinational, BCR stakeholders. Legend: actors involved in norm-setting; consultation input.]
31. Quality
• Precision and predictability
• Consistency
• Conformity with public goals
Conformity
• Prior authorisation by Lead DPA
– very much aligned with public goals
– Much more effective than current public regulation:
public policy even benefits
32. Quality
Precision and predictability
• BCR are global and general in nature
• Too EU specific and too legalistic
– Solution: practical guidelines
Consistency
• Yes if approved by same Lead DPA
• Not if approved by different Lead DPAs
– Caused by differences in national implementation laws
– Solved by Proposed Regulation
– Detailed norm-setting by Commission
– Consistency mechanism (prior opinion successor WP 29)
33. Enforcement
• Monitoring
• Enforcement and sanctions
• Information
Main issues
• Can be the strongest point of BCR (next to
effectiveness), but requires additional
measures
34. Enforcement
Strongest point (legal innovation)
• Internal complaints procedure, which overcomes main obstacles
individuals encounter when enforcing their rights on cross-border basis
– Also if damages are diffuse or too small
– Even if countries do not provide for adequate protection
– Or have insufficient enforcement infrastructure
– Overcomes time zones and language issues
– If individual does not agree outcome, appeal to Lead DPA and courts
Lead DPA (also to be facilitated by local group company)
• Lead DPA is in country of EU headquarters: sanctions can be enforced on
global basis
• Export of rule of law and judiciary enforcement infrastructure
35. Enforcement
But
• No data yet on effectiveness of enforcement (next study, too early)
• No external accountability to stakeholders
• Monitoring, audit and reporting requirements to internal forums
company only
– CPO
– Board of management
• Reporting on compliance and complaints procedure to external
stakeholders also
– Driver: is reputation
– Deleted from Proposed Regulation
• But what is the quid pro quo?
36. Chart 2
[Chart: Monitoring and evaluation of BCR, present vs. future. Actors shown at EU and MS level: EU legislator, WP 29, Lead DPA, multinational, BCR stakeholders, internal accountability forums. Legend: accountability forums involved; active information duty; passive information duty.]
37. Effectiveness
• First empirical research into effectiveness
• Nymity, Canadian private research firm, recommended
by EDPS
• Nymity Maturity Tool measuring compliance maturity
of 10 multinationals on 73 criteria, adding up to 10
privacy principles
• Nymity tool is based on accountability
• Verified whether complete “match” with BCR
requirements
• Different sequence, but 95% match
• Added some elements
40. MEASURING ACCOUNTABILITY
Ad hoc – procedures or processes are generally informal,
incomplete, and inconsistently applied.
Repeatable – procedures or processes exist; however,
they are not fully documented and do not cover all
relevant aspects.
Defined – procedures and processes are fully documented
and implemented, and cover all relevant aspects.
Managed – reviews are conducted to assess the
effectiveness of the controls in place.
Optimized – regular review and feedback are used to
ensure continuous improvement towards optimization
of the given process.
41. NORMS
Norms are Repeatable
Ad hoc – procedures or processes are generally informal,
incomplete, and inconsistently applied.
Repeatable – procedures or processes exist; however,
they are not fully documented and do not cover all
relevant aspects.
Defined – procedures and processes are fully documented and implemented,
and cover all relevant aspects.
Managed – reviews are conducted to assess the effectiveness of the controls in
place.
Optimized – regular review and feedback are used to ensure continuous
improvement towards optimization of the given process.
42. NORMS
Privacy Awareness and Training 1.2.10 (page 10)
A privacy awareness program about the entity’s privacy policies and related
matters, and specific training for selected personnel depending on their roles
and responsibilities, are provided.
43. NORMS
Ad hoc – procedures or processes are generally informal,
incomplete, and inconsistently applied.
Repeatable – procedures or processes exist; however,
they are not fully documented and do not cover all
relevant aspects.
Defined – procedures and processes are fully documented and implemented,
and cover all relevant aspects.
Managed – reviews are conducted to assess the effectiveness of the controls in
place.
Optimized – regular review and feedback are used to ensure continuous
improvement towards optimization of the given process.
44. HIIL STUDY RESULTS
NYMITY BCR ACCOUNTABILITY ANALYSIS
Before BCR
Repeatable 72.4%
Privacy management procedures or processes exist; however, they are not fully
documented and do not cover all relevant aspects.
After BCR
Managed 22.4%
Privacy management procedures and processes are fully documented and
implemented, and cover all relevant aspects (i.e. Defined) plus 22.4% of the time
reviews are conducted to assess the effectiveness of the controls in place.
[Chart legend: Post BCR, Pre BCR]
Copyright 2012 Nymity Inc. All rights reserved.
45. HIIL STUDY RESULTS
NYMITY BCR ACCOUNTABILITY ANALYSIS
Ad hoc – procedures or processes are generally informal,
incomplete, and inconsistently applied.
Repeatable – procedures or processes exist; however,
they are not fully documented and do not cover all
relevant aspects.
Defined – procedures and processes are fully documented and implemented,
and cover all relevant aspects.
Managed – reviews are conducted to assess the effectiveness of the
controls in place.
Optimized – regular review and feedback are used to ensure continuous
improvement towards optimization of the given process.
46. EXAMPLE 1
Privacy Awareness and Training 1.2.10 (page 10)
A privacy awareness program about the entity’s privacy policies and related
matters, and specific training for selected personnel depending on their roles
and responsibilities, are provided.
Before BCR: Repeatable 60%
The entity has a privacy awareness program, but training is sporadic and
inconsistent.
After BCR: Managed 10%
An enterprise-wide privacy awareness and training program exists and is
monitored by management to ensure compliance with specific training
requirements. The entity has determined which employees require privacy
training and tracks their participation during such training.
47. EXAMPLE 2
Consequences of Denying or Withdrawing Consent 3.1.2 (page 13)
When personal information is collected, individuals are informed of the
consequences of refusing to provide personal information or of denying or
withdrawing consent to use personal information for purposes identified in the
notice.
Before BCR: Repeatable 86%
Consequences may be identified but may not be fully documented or
consistently disclosed to individuals.
After BCR: Managed 14%
Processes are in place to review the stated consequences periodically to
ensure completeness, accuracy and relevance.
48. ANY EXAMPLES OF OPTIMIZED?
Ad hoc – procedures or processes are generally informal,
incomplete, and inconsistently applied.
Repeatable – procedures or processes exist; however,
they are not fully documented and do not cover all
relevant aspects.
Defined – procedures and processes are fully documented and implemented,
and cover all relevant aspects.
Managed – reviews are conducted to assess the effectiveness of the controls in
place.
Optimized – regular review and feedback are used to ensure
continuous improvement towards optimization of the given process.
49. HIIL STUDY RESULTS
NYMITY BCR ACCOUNTABILITY ANALYSIS
Optimized Criteria
50. HIIL STUDY RESULTS
NYMITY BCR ACCOUNTABILITY ANALYSIS
51. COMPARE YOUR ORGANIZATION
Use the study and the Privacy Maturity Model to
compare your organization’s privacy program to
before and after BCR
Paper or automated – no cost.
53. Expert Meeting on Binding Corporate
Rules – Implementing Legal Innovations
Business Perspectives
March 15, 2012
54. JPMC Binding Corporate Rules
• On 2/26/10 UK ICO authorised the binding corporate rules of
JPMorgan Chase & Co. (JPMC)
• JPMC BCRs apply to any
– processing of Personal Data in one of 12 specified jurisdictions in
JPMC’s Europe, Middle East and Africa (EMEA) region in the
European Economic Area (EEA) by a JPMC data controller
– export of EMEA Personal Data out of the EEA by a JPMC data
controller to another JPMC Affiliate outside the EEA
– processing by a JPMC data controller or JPMC data processor of
EMEA Personal Data exported out of the EEA by a JPMC data
controller
• JPMC BCRs are published on JPM website
55. Research Results
• Disclaimer
• Unsurprising Results
– Multinationals using BCRs are ones that fundamentally seek to be
compliant as one of their operating values. (Question 5)
– Companies before introduction of BCRs had a basic maturity level of
compliance
– After BCR, disclosure to third parties of personal information 7.2.1, 78%
said repeatable
– After BCR, accuracy and completeness of personal information 9.2.1,
100% said repeatable
• Surprising Results
– After BCR, access communication to individuals 6.1.1, 70% said
repeatable
56. Largest Issue with Current Regime
• Additional national requirements imposed by various Member
States which apply on top of the requirements set by the Article 29
Working Party
• For example, although JPMC BCRs were authorised in February
2010, the royal decree approving JPMC BCRs was signed by the
Belgian king on February 15, 2012.
57. Recommendations with Respect to Proposed Regulations
• Since controllers are accountable for each processing operation,
BCRs should be expanded to transfers to third parties (i.e. not
limited to within a corporate group)
• Supervisory authority in accordance with the consistency
mechanism approves binding corporate rules
– Consistency from Member State to Member State needed
– However, process cannot be too bureaucratic
• With inclusion of BCRs in regulation, BCRs may become more
popular and demand for approval could exceed DPA resources;
therefore, further simplification of approval process may be
necessary
59. Philips active in:
•Healthcare
•CL
•Lighting
•BCR for controller:
Consumer database: over 12 mio consumers
Employee data: over 100.000 employees
•Filed for BCR for processor:
Processor of Health data for hospitals
60. •Privacy compliance rules are exceptionally prescriptive, to a
large extent justified in light of fundamental rights
New system is an improvement but not all issues resolved:
•Article 26 (2) still requires internal processor agreements
despite BCR;
•Why not EU model contracts by parent company that
adopted BCR? (position of WP29);
•Even worse: Article 34: obligation to perform PIAs and obtain
prior approval; added value BCR?
•Article 28: Extensive documentation obligations
•Administrative burden will not by definition lead to more
material compliance, especially if company has adopted BCR
61. Expert Meeting on Binding Corporate Rules, Amsterdam, March 2012
Colin Scott
University College Dublin
62. Modelling and Evaluating TPR for BCR Environment
[Diagram: relationships between actors A, B, C and D. Labels: rules, monitoring, enforcement; legislation; contract; social/market pressures/contracts (e.g. boycotts, buycotts); standards; self-regulation (e.g. CSR, employment contracts); contract (supply chains, audit and assurance).]
A – Firm
B – Government (agency and/or department) OR Trade Association
C – Contracting Party (firm or government)
D – Third parties – eg consumers, employees NGOs, investors
63. • Legitimacy
• Mirroring of Public Proceduralization
• Transparency
• Inclusiveness, etc
• OR mixing market incentives with public models?
• Effectiveness
• Scope of BCR
• Outcomes
• Quality
• Reflection and Evaluation
• Benchmarking – eg grievance handling processes
• Enforcement
• Providing reassurance /credibility
• Public oversight
• Self-reporting
• Compliance programmes and third party assurance
• Enforceable consumer and employee rights
64. Binding Corporate Rules for Employee and
Customer Data Protection:
What Makes A Successful Innovation?
Professor Maurits Barendrecht
Tilburg Institute for the Interdisciplinary Studies of Civil Law and Conflict Resolution Systems (TISCO)
Hague Institute for the Internationalisation of Law (HiiL)
www.innovatingjustice.com
65. Strongest points
• Moerel: Internal complaints procedure
– Simple access in own country, in every country
– Appeal to Lead DPA and its court
• Nymity
– Security for privacy, collection close to optimal
– All dimensions improved
– Including complaints process (subfactor 10.2.1 to 2 partly cover
this)
• JP Morgan and Philips
– Great, but local Kings ask more!
– Great, but danger of new administrative burdens
66. Dispute system design
Emerging discipline. How to achieve?
A. Fair solutions for problems, optimally serving all interests
B. Just in time/low costs/sustainable for all stakeholders
What makes a dispute system work? Generally:
1. A setting for better communication, win/win negotiation and
zero sum bargaining/decision making
2. Backed up by norms/schedules showing what generally is
paid/done to solve such problems
3. Access to third party who guarantees parties grow towards
decision
67. Innovation is Hard Work
• Life for innovators is very complex!
• Many factors contribute to innovation:
– 40 determinants of successful product innovation (meta-analytic
review 108 articles, Becheikh et al. 2006)
– 27 factors associated to successful public sector innovation
68. Justice Innovation Impossible?
• Sarat and Grossman 1975:
Problems in Mobilization of Adjudication
• Susskind 2008 The End of Lawyers: Predicting commoditization
• Hadfield 2008: Regulation of profession blocks innovation
• Botero et al. 2003 and Cabrillo et al. 2008:
Insufficient incentives on courts to offer better services
• Carothers 2006 and Fukuyama 2011:
Rule of law and accountability very hard to implement
• World Bank World Development Report 2011: Conflict, Security,
and Development: Rule of Law takes 40 years to build
72. I Paid A Bribe
Ramesh Ramanathan
Co-founder Janaagraha Centre for Citizenship and Democracy
74. What was/is crucial for BCR to
be/remain sustainable?
… 27 factors … and at least 5
My talk borrows from:
• Project documents
• Short interview with Lokke Moerel
• Innovation in The Justice Sector: What Makes it Happen?
Innovation Model Version 1.5: June 2011
www.innovatingjustice.org
75. A. Generating Possibilities
1. Vision and commitment from government
2. Focus on users, frontline staff and middle managers
3. Diversity
4. Scanning of horizons and margins: a process need
5. Developing capacity for creative thinking
6. Working backwards from outcome goals: terms of reference
7. Creating time and space
8. Allow breaking the rules
9. Competition: the submission problem and regulation of legal
services
76. 4. Scanning of horizons and margins:
a process need
• Peter Drucker: Innovations often supply the missing link
between processes. They start from an incongruity between
how things are and how they ought to work.
• Here:
– Cross border data transfers within companies
– A need for privacy protection of employees and customers
– National regulation and enforcement
– ‘Networks of intragroup contracts’ as ‘red tape’ with high
administrative costs, and doubtful access to remedies
77. 8. Allow breaking the rules
• Innovation often involves organizational rule breaking
(Markides 1997). Implicit or explicit ways of thinking, practices
or norms are a barrier (Johnson, Christensen et al. 2008).
• Public sector best practice: Give innovative projects space for
breaking the rules (suspension) … if it can be shown that
better results can be reached by not following the rule.
• In a legal environment, where practices tend to become norms
and norms tend to become sacred, it is more difficult to
overcome such barriers.
78. Data protection authorities
• Allowed to proceed although clear that not all 80+ regimes can
be observed
• Putting burden of proof that it can be done in a ‘better way’ on
innovators and companies
• Took risks
79. B. Developing Innovations
1. Appropriate selection of fruitful ideas: simplifying procedures
2. Adequate risk management
3. Fostering innovation champions
4. Creating incubating space
5. Involving incubators and public-private partnerships
6. Introduce modeling
7. Better funding for early development
8. Involving end users at all stages
80. 5. Public private partnership
• Regulators work with companies
• Working Party 29
• 19 DPAs want to cooperate
81. C. Replicating and Scaling Up
1. Improved incentives for individuals and teams
2. Improved incentives for organizations
3. Scaling up and disruptive innovation
4. Specialize and beware of early standardization
5. Change management
82. Incentives (following Colin Scott)
Every stakeholder should continue to gain from BCR:
• Reputation for companies that they are careful with data
• Employees and customers get more protection and better
remedies
• Legal profession
• Administrative costs for companies
• Data Protection Authorities show they create good protection
• DPAs show they are necessary and need budgets
• DPAs have lower administrative costs
Rather unstable equilibrium
83. Challenges for BCR
• Legal, formal challenges < ??? Continue to show it works in
the real world
• Major scandal < ??? Risk management
• DPAs create new administrative burdens < ???
• Competition by even better system < ???
• Covering the less compliant guys < ???
Continuous improvement and further innovation is essential
84. D. Analyzing and Learning
1. Metrics for success
2. Real time learning
3. Peer and user involvement
4. Double loop learning
5. Variety of perspectives
85. 1. Metrics for success
• Nymity tool accountability 73 criteria > further development?
• Before BCR and After BCR > next phase?
• Many procedural requirements > more indicators for what
happens in real world?
• Independent from particular procedure > innovation means
standards have to renew all the time and indicators get new
weights
86. Innovators in Justice Sector
• Have to work on many factors, probably 27 of them
• Are essential for serving legal needs, for making
the system work and for building the law of the future
• Deserve our deep respect
• Need our continuous support
87. HiiL Expert Meeting
Expert Meeting on Binding Corporate
Rules - Implementing Legal Innovations
Evaluation
Peter Hustinx
Colin Scott
88. HiiL Expert Meeting
Expert Meeting on Binding Corporate
Rules - Implementing Legal Innovations
Evaluation
Open forum discussion
Colin Scott
89. HiiL Expert Meeting
Expert Meeting on Binding Corporate
Rules - Implementing Legal Innovations
Evaluation
Conclusion and recommendations
Colin Scott