2. Thursday, February 4th, 1:00 EST
Safe Harbor Webinar
DATA PROTECTION UPDATE: SAFE HARBOR AND THE PRACTICAL IMPACT FOR COMPANIES
3. Speakers
Robert Bond, Partner, Charles Russell Speechlys
Dennis Haist, General Counsel & Compliance Advisor, STEELE CIS
Michael Scuvee, Director Global Data Privacy, Corporate Compliance, Johnson Controls
4. Topics of Discussion
• Available Data Transfer Solutions
• Data Protection Notifications
• Summary of Schrems vs. Data Commissioner
• Article 29 Working Party Activities
• Tuesday’s Announcement of a “political deal”
• Likelihood of Safe Harbor 2.0 or EU-US Privacy Shield Framework
• Alternative mechanisms for data transfer (Unambiguous Consent, Binding Corporate Rules, Model Clauses)
5. UNDERSTANDING DATA TRANSFER SOLUTIONS
Strategies for trans-border data flows:
• Binding corporate rules – not valid in all countries
• Model clauses
• Safe Harbor/Privacy Shield
• Consent
• Presumption of adequacy
• Adequate destination
• Contractual necessity
• Seals and trust marks
6. Data Exported
• Within EEA: automatically adequate.
• Outside EEA: which country/jurisdiction?
  – Argentina, Channel Islands, Isle of Man, Switzerland, Faroe Islands, Israel, Uruguay, New Zealand: adequate for transfer to proceed.
  – Canada: mostly adequate for transfer to proceed.
  – USA: is the recipient a signatory of the Safe Harbor/Privacy Shield principles? Yes: adequate for transfer to proceed. No: go to the next question.
  – Other countries: go to the next question.
Do any of the other key legal grounds for transfer apply?
1. Transfers using the appropriate EU Commission approved Model Transfer Terms
2. Transfers subject to the use of Binding Corporate Rules
3. Transfers in accordance with an approved privacy contract
4. Companies that have self-assessed their adequacy (in some jurisdictions)
• Yes: adequate for transfer to take place.
• No: can adequacy be presumed?
  – Yes: transfer can proceed.
  – No: legal advice required.
7. Data Protection notifications, filings and registrations – what is this?
• More than a tick-the-box exercise
• More than a bureaucratic formality
• Purpose: to assist the Data Protection Authorities (DPAs) to enforce the data protection laws
• You must be fully informed to present a registration/notification
• Types of notifications:
  – Prior registration of processing operations
  – Prior checking of processing operations
  – Prior notification of data transfers from EEA to 3rd countries
  – Notification of breaches to the DPA
  – Notification of breaches to the data subjects
  – Other types of notifications / requests for authorisation
8. Schrems v. Data Protection Commissioner (October 6, 2015)
• Background of appeal to Court of Justice
• Significant Findings of the Court
  – Commission finding of “adequacy” does not prevent supervisory authority of Member State from examining claim of data subject that third country does not ensure adequate level of protection (paragraph 66)
  – “Adequate level of protection” must require third country to ensure, by its domestic law or international commitments, a level of protection of fundamental rights and freedoms essentially equivalent to that guaranteed by EU (paragraph 73)
  – Decision 2000/520 recognizes that national security, public interest, or law enforcement requirements have primacy over the Safe Harbor principles (paragraph 84)
  – Decision 2000/520 did not state that the U.S. “ensures” an adequate level of protection by reason of its domestic law or international commitments (paragraph 97)
  – Decision 2000/520 fails to comply with the requirements of Article 25(6) of Directive 95/46 and is accordingly invalid.
9. Schrems v. Data Protection Commissioner (October 6, 2015)
• Initial Reactions: law firm clients, Data Controllers, Data Processors
• Article 29 Working Party activities since Schrems
• Expiration of “Grace period” on January 31
• Latest developments: Tuesday’s Announcement of a “political deal” on EU-US Privacy Shield framework
• Judicial Redress Act of 2015 (HR 1428)
• Privacy Shield or Safe Harbor 2.0
10. Data Processing contracts
• The Data Controller must ensure that the Data Processor is suitable for the processing activities having regard to the nature of the data – so due diligence is required.
• Contractual controls need to be put in place – the Data Processor may already have these, but check!
• If the Data Processor is outside the EU then the EU Model Clauses for transfers to a Data Processor should be used.
• Reliance on Safe Harbor was possible provided that the Certification was in relation to the type of personal data being transferred.
• Privacy Shield may be a new solution.
• Notwithstanding the use of Model Clauses, some DPAs require notification and deposit of the contract for approval.
• Some DPAs have difficulty with the concept that Sensitive Data needs to be transferred to a 3rd party outside the EU.
13. MEASUREMENT MATTERS: NEW WHITEPAPER
30-page summary of key insights from the 2015 Ethics Quotient and World’s Most Ethical Companies data set … A “MUST READ” for all who want to move their programs forward.
DOWNLOAD: http://ethisphere.com/worlds-most-ethical/2015-wme-insights-series/whitepaper/
14. This webcast and all future Ethisphere webcasts are available complimentary and on demand for BELA members. BELA members are also offered complimentary registration to Ethisphere’s Global Ethics Summit and other Summits around the world.
For more information on BELA contact:
Stefan Linssen
Chief Content Officer
Stefan.Linssen@ethisphere.com
Business Ethics Leadership Alliance (BELA)
15. PLEASE JOIN US FOR
8th Annual Global Ethics Summit
GlobalEthicsSummit2016.com
New York City | Grand Hyatt
March 9-10, 2016
Additional 15% off Discount for Webcast Attendees!
Discount code: WEBCAST
All upcoming Ethisphere events can be found at: http://ethisphere.com/events/