If you're a legal or security professional, the looming General Data Protection Regulation, or GDPR, is likely causing your blood pressure to rise. Expected to impose strict limitations on organizations that do business in the European Union, or otherwise collect the data of European citizens, the regulation is said to raise the stakes for privacy compliance as well as for transcontinental discovery. Organizations that don't meet its standards by May 2018 will be the subject of potentially business-rattling sanctions.
The GDPR: What About Data Stored or Transmitted Outside the EU? - TAG Alliances
The General Data Protection Regulation (GDPR): What About Data Stored or Transmitted Outside the EU? Written by: Rutger Ketting of Nysingh advocaten-notarissen N.V. (Apeldoorn, The Netherlands - TAGLaw).
The EU Data Protection Reform's Impact on Cross Border E-discovery; updated h... - AltheimPrivacy
Check out this link for the latest version: http://www.slideshare.net/EDiscoveryMap/the-eu-data-protection-reforms-impact-on-cross-border-ediscovery-27629797
The European Commission's proposal for a new General Data Protection Regulation (GDPR) represents the most significant global development in data protection law since Directive 95/46. It will considerably impact cross-border e-discovery in the EU.
The EU Data Protection Reform's Impact on Cross Border e-Discovery: new Devel... - AltheimPrivacy
This is a new set of slides, adapted after the 10/21/2013 LIBE Committee vote on the proposed amendments to the Regulation. Quite a few of the original GDPR rules have changed so far.
Raising the EU Data Protection Laws in a U.S. Litigation: A Guidepost for the... - Freshfields
Your client, a U.S. company with a subsidiary located in Germany, is served with a non-party subpoena in a U.S. litigation for documents located on its subsidiary's server in Germany. The documents sought are protected from disclosure by the German Federal Data Protection Act and, if produced, may expose your client to monetary fines under that Act. Your client faces a conflict—comply with the discovery request and violate EU privacy law, or, comply with EU law and contravene the discovery request.
Constitutional Privacy and Data Protection in the EU - David Erdos
Although both data protection and the right to privacy (or respect for private life) are recognised within the EU Charter, they are otherwise generally seen as having very different constitutional histories. The right of privacy is often seen as traditional and data protection as novel. Drawing on a comprehensive analysis of rights within EU State constitutions, it can be shown that this distinction is overdrawn. Only five current EU States recognised a constitutional right to privacy prior to 1990, although approximately three quarters and also the European Convention do so today. Subsidiary constitutional rights related to the home and correspondence but not honour and/or reputation are more long-standing and this helps link the core of privacy to the protection of intimacy. Constitutional rights to data protection emerged roughly contemporaneously and were often linked to a general right to privacy but are still only found in around half of EU States. There is also no clear consensus on specific guarantees, although around half of the States which recognise these do include rights to transparency and a slightly lower number right to rectification. This could suggest that data subject empowerment over a wide range of connected information is an important emerging particularity tied to data protection as a constitutional guarantee.
Dead Ringers? Legal Persons & the Deceased in European Data Protection Law - David Erdos
Whilst it is sometimes suggested that the treatment of legal and deceased person data during European data protection’s development has been broadly comparable, this presentation demonstrates the stark divergences which are in fact apparent. Despite early fusion, legal persons have been increasingly seen to have lesser and, more importantly, qualitatively different information entitlements compared to natural persons, thereby leaving European data protection with a very limited and indirect role here. In contrast, natural persons and the deceased have not been conceived as normatively dichotomous and since the 1990s there has been growing interest both in establishing sui generis direct protection for deceased data and also indirect inclusion through a link with living natural persons. Whilst the case for some indirect inclusion is overwhelming, a broad approach to the inter-relational nature of data risks further destabilizing the personal data concept. Nevertheless, given that jurisdictions representing almost half of the EEA’s population now provide some direct protection and the challenges of managing digital data on death continue to grow, the time may be ripe for a ‘soft’ recommendation on direct protection in this area. Drawing on existing law and scholarship, such a recommendation could seek to specify the role of both specific control rights and diffuse confidentiality obligations, the criteria for time-limits in each case and the need for a balance with other rights and interests which recognises the significantly decreasing interest in protection over time. N.B. The full working paper accompanying these slides may be found at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3599852
The Private International Law Dimension of the UN Principles on Business and ... - Veerle Van Den Eeckhout
Powerpoint-presentation
at Lausanne, 10 October 2014
Conference "The Implementation of the UN Principles on Business and Human Rights in Private International Law"
( see http://www.isdc.ch/d2wfiles/document/4713/4018/0/Human%20Rights%20in%20PIL-%2010-10-2014.pdf at http://www.isdc.ch )
Abstract:
In the reports on Business and Human Rights by John Ruggie, "access to remedies cq access to justice" appears to be a key element.
Rules of Private International Law can be seen as key factors in achieving access to remedies cq access to justice: PIL rules act like hinges that allow doors - granting access to a specific court and to a specific legal norm - to be opened or to be kept closed; thus, as PIL deals with issues of international jurisdiction and applicable law, PIL rules are of paramount importance in determining access to a specific court and access to a specific legal norm.
In his Guiding Principles, Ruggie addresses the responsibility of States for issuing suitable legislation and ‘access to remedies’; it may be well argued that PIL legislation (rules on jurisdiction and applicable law) and the interpretation of this legislation should also be examined in this context.
In the presentation the focus will be on the hypothesis that plaintiffs want to bring an action before a EU Member State court. When focusing on this hypothesis, one can observe that at least some PIL-aspects are covered by rules of PIL of European origin (the regulation of some other aspects is still left to the EU- Member States themselves). To what extent do these rules allow or deny access to remedies cq access to justice?
In the presentation, some rules and issues of (mainly) European PIL - both jurisdiction and applicable law - that deserve attention from this perspective will be highlighted in an introductory way.
Cross-Border eDiscovery is a hot topic this year. Globalization of businesses and mass mergers and acquisitions has caused an increase in the need for an understanding of how eDiscovery should be handled in other countries. All over the world, courts and local governments have instituted new rules for how parties will engage in discovery related to digital evidence. These new rules have been causing issues between the attorneys required by the US discovery rules to discover digital evidence for their cases and the various governments outside the US and across the world.
While the law in the United States makes it clear that parties to a litigation must preserve documents and electronically stored information, laws in other countries make it equally clear that preserving or collecting that data may violate their data protection laws. In this seminar, you will learn the updates in the local discovery and privacy rules of the top trade partners of the U.S. so that you will be able to handle overseas eDiscovery requirements with greater ease and more knowledge.
New Media Internet Expression and European Data Protection - David Erdos
These slides are based on my keynote address to the Maison Française d'Oxford conference "Data Privacy Law: Policy and Legal Challenges", 20 November 2015. Drawing on both doctrinal analysis and a survey of European Data Protection Authorities (DPAs) it makes four key claims about law and practice as entrenched in C-131/12 Google Spain (2014). Firstly, both the Court of Justice and especially European DPAs have adopted an expansive interpretative stance as regards data protection applied to internet expression. Secondly, that paradigm has serious implications for a range of internet actors beyond search engines. Thirdly, enforcement has been both limited and sporadic. Fourthly, a focus by DPAs on enforcement can result in the production of detailed guidance which "reads down" the law and therefore is in some tension with the expansive interpretative stance generally adopted, the implementation of the Google Spain decision against search engines being a case in point.
Using GDPR to Transform Customer Experience - MongoDB
Infosys and MongoDB – A strategic relationship
What is GDPR?
Overview of GDPR – Infosys PoV [Key Focus Areas, Own Journey]
Infosys Solution Framework to GDPR
What Organizations are doing to be GDPR Ready and Infosys’ Relevant experience
DevOpsDaysRiga 2017: Edward van Deursen - GDPR in DevOps for Dummies - DevOpsDays Riga
Since organisations are already struggling with getting compliant to the security standards like ISO 27001/2, it’s even harder to get the right measures in place for the GDPR.
Topics: the relation between privacy and security, Privacy by Design, translate GDPR into useful privacy requirements.
Organisations are preparing for the General Data Protection Regulation (GDPR), the latest European privacy law. Since organisations are already struggling with getting compliant to the security standards like ISO 27001/2, NEN 7510 or Dutch baseline as BIR / BIG/ BIWA, it’s even harder to get the right measures in place for the GDPR.
In this presentation, we start with the relations between privacy and security, and why it is even more relevant to shift left in the development lifecycle (Privacy by Design). Then we will discuss some articles from the GDPR and will translate them into useful privacy requirements. This will demonstrate why you must have privacy and security requirements in place even before you start building or changing a system.
Next to the requirements, we will end with the articles which are beneficial for organisations.
Take away: some generic user and abuser stories which are relevant for most applications.
On 25 May 2018 the General Data Protection Regulation (GDPR), known in Dutch as the Algemene verordening gegevensbescherming (AVG), takes effect. This new European privacy law applies to companies of every size and in all sectors. The law sets strict requirements for the protection of personal data and is intended to safeguard and secure privacy rights. From the effective date, organisations that collect and store data are obliged to secure this information in accordance with the GDPR guidelines. Those who do not comply risk large fines.
Are you ready for the GDPR?
Have you already started preparing to be GDPR compliant before 25 May 2018? The GDPR process may present you with a lot of challenges. Fortunately, Microsoft Cloud solutions such as Office 365, EM+S and Windows 10 offer many features that help you take the measures that are needed.
During this webinar we mainly look at how Microsoft solutions can help you become GDPR compliant.
GDPR From the Trenches - Real-world examples of how companies are approaching... - Ardoq
As GDPR enforcement approaches, companies around the world are making changes to their internal processes and systems to ensure they are compliant by May 2018. For many, getting started can be a daunting task, especially at larger organizations.
There’s no one-size-fits-all strategy for GDPR compliance, but there are some steps that every business should take:
1. Document the data and processes that power your organization
2. Assess the realistic compliance risks that you need to protect against
3. Keep your documentation up-to-date to demonstrate continuous compliance.
In this slide deck, you’ll read about a real-world example of a company that has started their compliance project and how they structured it.
A recording of this webinar is available for free here: http://bit.ly/2hMsQmu
Doing Business in Europe? GDPR: What you need to know and do - Patric Dahse
General Data Protection Regulation (GDPR) will become effective on the 25th of May 2018. IT leaders are required to be compliant on that date but may not yet be aware of its consequences such as time-consuming investigations and hefty fines of over €20 million.
Considering the short preparation period and the broad changes resulting from the GDPR, this webinar provides 12 simple steps to discover how to inventory your SAP data repositories and safely process personal data so that you can begin to better scope your GDPR readiness project.
How is GDPR relevant for US companies - Patric Dahse
GDPR Road-Map and Prioritization for SAP System Landscapes
Doing Business in Europe? EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. What you need to know and do by Friday, May 25, 2018.
Profiling, Big Data & Consent Under the GDPR [TrustArc Webinar Slides] - TrustArc
Watch the webinar on-demand: https://info.trustarc.com/profiling-big-data-consent-gdpr-webinar.html
Required Changes around Profiling & Consent for GDPR Compliance
Some of the most closely followed areas of the GDPR negotiations concerned profiling and consent. Profiling, as defined in Articles 4 & 22, is one of the new provisions in the Regulation which could have a significant impact on businesses seeking to use targeted marketing and other analytics for business growth. Consent remains a legal basis for processing but it’s been restricted under the GDPR and must be “freely given, specific, informed and unambiguous.” There is lots of discussion and privacy scare stories around these two areas alone.
Watch this webinar on-demand where we examine:
- the details of the profiling and consent requirements in the GDPR to help determine what is and isn’t in scope for profiling
- where you can and can’t rely on consent
- what solutions are available and how privacy leaders can work with their business and marketing teams to ensure compliance
To register for upcoming/on-demand webinars visit: https://www.trustarc.com/events/webinar-schedule/
Ensuring GDPR Compliance - A Zymplify Guide - Zymplify
The GDPR will come into force on 25 May 2018 and will change data protection laws across the EU. Organisations can face heavy fines if they are found to be in breach of the GDPR, so take a look at Zymplify's guide to the most important parts of the regulation. Act now to get ready for the GDPR. Book a Demo with Zymplify - http://d36.co/12vWD
Geek Sync | Tackling Key GDPR Challenges with Data Modeling and Governance - IDERA Software
You can watch the replay for this Geek Sync webcast in the IDERA Resource Center: http://ow.ly/tLtr50A5b4b
The General Data Protection Regulation (GDPR) is inevitable and goes live in the EU beginning May 25th 2018. It touches all technical and organizational measures as well as the design of internal systems and processes, and affects all companies around the world that have customers in the EU.
Join IDERA and Dr. Sultan Shiffa as he focuses on how data modeling, governance and collaboration help Executives, IT Managers, Architects, DBAs and Developers tackle the key challenges around data protection by design and by default, individual rights to access and erasure, valid consent, data protection roles and accountabilities, data breach notifications, and auditing the records of data processing activities. This session will also explore best practices and examples for how to master those challenges and assess the data protection impact. After this session, you can be prepared to become GDPR compliant ahead of the deadline and beyond.
My presentation at the IGov2 conference at the University of Oslo, 9 Sept 2014. Gave shorter version at Norwegian Board of Technology hearing on 10 Sept 2014. Related journal article at http://ijlit.oxfordjournals.org/content/early/2014/09/01/ijlit.eau007.abstract
Audio at http://www.jus.uio.no/ifp/english/research/projects/nrccl/internet-governance/events/dag-2-del-2-norrm-mp3.mp3
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli... - AltheimPrivacy
These slides are part of a presentation given at the IAPP Europe Data Protection Congress on November 15, 2012, by, in order of presentation, Monique Altheim, James Daley and Alexander Dix. The panel was moderated by Florian Thoma.
The UK and EU Personal Data Regime After Brexit: Another Switzerland? - David Erdos
These slides provide an overview of the personal data relationship between the UK and EU after Brexit. Under the Trade and Cooperation Agreement, the UK will have the closest connection with the EU here outside the European Economic Area and Switzerland. This is especially clear in the area of justice and security where there is very extensive provision for data exchange based on common standards. However, in the general area of data protection the framework only points to mutual adequacy. Even with the evolving formulation of this as “essential equivalence”, significant flexibility is retained and this may ultimately result in more substantive divergence than EU-Switzerland given the UK’s more distinct data protection approach. Common bona fide implementation of the Council of Europe’s Data Protection Convention 108+ may provide a good lodestar in the medium term and I very tentatively map out what this could mean for default standards in the UK related to sensitive data and integrity and also specific substantive restrictions to ensure a more graduated approach and reconciliation with other competing rights.
Closed Meeting between The Chartered Institute of Patent Agents (UK) and Japan Patent Attorneys Association, September 28, 2010 (London, United Kingdom)
Gastón Mirkin, from Paolantonio & Legón Abogados, explains the differences between jurisdictions throughout Latin American countries and how software users, developers and localizers can protect themselves when working in the region.
Warrants. Wiretaps. PRTTs. Subpoenas. Section 702. 2703(d) order. National Security Letters. All Writs Act. Many in the infosec community are aware that the government has an array of legal authorities to use in investigating crimes which allow them access to user content and metadata, but few people could articulate the differences among these types of orders. This talk will review each type of legal process used by state and federal agencies to request access to various types of user data and content.
Access to competition file as a precondition of access to justice - Emanuela Matei
The information to be disclosed that I discuss in the present paper relates to the content of the antitrust files produced by Competition Authorities in the EU. All officials working for any Competition Authority are required, even after their duties have ceased, not to disclose information of the kind covered by the duty of professional secrecy, in particular information about undertakings. This information may be disclosed to other Competition Authorities in the EU and even outside the EU, based on principles such as reciprocity, comity and the condition that the duty of professional secrecy applies also for the receiver.
As is known, national courts may act as competition authorities since the organization of enforcement at the national level is an issue determined by the national legislation. The access of a potential claimant for antitrust damages to the public proceedings files falls within the scope of national procedural autonomy, thus the matter will be judged against the standard of effectiveness and equivalence imposed by Union law.
Bulletin - US-EU Data Privacy Safe Harbor Program Invalidated - CohenGrigsby
On October 6, 2015, the European Court of Justice ("ECJ") invalidated the safe harbor program negotiated between the United States Department of Commerce and the European Commission pursuant to which safe harbor-registered United States companies have processed personal data transferred from the EU within the United States since 2000 (the "Safe Harbor").
EU General Data Protection Regulation & Transborder Information Flow - David Erdos
These slides are based on the talk I gave to the Wisconsin International Law Journal's Annual Symposium "Stamping Privacy's Passport? The Role of International Law in Safeguarding Individual Privacy" (Wisconsin, USA; 8 April 2016). This talk argued that European data protection's formal understanding of transborder data flow regulation (TBDF) is not only potentially very broad but has not appropriately balanced data protection against other key rights such as freedom of information and association. Many of these existing structural difficulties are exacerbated under the newly agreed General Data Protection Regulation (GDPR). In order to better reconcile the values at stake, Data Protection Authorities (DPAs) should also develop models to "authorize" low-risk TBDFs via self-certification by data controllers themselves. Member States should also make broad use of the derogations the Regulation leaves available. More generally, a contextual, risk-based interpretation of the GDPR must be developed which seeks to provide robust privacy and other individual safeguards without putting in jeopardy Europe’s other core values and liberties.
Comparing EU and Council of Europe Data Protection Standards in the Context o...David Erdos
In the event of Brexit, the UK will leave the EU Charter, the GDPR and related EU instruments. It will, however, remain committed not only to achieving EU ‘adequacy’ standard but doing this within the framework of Council of Europe’s Data Protection Convention 108+. These slides therefore explore the commonalities and contrasts between EU DP and Convention 108+. Both have a similar scope and common principles. However, Convention 108+'s transparency and sensitive data rules are considerably less stringent and there are many fewer compulsory controller discipline provisions. Whilst only modest change should be expected initially as the UK will essentially replicate the GDPR in the short-term, this less prescriptive and more flexible approach is likely to exert an influence on UK data protection should Brexit happen.
Similar to Will the GDPR Kibosh EU-US Discovery? (20)
Will the GDPR Kibosh EU-US Discovery?
1. Will the GDPR Kibosh EU-US Discovery?
November 7, 2017
2. Agenda
Background: Societe Nationale and our history of giving deference to foreign legal interests, and then ignoring them
How GDPR Article 48 may make US-EU eDiscovery much more difficult
“So, what do I do now?” Practical advice for dealing with the uncertainty
4. 1. How GDPR Article 48 may make US-EU eDiscovery much more difficult
5. Preface: International Legal Relations 101
• Discovery comes from Common Law (UK) system
• Even then “Discovery in the federal court system is far broader than in most (maybe all) foreign countries” Heraeus v. Biomet, 633 F.3d 591 (7th Cir. 2011)
• EU = typically no discovery or only through specific requests to judge
• Also the whole rest of the World too . . . we just don’t have time today
Image courtesy of California Globetrotter blog
6. Preface: International Data Protection 101
• EU: current = EC 95/46 Data Protection Directive
• EU soon = General Data Protection Regulation (May 25, 2018)
• Many others (Russia, China, Qatar and Japan, more) - recently enacted or strengthened their rules
• But again, we just have time for EU
7. Preface: GDPR 101
• A uniform regulation (unlike DPD)
• Jaw-droppingly huge potential fines
• Broad definitions of “Personal data”
• New data subject rights, including right to be forgotten
• Data breach notification rules
• Expansion of responsibility for processing - important for eDiscovery vendors who are often just Processors
8. GDPR Article 48
Transfers or disclosures not authorised by Union law
“Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”
9. Unknown: Is the Privacy Shield a qualifying “International Agreement?”
10. Recital 115 (non-binding, but still important)
Rules in third countries contrary to the Regulation
Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.
11. Discovery = Breach of GDPR?
12. Blocking statutes
“No aspect of the extension of the American legal system beyond the territorial frontier of the United States has given rise to so much friction as the requests for documents in investigation and litigation in the United States.” RESTATEMENT (THIRD) OF FOREIGN RELATIONS LAW OF THE UNITED STATES § 442, Reporters’ Notes ¶ 1 (1987).
More than 15 blocking statutes
France
Germany
Even the UK (and they created the common law system!)
Image courtesy of the ABA Journal of the Section of
13. Article 29 Working Party “Working Document 1/2009 on pre-trial discovery for cross border civil litigation”
Art. 29 WP = EU advisory body (name to be changed with GDPR)
Legal Holds = Processing:
“Although in the US the storage of personal data for litigation hold is not considered to be processing, under Directive 95/46 any retention, preservation, or archiving of data for such purposes would amount to processing.”
14. Article 29 Working Party “Working Document 1/2009 on pre-trial discovery for cross border civil litigation”
Legal Holds = potential violations of EU Data Protection laws
“Controllers in the European Union have no legal ground to store personal data at random for an unlimited period of time because of the possibility of litigation in the United States . . ..”
15. Just a paper tiger?
For decades, no fines or harm done under blocking statutes
16. In Re: Advocate Christopher X, French Supreme Court, 2008
• Complied with US court deposition request in Strauss v. Credit Lyonnais, S.A., 2000 U.S. Dist. Lexis 38378 (E.D.N.Y. May 25, 2007).
• French attorney fined €10,000 for violating blocking statute
17. 2. Background: Societe Nationale and our history of giving deference to foreign legal interests, and then ignoring them
18. Societe Nationale Industrielle Aerospatiale v. US Dist Ct. SD IA, 482 US 522 (1987)
“The World’s safest and most economical STOL plane” . . . .
. . . crashed in Iowa
Injured US fliers sought discovery from French manufacturers
19. Respondents move to block, claim Hague Convention is exclusive means
US Supreme Court on blocking statutes:
“do not deprive an American court of the power to order a party subject to its jurisdiction to produce evidence even though the act of production may violate that statute.”
On Hague convention:
“not a pre-emptive replacement” or “first resort” but an optional procedure used when appropriate
20. 5 factor comity test
Restatement (Third) of Foreign Relations Law § 442(c) (1987)
1. The importance to the … litigation of the documents or other information requested;
2. The degree of the specificity of the request;
3. Whether the information originated in the United States;
4. The availability of alternative means of securing the information; and
5. The extent to which noncompliance with the request would undermine interests of the United States, or compliance with the request would undermine interests of the state where the information is located.
21. “ . . . comity became a frivolous argument . . .”
“For three decades . . . U.S. courts applied a balancing test to weigh the interests of foreign countries against U.S. interests, and ruled almost unanimously in favor of U.S. interests . . .”
Diego Zambrano, A Comity of Errors: The Rise, Fall, and Return of International Comity in Transnational Discovery, 34 Berkeley J. Int’l Law. 157 (2016).
22. US v. Microsoft likely to make this worse
Stored Communications Act warrant (18 U.S.C. § 2703)
Microsoft produced emails on US Cloud storage, but not in Ireland
Drew massive anger from EU – especially Ireland
Second Circuit vacated contempt order
US DoJ got Supreme Court to accept Cert.
23. 3. “So, what do I do now?”
Practical advice for dealing with the uncertainty
24. Options
A. Privacy Shield
B. MLAT
C. Binding Corporate Rules
D. Standard Contract Clauses
E. Hague Convention
F. Letters Rogatory
G. Party agreement
25. A. Privacy Shield
Agreement between EU and certain US agencies
Available to companies under FTC and Department of Transportation jurisdiction (Not Telecoms or FinServ/banks)
Replaces prior Safe Harbor – invalidated by Court of Justice of the European Union (CJEU) on suit by privacy activist Max Schrems
26. Cracked Shield?
EU Privacy activists have filed lawsuits - CJEU takes up Schrems’ new case from Irish High Court (with Irish DPA support)
Annual review found many problems, but “adequate” so far
WP29 will soon issue opinion – have historically had negative view
27. 7 Key principles (inherited from Safe Harbor)
1. Notice
2. Choice
3. Onward transfer
4. Security data
5. Integrity
6. Access
7. Enforcement
29. 3. ACCOUNTABILITY FOR ONWARD TRANSFER
“To transfer personal information to a third party acting as a controller, organizations must comply with the Notice and Choice Principles.
Organizations must also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation.
The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.”
30. eDiscovery violates this provision
31. eDiscovery really violates this provision
32. So far, nobody has gotten burned . . .
Yet
Use at your own peril?
33. B. MLAT
For requesting and obtaining evidence for criminal investigations and prosecutions
Can be through Letters Rogatory or central authority – depending upon the specific treaty
Need local expert help on this
34. US MLATS (EU member states in red)
Antigua and Barb.
Argentina
Australia
Austria
Bahamas
Barbados
Belize
Bermuda
Brazil
Bulgaria
Canada
China
Cyprus
Czech Rep.
Denmark
Dominica
Egypt
Estonia
France
Germany
Greece
Grenada
Hong Kong
Hungary
India
Ireland
Israel
Japan
Latvia
Liechtenstein
Lithuania
Luxembourg
Malaysia
Philippines
Poland
Romania
Russia
Saint Lucia
South Africa
St. Kitts and Nevis
St. Vin. and Gren.
Sweden
Switzerland
Trinidad and Tobago
Ukraine
United Kingdom
Venezuela
35. C. Binding Corporate Rules
Articles 46(2)(b) and 47
How do you get the other side to sign? (even assuming that they are a corporation)
36. D. Standard Contract Clauses
Articles 46(2)(c) and 93(2)
How do you get the other side to sign?
Use as evidence creates an Onward Transfer problem
Schrems is attacking these as well – CJEU also taken up this issue through Irish High Court
37. E. Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters
Goal of many signers was to limit scope of US discovery abroad
Actively sponsored and signed by the US in 1972
Most, but not all of the EU has signed
Full list here
38. Big problem = Art. 23 reservations
“a contracting state may at the time of signature, ratification or accession declare that it will not execute letters of request issued for the purposes of obtaining pre-trial discovery of documents.”
France, Germany, Spain, UK and the Netherlands plus others in EU all use this to block US discovery
Check the official list
39. Essentially a way of asking politely*
It’s complicated: see ABA/NYSBA guidelines and forms here
Draft Letter of Request (a/k/a “Letters Rogatory”**)
Send to Central Authorities (there is a list, can use a service)
Central Authorities send to local authorities
Local authorities are supposed to compel custodian to comply
Estimated to take 2-4 months (yes, really)
* So, why hasn’t Canada signed up?
** Yes, this is confusing: Letters Rogatory predate the Convention and are usable with non-signers
40. To get good results
Likely need to help the judge
Make it easy to comply
Not be a stereotypical loud-mouth, pushy American
Be reasonable
Be specific – narrow the request as much as possible
Get help if you need it – especially local help!
But best to start with agreement, and if not agreement get a court order
41. F. Letters Rogatory
For countries that didn’t sign the Hague Convention
And for those with HC Art. 23 reservations
Again – is asking nicely
Many hoops to jump through – same advice (do it right, get help, be nice, be specific!)
No compulsory aspect
Which means that you need to expect it to take 6-12 months (yes, really!)
42. G. Party Agreement
Work it out between the parties
Get a court order if possible
Be creative
45. More Resources:
See a demo of Logikcull, the powerfully simple, highly secure eDiscovery and data management software.
For technology and eDiscovery news and tips, interviews with judges and practitioners, and more, sign up for Logikcull’s blog, Closing the Loop.
Text of the GDPR (English)
Barton GDPR Compliance Group site