This presentation explores the management of international transfer of data: complex rules/selection of a transfer strategy and existing tools. The security of personal data is critical and subject to public scrutiny: this presentation looks at examples of data breaches/best practices. Plus how to anticipate the new EU data protection framework requirements.
3. Presenters
► Fabrice Naftalski ► Dr. Peter Katko
► Ernst & Young Société d’Avocats ► Ernst & Young Law GmbH
► Attorney at Law/Partner ► Attorney/Partner
► Head of IP/IT Law ► Head of IP/IT Law
► fabrice.naftalski@ey-avocats.com ► peter.katko@de.ey.com
► EuroPriSe legal expert and CIPP/E ► EuroPriSe legal expert
Page 3 Data privacy and global mobility
4. Agenda
► Data privacy in global mobility
► Focus 1: Management of international transfer of data:
complex rules/selection of a transfer strategy and existing
tools
► Focus 2: Security of personal data is critical and subject
to public scrutiny: examples of data breaches/best
practices
► What’s next: How to anticipate the new EU data
protection framework requirements
5. Data privacy in global mobility
6. Global mobility triggers recurrent and
important personal data transfers
► International assignments involve various flows of
personal data*, subject to data protection regulation:
► Name, gender, address, identification card number, residence
permit number, nationality, passport number, family situation,
phone number, educational background and career experience
related data, record of performance evaluation related data, etc.
► Specific data privacy aspects related to mobility
programs:
► Processing of the data of expatriated employees
► Management of the data flows and international transfers between
the group companies
*Information that can be used to identify, contact or locate a natural person or can be linked to other sources to identify this individual.
7. Rationale for data protection
► Human rights law:
► Universal Declaration of Human Rights
► European Convention on Human Rights
► Charter of Fundamental Rights from 7 December 2000
► National constitutions
► EU directive
► OECD guidelines
► Consumer and security regulation (US)
► Asia Pacific Economic Cooperation (APEC) framework
8. Global trend towards more data privacy
regulation
South Korea:
► Act on the Protection of Personal Data (2011)
Philippines:
► Bill on data protection based on EU directive 95/46
► Bill is supposed to reduce the concerns regarding an outsourcing to Philippine companies
US:
► Consumer Privacy Bill of Rights (March 2012)
► FTC recommendations on privacy on the internet
India:
► New Data Protection Act (regarding IT-topics) in 2011
Costa Rica and Colombia:
► Strives to become a safe third country
► Data protection legislation based on the 1995 EU Data Protection Directive
Peru:
► New Data Protection Act (2011) inspired by the Spanish Data Protection Act and the APEC (Asia-Pacific Economic Cooperation) Privacy Framework
Brazil:
► Work in progress: Data Protection Act based on the EU-directive
Australia and Hong Kong:
► Intend to strengthen data protection
New Zealand:
► Safe third country
9. Data privacy in the US
US-Consumer Privacy Bill of Rights
► Self-commitment:
► Catalog of rights regarding consumer data protection
► Catalog of rights leads to a better protection of consumers’
privacy on the world wide web
► Goal: contribution to the improvement of the international
“interoperability” and additions to the Safe Harbor Agreement
with the EU
► Better recognition of the mutual data protection standards
► Enforcement by the Federal Trade Commission (FTC)
10. EU framework to protect personal data
► Legal framework in Europe:
► EU Law (Personal Data Protection Directive 95/46 and Privacy Directive
2002/58)
► Local data protection laws corresponding to Member States implementation
► Article 29 Working Party group and National Data Protection Regulator’s soft
law
► Data protection regulators:
► Authorize certain data processing and transfers outside the EU/EEA
► Control compliance with data protection law
► Sanction breaches of the law
► Act also as "jurisdiction" in certain countries
► Sanctions for the violation of data protection legislation:
► Criminal sanctions
► Administrative sanctions including monetary penalties
► Damage to the image of the company
11. Overview of requirements and sanctions
Main EU data protection principles to comply with
► Compliance areas: legal basis to process personal/sensitive data; information obligation; transfer requirements; data subject rights; security measures; filing requirements
► All personal data must:
1. Be processed fairly and lawfully
2. Be obtained for only one or more specified and lawful purposes
3. Be adequate, relevant and not excessive
4. Be accurate and kept up to date
5. Be kept no longer than necessary
6. Be processed in accordance with the identifiable person’s rights
7. Be kept secure
8. Not be transferred to third parties outside of the European Economic Area (EEA), unless certain conditions are met
12. Why is data privacy compliance critical when
monitoring mobility programs?
► Because organizations are more complex and global,
data is no longer static and hosted in one place:
► Security of data is more challenging
► International data flows are more numerous
► Because employees’ data is a strategic and very
sensitive asset
► In this context, maintaining a secure and compliant
environment is a growing challenge
13. Focus 1: Management of international transfer
of data
14. Management of international transfer of data
under European Union law
► Transfer between group entities:
► Considered as a disclosure by transmission even within one Member State
► Subject to justification (need of employment, intra-group outsourcing, group
interest)
► EU Directive 95/46 was the first international instrument dealing with the
issue of the transfers of personal data to third countries:
► One stated objective of the Directive is to allow the free flow of personal data
between Member States, based on agreed-upon principles of personal data
protection
► At the same time, transfers of personal data to third countries require special
consideration
► Applicability of EU law:
► Transfer differs from mere transit. Therefore, personal data may be routed
through a third country without considering this operation as a transfer if no
substantive processing operation is conducted on the data in the third country
► It involves hosting but also mere access from non-EU countries to data hosted
in the EU
15. Complex rules for the management of
international transfer of data
► EU general principles regarding data transfers:
► The data controller may not transfer personal data to a state that is not a
Member State of the EU if this state does not provide a sufficient level of
protection of individuals’ privacy, liberties and fundamental rights.
► If a third country has enacted a generally applicable privacy law that the
European Commission deems “adequate,” the country is eligible to receive
personal data from Europe (Switzerland, Isle of Man, Canada, Argentina,
Israel, Uruguay, Guernsey, European Economic Area countries)
► If not, the following legal tools must be implemented to transfer personal data
from Europe, not country-by-country, but company-by-company:
► Safe Harbor
► Standard contractual clauses of the EC
► Binding corporate rules
16. Strategies for international transfer of
personal data
► Lack of a so-called group privilege (often criticized by companies):
► Data exchange between affiliates is regulated under data protection laws
as a transfer between third parties
► The strategy to adopt should be determined regarding the
specificities of the company and its activity (size of the company,
number and locations of affiliates and processor, etc.):
► The EU standard contractual clauses export European principles
concerning the processing of personal data to all companies receiving the
data
+ : “ready-to-be-signed”
- : potentially numerous contracts to be concluded
► In the case of US companies, they can agree to comply with data
protection laws on the European model as part of the Safe Harbor self-
certification process
+ : self-certification process
- : only for US companies; liability before the FTC
► Important groups, in consultation with the data protection regulatory
agencies, can adopt Binding Corporate Rules (BCRs) to facilitate
transfers between all entities within the group
+ : cover all data transfers within a group
- : implementation process may be complex
17. Management of international transfers of data
Focus on the BCRs
► Definition of the BCRs:
► BCRs are a set of internal guidelines, similar to a Code of Conduct, that
establishes policies for transferring personal information within the
organization and across international boundaries.
► BCRs benefits:
► Elimination of contracts for each transfer
► Mitigation of risks from data transfers to third countries
► Consistency in data protection strategies and practices within the
organization
► In-house awareness of privacy issues
► A way to achieve accountability within the organization
► Implementing BCRs (process steps): Designate a lead DPA → Draft BCRs → Circulate BCRs to relevant DPAs → EU cooperation procedure → Close the procedure/implement BCRs
18. Focus 2: Security of personal data is critical and
subject to public scrutiny
19. Security of personal data
Elements of context
► A highly publicized issue:
► ABC Corporation:
► External intrusion in the PlayStation Network:
► Data from approximately 77 million accounts were stolen
► Several legal actions have been engaged against ABC Corporation
► Loss of trust/damage to the image of the company
► Impressive fall in the share price
20. Security of personal data
Elements of context
► Focus on HR data:
► External intrusion:
► The “hacktivist” group called Anonymous succeeded in obtaining
and publishing a database containing the emails and other material
related to a big pharma’s employees
► Internal mistake:
► The HR department of Company B accidentally sent an email to 300 employees
revealing wage levels, proposed increases and comments of HR
services concerning the evaluation of the employees
21. Security of personal data
Technical and legal leading practices
► IT risk has privacy implications:
► More and more countries have or are adopting data privacy
regulations with strong security requirements:
► In the EU, certain countries such as Spain, Italy, Portugal and Germany
are very demanding in terms of security
► In the past years Mexico enacted a comprehensive privacy law, as did
South Korea, Peru, Colombia and Costa Rica
► In 2011, India enacted a controversial new privacy regulation
► Breach notification requirements are emerging in many countries from
Latin America (Brazil, Uruguay and Mexico) to Europe (draft
regulation) and Japan in the Asia-Pacific region
► Regulators will always be in a position of having to react to the
challenges new technologies present
22. Security of personal data
Technical and legal leading practices
► Questions to consider:
► Does your network architecture design route data from different countries
to a central location?
► Do you have a good knowledge of data privacy regulations in the
countries where expatriates are located or where their data is processed?
► Have the privacy regulations in the jurisdictions in which you operate
changed in the last years?
► If you outsource to countries with new or updated privacy regulations,
have you considered what impact that may have on your business in
these countries?
► If you are transferring data to countries with new or updated regulations,
have you considered the impact of those regulations on your local or
expatriated employees?
► Have you identified solutions to address compliance needs and limit the
risk of inappropriate access and exposure of personal information across
the organization?
23. Security of personal data
Technical and legal leading practices
► Tools to address compliance needs and IT risks:
► Cartography of security requirements in local data protection laws
► Accountability within the organization
► Improve internal monitoring and identify privacy professionals
within the organization
► Organize security and privacy audits on a regular basis
► Set up privacy impact assessment/privacy by design
► Reinforce employees’ awareness (internal policies and training of
the employees)
► Secure contractual relationship with processors
24. What’s next: How to anticipate the new EU data
protection framework requirements
25. Illustrations of the main changes provided
by the new EU regulation currently in draft version
► Increased responsibility and accountability for those processing personal data:
► Breach notifications
► Application of EU rules to companies active in the EU market (even if not established in the EU)
► “Principle of accountability”
► Obligation to appoint Data Privacy Officers
► New obligations applicable to data processors
► Simplification:
► A “one-stop-shop” for data protection: only one set of data protection rules valid across the EU
and one responsible data protection authority — the national authority of the Member State in
which the company has its main establishment
► Right to be forgotten
► Maximum penalty of 2% of the groupwide annual turnover
► New rules regarding transfer to third countries, consistency mechanism, role of the EC,
European Data Protection Board, supervisory authorities, etc.
► Still open for national rules on privacy in employment
► Still no group privilege but promotion of BCRs
26. How to anticipate the new EU data protection
framework requirements
► Practical steps to comply:
► Perform privacy audits and regular privacy impact assessments
► Perform regular training
► Appoint a data protection officer
► Implement BCRs to meet transfer and future accountability
requirements
► Stay aware of developments