SlideShare uma empresa Scribd logo

Eddankatz publicvoice globalflowsofdata

Eddan Katz
Eddan Katz

This document discusses requirements for transferring personal data to third countries under European Union law. It outlines the EU's principle of "adequate protection" that requires third countries to ensure a sufficient level of data protection. The document also examines various mechanisms for complying with this principle such as consent from data subjects, EU standard contractual clauses, binding corporate rules, and the EU-US Safe Harbor framework. It notes challenges around enforcement of these frameworks given the global nature of data flows on the internet.

1 de 14
Baixar para ler offline
Accountable Enforcement and Jurisdiction as Prerequisites for the Global Flows of Potentially Identifying Information Eddan Katz International Affairs Director Electronic Frontier Foundation The Public Voice: Global Privacy Standards for a Global World November 3, 2009 Melia Castilla Hotel - Madrid, Spain Wednesday, December 29, 2010 1
Adequate Protection for Transfer of Personal Data to Third Countries • Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Chapter IV: Article 25 Principles • 1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection, • 2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country. • 3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2. Wednesday, December 29, 2010 2
Inadequate Protection • 4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question. • 5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4. • 6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals. Member States Wednesday, December 29, 2010 3
Adequate Protection Countries • Switzerland • Guernsey • Hungary • Jersey • Canada • Isle of Man • Argentina Wednesday, December 29, 2010 4
Options for Compliance • Derogations • Unambiguous Consent • EU Commission Model Clauses • Member State Data Protection Authority Approval • Binding Corporate Rules Wednesday, December 29, 2010 5
Article 26(1): • (a) the data subject has given his consent unambiguously to the proposed transfer; or • (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or • (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or • (d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or • (e) the transfer is necessary in order to protect the vital interests of the data subject; or • (f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation" are fulfilled in the particular case. Wednesday, December 29, 2010 6
Unambiguous Consent • Should be done anyhow • How do you differentiate between EU users and others • if to all, then contracting with everyone • jurisdiction for third countries • if to only Europeans, then requires instituting an infrastructure which Wednesday, December 29, 2010 7
Standard Contractual Clauses • 3 types of agreements • 2004 Decision • flexible auditing requirements • detailed rules of access • Data Controller to Data Controller Agreement • Alternative Data Controller to Data Controller Model Agreement • Model Data Controller to Data Processor Agreement • Geared towards larger corporations • Lack of flexibility of contract Wednesday, December 29, 2010 8
Binding Corporate Rules • Only really works for multi-national corporations • Major impact on establishing standards. • Only truly trans-national governance. Wednesday, December 29, 2010 9
EU-US Safe Harbor Principles • Notice • Choice • Enforcement • Onward Transfer • independent recourse • Security mechanisms • Data Integrity • procedures for • Access verifying business Wednesday, December 29, 2010 10
Safe Harbor Issues • Self-reporting registration • Enforcement issues - investigation of who is accountable • FTC Section 5 jurisdiction • prohibits unfair or deceptive acts or practices • affects commerce in addition to Wednesday, December 29, 2010 11
Enforcement & • US EU Safe Harbor Opinions, clear that the concern is about being accountable • Dispute Resolution processes under Safe Harbor - Data Protection Authority revenue • Data Havens and Server Farms - Regulatory Arbitrage • Web is global. If it is available somewhere, it can be available anywhere. • Why are we instituting borders? Bad for the Internet. • Points of control. Fight over balance of security & privacy goes to border guards • How do you insist on the creation of a Data Protection Authority • Part of trade negotiations Wednesday, December 29, 2010 12
Data Protection Authorities • Request pre-approval for a particular type of data transfer from each and every European Member State. • Criteria for approval is based on if “the controller adduces sufficient guarantees with respect to the protection of the privacy and fundamental rights and freedoms of individuals.” • Costs associated with providing dispute resolution procedures • Pre-approval criteria arbitrage - One DPA’s approval = default all other countries • Consortium that streamlines the process, but enables contract negotiation and oversight Wednesday, December 29, 2010 13
Harmonization risks • Regulatory Framework Friction • Risk of Lowered standards overall • Harmonize includes differentiation up & down • not sameness. important to remember • Global standard needs multilateral setting for negotiation Wednesday, December 29, 2010 14

Recomendados

Investigating cybercrime at the United Nations
Investigating cybercrime at the United NationsInvestigating cybercrime at the United Nations
Investigating cybercrime at the United Nationsblogzilla
 
Thainetizennetwork globalcybercrime 07272009
Thainetizennetwork globalcybercrime 07272009Thainetizennetwork globalcybercrime 07272009
Thainetizennetwork globalcybercrime 07272009Eddan Katz
 
A2krussia
A2krussiaA2krussia
A2krussiaEddan Katz
 
Mapping A2K Advocacy: Towards a Coalition Against ACTA
Mapping A2K Advocacy: Towards a Coalition Against ACTAMapping A2K Advocacy: Towards a Coalition Against ACTA
Mapping A2K Advocacy: Towards a Coalition Against ACTAEddan Katz
 
Leveraging the INDECT Project: An Activist Strategy to Implement Privacy Ethi...
Leveraging the INDECT Project: An Activist Strategy to Implement Privacy Ethi...Leveraging the INDECT Project: An Activist Strategy to Implement Privacy Ethi...
Leveraging the INDECT Project: An Activist Strategy to Implement Privacy Ethi...Eddan Katz
 
Computer Crimes: An American Case Study
Computer Crimes: An American Case StudyComputer Crimes: An American Case Study
Computer Crimes: An American Case StudyEddan Katz
 
Thainetizennetwork slides day1
Thainetizennetwork slides day1Thainetizennetwork slides day1
Thainetizennetwork slides day1Eddan Katz
 
Copyrightcontraband cepe2007
Copyrightcontraband cepe2007Copyrightcontraband cepe2007
Copyrightcontraband cepe2007Eddan Katz
 

Recomendados

Investigating cybercrime at the United Nations
Investigating cybercrime at the United NationsInvestigating cybercrime at the United Nations
Investigating cybercrime at the United Nationsblogzilla
 
Thainetizennetwork globalcybercrime 07272009
Thainetizennetwork globalcybercrime 07272009Thainetizennetwork globalcybercrime 07272009
Thainetizennetwork globalcybercrime 07272009Eddan Katz
 
A2krussia
A2krussiaA2krussia
A2krussiaEddan Katz
 
Mapping A2K Advocacy: Towards a Coalition Against ACTA
Mapping A2K Advocacy: Towards a Coalition Against ACTAMapping A2K Advocacy: Towards a Coalition Against ACTA
Mapping A2K Advocacy: Towards a Coalition Against ACTAEddan Katz
 
Leveraging the INDECT Project: An Activist Strategy to Implement Privacy Ethi...
Leveraging the INDECT Project: An Activist Strategy to Implement Privacy Ethi...Leveraging the INDECT Project: An Activist Strategy to Implement Privacy Ethi...
Leveraging the INDECT Project: An Activist Strategy to Implement Privacy Ethi...Eddan Katz
 
Computer Crimes: An American Case Study
Computer Crimes: An American Case StudyComputer Crimes: An American Case Study
Computer Crimes: An American Case StudyEddan Katz
 
Thainetizennetwork slides day1
Thainetizennetwork slides day1Thainetizennetwork slides day1
Thainetizennetwork slides day1Eddan Katz
 
Copyrightcontraband cepe2007
Copyrightcontraband cepe2007Copyrightcontraband cepe2007
Copyrightcontraband cepe2007Eddan Katz
 
A2k rit
A2k ritA2k rit
A2k ritEddan Katz
 
Tacdconference actaslides
Tacdconference actaslidesTacdconference actaslides
Tacdconference actaslidesEddan Katz
 
Freecultureforum barcelona2009 acta
Freecultureforum barcelona2009 actaFreecultureforum barcelona2009 acta
Freecultureforum barcelona2009 actaEddan Katz
 
God's word to abundant life fellowship march 2011
God's word to abundant life fellowship march 2011God's word to abundant life fellowship march 2011
God's word to abundant life fellowship march 2011Abundant Life Fellowship
 
Install party
Install partyInstall party
Install partyopenensa
 
Eddankatz democratic culture_freecultureforum_slides
Eddankatz democratic culture_freecultureforum_slidesEddankatz democratic culture_freecultureforum_slides
Eddankatz democratic culture_freecultureforum_slidesEddan Katz
 
Unit 10 – God’S Will And The Church
Unit 10 – God’S Will And The ChurchUnit 10 – God’S Will And The Church
Unit 10 – God’S Will And The ChurchAbundant Life Fellowship
 
Copyright and privacy by design - what lessons have we learned?
Copyright and privacy by design - what lessons have we learned?Copyright and privacy by design - what lessons have we learned?
Copyright and privacy by design - what lessons have we learned?blogzilla
 
Cross Border Privacy : Intellectual Property Issues
Cross Border Privacy : Intellectual Property IssuesCross Border Privacy : Intellectual Property Issues
Cross Border Privacy : Intellectual Property IssuesKarl Larson
 
Data Privacy & Compliance Considerations on Using Cloud Services
Data Privacy & Compliance Considerations on Using Cloud ServicesData Privacy & Compliance Considerations on Using Cloud Services
Data Privacy & Compliance Considerations on Using Cloud ServicesAmazon Web Services
 
Data privacy & compliance considerations on using cloud services
Data privacy & compliance considerations on using cloud servicesData privacy & compliance considerations on using cloud services
Data privacy & compliance considerations on using cloud servicesCharles Mok
 
The GDPR: What About Data Stored or Transmitted Outside the EU?
The GDPR: What About Data Stored or Transmitted Outside the EU?The GDPR: What About Data Stored or Transmitted Outside the EU?
The GDPR: What About Data Stored or Transmitted Outside the EU?TAG Alliances
 
Are you preparing for GDPR?
Are you preparing for GDPR?Are you preparing for GDPR?
Are you preparing for GDPR?Chris Bullock
 
12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotatedwdsnead
 
Safe Harbor Webinar
Safe Harbor WebinarSafe Harbor Webinar
Safe Harbor WebinarEthisphere
 
Privacy post-Snowden
Privacy post-SnowdenPrivacy post-Snowden
Privacy post-Snowdenblogzilla
 
Workshop 'Big data' Simon Hania
Workshop 'Big data' Simon HaniaWorkshop 'Big data' Simon Hania
Workshop 'Big data' Simon HaniaSURFnet
 
33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...
33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...
33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...APNIC
 
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...AltheimPrivacy
 
Data Sovereignty
Data SovereigntyData Sovereignty
Data SovereigntySadegh Bamohabbat
 
Wsgr eu data protection briefing march 20 2013 - final
Wsgr eu data protection briefing march 20 2013 - finalWsgr eu data protection briefing march 20 2013 - final
Wsgr eu data protection briefing march 20 2013 - finalValentin Korobkov
 
Gary Davis
Gary DavisGary Davis
Gary Davisdri_ireland
 

Mais conteúdo relacionado

Destaque

Tacdconference actaslides
Tacdconference actaslidesTacdconference actaslides
Tacdconference actaslidesEddan Katz
 
Freecultureforum barcelona2009 acta
Freecultureforum barcelona2009 actaFreecultureforum barcelona2009 acta
Freecultureforum barcelona2009 actaEddan Katz
 
God's word to abundant life fellowship march 2011
God's word to abundant life fellowship march 2011God's word to abundant life fellowship march 2011
God's word to abundant life fellowship march 2011Abundant Life Fellowship
 
Install party
Install partyInstall party
Install partyopenensa
 
Eddankatz democratic culture_freecultureforum_slides
Eddankatz democratic culture_freecultureforum_slidesEddankatz democratic culture_freecultureforum_slides
Eddankatz democratic culture_freecultureforum_slidesEddan Katz
 

Destaque (7)

A2k rit
A2k ritA2k rit
A2k rit
 
Tacdconference actaslides
Tacdconference actaslidesTacdconference actaslides
Tacdconference actaslides
 
Freecultureforum barcelona2009 acta
Freecultureforum barcelona2009 actaFreecultureforum barcelona2009 acta
Freecultureforum barcelona2009 acta
 
God's word to abundant life fellowship march 2011
God's word to abundant life fellowship march 2011God's word to abundant life fellowship march 2011
God's word to abundant life fellowship march 2011
 
Install party
Install partyInstall party
Install party
 
Eddankatz democratic culture_freecultureforum_slides
Eddankatz democratic culture_freecultureforum_slidesEddankatz democratic culture_freecultureforum_slides
Eddankatz democratic culture_freecultureforum_slides
 
Unit 10 – God’S Will And The Church
Unit 10 – God’S Will And The ChurchUnit 10 – God’S Will And The Church
Unit 10 – God’S Will And The Church
 

Semelhante a Eddankatz publicvoice globalflowsofdata

Copyright and privacy by design - what lessons have we learned?
Copyright and privacy by design - what lessons have we learned?Copyright and privacy by design - what lessons have we learned?
Copyright and privacy by design - what lessons have we learned?blogzilla
 
Cross Border Privacy : Intellectual Property Issues
Cross Border Privacy : Intellectual Property IssuesCross Border Privacy : Intellectual Property Issues
Cross Border Privacy : Intellectual Property IssuesKarl Larson
 
Data Privacy & Compliance Considerations on Using Cloud Services
Data Privacy & Compliance Considerations on Using Cloud ServicesData Privacy & Compliance Considerations on Using Cloud Services
Data Privacy & Compliance Considerations on Using Cloud ServicesAmazon Web Services
 
Data privacy & compliance considerations on using cloud services
Data privacy & compliance considerations on using cloud servicesData privacy & compliance considerations on using cloud services
Data privacy & compliance considerations on using cloud servicesCharles Mok
 
The GDPR: What About Data Stored or Transmitted Outside the EU?
The GDPR: What About Data Stored or Transmitted Outside the EU?The GDPR: What About Data Stored or Transmitted Outside the EU?
The GDPR: What About Data Stored or Transmitted Outside the EU?TAG Alliances
 
Are you preparing for GDPR?
Are you preparing for GDPR?Are you preparing for GDPR?
Are you preparing for GDPR?Chris Bullock
 
12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotatedwdsnead
 
Safe Harbor Webinar
Safe Harbor WebinarSafe Harbor Webinar
Safe Harbor WebinarEthisphere
 
Privacy post-Snowden
Privacy post-SnowdenPrivacy post-Snowden
Privacy post-Snowdenblogzilla
 
Workshop 'Big data' Simon Hania
Workshop 'Big data' Simon HaniaWorkshop 'Big data' Simon Hania
Workshop 'Big data' Simon HaniaSURFnet
 
33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...
33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...
33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...APNIC
 
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...AltheimPrivacy
 
Wsgr eu data protection briefing march 20 2013 - final
Wsgr eu data protection briefing march 20 2013 - finalWsgr eu data protection briefing march 20 2013 - final
Wsgr eu data protection briefing march 20 2013 - finalValentin Korobkov
 
GDPR: Protecting Your Data
GDPR: Protecting Your DataGDPR: Protecting Your Data
GDPR: Protecting Your DataUlf Mattsson
 
2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers
2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers
2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_ProvidersJon-Michael C. Brook, CISSP
 
EU Data Protection Regulation 26 June 2012
EU Data Protection Regulation 26 June 2012EU Data Protection Regulation 26 June 2012
EU Data Protection Regulation 26 June 2012Chris Marsden
 

Semelhante a Eddankatz publicvoice globalflowsofdata (20)

Copyright and privacy by design - what lessons have we learned?
Copyright and privacy by design - what lessons have we learned?Copyright and privacy by design - what lessons have we learned?
Copyright and privacy by design - what lessons have we learned?
 
Cross Border Privacy : Intellectual Property Issues
Cross Border Privacy : Intellectual Property IssuesCross Border Privacy : Intellectual Property Issues
Cross Border Privacy : Intellectual Property Issues
 
Data Privacy & Compliance Considerations on Using Cloud Services
Data Privacy & Compliance Considerations on Using Cloud ServicesData Privacy & Compliance Considerations on Using Cloud Services
Data Privacy & Compliance Considerations on Using Cloud Services
 
Data privacy & compliance considerations on using cloud services
Data privacy & compliance considerations on using cloud servicesData privacy & compliance considerations on using cloud services
Data privacy & compliance considerations on using cloud services
 
The GDPR: What About Data Stored or Transmitted Outside the EU?
The GDPR: What About Data Stored or Transmitted Outside the EU?The GDPR: What About Data Stored or Transmitted Outside the EU?
The GDPR: What About Data Stored or Transmitted Outside the EU?
 
Are you preparing for GDPR?
Are you preparing for GDPR?Are you preparing for GDPR?
Are you preparing for GDPR?
 
12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated12 02-14 information security managers - unannotated
12 02-14 information security managers - unannotated
 
Safe Harbor Webinar
Safe Harbor WebinarSafe Harbor Webinar
Safe Harbor Webinar
 
Privacy post-Snowden
Privacy post-SnowdenPrivacy post-Snowden
Privacy post-Snowden
 
Workshop 'Big data' Simon Hania
Workshop 'Big data' Simon HaniaWorkshop 'Big data' Simon Hania
Workshop 'Big data' Simon Hania
 
33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...
33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...
33rd TWNIC IP OPM: Legal cooperation to overcome jurisdictional and territori...
 
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...
Bridging U.S. Cross-Border Ediscovery Obligations and EU Data Protection Obli...
 
Data Sovereignty
Data SovereigntyData Sovereignty
Data Sovereignty
 
Wsgr eu data protection briefing march 20 2013 - final
Wsgr eu data protection briefing march 20 2013 - finalWsgr eu data protection briefing march 20 2013 - final
Wsgr eu data protection briefing march 20 2013 - final
 
Gary Davis
Gary DavisGary Davis
Gary Davis
 
GDPR: Protecting Your Data
GDPR: Protecting Your DataGDPR: Protecting Your Data
GDPR: Protecting Your Data
 
2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers
2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers
2013.11.30.Brook-CSA_Congress_EU_Avoiding_US_Cloud_Providers
 
Cr4 tpp leesburg2012
Cr4 tpp leesburg2012Cr4 tpp leesburg2012
Cr4 tpp leesburg2012
 
Cr4 tpp fgv
Cr4 tpp fgvCr4 tpp fgv
Cr4 tpp fgv
 
EU Data Protection Regulation 26 June 2012
EU Data Protection Regulation 26 June 2012EU Data Protection Regulation 26 June 2012
EU Data Protection Regulation 26 June 2012
 

Eddankatz publicvoice globalflowsofdata

  • 1. Accountable Enforcement and Jurisdiction as Prerequisites for the Global Flows of Potentially Identifying Information Eddan Katz International Affairs Director Electronic Frontier Foundation The Public Voice: Global Privacy Standards for a Global World November 3, 2009 Melia Castilla Hotel - Madrid, Spain Wednesday, December 29, 2010 1
  • 2. Adequate Protection for Transfer of Personal Data to Third Countries • Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Chapter IV: Article 25 Principles • 1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection, • 2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country. • 3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2. Wednesday, December 29, 2010 2
  • 3. Inadequate Protection • 4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question. • 5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4. • 6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals. Member States Wednesday, December 29, 2010 3
  • 4. Adequate Protection Countries • Switzerland • Guernsey • Hungary • Jersey • Canada • Isle of Man • Argentina Wednesday, December 29, 2010 4
  • 5. Options for Compliance • Derogations • Unambiguous Consent • EU Commission Model Clauses • Member State Data Protection Authority Approval • Binding Corporate Rules Wednesday, December 29, 2010 5
  • 6. Article 26(1): • (a) the data subject has given his consent unambiguously to the proposed transfer; or • (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or • (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or • (d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or • (e) the transfer is necessary in order to protect the vital interests of the data subject; or • (f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation" are fulfilled in the particular case. Wednesday, December 29, 2010 6
  • 7. Unambiguous Consent • Should be done anyhow • How do you differentiate between EU users and others • if to all, then contracting with everyone • jurisdiction for third countries • if to only Europeans, then requires instituting an infrastructure which Wednesday, December 29, 2010 7
  • 8. Standard Contractual Clauses • 3 types of agreements • 2004 Decision • flexible auditing requirements • detailed rules of access • Data Controller to Data Controller Agreement • Alternative Data Controller to Data Controller Model Agreement • Model Data Controller to Data Processor Agreement • Geared towards larger corporations • Lack of flexibility of contract Wednesday, December 29, 2010 8
  • 9. Binding Corporate Rules • Only really works for multi-national corporations • Major impact on establishing standards. • Only truly trans-national governance. Wednesday, December 29, 2010 9
  • 10. EU-US Safe Harbor Principles • Notice • Choice • Enforcement • Onward Transfer • independent recourse • Security mechanisms • Data Integrity • procedures for • Access verifying business Wednesday, December 29, 2010 10
  • 11. Safe Harbor Issues • Self-reporting registration • Enforcement issues - investigation of who is accountable • FTC Section 5 jurisdiction • prohibits unfair or deceptive acts or practices • affects commerce in addition to Wednesday, December 29, 2010 11
  • 12. Enforcement & • US EU Safe Harbor Opinions, clear that the concern is about being accountable • Dispute Resolution processes under Safe Harbor - Data Protection Authority revenue • Data Havens and Server Farms - Regulatory Arbitrage • Web is global. If it is available somewhere, it can be available anywhere. • Why are we instituting borders? Bad for the Internet. • Points of control. Fight over balance of security & privacy goes to border guards • How do you insist on the creation of a Data Protection Authority • Part of trade negotiations Wednesday, December 29, 2010 12
  • 13. Data Protection Authorities • Request pre-approval for a particular type of data transfer from each and every European Member State. • Criteria for approval is based on if “the controller adduces sufficient guarantees with respect to the protection of the privacy and fundamental rights and freedoms of individuals.” • Costs associated with providing dispute resolution procedures • Pre-approval criteria arbitrage - One DPA’s approval = default all other countries • Consortium that streamlines the process, but enables contract negotiation and oversight Wednesday, December 29, 2010 13
  • 14. Harmonization risks • Regulatory Framework Friction • Risk of Lowered standards overall • Harmonize includes differentiation up & down • not sameness. important to remember • Global standard needs multilateral setting for negotiation Wednesday, December 29, 2010 14