
1 European Data Protection: What’s Ahead for U.S. Companies? EU-U.S. Safe Harbor (Invalidated), EU-U.S. Privacy Shield (In Progress), and EU General Data Protection Regulation (In Progress)

2 Our presenters today
‒ Lothar Determann, Partner, Palo Alto, +1 650 856-5533, Lothar.Determann@bakermckenzie.com
‒ Brian Hengesbaugh, Partner, Chicago, +1 312 861-3077, Brian.Hengesbaugh@bakermckenzie.com

3 Agenda
1. Overview on global data protection
2. EU-U.S. Safe Harbor (Invalidated)
3. EU-U.S. Privacy Shield (In Progress)
4. EU Data Protection Regulation (In Progress)
  a. Cross-border transfers
  b. Data Mapping
  c. Consent
  d. Data Protection Officer (DPO)
  e. Data Breach

4 1. Overview

5 Data protection laws...
‒ Regulate the collection, use, storage, disclosure, and other processing of “personally identifiable information” or “PII”:
  ‒ Name and other “identifiers,” and any other data that can be linked with the identified or identifiable person or device.
  ‒ Employees, consumers, contractors, corporate customer contacts, supplier contacts, website visitors, business partner contacts, end users, and other individuals.
‒ Two approaches to regulation globally:
  ‒ United States: Sector-specific (HIPAA/HITECH, GLBA/FCRA, and the like) and data-specific (SSNs, bank account and credit/debit card numbers, username/password to an online account)
  ‒ European Union: Omnibus privacy laws applicable to all personal data, regardless of sector, category of individual, or type of personal data; local hurdles on collection and processing, plus additional restrictions on cross-border transfers
‒ The EU tends to lead the rest of the non-US world

6 Examples of data protection issues in practice
‒ Business manifestations: cloud and sourcing; global HR databases; customer relationship management (CRM) applications; websites and mobile apps; mergers and acquisitions
‒ Compliance manifestations: whistleblower hotlines; email and internet monitoring; internal investigations; e-discovery and legal demands; data security and breach notice

7 1995 EC Data Protection Directive (95/46/EC)
‒ Omnibus regulation for all industry sectors
‒ Implemented by Member States into national data protection laws
‒ Local compliance issues (substantive + procedural)
‒ Cross-border data transfer restrictions: personal data cannot be transferred to a “foreign” jurisdiction unless there is “adequate” protection where received.
  ‒ Adequacy determinations for some countries (Argentina, Canada, Switzerland, etc.) and for US organizations in Safe Harbor
  ‒ EC standard contractual clauses (“Model contracts”)
  ‒ Binding corporate rules
  ‒ Consent/exceptions/other derogations
  ‒ Jurisdictional arguments

8 2. EU-U.S. Safe Harbor

9 Schrems decision
‒ In Schrems, the European Court of Justice (Court) invalidated the US-EU Safe Harbor Privacy Arrangement (“Safe Harbor”) on October 6, 2015
‒ Safe Harbor had served as the EC adequacy finding for the United States for fifteen years
‒ The Court found that Safe Harbor was not adequate because of the apparent absence of sufficient protections within Safe Harbor against US government surveillance and of corresponding redress for EU citizens (not “essentially equivalent”)

10 Post-Schrems developments
‒ Initial Article 29 Working Party Opinion on Schrems (Oct 16, 2015):
  ‒ Transfers relying solely on Safe Harbor are unlawful
  ‒ Model contracts and binding corporate rules can be used at present, although they are under examination for concerns about government surveillance
  ‒ Collective action to be considered if there is no resolution on “Safe Harbor 2.0” by the end of January 2016
‒ Various individual data protection authority opinions (e.g., German data protection authorities, UK Information Commissioner, and the like)
‒ EU-US Privacy Shield (Safe Harbor 2.0) announced as agreed between the European Commission and the US Department of Commerce and other authorities on February 2, 2016 (ahead of the WP meeting)
‒ Other developments (to be discussed after the Privacy Shield overview)

11 3. EU-U.S. Privacy Shield

12 EU-U.S. Privacy Shield Arrangement
‒ On February 29, 2016, the European Commission issued its draft decision and the US documents for the EU-US Privacy Shield Arrangement.
‒ The US-issued Privacy Shield documents are:
  ‒ A commitment from the US Secretary of Commerce to devote all necessary resources to adhere fully to the requirements of the Privacy Shield
  ‒ Twenty-two Privacy Shield Principles, along with Arbitration Procedures
  ‒ Letters from the Federal Trade Commission and the Department of Transportation (commercial enforcement authority)
  ‒ Letters from the Office of the Director of National Intelligence (ODNI) (surveillance law and policy), the Department of State (surveillance redress), and the Department of Justice (criminal law enforcement law and policy)
‒ The European Commission is now (i) evaluating the non-binding views of the Article 29 Working Party of Data Protection Authorities, the European Parliament, and the European Data Protection Supervisor, and (ii) consulting with the Article 31 Member State Representatives

13 Privacy Shield – key substance points
‒ The Privacy Shield would function through a certification process by which U.S. companies agree to adhere to the Principles, including Notice; Choice; Security; Data Integrity and Purpose Limitation; Access; Accountability for Onward Transfer; Recourse, Enforcement and Liability; and more.
‒ A few of the key substantive points include:
  ‒ Enhanced notice requirements consisting of thirteen specific information points that must be notified to data subjects, including information about arbitration procedures and liability for onward transfers to third parties
  ‒ Obligations to impose contracts on data controller recipients that impose the same privacy protections as the Principles and require adherence to the terms of individual consent, subject to certain exceptions for intragroup transfers
  ‒ Accountability for onward transfers to agents, including assuring that disclosures are for limited and specified purposes only, taking steps to stop any inappropriate processing, and remaining responsible for the handling of the data

14 Privacy Shield – key procedural points
‒ The Privacy Shield establishes significant procedural oversight for the program. A few of the key procedural points include:
  ‒ Obligations for companies to: (i) respond to individual complaints within 45 days; (ii) comply with advice of the data protection authority ("DPA") dispute resolution panel within 25 days; (iii) participate in mandatory arbitration; and (iv) provide DOC with copies of vendor agreements, human resources privacy policies, and other materials upon request.
  ‒ Duties for DOC to: (i) actively update the list if an organization voluntarily withdraws or fails to complete its annual re-certification, and maintain a list of companies which no longer participate; (ii) remove companies from the list for persistent failure to comply, and require such companies to return or delete data obtained under Privacy Shield; and (iii) require companies to continue to annually certify to the DOC that they adhere to the Privacy Shield Principles, even after they have de-certified from the program, if they wish to retain such data in the US (unless they demonstrate another means to address adequacy, e.g., via standard contractual clauses or approved binding corporate rules).

15 Privacy Shield – limited transition period
‒ Privacy Shield provides a limited transition period with respect to third party contractual relationships.
‒ If an organization certifies to Privacy Shield within two (2) months following the framework's effective date (i.e., the date it is formally approved as a decision by the European Commission), then the organization will have up to nine (9) months from the date upon which it certifies to bring such relationships with third parties in line with the Accountability and Onward Transfer Principle.
‒ This provides organizations with an incentive to evaluate Privacy Shield on an expedited basis and make decisions about certification promptly.
‒ Note that there is no such formal transition or grace period with respect to Safe Harbor, as that program was invalidated by the Court of Justice of the European Union.

16 Article 29 Working Party Opinion on Privacy Shield (April 13, 2016)
‒ Commercial issues
‒ National security/law enforcement issues
‒ Overall views

17 WP29 – Overall views
‒ Privacy Shield offers "major improvements" compared to Safe Harbor
‒ "Greatly welcomes" the annual joint review of Privacy Shield
‒ Annual review process is a "key factor to the overall credibility" of Privacy Shield
‒ High level concerns:
  ‒ Confirmation that Privacy Shield does not replace applicable data protection law
  ‒ Clarification on Privacy Shield documents

18 WP29 – Commercial issues
‒ Application of the Privacy Shield to agents/processors (lack of clarity on application of the Notice/Choice principles to agents/processors)
‒ Exceptions to the Principles for statutes, regulations, or other legal obligations (should be limited to what is "justifiable in a democratic society")
‒ Data retention (should contain an express requirement)
‒ Choice (should establish more details of how and when opt-out choice options would be presented to data subjects)
‒ Onward transfers (should also evaluate the circumstances surrounding the transfers, such as the surveillance rules in a third country)
‒ Redress mechanisms (raises concerns that the different layers of redress mechanisms may be complex and difficult for data subjects to understand)
‒ Grace period for organizations that certify within two months (considers that organizations should be compliant upon certification to obtain the benefits)

19 WP29 – National security/law enforcement
‒ Overall view that the provisions on national security and law enforcement in the draft Privacy Shield adequacy decision "demonstrates that a multi-layered approach of both internal and external oversight mechanisms is in place in the U.S."
‒ Concerns about how US authorities will apply Presidential Policy Directive 28 (PPD-28), Executive Order 12333 (EO 12333), the USA Freedom Act, the Foreign Intelligence Surveillance Act, and others
‒ Generally outside the scope of private company control, but best practices to help reduce concerns include:
  ‒ Confirm legal requirements before making disclosures
  ‒ Narrow the scope of required disclosures where possible
  ‒ Encourage use of mutual legal assistance treaties (MLATs) and other direct avenues for government data collection
  ‒ Promote transparency with data subjects

20 EU-U.S. Privacy Shield: Next Steps
‒ EC consideration of the views of WP29, Parliament, and EDPS, and review with US DOC
‒ EC consultation with the committee composed of representatives of EU member states (Article 31 Committee)
‒ Final decision by the EU College of Commissioners (target July 2016)
‒ Risks of court challenges?

21 What now?
‒ No one-size-fits-all answer
‒ For companies presently participating in Safe Harbor, consider short term solutions such as adoption of Model Contracts or other mechanisms
‒ Evaluate substantive and procedural aspects of Privacy Shield
‒ Recognize that with the coming of the GDPR, other data transfer vehicles (e.g., model clauses) are likely to undergo transformations
‒ Evaluate pros and cons of available options for data transfers
‒ Regardless of the vehicle for cross-border transfer, there is more work to be done to comply with the GDPR

22 4. EU Data Protection Regulation — An Overview

23 The GDPR – Introductory Thoughts
‒ What is the GDPR? Regulation vs. Directive
‒ First major update since 1995
‒ What will happen to national law?
‒ Is it enacted yet? Is it final?
‒ When will it be effective?
‒ Does it apply to companies outside the EU?

24 4a. International Data Transfers

25 International Data Transfers (Art. 44-50) – What is new and what remains?
1. Transfers outside the EEA are prohibited unless there is adequacy or an exception applies:
  a. EU Commission adequacy decision on country, state, industry
  b. Appropriate safeguards – SCC approved by Commission, SCC proposed by DPAs, BCRs, DPA authorization
  c. Derogations for specific situations, including consent
2. Processing in the context of national security for member states remains excluded – no exceptions for national security of other countries
3. Territorial scope and local representative appointment recast
4. More prescriptive rules, more bureaucratic requirements

26 International Data Transfers – What is new and what remains?
Exceptions from transfer prohibitions include:
‒ consent
‒ contract with data subject
‒ contract in the interest of data subject
‒ public interest
‒ legal claims
‒ interests of data subject
‒ interest balancing
‒ country/state/sector adequacy decision
‒ data processing/transfer agreements; SCC
‒ BCR, Code of Conduct, Certification

27 International Data Transfers – What is new and what remains?
5. Existing adequacy decisions are grandfathered
6. New adequacy decisions subject to more prescriptive conditions
7. Consent subject to more prescriptive conditions
8. Processors and data processing contracts subject to more prescriptive requirements

28 4b. Data Mapping

29 Data Mapping step-by-step
‒ Scoping (“staging the map”): prepare a project plan and the necessary tools and materials bespoke to your needs (questionnaires/templates/guidance documents)
‒ Information Collection: via questionnaires/interviews, collect all required information in order to generate a data map; consider the internal and external resources required for this phase
‒ Information Analysis & Mapping: based on the information collected and your specific needs, produce data flow maps and analysis to best record and visualise your organization’s data processing activities; utilise technological tools to build an overview, ascertain gaps, assess risk, track maturity

30 Data Mapping – the 5Ws of Personal Data
‒ Who are we? Who are our data subjects? Who has access to personal data?
‒ Where do we keep their personal data? Where do we transfer personal data to?
‒ Why is personal data under our control? Why do we share personal data with others?
‒ Until when are we keeping personal data?
‒ What mechanisms do we have in place to safeguard personal data?

31 4c. Consent

32 New Definition of Consent (Art. 4(11), Recital 32)
‒ Consent must be:
  ‒ Freely given, specific, informed and unambiguous
  ‒ Given by a statement or a clear affirmative action indicating the data subject’s agreement to personal data being processed
‒ Practical examples:
  ‒ Ticking a box when visiting a website
  ‒ Choosing technical settings for information society services, or other conduct clearly indicating acceptance in a particular context
‒ A pre-ticked box, silence, or inactivity should not constitute consent

33 New Conditions for Consent
‒ Article 7 – Conditions for consent:
  ‒ Controllers must be able to demonstrate consent
  ‒ Requests for consent must be intelligible and easily accessible
  ‒ Data subjects must be informed of the right to withdraw their consent at any time (consent must be as easy to withdraw as to give)
‒ Recitals 42 and 43 – Consent is presumed not to be freely given where:
  ‒ The data subject has no genuine and free choice and is unable to refuse or withdraw consent without detriment
  ‒ There is a clear imbalance between data subject and controller
  ‒ ‘Omnibus’ (v. granular) consent is used for different data processing operations
  ‒ Contract performance or provision of a service is made conditional on consent to the processing of unnecessary data (‘take it or leave it’)

34 4d. Data Protection Officer

35 Designation of the Data Protection Officer (Article 37)
‒ The controller and the processor shall designate a DPO where:
  ‒ the processing is carried out by a public authority or body; or
  ‒ the core activities consist of processing operations which require monitoring of data subjects on a large scale; or
  ‒ the core activities consist of processing on a large scale of special categories of data and data relating to criminal convictions and offences.
‒ Certain companies (e.g., SMEs) may be exempted unless data processing is a "core activity"
‒ Core activities are primary activities (versus ancillary activities; Recital 97).

36 Designation of the Data Protection Officer (Article 37)
‒ In any other cases: a DPO may or, where required by Union or Member State law, shall be designated (room for manoeuvre in each Member State).
‒ Currently unclear whether a voluntary designation provides a direct benefit (possibly, free of charge consultation with the authority).
‒ DPO may be an employee or an external person (based on a service contract).
‒ DPO requires expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in the GDPR. The term "expert knowledge" is unspecified (e.g., with regard to possibly required knowledge of different Member State laws).

37 Tasks of the Data Protection Officer (Article 39)
‒ DPO has inter alia the following tasks:
  ‒ inform and advise the data controller or processor as well as employees;
  ‒ monitor compliance with data protection laws;
  ‒ cooperate with and act as contact person for supervisory authorities.

38 4e. Data Breach

39 Current situation
‒ No general obligation to notify data protection authorities of breach incidents involving personal data
‒ Conceptually, breach notification is not entirely new:
  ‒ Under the Data Protection Directive, data controllers should inform data subjects if their data are being used in ways the data subjects could not have foreseen
  ‒ On a European level, sector-specific breach reporting duties exist, in particular for ISPs and regulated financial services
  ‒ Some European countries (Germany, Spain, Netherlands) have introduced data breach notification duties already
  ‒ In some other countries, regulators have issued “guidance” only.

40 What is a data breach?
‒ Personal data breach: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”
‒ Not related to the quality/adequacy of the security measures
‒ Any incident impacting the C.I.A. triad (Confidentiality, Integrity, Availability)

41 When to report to the DPA? (Art. 33)
‒ When? Without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach; if notified later than 72 hours, a justification for the delay is required
‒ What to include in the report? Categories and approximate number of data subjects and data records concerned; contact details of the DPO or an alternative representative; likely consequences and measures taken to address and mitigate

42 Communicating to the data subject (Article 34)
‒ When? If the personal data breach is likely to result in a high risk for the rights and freedoms of individuals
‒ Exemptions: if the compromised data were rendered unintelligible (encrypted); if the high risk was mitigated effectively
‒ What? Same information as in the notification to the DPA
‒ How? Default: direct communication to affected data subjects; public communication permitted if needed to avoid ‘disproportionate effort’

43 Questions?
‒ Stay informed at www.bakerinform.com
‒ Surveillance law guide: http://datasecurity.bakermckenzie.com/
‒ Global Privacy Handbook at: http://globalprivacymatrix.bakermckenzie.com/

