1 Contractual Solutions for Cross-Border Data Transfers: Dealing with the Practical Problems
Robert L. Rothman, Privacy Associates International
Donald A. Cohn, E. I. du Pont de Nemours and Company
IAPP Summit, April 2010
2 Preliminaries
- Assume understanding of cross-border issues and available compliance alternatives
- Focus on practical issues involved in implementing cross-border solutions
3 Purpose
The purpose of this presentation is to:
- Point out problems and complexities in contracting with suppliers and affiliates
- Ask how we can use a contractual approach to satisfy local legal requirements
- Examine sample data flows using a hypothetical
- Offer possible solutions to some of those problems and complexities
4 The 4 Legs of the Privacy Stool
- Proportionality
- Registration
- Security
- Notice & consent to use
- Adequacy mechanism to transfer
WE WILL FOCUS ON DATA TRANSFER ADEQUACY
6 Examples of Where Contractual Solutions Are Used
- EU Standard Clause Agreements
  - Controller to controller: two flavors
  - New controller to processor agreements
- Safe Harbor onward transfer agreements
- Australia: the recipient of the information is subject to a contract which effectively upholds principles for fair handling of the information that are substantially similar to the NPPs
- Argentina: an international entity provides an adequate level of protection if it arises from contractual clauses covering the protection of personal data
- Japan
- Israel
7 Hypo
- Global Enterprises, Inc., US entity
- Manufactures and sells widgets through Global entities in 34 countries
  - 24 subsidiaries in EU countries
  - 9 subsidiaries in non-EU countries
  - 3 JVs: a majority owned, a 50-50, and a minority owned
- Wants to have free transferability of employee HR data around Global
- Wants to enter into a world-wide agreement with California Computer Services (CCS) for global web hosting involving storage of PI
- Wants contractual solutions
8 Free Transferability of Employee Data - EU Controller to Controller Outward Transfers
Let's deal first with the controller to controller HR data.
- One to one
- One to many
- Many to many
- DPAs require bilateral agreements signed by both parties. No variations are accepted.
9 EU SCC Bilateral Agreements
Global's non-EU entities, each contracting with each Global EU entity under controller to controller SCCs: USA, Russia, Japan, Australia, New Zealand, Israel, Canada, Mexico, Brazil, China, Saudi Arabia, Switzerland, Argentina
- Standard Clause Agreements: terrible documents
- Have a choice of the controller to controller classic version or the ICC version, where some liability is traded off for a due diligence obligation
- Note that no agreements are required for Switzerland and Argentina because their adequacy determinations cover HR data, but Canada's doesn't
- Need approval from the DPA in a number of countries
10 EU SCC Bilateral Agreements
Non-EU entities: USA, Russia, Japan, Australia, New Zealand, Israel, Canada, Mexico, Brazil, China, Saudi Arabia, Switzerland, Argentina; 24 EU countries in which Global operates; controller to controller SCCs between each pair
- Global will still need 264 contracts, many of which will require DPA approval
- Don will address some of the difficulties in making this happen in a minute
11 EU SCC Approval or Filing Requirements
- Prior approval required: Austria, Czech Republic, Luxembourg, Netherlands, Poland, Romania, Spain
- Filing only required: Belgium, Cyprus, Denmark, Finland, France, Greece, Malta, Portugal, Slovakia
- Slide is a bit of a generalization; have to look at the specifics of each law
- Some of the German Länder require approval or filing as well
12 Safe Harbor Alternative
Global certifies for compliance with Safe Harbor for its HR personal data. EU Global entities transfer to Global USA under Safe Harbor; Global USA passes the data on to non-EU Global entities under onward transfer agreements.
- The Safe Harbor approach dramatically reduces the number of contracts required for EU purposes to 10
- However, it means that all the European personal information must be routed through the US. In other words, if Global's Personnel Director in Germany wants to send information to Japan on a German employee who is a candidate for a position in Japan, either the systems have to work so the information first goes to the US, or the information has to be sent first to the US for retransmittal to Japan. It is unlikely this latter process will work over time, and the former process, if artificial, is unlikely to be accepted by the IT world for a formalistic privacy reason.
- This doesn't help at all with respect to the non-EU countries that have cross-border restrictions
- This depends on IT infrastructures
- Need a process in place before data flows change. How to deal with changes?
- New contract required if data does not flow first to the US
13 Free Transferability of Employee Data - Non-EU Transfers
Must additionally put in place other contracts
14 Japan
- Japanese conforming agreements must be entered among all the Global group companies
- Japanese law applicable to transfers within Japan or outside of Japan
- Section 22 of the Personal Information Protection Act requires businesses to supervise anyone to whom they delegate handling of PI
- The Act (as applicable to most businesses) is regulated by administrative guidelines promulgated by over 30 different ministries
- Certain ministries have developed regulations or guidelines applicable when delegating the handling of PI. For instance, the Ministry of Health, Labor and Welfare as well as the Ministry of Economy, Trade and Industry have promulgated guidelines with respect to the handling of PI and the oversight of suppliers (delegatees)
- Measures for protection of personal data taken by delegatees should be expressly defined in a contract that includes provisions:
  - Requiring non-disclosure by the delegatee's employees
  - Requiring written notification of the use of sub-suppliers
  - Specifying disposal/destruction standards
  - Prohibiting the use of PI outside the scope of the service
  - Obligating the delegatee to provide notice of security breaches
15 Australia
- Employee information is not normally subject to the privacy laws. However, there is a process for voluntarily submitting to the law even when it is otherwise not applicable. Various companies have done this as part of labor agreements, including Global.
- Australian conforming agreements must be entered among all the Global group companies
- Information Sheet 8 issued by the Australian Office of the Federal Privacy Commissioner addresses the question of how to maintain compliance with the National Privacy Principles (NPPs) when using suppliers
  - Recommends that Australian suppliers too small to be covered by the law be contractually obligated to "opt in" to coverage through the Australian DPA
  - Where the supplier is covered by the NPPs, contractual steps are still necessary to assure compliance by both parties
  - No distinction between controllers and processors
  - Notice: the supplier's obligation to notify data subjects of the collection and transfer of PI can be discharged by the customer entity under contract
  - Use and disclosure: to assure that the supplier uses the PI only for the primary purpose notified to the data subject, or a related purpose, provisions in the contract should limit use by the supplier
  - Data security: the purchasing entity should obligate the supplier to maintain security in line with the NPPs, even where the supplier has an independent duty to do so
- In order to use a supplier located outside Australia, an Australian customer must also comply with the Australian rules for cross-border transfer, e.g.:
  - Consent of the data subject
  - Supplier subject to a law, binding scheme or contract substantially similar to the NPPs (no approval required)
  - The purchaser has taken reasonable steps to ensure that the PI will not be treated inconsistently with the NPPs
16 Argentina
- Argentine conforming agreements must be entered among all the Global group companies
- Article 25 of the Personal Data Protection Act and the corresponding Regulations regulate the provision of computerized services involving PI
- A contract is required with the service provider that must:
  - Limit the use of the PI by the supplier to the provision of the service specified
  - Require destruction of the PI after the contract is completed, subject to certain limited exceptions
  - Require the supplier to comply with the specific security provisions of Article 9 of the Act
- Can use a foreign supplier only with one of the following:
  - the consent of each data subject;
  - the supplier is in a country the Argentine DPA has determined has "adequate" laws; or
  - the Argentine DPA has determined the supplier is subject to a self-regulation system or contract covering the protection of PI
- Thus contract approval is required
17 World-Wide Bilateral Agreement Solution to Global's HR Transferability Problem Looks Like This:
18 Bilateral Approach
Non-EU entities: USA, Russia, Japan, Australia, New Zealand, Israel, Canada, Mexico, Brazil, China, Saudi Arabia, Switzerland, Argentina; 24 EU countries in which Global operates
- Global will still need 372 contracts, many of which will require DPA approval
- Don will address some of the difficulties in making this happen in a minute
19 Assuming Global still wants to go in this direction, what are some of the practical elements of actually getting these cross-border contractual solutions done?
- Form a global privacy team with representatives in each region/country where Global does business
- Form a global legal team with in-house/outside counsel for each region
- Need policies, standards and procedures on data transfer
- Need a communications plan
- Delegate resolution of legal requirements, registration obligations, and contractual signature issues to regional or local privacy and legal teams
- Centralize compliance/auditing
- Piggyback on the corporate electronic security organization; make sure that privacy security requirements are incorporated into the electronic and physical security corporate policies, standards, and procedures
- Piggyback with procurement buyers and their lawyers to address signature of privacy-related contracts
- Use paralegals
20 HR Solution: Global's Administrative Issues
- How to identify all of Global's entities that have to be a party to an agreement?
- Should each of the joint ventures sign?
- Who has authority to sign the agreement at each entity?
- How do you explain to those who have to sign, and others at each entity, what this is all about and why it is required?
  - Canned presentations
  - Start at the top of the product or regional organization and enlist assistance in explaining to each entity
  - Do a web meeting
  - Get some function with broad representation throughout the world (e.g. privacy or legal) to make local reps available to assist. Train the local reps.
21 HR Solution: Global's Administrative Issues
- What has to be done by each entity to comply with the agreements?
- What has to be done centrally (e.g. IT security) to allow each entity to comply?
- What is the process for keeping track of who has signed the agreements and for retaining the documents?
- How do you figure out when the agreements have to be approved by or registered with government authorities?
- Who actually files the agreements/applications? Follow the corporate process (if there is one)? At each entity? Centrally with privacy or legal?
22 HR Solution: Global's Administrative Issues
- Who actually files the agreements/applications?
- Who keeps track of approvals received, and not received?
- What is the process to modify agreements when (rather than if) data flows change, rules change, or the corporate organization changes?
- How does one deal with the creation of new legal entities, to make sure that agreements are entered into as part of the creation process?
23 Is there any way to eliminate putting all those contracts in place and still allow Global to pass HR information among its operations?
1. Get powers of attorney from various affiliates so one person can sign for a lot of affiliates.
2. Try to automate the process:
   - Web based
   - Have affiliates and contractors input "signatures"
   - Have affiliates and contractors "sign" contracts
   - Push a button: get a tailored contract for individual data flows
   - Provide DPAs with custom signed bilateral agreements, as needed
3. Use a blended approach: use all adequacy mechanisms together (model clauses, Safe Harbor, opt-in voluntary consent where permitted) to cut down on complexity and make contractual issues more manageable.
24 Simplification Strategy 1
Consists of two parts:
- Global certifies for Safe Harbor to get EU data to the US
- All Global entities enter into a Personal Information Safeguard Agreement (PISA)
PISA would establish the following obligations for Participating Entities when exporting personal information:
- Comply with all domestic privacy laws before the transfer
- Give data subjects notice about the use of the personal information
- Comply with the agreement rules for dealing with any proposed change of use
- Comply with the agreement rules for responding to data subjects' requests for access to their personal information
- Train employees regarding their obligations
- Ensure that the personal data is accurate, complete, current, and reliable for the intended use
25 Simplification Strategy 1
PISA would establish the following obligations for Participating Entities when receiving personal data from a Participating Entity in another country:
- Comply with the privacy laws of the country of the receiving unit
- Use the personal information only for the purposes included in the notice to the data subject
- Notify and obtain approval from the transferring unit for any proposed change in the use of the personal information
- Limit the transfer of the personal information to authorized parties
- Comply with the PISA rules for responding to data subjects' requests for access to their personal information
- Train employees regarding their obligations
- Comply with Global's technical, physical and administrative security policies
- Notify the transferring unit and Global US of any breach of security that involves personal data
- Comply with specified rules for responding to inquiries by government authorities and others regarding personal information
- Comply with Global's data retention rules
26 Simplification Strategy 1
- PISA could be hard copy, with "agreement opt-in" sheets signed and mailed in to Global US as the administrative entity
- To increase efficiency, the PISA could be executed by an online opt-in form that is executed by each entity under the electronic signature law of one of the US states (that would be the PISA's governing law)
- The PISA as described would:
  - Serve as an onward transfer agreement under Safe Harbor, thus allowing Global's EU employee information to be sent to all Participating Entities
  - Serve as a sufficient primary legal basis for the cross-border transfer of personal information from Japan, Australia and Argentina to the US, to the EU countries and to other jurisdictions with a Global presence
- This reduces the number of agreements from 372 bilateral agreements to 1 multilateral agreement plus Safe Harbor, and reduces the number of government approvals for the agreements to 0
- No government approvals required
28 Simplification Strategy 2
- Eliminate the Safe Harbor certification aspect of Strategy 1
- Create a PISA Heavy consisting of 2 parts:
  - Part A is exactly the same as in Simplification Strategy 1: general provisions applicable to transferors and transferees
  - Part B is applicable to exports of personal data out of countries with very specific requirements not covered by Part A, such as an EU controller to controller SCC (either flavor)
- Each blank in the SCC and Annexes is completed by incorporating by reference a section of the PISA opt-in sheet, the document used by an entity to become bound to the PISA Heavy agreement
29 PISA Heavy Structure
Part I: General rules required under most laws
- When a Participating Entity is acting as a data exporter it agrees to follow the data exporter rules in this contract
- When a Participating Entity is acting as a data importer it agrees to follow the data importer rules in this contract
Part II: Specific rules for countries with cross-border laws
- With respect to all personal data exported from Australia, Participating Entities agree to comply with the following Australian rules. In case of a conflict with a Part I general rule, the Australian rule shall prevail.
- With respect to all personal data exported from Argentina, Participating Entities agree to comply with the following Argentine rules. In case of a conflict with a Part I general rule, the Argentine rule shall prevail.
- With respect to all personal data exported from an EU country, the following SCC (controller to controller) shall apply.
  - The full text of the SCC is reproduced
  - Blanks are completed by incorporating by reference specific sections of the PISA opt-in form completed by each Participating Entity
Part III
- Boilerplate
- Execution process
30 Example: SCC Required Blanks
- Name (written out in full): (Exhibit B to this PISA, Opt-in Signature Page, is hereby incorporated by reference)
- Data importer. The data importer is (please specify briefly activities relevant to the transfer): (Exhibit B to this PISA, Opt-in Signature Page, Section 2 is hereby incorporated by reference)
31 PISA Heavy Opt-in Form
Section 2: Activities of Transferor related to the transfer (check all appropriate or fill in if category not listed):
□ Sales and Marketing
□ Human Relations
□ Issuing of Securities
□ Public Interest
□ Other (please list and be as descriptive as possible): _____________________________________________________
32 Simplification Strategy 2
- Applicable law for Part B would be the law of the country of the data exporting entity
- Privity of contract exists among each of the Global entities. For instance, privity between EU Subsidiary 6 and non-EU Subsidiary 20 can be demonstrated by producing the Agreement, the signed opt-in sheet for Subsidiary 6 and the signed opt-in sheet for Subsidiary 20.
- The controller to controller SCC is applicable to all exports out of the EU
- Requires approval of EU DPAs in countries where DPAs have to review SCCs to assure a sufficient level of specificity in the annexes
34 All of this has dealt with Global's HR information problem, a controller to controller transfer. What about Global's entering into a world-wide agreement with California Computer Services (CCS) for global web hosting involving storage of PI?
EU Standard Processor Agreement
- Must have privity between each and every PI-exporting controller (e.g. Global Spain, Global UK) and each and every third-country processor (e.g. CCS US)
- Transfers between non-EU entities further complicate the mix
- Tried hub and spoke: not accepted
- Subjects the controller to liability if the processor no longer exists or is insolvent
- Some countries require approval of the agreement to see that these sections have been filled out with sufficient specificity
- No clear path to automate
- Paralegals go crazy
- Exponential growth of bilateral model agreements
New "Standard Clause Controller to Processor Contract"
- Allows service providers to furnish personal information to sub-suppliers that enter into the processor to processor contract; the new clauses address this issue
- Thus, data controllers must generally enter into Standard Clause Processor Agreements with each of the prime processor's sub-contractors
- Another avalanche of contracts
- Both compliance and enforcement spotty
The same options apply as for the HR problem:
- Get powers of attorney from various affiliates so one person can sign for a lot of affiliates
- Try to automate the process: web based; have affiliates and contractors input "signatures" and "sign" contracts; push a button to get a tailored contract for individual data flows; provide DPAs with custom signed bilateral agreements, as needed
- Use all adequacy mechanisms together: model clauses, Safe Harbor, opt-in voluntary consent (where permitted)
- Cut down on complexity; make contractual issues more manageable