Presentation is loading. Please wait.

Presentation is loading. Please wait.

Robert L. Rothman Donald A. Cohn

Published byRegina Stanley Modified over 9 years ago

Similar presentations

Presentation on theme: "Robert L. Rothman Donald A. Cohn"— Presentation transcript:

1 Contractual Solutions for Cross-Border Data Transfers: Dealing with the Practical Problems
Robert L. Rothman Donald A. Cohn Privacy Associates International E. I. du Pont de Nemours and Company IAPP Summit, April, 2010

2 Preliminaries Assume understanding of cross-border issues and available compliance alternatives Focus on practical issues involved in implementing cross-border solutions

3 Purpose The Purpose Of This Presentation Is To:
Point Out Problems And Complexities In Contracting With Suppliers And Affiliates Ask How Can We Use A Contractual Approach To Satisfy Local Legal Requirements. Examine Sample Data Flows Using a Hypo Offer Possible Solutions To Some Of Those Problems And Complexities

4 The 4 Legs of the Privacy Stool
Proportionality Registration Security Notice & Consent To Use Adequacy Mechanism To Transfer WE WILL FOCUS ON DATA TRANSFER ADEQUACY

5

6 Examples of Where Contractual Solutions Are Used
EU Standard Clause Agreements Controller to Controller: two flavors New Controller to Processor Agreements Safe Harbor Onward Transfer Agreements Australia the recipient of the information is subject to a contract which effectively upholds principles for fair handling of the information that are substantially similar to the NPPs Argentina An international entity provides an adequate level of protection if it arises from contractual clauses covering the protection of personal data Japan Israel

7 Hypo Global Enterprises, Inc., US Entity
Manufactures and sells widgets through Global entities in 34 countries 24 subsidiaries EU countries 9 subsidiaries in non-EU countries 3 JVs – a majority owned, a 50-50, and a minority owned Wants to have free transferability of employee HR data around Global Wants to enter into world-wide agreement with California Computer Services (CCS) for global web hosting involving storage of PI Wants contractual solutions

8 Free Transferability of Employee Data -
EU Controller to Controller Outward Transfers Let’s deal first with the controller to controller HR data. One to One One to Many Many to Many DPA's Require Bilateral Agreements Signed by Both Parties. No Variations are Accepted

9 EU SCC Bilateral Agreements
Global’s Non-EU Entities Global EU Entity USA Russia Japan Australia New Zealand Israel Canada Mexico Brazil China Saudi Arabia Switzerland Argentina Controller to Controller SCCs Standard Clause Agreements – terrible documents Have choice of controller to controller classic or ICC version where some liability is traded off for a due diligence obligation. Note no agreements required for Switzerland and Argentina because their adequacy determinations cover HR data – but Canada’s doesn’t Need approval from DPA in a number of countries

10 EU SCC Bilateral Agreements
USA Russia Japan Australia New Zealand Israel Canada Mexico Brazil China Saudi Arabia Switzerland Argentina 24 EU Countries In which Global Operates Controller to Controller SCCs Global will still need 264 contracts, many of which will require DPA approval Don will address some of the difficulties in making this happen in a minute 10

11 EU SCC Approval or Filing Requirements
Prior approval required: Austria Czech Republic Luxembourg Netherlands Poland Romania Spain Filing only required : Belgium Cyprus Denmark Finland France Greece Malta Portugal Slovakia Slide is a bit of a generalization – have to look at specifics of each law Some of the German Lander require approval or filing as well

12 Safe Harbor Alternative
Non-EU Global Entities EU Global Entities Global certifies for compliance with Safe Harbor for its HR Personal Data Onward Transfer Agreements Transfers under Safe Harbor Safe Harbor approach dramatically reduces the number of contracts required for EU purposes to 10 However, it means that all the European personal information must be routed through the US. In other words, if Global’s Personal Director in Germany wants to send information to Japan on a German employee who is a candidate for a position in Japan, either the systems have to work so the info first goes to the US or the infor has to be sent first to the US for retransmittal to Japan. It is unlikely this latter process will work over time, and the former process, if artificial, is unlikely to be accepted by the IT world for a formalistic privacy reason. This doesn’t help at all with respect to the non-EU countries that have cross-border restrictions this depends on IT infrastructures. Need process before data flows change. How deal with changes? New Contract requirement If Data not flow first to US. Global USA

13 Free Transferability of Employee Data - Non-EU Transfers
Must additionally put in place other contracts

14 Japan Requiring non-disclosure by delegatee’s employees
Japanese conforming agreements must be entered among all the Global group companies Japanese law applicable to transfers within Japan or outside of Japan Section 22 of the Personal Information Protection Act requires businesses to supervise anyone to whom it delegates handling of PI. The Act (as applicable to most businesses) is regulated by administrative guidelines promulgated by over 30 different ministries. Certain ministries have developed regulations or guidelines applicable when delegating the handling of PI. For instance, the Ministry of Health, Labor and Welfare as well as the Ministry of Economy, Trade and Industry, have promulgated guidelines with respect to the handling of PI and the oversight of suppliers (delegatees) Measures for protection of personal data taken by delegatees should be expressly defined in a contract that includes provisions : Requiring non-disclosure by delegatee’s employees Requiring written notification of the use of sub-suppliers Specifying disposal/destruction standards Prohibiting the use of PI outside the scope of the service Obligating the delegatee to provide notice of security breaches

15 Australia Employee information not normally subject to the privacy laws. However, there is a process for voluntarily submitting to the law even when it is otherwise not applicable. Various companies have done this as part of labor agreements, including Global. Australian conforming agreements must be entered among all the Global group companies Information Sheet 8 issued by the Australian Office of the Federal Privacy Commissioner addresses the question of how to maintain compliance with the National Privacy Principles (NPPs) when using suppliers. Recommends that Australian suppliers too small to be covered by the law be contractually obligated to “opt-in” to coverage through the Australian DPA. Where the supplier is covered by the NPPs, contractual steps still necessary to assure compliance by both parties. No distinction between controllers and processors Notice: the supplier’s obligation to notify data subjects of the collection and transfer of PI. Can be discharged by the customer entity under contract. Use and disclosure: to assure that the supplier uses the PI only for the primary or related purpose to that notified to the data subject, provisions in the contract should limit use by the supplier. Data Security: the purchasing entity should obligate the supplier to maintain security in line with the NPPs, even where the supplier has an independent duty to do so. In order to use a supplier located outside Australia, an Australian customer must also comply with the Australian rules for cross-border transfer, e.g. Consent of data subject Supplier subject to a law, binding scheme or contract substantially similar to the NPPs (no approval required) The purchaser has taken reasonable steps to ensure that the PI will not be treated inconsistently with NPPs

16 Argentina Argentine conforming agreements must be entered among all the Global group companies Article 25 of the Personal Data Protection Act and the corresponding Regulations regulate the provision of computerized services involving PI. A contract is required with the service provider that must: Limit the use of the PI by the supplier to the provision of the service specified Destroy the PI after the contract is completed, subject to certain limited exceptions Require the supplier to comply with the specific security provisions of Article 9 of the Act Can use a foreign supplier only with one of the following: the consent of each data subject; if the supplier is in a country the Argentine DPA has determined has “adequate” laws; or If the Argentine DPA has determined the supplier is subject to a self-regulation system or contract covering the protection of PI. Thus contract approval required

17 World-Wide Bilateral Agreement Solution to Global’s HR Transferability Problem Looks Like This:

18 Bilateral Approach USA Russia Japan Australia New Zealand Israel
Canada Mexico Brazil China Saudi Arabia Switzerland Argentina 24 EU Countries In which Global Operates Global will still need 372 contracts, many of which will require DPA approval Don will address some of the difficulties in making this happen in a minute 18

19 Assuming Global still wants to go in this direction, what are some of the practical elements of actually getting these cross-border contractual solutions done? Form a global privacy team with representatives in each region/country where do business Form a global legal team with in house /outside counsel for each region Need policies, standards, procedures on data transfer Need communications plan Delegate resolution of legal requirements, registration obligations, and contractual signature issues to regional or local privacy and legal teams. Centralize compliance/auditing Piggy back on corporate electronic security organization / Make sure that Privacy Security Requirements are incorporated into Electronic and Physical Security Corporate Policies,standards, and procedures Piggy back with procurement buyers and their lawyers to address signature of privacy related contracts Use Paralegals

20 HR Solution: Global’s Administrative Issues
How to identify all of Global’s entities that have to be a party to an agreement? Should each of the Joint Ventures sign? Who has authority to sign the agreement at each entity? How do you explain to those who have to sign, and others at each entity, what this is all about and why it is required? Canned presentations Start at top of product or regional organization and enlist assistance in explaining to each entity Do web meeting Get some function with broad representation throughout the world to make local reps available to assist. Train the local reps. (eg privacy or legal)

21 HR Solution: Global’s Administrative Issues
What has to be done by each entity to comply with the agreements? What has to be done centrally (e.g. IT security) to allow each entity to comply? What is the process for keeping track of who has signed the agreements and for retaining the docs How do you figure out when the agreements have to be approved by or registered with government authorities? Who actually files the agreements/applications? Follow corporate process (if there is one)? At each entity? Centrally with privacy or legal?

22 HR Solution: Global’s Administrative Issues
Who actually files the agreements/applications? Who keeps track of approvals received – and not received? What is the process to modify agreements when – rather than if - data flows change, rules change, corporate organization changes? question about how does one deal with the creation of new legal entities to make sure that agreements are entered into as part of the creation process.

23 Is there anyway to eliminate putting all those contracts in place and still allow Global to pass HR information among its operations? 1. Get Powers of Attorney from various affiliates so one person can sign for a lot of affiliates. 2. Use the automation slide here 3. Use the blended approach I suggested where a blend of voluntary consents ( where permitted), safe harbor, and model clauses to reduce complexity. Try to Automate the Process Web based Have Affiliates and Contractors Input “Signatures” Have Affiliates and Contractors “sign” contracts Push A button – get tailored contract for Individual data flows Provide DPA’s with custom signed bilateral agreements, as needed. Use All Adequacy Mechanisms Together Model Clauses Safe Harbor Opt In Voluntary Consent (where permitted) Cut Down On Complexity Make Contractual Issues More Manageable

24 Simplification Strategy 1
Consists of two parts: Global certifies for Safe Harbor to get EU data to the US All Global entities enter into a Personal Information Safeguard Agreement (PISA) PISA would: Establish the following obligations for Participating Entities when exporting personal information: Comply with all domestic privacy laws before the transfer. Give data subjects notice about the use of the personal information. Comply with agreement rules for dealing with any proposed change of use. Comply with the agreement rules for responding to data subjects’ requests for access to their personal information. Train employees regarding their obligations. Ensure that the personal data is accurate, complete, current, and reliable for the intended use.

25 Simplification Strategy 1
Establish the following obligations for Participating Entities when receiving personal data from a Participating Entity in another country: Comply with the privacy laws of the country of the receiving unit. Use the personal information only for the purposes included in the notice to the data subject. Notify and obtain approval from the transferring unit for any proposed change in the use of the personal information. Limit the transfer of the personal information to authorized parties. Comply with the PISA rules for responding to data subjects’ requests for access to their personal information. Train employees regarding their obligations. Comply with Global’s technical, physical and administrative security policies. Notify the transferring unit and Global US of any breach of security that involves personal data Comply with specified rules for responding to inquiries by government authorities and others regarding personal information. Comply with Global’s data retention.

26 Simplification Strategy 1
PISA could be hard copy with “agreement opt-in” sheets signed and mailed in to Global US as the administrative entity. To increase efficiency, the PISA could be executed by an on line opt-in form that is executed by each entity under the electronic signature law of one of the US states (that would be the PISA’s governing law) The PISA as described would: Serve as an onward transfer agreement under Safe Harbor, thus allowing Global’s EU employee information to be sent to all Participating Entities Serve as a sufficient primary legal basis for the cross border transfer of personal information from Japan, Australia and Argentina to the US, to the EU countries and to other jurisdictions with a Global presence This reduces the number of agreements from 372 bilateral agreements to 1 multilateral agreement plus Safe Harbor and reduces the number of government approvals for the agreements to 0. No government approvals required

27 Strategy 1 Structure Safe Harbor EU Countries

28 Simplification Strategy 2
Eliminate the Safe Harbor certification aspect of Strategy 1 Create a PISA Heavy consisting of 2 parts: Part A is exactly the same as in Simplification Strategy 1 – General Provisions applicable to Transferors and Transferees Part B is applicable to exports of personal data out countries with very specific requirements not covered by Part A such as an EU Controller to Controller SCC (either flavor) Each blank in the SCC and Annexes is completed by incorporating by reference a section of the PISA opt-in sheet, the document used by an entity to become bound to the PISA Heavy agreement

29 PISA Heavy Structure Part I: General Rules Required Under Most Laws
When a Participating Entity is acting as a Data Exporter it agrees to follow the data exporter rules in this contract When a Participating Entity is acting as a Data Importer it agrees to follow the data importer rules in this contract Part II: Specific Rules for Counties with Cross-Border Laws With respect to all personal data exported from Australia, Participating Entities agree to comply with the following Australian rules. In case of a conflict with a Part I General Rule, the Australian rule shall prevail. With respect to all personal data exported from Argentina, Participating Entities agree to comply with the following Argentine rules. In case of a conflict with a Part I General Rule, the Argentine rule shall prevail. With respect to all personal data exported from an EU country, the following SCC (Controller to Controller) shall apply. The full text of the SCC is reproduced Blanks completed by incorporating by reference specific sections of the PISA Opt-in Form completed by each Participating Entity Part III Boilerplate Execution process

30 Example: SCC Required Blanks
Name (written out in full): (Exhibit B to this PISA, Opt-in Signature Page is hereby incorporated by reference) Data importer The data importer is (please specify briefly activities relevant to the transfer): (Exhibit B to this PISA, Opt-in Signature Page, Section 2 is hereby incorporated by reference)

31 Pisa Heavy Opt-in Form Section 2: Activities of Transferor related to the transfer: (Check all appropriate or fill-in if category not listed) □ Sales and Marketing □ Human Relations □ Issuing of Securities □ Public Interest □ Other (Please list and be as descriptive as possible):_____________________________________________________

32 Simplification Strategy 2
Applicable law for Part B would be the law of the country of the data exporting entity Privity of contract exists among each the Global entities: For instance, privity between EU Subsidiary 6 and non-EU Subsidiary 20 can be demonstrated by producing the Agreement, the signed opt-in sheet for Subsidiary 6 and the signed opt-in sheet for Subsidiary 20. The Controller to Controller SCC is applicable to all exports out of the EU Requires approval of EU DPAs in countries where DPA’s have to review SCCs to assure a sufficient level of specificity in the annexes.

33 Strategy 2 Structure PISA Heavy

34 All of this has dealt with Global’s HR information problem – a controller to controller transfer – what about Global’s entering into a world-wide agreement with California Computer Services (CCS) for global web hosting involving storage of PI? EU Standard Processor Agreement Must have privity between each and every PI exporting controller (e.g. Global Spain, Global UK) and each and every third country processor (e.g. CCS US) Transfers between Non EU Entities Further Complicate Mix Tried Hub and Spoke – Not Accepted Subjects controller to liability if the processor no longer exists or is insolvent Some countries require approval of the agreement to see that these sections have been filled out with sufficient specificity No clear path to automate Paralegal’s Go Crazy Exponential Growth of Bilateral Model Agreements New “Standard Clause Controller to Processor Contract” Allows service providers to furnish personal information to sub-suppliers that enter into the processor to processor contract New Clauses Address This Issue Thus, data controllers must generally enter into Standard Clause Processor Agreements with each of the prime processor’s sub-contractors Another Avalanche of Contracts Both compliance and enforcement spotty Get Powers of Attorney from various affiliates so one person can sign for a lot of affiliates Try to Automate the Process Web based Have Affiliates and Contractors Input “Signatures” Have Affiliates and Contractors “sign” contracts Push A button – get tailored contract for Individual data flows Provide DPA’s with custom signed bilateral agreements, as needed. Use All Adequacy Mechanisms Together Model Clauses Safe Harbor Opt In Voluntary Consent (where permitted) Cut Down On Complexity Make Contractual Issues More Manageable

35 Questions?

Download ppt "Robert L. Rothman Donald A. Cohn"

Similar presentations

EU Privacy Directive. What is a directive? A piece of European legislation, passed by bureaucrats, addressed to member states Member states must ensure.

EU Privacy Directive. What is a directive? A piece of European legislation, passed by bureaucrats, addressed to member states Member states must ensure.
Identifying Data Protection Issues Developing Lifelong Learner Record Systems and ePortfolios in FE and HE: Planning for, and Coping with, Legal Issues.

Identifying Data Protection Issues Developing Lifelong Learner Record Systems and ePortfolios in FE and HE: Planning for, and Coping with, Legal Issues.
Standing for trust and integrity OROC Congress Ethics and Accountability Lisbon, 22 October 2010 Hilde Blomme FEE Director of Practice Regulation.

Standing for trust and integrity OROC Congress Ethics and Accountability Lisbon, 22 October 2010 Hilde Blomme FEE Director of Practice Regulation.
Sarah Branam Mehmet MunurDino Tsibouris

Sarah Branam Mehmet MunurDino Tsibouris
© 2005 Morrison & Foerster LLP All Rights Reserved Data Security and Incident Notification: The Impact of Foreign Law Presented April 26, 2006 to EDUCAUSE.

© 2005 Morrison & Foerster LLP All Rights Reserved Data Security and Incident Notification: The Impact of Foreign Law Presented April 26, 2006 to EDUCAUSE.
1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,
Lesson 10 GST on Import & Export Business Li, Jialong 2011-2-26.

Lesson 10 GST on Import & Export Business Li, Jialong
Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 1 HIPAA Learning Module The following is an educational Powerpoint presentation on the.

Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.
Property of Common Sense Privacy - all rights reserved 01875340890 THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.

Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Per Anders Eriksson

Per Anders Eriksson
The U.S.-E.U. Safe Harbor Framework The U.S.-E.U. Safe Harbor Framework New Developments in Data Flows, Standards, & Compliance Damon Greer U.S. Department.

The U.S.-E.U. Safe Harbor Framework The U.S.-E.U. Safe Harbor Framework New Developments in Data Flows, Standards, & Compliance Damon Greer U.S. Department.
High Technology Cooperation Group: Data Privacy The Indo-U.S. High Technology Cooperation Group November 18, 2004 www.usibc.com Privacy and Cyber Security:

High Technology Cooperation Group: Data Privacy The Indo-U.S. High Technology Cooperation Group November 18, Privacy and Cyber Security:
Transborder dataflows Flow of information across national borders Much of this data involves personal information.

Transborder dataflows Flow of information across national borders Much of this data involves personal information.
Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.

Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.
Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.

Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.
Class 13 Internet Privacy Law European Privacy.

Class 13 Internet Privacy Law European Privacy.
THE CHOICES WE MAKE THAT MATTER – International Data Privacy/Protection JILL L. UREY, ASSISTANT GENERAL COUNSEL MID-ATLANTIC CIO FORUM NOVEMBER 20, 2014.

THE CHOICES WE MAKE THAT MATTER – International Data Privacy/Protection JILL L. UREY, ASSISTANT GENERAL COUNSEL MID-ATLANTIC CIO FORUM NOVEMBER 20, 2014.
Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.

Data Protection Paul Veysey & Bethan Walsh. Introduction Data Protection is about protecting people by responsibly managing their data in ways they expect.
Privacy Codes of Conduct as a self- regulatory approach to cope with restrictions on transborder data flow Dr. Anja Miedbrodt Exemplified with the help.

Privacy Codes of Conduct as a self- regulatory approach to cope with restrictions on transborder data flow Dr. Anja Miedbrodt Exemplified with the help.
Employers’ Responsibilities Under HIPAA Case Study: Implementing HIPAA in the Control Group Setting The Sixth National HIPAA Summit March 28, 2003.

Employers’ Responsibilities Under HIPAA Case Study: Implementing HIPAA in the Control Group Setting The Sixth National HIPAA Summit March 28, 2003.

Similar presentations

Ads by Google