Presentation is loading. Please wait.

Presentation is loading. Please wait.

Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.

Published byGabriel Hunt Modified over 8 years ago

Similar presentations

Presentation on theme: "Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New."— Presentation transcript:

1 Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New York, New York April 7, 2006

2 -2- Introduction Examine the mechanisms by which personal data (personally identifiable) can be transmitted from member states of the E.U. to a third country.  A determination that the third country has adequate safeguard (including U.S. Safe Harbor).  An ad hoc or standard agreement between the data controller and the party in the third country.  Binding Corporate Rules.  Consent of the data subject.  Master Agreement.

3 -3- Introduction (cont’d) Discuss some indicators on how frequently the formal mechanisms are being employed to transfer personal data.

4 -4- E.U. Data Protection Principles E.U. and member states have created most elaborate mechanism for protection of Personal Data.  Directive 95/46/EC of 25 October 1995 On the protection of individuals regarding processing or transfer of personal data.  Directive 2002/58/EC of 12 July 2002 On processing of personal data and protection of electronic communication.  Regulation (EC) 45/2001 of 18 December 2000 On the processing of personal data by Community Institutions.  Directive 2006/__/EC On retention of data generated in the provision of electronic communications.

5 -5- E.U. Data Protection Principles (cont’d) The 25 member states adopted laws implementing the Directive.  Process took a long time. – France 2004 – Ireland still has not notified the adoption.  Laws vary widely. – Not wholly consistent with the primary Directive. – Not wholly consistent with each other.

6 -6- E.U. Data Protection Principles (cont’d)  Difference between member states. – Definition of “collection” – Jurisdiction over foreign-based websites – Definition of “personal data” – Obligation to notify data protection authorities when collection and processing occurs – Attitudes toward trans-border data flow contracts

7 -7- E.U. Data Protection Principles (cont’d) Goal  Harmonize members’ laws and provide a high level of protection to accommodate the increased cross-border data flow. – Member state laws reflect a high level of protection of personal data. – Transborder data flow from the EEA (E.U. and Norway, Liechtenstein, and Iceland) is problematic.

8 -8- E.U. Data Protection Principles (cont’d) Articles 25 and 26 of Directive 95/46/EC prescribe the conditions under which personal data may be transferred to third countries. Article 25(1) requires an E.U. Commission finding that the level of data protection in the third countries is adequate.  Argentina  Canada  Guernsey  Isle of Man  Switzerland  U.S. (Safe Harbor participant)  U.S. (Air Passenger name record)

9 -9- Safe Harbor (www.export.gov/safeharbor/)www.export.gov/safeharbor/ Became effective October 1998 after lengthy and sometimes ambiguous negotiations between the E.U. and DOC.  U.S. entities register with DOC.  U.S. entities establish a privacy policy and Safe Harbor procedure similar to but not precisely the same as the E.U. principles. – Notice of purpose of collection – Choice of disclosure to third parties – Onward transfer limitation – Reasonable security precautions – Data integrity – Access – Recourse mechanisms

10 -10- Safe Harbor (www.export.gov/safeharbor/) (cont’d)www.export.gov/safeharbor/ Advantages  All E.U. members must allow transfer pursuant to Safe Harbor.  With limited exceptions, interpretation is based on U.S. law.  Certain exceptions, such as the U.S.-oriented journalistic exceptions apply.  Self-assessment or verification of compliance is available.  FTC enforcement only after self-regulation.  Extremely simple to join. Limitations  Applies to organizations subject to the FTC or air carriers subject to DOT.  Only legitimizes transfer, any required consent to collect must still be obtained.

11 -11- Alternatives (Derogations) Article 26 provides alternative.  26(1) Transfer can occur with the unambiguous consent of the data subject, to fulfill a contract or when it is necessary for other important public policies. – Working Party 29 (WP 114, 25 November 2005) and a number of data protection authorities question whether consent can be unambiguous, particularly in employee/employer setting or when there is long-term framework for repeated transfer of data.  26(2) Authorized transfer if adequate protection is provided through contractual provision. – Ad hoc – “Standard” claims

12 -12- Alternatives (Derogations) (cont’d) Two Commission Decisions adopted standardized clauses.  Decision 2001/497/EC applies to transfer from a data controller in the EC to a data controller in third countries.  Decision 2002/16/EC applies to transfer from a data controller in the EC to data processors in third countries.  Original Standard Clauses. – Incorporate principles similar to the Privacy Directive. – Specify the relevant E.U. member laws on governing. – Ad hoc contracts require approval of relevant data protection authority.

13 -13- Alternatives (Derogations) (cont’d) Almost as soon as the standard clauses were adopted, the Commission realized that they were not going to work. Decision C (2004) 5271 was adopted.  Alternative is slightly less onerous provision.  Effective April 1, 2005.

14 -14- Alternatives (Derogations) (cont’d) Binding Corporate Rules.  A number of business organizations lobbied for adoption of approval to transfer on the basis of Binding Corporate Rules (internal).  Article 29 Working Party adopted Initial Binding Rules in 2003 and a checklist for such rules of 14 April 2005. – Approval of the binding corporate rules by a member state’s data protection authority is required. – Member states do not have to approve Binding Corporate Rules.

15 -15- Alternatives (Derogations) (cont’d) Master Agreement  Business groups like the International Chamber of Commerce continued to lobby for simplification and expedition. – Commission Staff Document SEC (2006) 95 discussed this option, but the discussion contained some of the caveats that appeared in the early discussion of Binding Corporate Rules.

16 -16- Anomaly Staff Document SEC (2006) 95 tallied contractual clauses or Binding Corporate Rule notified to the Commission.  14 ad hoc contractual clauses or Binding Corporate Rules have been notified to the Commission.  64 standard contractual clauses have been notified. – Mostly H.R. to U.S. – These agreements do not have to be notified. Safe Harbor  884 Organization on the Safe Harbor List (24 Feb 2006). – Some small percentages are not current.

17 -17- CONCLUSION Elaborate formal proceedings are not being implemented to comply with the limits on transmission. Consent (26.1) or standard contractual (26.2) clauses may be used to justify transfer. A number of entities that transfer data from the E.U. may simply be ignoring the issue.

Download ppt "Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New."

Similar presentations

Damon Greer Safe Harbor Program October 15, 2007

Damon Greer Safe Harbor Program October 15, 2007
The Role of the IRB An Institutional Review Board (IRB) is a review committee established to help protect the rights and welfare of human research subjects.

The Role of the IRB An Institutional Review Board (IRB) is a review committee established to help protect the rights and welfare of human research subjects.
EU Privacy Directive. What is a directive? A piece of European legislation, passed by bureaucrats, addressed to member states Member states must ensure.

EU Privacy Directive. What is a directive? A piece of European legislation, passed by bureaucrats, addressed to member states Member states must ensure.
PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR

PRIVACY ASPECTS OF RE-USE OF PSI: BETWEEN PRIVATE AND PUBLIC SECTOR
Transborder Data Flows & Privacy Contractual clauses in the practice Tanguy Van Overstraeten Washington DC October 16, 2007.

Transborder Data Flows & Privacy Contractual clauses in the practice Tanguy Van Overstraeten Washington DC October 16, 2007.
1 Agencia Española de Protección de Datos AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL.

1 Agencia Española de Protección de Datos AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Sarah Branam Mehmet MunurDino Tsibouris

Sarah Branam Mehmet MunurDino Tsibouris
INTRODUCTION INTO PRIVATE INTERNATIONAL LAW OF THE EUROPEAN UNION Marko Jovanovic, LL.M. MASTER IN EUROPEAN INTEGRATION Private International Law in the.

INTRODUCTION INTO PRIVATE INTERNATIONAL LAW OF THE EUROPEAN UNION Marko Jovanovic, LL.M. MASTER IN EUROPEAN INTEGRATION Private International Law in the.
Robert L. Rothman Donald A. Cohn

Robert L. Rothman Donald A. Cohn
1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,
The European Union legal framework for clinical data access: The European Union legal framework for clinical data access: potential challenges and opportunities.

The European Union legal framework for clinical data access: The European Union legal framework for clinical data access: potential challenges and opportunities.
International Treaty in EU PIL

International Treaty in EU PIL
EU: Bilateral Agreements of Member States

EU: Bilateral Agreements of Member States
EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.

EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.
1980 Hague Child Abduction Convention and Brussels II bis Interaction within the EU and beyond Prof. Dr. Marta Pertegás First Secretary Hague Conference.

1980 Hague Child Abduction Convention and Brussels II bis Interaction within the EU and beyond Prof. Dr. Marta Pertegás First Secretary Hague Conference.
Per Anders Eriksson

Per Anders Eriksson
The U.S.-E.U. Safe Harbor Framework The U.S.-E.U. Safe Harbor Framework New Developments in Data Flows, Standards, & Compliance Damon Greer U.S. Department.

The U.S.-E.U. Safe Harbor Framework The U.S.-E.U. Safe Harbor Framework New Developments in Data Flows, Standards, & Compliance Damon Greer U.S. Department.
High Technology Cooperation Group: Data Privacy The Indo-U.S. High Technology Cooperation Group November 18, 2004 www.usibc.com Privacy and Cyber Security:

High Technology Cooperation Group: Data Privacy The Indo-U.S. High Technology Cooperation Group November 18, Privacy and Cyber Security:
Transborder dataflows Flow of information across national borders Much of this data involves personal information.

Transborder dataflows Flow of information across national borders Much of this data involves personal information.

Similar presentations

Ads by Google