Presentation is loading. Please wait.

Presentation is loading. Please wait.

Sarah Branam Mehmet MunurDino Tsibouris

Published byClarence Campbell Modified over 9 years ago

Similar presentations

Presentation on theme: "Sarah Branam Mehmet MunurDino Tsibouris"— Presentation transcript:

1 Sarah Branam Mehmet MunurDino Tsibouris Branams@oclc.org Mehmet.Munur@Tsibouris.com Dino@Tsibouris.comBranams@oclc.orgMehmet.Munur@Tsibouris.comDino@Tsibouris.com International Data Transfers: Strategic Considerations for Sending or Receiving Data Internationally © Copyright 2009 Tsibouris & Associates, LLC 88 E. Broad Ste. 1560, Columbus, OH 43215 © Copyright 2009 OCLC Online Computer Library Center, Inc. 6565 Kilgour Place, Dublin, Ohio 43017-3395 USA

2 International data transfers that avoid fines and injunctions require: Attention to numerous local laws and regulations, Cooperation with regulators, Proper initial collection, and Agreements with processors.

3 I.Data Protection Challenges Facing a Hypothetical Company and Concepts of EU Data Protection II.Transfers of Data from the EU using Different Methods A.EU Safe Harbor B.Standard Contractual Clauses C.Binding Corporate Rules III.Canada IV.Australia V.Enforcement Actions

4 Hypothetical Corporation Company XYZ Publicly traded Multinational corporation Headquartered in the US Sells goods online to customers around the world

5

6 ` Source: Google Maps

7

8

9

10 EU Data Protection Directive Applies to all 27 EU Member States Requires transposition to local law Protects fundamental right to privacy Comprehensive, not sectoral Prohibits transfers to third countries with inadequate protections Data Protection Authorities Article 29 Working Party

11 What law applies? Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State.

12 Concepts Data Controller: entity that determines the purposes and means of processing Processor: processes personal data on behalf of the controller Processing: any operation performed upon personal data

13 Concepts, Cont. Personal Data: any information relating to a data subject Data Subjects: identified or identifiable natural person Sensitive Personal Data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life. Establishment: the effective and real exercise of activity through stable arrangements

14

15 Obligations of Data Controllers Provide Notice to Individuals about – the identity of the controller – the purposes and means of processing – the recipients or the types of recipients of the data Notify the DPAs Enter into Article 17 Agreements with Processors

16 Legal Bases for Processing Unambiguous consent Necessary for: – Contract – Compliance with legal obligation – Protection of the vital interests – Performance of task carried out in public interest – *Purposes of legitimate interest of the controller v. interests of data subject*

17

18 Adequacy for Transfers General Rule: Transfers to 3 rd Countries with inadequate protections prohibited – Adequacy presumed for EU Member States, Canada, Australia, Argentina, Switzerland, Israel, US Safe Harbor Exceptions: – Unambiguous consent – Standard Contractual Clauses – Binding Corporate Rules

19

20

21 Safe Harbor Agreement between US DoC and European Commission Voluntary Participation by US organizations that abide by the 7 Principles and 15 FAQs Organization must be regulated by FTC or DoT – Excludes: Banks and other Financial Institutions Non-Profits

22 Safe Harbor, Cont. Principles: – Notice – Choice – Onward Transfer – Security – Data Integrity – Access – Enforcement

23 Onward Transfer Mapping Data Flows Ensuring Adequate Notice Cloud Computing Audit Rights Negotiation of Onward Transfer Agreements

24

25

26 Standard Contractual Clauses Standard contracts that have been adopted by the European Commission for the transfer of data to countries that do not offer an adequate level of protection The contracts cannot be modified in any way, except that the parties can add additional commercial provisions

27 Standard Contractual Clauses – Cont. Controller to Processor – Data exporter: the processing and transfer has and will continue to be carried out in accordance with applicable law, instruct data importer to process only on exporter’s behalf – Data importer: processes the data only on behalf of exporter and at exporter’s instructions

28 Standard Contractual Clauses – Cont. Controller to Controller – Data exporter: data collected, processed and transferred in accordance with applicable law, used reasonable efforts to determine the data importer satisfies the legal obligations in the Clauses – Data importer: appropriate technical and organizational measures to protect data, process only for purposes in the Clauses, subject to audit by data exporter

29 Standard Contractual Clauses – Cont. Processor to Processor – Not yet established but under consideration – Would permit data processor in the EU to transfer data to a sub-processor in a country that does not offer an adequate level of protection

30 Binding Corporate Rules Corporate privacy rules that protect the processing and transfer of personal data within a global organization Purpose: Enable multi-national organizations to transfer data to intra-company locations that do not have adequate level of protection Process: Create BCR framework, complete and submit application, select lead DPA, lead DPA will liaise with other DPAs for approval

31 Binding Corporate Rules – Cont. Advantages: – Company wide solution – Flexible in form – Creates image that company respects privacy Disadvantages: – Only apply to intra-company transfers – No guidance on what to include in BCRs – Time consuming

32 Specific Data Transfer Issues HR Data Transfer – Presumed that employee cannot willingly consent Sensitive Personal Information – race, ethnic origin, sexual orientation, political opinions, religious beliefs, trade union membership – General Rule: cannot be processed Cross-Border E-Discovery – conflict of laws

33 Canada PIPEDA – Personal Information Protection and Electronic Documents Act Uses an organization - organization approach – Requires finding of “comparable level of protection” – Organizations are held accountable for the protection of personal information transferred – Not based on “adequacy” as in the EU

34 Canada, Cont. 10 Principles: – Accountability– Safeguards – Identifying Purposes– Openness – Consent– Individual Access – Limiting Collection– Accuracy – Challenging Compliance – Limiting Use, Disclosure, and Retention

35 Canada, Cont. Cross border transfer: Organization is responsible for personal information in its possession or custody, including information that has been transferred to a 3 rd party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a 3 rd party.

36 Australia Privacy Act 9 National Privacy Principles: – Collection – Openness – Use and disclosure – Identifier – Access and correction – Anonymity – Information quality and security – Sensitive information – Trans-border data flow

37 Australia, Cont. Trans-border data transfer permitted if: – Recipient is subject to law, binding scheme or contract which upholds substantially similar principles – Consent – Necessary for performance of contract between individual and organization or contract concluded in the interest of the individual between the organization and a 3 rd party

38 International Transfers, Local Consequences French court invalidates McDonald’s Sarbanes Oxley Hotline on data protection grounds French DPA fines Tyco €30,000 Spanish DPA audits Columbian call center Canadian court orders Privacy Commissioner to investigate American company

39 Conclusion International data transfers that avoid fines and injunctions require: Proper initial collection with attention to numerous local laws and regulations, Agreements with processors with attention to security, and Cooperation with regulators with attention to picking the right methods.

40 Questions & Answers Sarah Branam Mehmet MunurDino Tsibouris branams@oclc.org Mehmet.Munur@Tsibouris.com Dino@Tsibouris.combranams@oclc.orgMehmet.Munur@Tsibouris.comDino@Tsibouris.com © Copyright 2009 Tsibouris & Associates, LLC 88 E. Broad Ste. 1560, Columbus, OH 43215 © Copyright 2009 OCLC Online Computer Library Center, Inc. 6565 Kilgour Place, Dublin, Ohio 43017-3395 USA

Download ppt "Sarah Branam Mehmet MunurDino Tsibouris"

Similar presentations

1 Agencia Española de Protección de Datos AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL.

1 Agencia Española de Protección de Datos AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL.
Data Protection & Privacy in the Information Age COMNET – Legal Frameworks for ICTs Malta 2013 Dr Antonio Ghio Dr Jeanine Rizzo.

Data Protection & Privacy in the Information Age COMNET – Legal Frameworks for ICTs Malta 2013 Dr Antonio Ghio Dr Jeanine Rizzo.
DATA PROTECTION and Research University Research Ethics Committee – 30.05.2008 David Cauchi David Cauchi Office of the Commissioner for Data Protection.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi David Cauchi Office of the Commissioner for Data Protection.
InterParty Privacy and Security What are the implications of establishing the InterParty Network? A presentation to the final InterParty Seminar The Hague.

InterParty Privacy and Security What are the implications of establishing the InterParty Network? A presentation to the final InterParty Seminar The Hague.
Protection of Personal Data, 11.02.2011. Historical context In 1982, Iceland signed the Council of Europe Convention nr. 108 from 1981 for the Protection.

Protection of Personal Data, Historical context In 1982, Iceland signed the Council of Europe Convention nr. 108 from 1981 for the Protection.
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
Data Protection.

Data Protection.
Robert L. Rothman Donald A. Cohn

Robert L. Rothman Donald A. Cohn
1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,

1 PRIVACY ISSUES IN THE U.S. – CANADA CROSS BORDER BUSINESS CONTEXT Presented by: Anneli LeGault ACC Greater New York Chapter Compliance Seminar May 19,
CSE2500 Systems Security and Privacy Week 11 Privacy Law in Australia (after 2000)

CSE2500 Systems Security and Privacy Week 11 Privacy Law in Australia (after 2000)
DATA PROTECTION and Research University Research Ethics Committee – 08.05.2006 David Cauchi Office of the Data Protection Commissioner.

DATA PROTECTION and Research University Research Ethics Committee – David Cauchi Office of the Data Protection Commissioner.
Managing Personal Information - Australian Companies Outsourcing to India and the Philippines Professor Margaret Jackson and Marita Shelly.

Managing Personal Information - Australian Companies Outsourcing to India and the Philippines Professor Margaret Jackson and Marita Shelly.
EU: Bilateral Agreements of Member States

EU: Bilateral Agreements of Member States
EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.

EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.
What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries;

What if my organization conducts business across borders ? Your footnote Privacy and “Personal Information” have different meanings in different countries;
The U.S.-E.U. Safe Harbor Framework The U.S.-E.U. Safe Harbor Framework New Developments in Data Flows, Standards, & Compliance Damon Greer U.S. Department.

The U.S.-E.U. Safe Harbor Framework The U.S.-E.U. Safe Harbor Framework New Developments in Data Flows, Standards, & Compliance Damon Greer U.S. Department.
Transborder dataflows Flow of information across national borders Much of this data involves personal information.

Transborder dataflows Flow of information across national borders Much of this data involves personal information.
Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.

Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.
Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.

Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.
Data Protection: The Law. EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection.

Data Protection: The Law. EU & Irish Legislation Data Protection Directive 95/46/EC Electronic Privacy Directive 2002/58/EC EUROPOL etc Data Protection.

Similar presentations

Ads by Google