Contractual Solutions for Cross-Border Data Transfers: Dealing with the Practical Problems
description
Transcript of Contractual Solutions for Cross-Border Data Transfers: Dealing with the Practical Problems
Contractual Solutions for Cross-Border Data Transfers:
Dealing with the Practical Problems
Robert L. Rothman Donald A. CohnPrivacy Associates International E. I. du Pont de Nemours and Company
IAPP Summit, April, 2010
Preliminaries• Assume understanding of cross-border
issues and available compliance alternatives
• Focus on practical issues involved in implementing cross-border solutions
3
PurposeThe Purpose Of This Presentation Is To:• Point Out Problems And Complexities In
Contracting With Suppliers And Affiliates• Ask How Can We Use A Contractual
Approach To Satisfy Local Legal Requirements.
• Examine Sample Data Flows Using a Hypo• Offer Possible Solutions To Some Of Those
Problems And Complexities
The 4 Legs of the Privacy Stool
Adequacy Mechanism To Transfer
Security Notice & Consent To Use
Registration
Proportionality
WE WILL FOCUS ON DATA TRANSFER ADEQUACY
EUPII
Data Transfer
Work Councils?Country DPA's
ContractualClauses
CountriesDeemed Adequate
CustomersSupppliers
OthersVoluntaryConsent"Opt In"
BindingCorporate
Rules
Safe Harbor
Employees
CanadaArgentina
IsraelSwitzerlandIsle of Mann
Isle of GurnseyEAA Countries
Onward TransferAgreementsSafe Harbor
Principles
Model ClausesC to PC to C
Other Contracts
Annually Self CertifyNeed Processes Subject to Audit
FTC EnforcesOnly US Co's Subject
to FTC or DOT
One to OneOne to Many
Many to Many
AffiliateTransfers
27+ DPA Approvals
EU ADEQUACY MECHANISMS
FailedUSA
JapanAustralia
*Notice*Choice *Onward Transfer*Sensitive Information*Security*Data Integrity*Access By Individual*Enforcement & ADR*Verification
Examples of Where Contractual Solutions Are Used
• EU Standard Clause Agreements– Controller to Controller: two flavors– New Controller to Processor Agreements
• Safe Harbor Onward Transfer Agreements• Australia
the recipient of the information is subject to a contract which effectively upholds principles for fair handling of the information that are substantially similar to the NPPs
• ArgentinaAn international entity provides an adequate level of protection if it arises from contractual clauses covering the protection of personal data
• Japan• Israel
Hypo• Global Enterprises, Inc., US Entity• Manufactures and sells widgets through Global entities in 34 countries
–24 subsidiaries EU countries–9 subsidiaries in non-EU countries–3 JVs – a majority owned, a 50-50, and a
minority owned• Wants to have free transferability of employee HR data around Global• Wants to enter into world-wide agreement
with California Computer Services (CCS) for global web hosting involving storage of PI
• Wants contractual solutions
Free Transferability of Employee Data -EU Controller to Controller Outward Transfers
Global’s Non-EU Entities Global EU Entity
USARussiaJapanAustraliaNew ZealandIsraelCanadaMexicoBrazilChinaSaudi Arabia--------------SwitzerlandArgentina
EU SCC Bilateral Agreements
Controller to Controller SCCs
24 EU Countries In which Global Operates
EU SCC Bilateral Agreements
Controller to Controller SCCs
USA
Russia
Japan
Australia
New Zealand
Israel
Canada
Mexico
Brazil
China
Saudi Arabia
Switzerland
Argentina
Prior approval required:
Austria Czech Republic LuxembourgNetherlandsPolandRomaniaSpain
Filing only required :
BelgiumCyprus Denmark Finland France Greece Malta Portugal Slovakia
EU SCC Approval or Filing Requirements
Global USA
Global certifies for compliance with
Safe Harbor for its HR Personal Data
Safe Harbor Alternative
Transfers under Safe Harbor
Onward Transfer Agreements
EU Global EntitiesNon-EU Global Entities
Free Transferability of Employee Data -Non-EU Transfers
Japan
Australia
Argentina
World-Wide Bilateral Agreement Solution to Global’s HR Transferability
Problem Looks Like This:
24 EU Countries In which Global Operates
Bilateral ApproachUSA
Russia
Japan
Australia
New Zealand
Israel
Canada
Mexico
Brazil
China
Saudi Arabia
Switzerland
Argentina
Assuming Global still wants to go in this direction, what are some of the practical elements of actually getting these cross-border contractual solutions done?
HR Solution: Global’s Administrative Issues
• How to identify all of Global’s entities that have to be a party to an agreement?
• Should each of the Joint Ventures sign?• Who has authority to sign the agreement at each
entity?• How do you explain to those who have to sign, and
others at each entity, what this is all about and why it is required?
HR Solution: Global’s Administrative Issues• What has to be done by each entity to comply with
the agreements?• What has to be done centrally (e.g. IT security) to
allow each entity to comply? • What is the process for keeping track of who has
signed the agreements and for retaining the docs • How do you figure out when the agreements have to
be approved by or registered with government authorities?
• Who actually files the agreements/applications?
HR Solution: Global’s Administrative Issues
• Who actually files the agreements/applications? • Who keeps track of approvals received – and not
received?• What is the process to modify agreements when –
rather than if - data flows change, rules change, corporate organization changes?
Is there anyway to eliminate putting all those contracts in place and still allow Global to pass HR information among
its operations?
Simplification Strategy 1• Consists of two parts:
– Global certifies for Safe Harbor to get EU data to the US– All Global entities enter into a Personal Information Safeguard
Agreement (PISA)• PISA would:
– Establish the following obligations for Participating Entities when exporting personal information:
• Comply with all domestic privacy laws before the transfer.• Give data subjects notice about the use of the personal
information.• Comply with agreement rules for dealing with any proposed
change of use.• Comply with the agreement rules for responding to data
subjects’ requests for access to their personal information.• Train employees regarding their obligations. • Ensure that the personal data is accurate, complete, current,
and reliable for the intended use.
Simplification Strategy 1– Establish the following obligations for Participating Entities when receiving
personal data from a Participating Entity in another country:• Comply with the privacy laws of the country of the receiving unit.• Use the personal information only for the purposes included in the notice to the
data subject.• Notify and obtain approval from the transferring unit for any proposed change in
the use of the personal information.• Limit the transfer of the personal information to authorized parties.• Comply with the PISA rules for responding to data subjects’ requests for access
to their personal information.• Train employees regarding their obligations. • Comply with Global’s technical, physical and administrative security policies. • Notify the transferring unit and Global US of any breach of security that involves
personal data • Comply with specified rules for responding to inquiries by government
authorities and others regarding personal information. • Comply with Global’s data retention.
Simplification Strategy 1• PISA could be hard copy with “agreement opt-in” sheets signed
and mailed in to Global US as the administrative entity.• To increase efficiency, the PISA could be executed by an on line
opt-in form that is executed by each entity under the electronic signature law of one of the US states (that would be the PISA’s governing law)
• The PISA as described would:– Serve as an onward transfer agreement under Safe Harbor, thus
allowing Global’s EU employee information to be sent to all Participating Entities
– Serve as a sufficient primary legal basis for the cross border transfer of personal information from Japan, Australia and Argentina to the US, to the EU countries and to other jurisdictions with a Global presence
• This reduces the number of agreements from 372 bilateral agreements to 1 multilateral agreement plus Safe Harbor and reduces the number of government approvals for the agreements to 0.
• No government approvals required
PISA
Strategy 1 Structure
EU CountriesSafe Harbor
Simplification Strategy 2• Eliminate the Safe Harbor certification aspect of Strategy 1
• Create a PISA Heavy consisting of 2 parts:– Part A is exactly the same as in Simplification Strategy 1 – General
Provisions applicable to Transferors and Transferees– Part B is applicable to exports of personal data out countries with very
specific requirements not covered by Part A such as an EU Controller to Controller SCC (either flavor)
– Each blank in the SCC and Annexes is completed by incorporating by reference a section of the PISA opt-in sheet, the document used by an entity to become bound to the PISA Heavy agreement
PISA Heavy StructurePart I: General Rules Required Under Most Laws• When a Participating Entity is acting as a Data Exporter it agrees to follow the data
exporter rules in this contract• When a Participating Entity is acting as a Data Importer it agrees to follow the data
importer rules in this contractPart II: Specific Rules for Counties with Cross-Border Laws • With respect to all personal data exported from Australia, Participating Entities agree to
comply with the following Australian rules. In case of a conflict with a Part I General Rule, the Australian rule shall prevail.
• With respect to all personal data exported from Argentina, Participating Entities agree to comply with the following Argentine rules. In case of a conflict with a Part I General Rule, the Argentine rule shall prevail.
• With respect to all personal data exported from an EU country, the following SCC (Controller to Controller) shall apply. – The full text of the SCC is reproduced – Blanks completed by incorporating by reference specific sections of the PISA Opt-in
Form completed by each Participating EntityPart III• Boilerplate• Execution process
Example: SCC Required Blanks• Name (written out in full): (Exhibit B to this
PISA, Opt-in Signature Page is hereby incorporated by reference)
• Data importerThe data importer is (please specify briefly activities relevant to the transfer): (Exhibit B to this PISA, Opt-in Signature Page, Section 2 is hereby incorporated by reference)
Pisa Heavy Opt-in Form Section 2: Activities of Transferor related to the transfer:
(Check all appropriate or fill-in if category not listed)□ Sales and Marketing□ Human Relations□ Issuing of Securities□ Public Interest□ Other (Please list and be as descriptive as
possible):_____________________________________________________
Simplification Strategy 2• Applicable law for Part B would be the law of the country of the data
exporting entity• Privity of contract exists among each the Global entities:
– For instance, privity between EU Subsidiary 6 and non-EU Subsidiary 20 can be demonstrated by producing the Agreement, the signed opt-in sheet for Subsidiary 6 and the signed opt-in sheet for Subsidiary 20.
• The Controller to Controller SCC is applicable to all exports out of the EU
• Requires approval of EU DPAs in countries where DPA’s have to review SCCs to assure a sufficient level of specificity in the annexes.
Strategy 2 Structure
PISA Heavy
All of this has dealt with Global’s HR information problem – a controller to controller transfer – what about Global’s entering into a world-wide agreement with California Computer Services (CCS) for global web hosting involving storage of PI?
Questions?