Contractual Solutions for Cross-Border Data Transfers: Dealing with the Practical Problems

Robert L. Rothman, Privacy Associates International
Donald A. Cohn, E. I. du Pont de Nemours and Company

IAPP Summit, April 2010

Transcript of Contractual Solutions for Cross-Border Data Transfers: Dealing with the Practical Problems

Page 1: Contractual Solutions for  Cross-Border Data Transfers:  Dealing with the Practical Problems

Contractual Solutions for Cross-Border Data Transfers:

Dealing with the Practical Problems

Robert L. Rothman, Privacy Associates International
Donald A. Cohn, E. I. du Pont de Nemours and Company

IAPP Summit, April, 2010

Page 2

Preliminaries

• Assume understanding of cross-border issues and available compliance alternatives
• Focus on practical issues involved in implementing cross-border solutions

Page 3

Purpose

The purpose of this presentation is to:
• Point out problems and complexities in contracting with suppliers and affiliates
• Ask how we can use a contractual approach to satisfy local legal requirements
• Examine sample data flows using a hypo
• Offer possible solutions to some of those problems and complexities

Page 4

The 4 Legs of the Privacy Stool (diagram labels)

• Adequacy Mechanism to Transfer
• Security
• Notice & Consent to Use
• Registration
• Proportionality

WE WILL FOCUS ON DATA TRANSFER ADEQUACY

Page 5

EU Adequacy Mechanisms (diagram of EU PII data transfer routes; labels grouped by mechanism)

Parties: Employees, Customers, Suppliers, Others. Works Councils? Country DPAs.

• Countries Deemed Adequate: Canada, Argentina, Israel, Switzerland, Isle of Man, Guernsey, EEA countries. Failed: USA, Japan, Australia.
• Contractual Clauses: Model Clauses (C to P, C to C); Other Contracts; One to One, One to Many, Many to Many.
• Safe Harbor: Safe Harbor Principles (Notice, Choice, Onward Transfer, Sensitive Information, Security, Data Integrity, Access by Individual, Enforcement & ADR, Verification); Onward Transfer Agreements; annually self-certify; need processes subject to audit; FTC enforces; only US companies subject to FTC or DOT.
• Binding Corporate Rules: Affiliate Transfers; 27+ DPA approvals.
• Voluntary Consent ("Opt In").

Page 6

Examples of Where Contractual Solutions Are Used

• EU Standard Clause Agreements
  – Controller to Controller: two flavors
  – New Controller to Processor Agreements
• Safe Harbor Onward Transfer Agreements
• Australia: "the recipient of the information is subject to a contract which effectively upholds principles for fair handling of the information that are substantially similar to the NPPs"
• Argentina: "An international entity provides an adequate level of protection if it arises from contractual clauses covering the protection of personal data"
• Japan
• Israel

Page 7

Hypo

• Global Enterprises, Inc., US entity
• Manufactures and sells widgets through Global entities in 34 countries
  – 24 subsidiaries in EU countries
  – 9 subsidiaries in non-EU countries
  – 3 JVs: a majority owned, a 50-50, and a minority owned
• Wants to have free transferability of employee HR data around Global
• Wants to enter into a world-wide agreement with California Computer Services (CCS) for global web hosting involving storage of PI
• Wants contractual solutions

Page 8

Free Transferability of Employee Data – EU Controller to Controller Outward Transfers

Page 9

Diagram: Global EU Entity → Global’s Non-EU Entities (USA, Russia, Japan, Australia, New Zealand, Israel, Canada, Mexico, Brazil, China, Saudi Arabia; and, separately, Switzerland and Argentina), connected by EU SCC Bilateral Agreements (Controller to Controller SCCs)

Page 10

Diagram: the 24 EU countries in which Global operates → USA, Russia, Japan, Australia, New Zealand, Israel, Canada, Mexico, Brazil, China, Saudi Arabia, Switzerland, Argentina, connected by EU SCC Bilateral Agreements (Controller to Controller SCCs)

Page 11

EU SCC Approval or Filing Requirements

Prior approval required: Austria, Czech Republic, Luxembourg, Netherlands, Poland, Romania, Spain

Filing only required: Belgium, Cyprus, Denmark, Finland, France, Greece, Malta, Portugal, Slovakia

Page 12

Safe Harbor Alternative (diagram)

Global USA certifies for compliance with Safe Harbor for its HR personal data. EU Global entities transfer to Global USA under Safe Harbor; Global USA transfers to non-EU Global entities under Onward Transfer Agreements.

Page 13

Free Transferability of Employee Data – Non-EU Transfers

Page 14

Japan

Page 15

Australia

Page 16

Argentina

Page 17

World-Wide Bilateral Agreement Solution to Global’s HR Transferability Problem Looks Like This:

Page 18

Bilateral Approach (diagram): the 24 EU countries in which Global operates ↔ USA, Russia, Japan, Australia, New Zealand, Israel, Canada, Mexico, Brazil, China, Saudi Arabia, Switzerland, Argentina

Page 19

Assuming Global still wants to go in this direction, what are some of the practical elements of actually getting these cross-border contractual solutions done?

Page 20

HR Solution: Global’s Administrative Issues

• How to identify all of Global’s entities that have to be a party to an agreement?
• Should each of the Joint Ventures sign?
• Who has authority to sign the agreement at each entity?
• How do you explain to those who have to sign, and others at each entity, what this is all about and why it is required?

Page 21

HR Solution: Global’s Administrative Issues

• What has to be done by each entity to comply with the agreements?
• What has to be done centrally (e.g. IT security) to allow each entity to comply?
• What is the process for keeping track of who has signed the agreements and for retaining the docs?
• How do you figure out when the agreements have to be approved by or registered with government authorities?
• Who actually files the agreements/applications?

Page 22

HR Solution: Global’s Administrative Issues

• Who actually files the agreements/applications?
• Who keeps track of approvals received – and not received?
• What is the process to modify agreements when – rather than if – data flows change, rules change, corporate organization changes?

Page 23

Is there any way to eliminate putting all those contracts in place and still allow Global to pass HR information among its operations?

Page 24

Simplification Strategy 1

• Consists of two parts:
  – Global certifies for Safe Harbor to get EU data to the US
  – All Global entities enter into a Personal Information Safeguard Agreement (PISA)
• PISA would:
  – Establish the following obligations for Participating Entities when exporting personal information:
    • Comply with all domestic privacy laws before the transfer.
    • Give data subjects notice about the use of the personal information.
    • Comply with agreement rules for dealing with any proposed change of use.
    • Comply with the agreement rules for responding to data subjects’ requests for access to their personal information.
    • Train employees regarding their obligations.
    • Ensure that the personal data is accurate, complete, current, and reliable for the intended use.

Page 25

Simplification Strategy 1

  – Establish the following obligations for Participating Entities when receiving personal data from a Participating Entity in another country:
    • Comply with the privacy laws of the country of the receiving unit.
    • Use the personal information only for the purposes included in the notice to the data subject.
    • Notify and obtain approval from the transferring unit for any proposed change in the use of the personal information.
    • Limit the transfer of the personal information to authorized parties.
    • Comply with the PISA rules for responding to data subjects’ requests for access to their personal information.
    • Train employees regarding their obligations.
    • Comply with Global’s technical, physical and administrative security policies.
    • Notify the transferring unit and Global US of any breach of security that involves personal data.
    • Comply with specified rules for responding to inquiries by government authorities and others regarding personal information.
    • Comply with Global’s data retention.

Page 26

Simplification Strategy 1

• PISA could be hard copy with “agreement opt-in” sheets signed and mailed in to Global US as the administrative entity.
• To increase efficiency, the PISA could be executed by an on-line opt-in form that is executed by each entity under the electronic signature law of one of the US states (that would be the PISA’s governing law).
• The PISA as described would:
  – Serve as an onward transfer agreement under Safe Harbor, thus allowing Global’s EU employee information to be sent to all Participating Entities
  – Serve as a sufficient primary legal basis for the cross-border transfer of personal information from Japan, Australia and Argentina to the US, to the EU countries and to other jurisdictions with a Global presence
• This reduces the number of agreements from 372 bilateral agreements to 1 multilateral agreement plus Safe Harbor and reduces the number of government approvals for the agreements to 0.
• No government approvals required

Page 27

Strategy 1 Structure (diagram labels: EU Countries, Safe Harbor, PISA)

Page 28

Simplification Strategy 2

• Eliminate the Safe Harbor certification aspect of Strategy 1
• Create a PISA Heavy consisting of 2 parts:
  – Part A is exactly the same as in Simplification Strategy 1 – General Provisions applicable to Transferors and Transferees
  – Part B is applicable to exports of personal data out of countries with very specific requirements not covered by Part A, such as an EU Controller to Controller SCC (either flavor)
  – Each blank in the SCC and Annexes is completed by incorporating by reference a section of the PISA opt-in sheet, the document used by an entity to become bound to the PISA Heavy agreement

Page 29

PISA Heavy Structure

Part I: General Rules Required Under Most Laws
• When a Participating Entity is acting as a Data Exporter it agrees to follow the data exporter rules in this contract
• When a Participating Entity is acting as a Data Importer it agrees to follow the data importer rules in this contract

Part II: Specific Rules for Countries with Cross-Border Laws
• With respect to all personal data exported from Australia, Participating Entities agree to comply with the following Australian rules. In case of a conflict with a Part I General Rule, the Australian rule shall prevail.
• With respect to all personal data exported from Argentina, Participating Entities agree to comply with the following Argentine rules. In case of a conflict with a Part I General Rule, the Argentine rule shall prevail.
• With respect to all personal data exported from an EU country, the following SCC (Controller to Controller) shall apply.
  – The full text of the SCC is reproduced
  – Blanks completed by incorporating by reference specific sections of the PISA Opt-in Form completed by each Participating Entity

Part III
• Boilerplate
• Execution process

Page 30

Example: SCC Required Blanks

• Name (written out in full): (Exhibit B to this PISA, Opt-in Signature Page is hereby incorporated by reference)
• Data importer: The data importer is (please specify briefly activities relevant to the transfer): (Exhibit B to this PISA, Opt-in Signature Page, Section 2 is hereby incorporated by reference)

Page 31

PISA Heavy Opt-in Form, Section 2: Activities of Transferor related to the transfer:

(Check all appropriate or fill in if category not listed)
□ Sales and Marketing
□ Human Relations
□ Issuing of Securities
□ Public Interest
□ Other (please list and be as descriptive as possible): _____________________________________________________

Page 32

Simplification Strategy 2

• Applicable law for Part B would be the law of the country of the data exporting entity
• Privity of contract exists among each of the Global entities:
  – For instance, privity between EU Subsidiary 6 and non-EU Subsidiary 20 can be demonstrated by producing the Agreement, the signed opt-in sheet for Subsidiary 6 and the signed opt-in sheet for Subsidiary 20.
• The Controller to Controller SCC is applicable to all exports out of the EU
• Requires approval of EU DPAs in countries where DPAs have to review SCCs to assure a sufficient level of specificity in the annexes.

Page 33

Strategy 2 Structure (diagram label: PISA Heavy)

Page 34

All of this has dealt with Global’s HR information problem – a controller to controller transfer – what about Global’s entering into a world-wide agreement with California Computer Services (CCS) for global web hosting involving storage of PI?

Page 35

Questions?