Privacy protection in a globalized world - Chantal Bernier


Privacy protection in a Globalized World

Association of Corporate Counsel

New York, 24 March 2015

The plan

• Bringing out the main cross-border privacy issues for in-house counsel

• Describing that reality from the point of view of regulators

• Exploring strategies for resolution

• Sharing experiences

05 May 2015 2

Key: Offices, associate offices and facilities*; Associate firms and special alliances*

Map locations: Kansas City; Edmonton; Calgary; Vancouver; San Francisco; Silicon Valley; Los Angeles; Phoenix; Dallas; Toronto; Atlanta; Montreal; Ottawa; New York; Short Hills; Washington, DC; St. Louis; Chicago; London; Milton Keynes; Madrid; Barcelona; Paris; Brussels; Berlin; St. Petersburg; Moscow; Kyiv; Warsaw; Istanbul; Prague; Bratislava; Budapest; Frankfurt; Bucharest; Zürich; Baku; Ashgabat; Tashkent; Almaty; Algiers; Tripoli; Nouakchott; Praia; Bissau; Accra; São Tomé; Luanda; Cape Town; Maputo; Port Louis; Lusaka; Nairobi; Kampala; Kigali; Beirut; Cairo; Muscat; Dubai; Doha; Abu Dhabi; Singapore; Hong Kong; Beijing; Shanghai; New Orleans; Miami; Boston; Amman; Riyadh; Lagos; Tbilisi; Krasnodar; Rostov on Don; Astana; Houston; Casablanca; Minsk; Johannesburg


A Global View

From the point of view of in-house counsel


In-House – A Global Privacy Analysis

• Global patchwork of privacy laws + globalized business = challenge


• How does this come up?

• Most projects are multijurisdictional

• MasterPass – Product Development and Expansion

• Simplify Commerce – Product Development and Expansion

• MasterCard Datacash – Acquired UK payment processing business

In-House – A Global Privacy Analysis

• Goal is always to understand the rights and obligations that attach to data at point of collection and throughout lifecycle

• First, what is the business matter at hand?

• What are we doing (and where)?

• What is our role in the ecosystem?

• Who are we working with?

• Then, how does data layer in?

• Country of collection / data subject

• Entity/mechanism of collection

• Notice & consent mechanics

• Cross-border transfers

• Type of data elements collected and processed

• Nature of processing (primary and secondary uses)

• Sharing with third parties / participants in an ecosystem


In-House – A Global Privacy Analysis

• Result of that analysis drives

• Product design

• Contract terms

• Security protocol

• Risk allocation and determination

• Analysis applies to all situations

• Acquisitions and investments

• Product development and expansion

• Contracting with customers and vendors

• Incident response


The point of view of regulators


Main issues

• Asserting jurisdiction over foreign respondents

• Holding a common front across diverse legislative frameworks

• Coordinating compliance


The point of view of outside counsel


Outside Counsel – A Global Privacy Analysis

Consistent policies and processes are essential to managing privacy and data protection risk.

Why?

• High process integrity greatly minimizes operational risk.

• Speaking with a consistent voice to customers and partners builds trust and creates accountability with business partners.

• Managing different policies within different businesses and markets can create unmanageable compliance obligations and expectations.


Outside Counsel – A Global Privacy Analysis

Companies have trouble driving consistent privacy policies and practices across businesses and geographies.

Why?

• Business Units are in silos with different leadership and strategy.

• Lack of an integrated, enterprise-wide risk management framework.

• Misperception that adopting consistent standards will lead to missed business opportunities.


Outside Counsel – A Global Privacy Analysis

Regulatory schemes in North America and Europe will continue to harmonize while maintaining substantial differences.

Why?

• The EU will adopt breach notification rules and requirements.

• The US may adopt EU-style rights, such as right to be forgotten/obscurity.

• International data protection schemes, such as those in Canada and in Asia-Pacific, will continue to move closer to the EU approach.


Outside Counsel – A Global Privacy Analysis

What should In-House Counsel do to stay on top of the global complexity?

• Be knowledgeable about privacy laws in other jurisdictions.

• Attempt to rationalize requirements at a high level and drill down at a local level.

• Ensure that you have both a short-term and a longer-term compliance strategy.


Your point of view

• What are the main issues for cross-border privacy law?

• What are the main strategic issues for cross-border privacy compliance?
