Safe Harbor Webinar

GOOD. SMART. BUSINESS. PROFIT. TM

Transcript of Safe Harbor Webinar

Page 1: Safe Harbor Webinar

Page 2: Safe Harbor Webinar

Thursday, February 4th, 1:00 EST

Safe Harbor Webinar

DATA PROTECTION UPDATE: SAFE HARBOR AND THE PRACTICAL IMPACT FOR COMPANIES

Page 3: Safe Harbor Webinar

Speakers

Robert Bond, Partner, Charles Russell Speechlys

Dennis Haist, General Counsel & Compliance Advisor, STEELE CIS

Michael Scuvee, Director Global Data Privacy, Corporate Compliance, Johnson Controls

Page 4: Safe Harbor Webinar

Topics of Discussion

• Available Data Transfer Solutions

• Data Protection Notifications

• Summary of Schrems vs. Data Commissioner

• Article 29 Working Party Activities

• Tuesday’s Announcement of a “political deal”

• Likelihood of Safe Harbor 2.0 or EU-US Privacy Shield Framework

• Alternative mechanisms for data transfer (Unambiguous Consent, Binding Corporate Rules, Model Clauses)

Page 5: Safe Harbor Webinar

UNDERSTANDING DATA TRANSFER SOLUTIONS

Strategies for Transborder Data Flows

• Binding corporate rules – not valid in all countries

• Model clauses

• Safe Harbor/Privacy Shield

• Consent

• Presumption of adequacy

• Adequate destination

• Contractual necessity

• Seals and trust marks

Page 6: Safe Harbor Webinar

Data Exported

Within EEA

Automatically adequate

Outside EEA

Which country/jurisdiction?

Argentina, Channel Islands, Isle of Man, Switzerland, Faroe Islands, Israel, Uruguay, New Zealand

Adequate for transfer to proceed

Canada

Mostly adequate for transfer to proceed

USA

To a signatory of the Safe Harbor/Privacy Shield principles?

Other countries

Yes / No

Adequate for transfer to proceed

Do any of the other key legal grounds for transfer apply?

1. Transfers using the appropriate EU Commission approved Model Transfer Terms

2. Transfers subject to the use of Binding Corporate Rules

3. Transfers in accordance with an approved privacy contract

4. Companies that have self-assessed their adequacy (in some jurisdictions)

Yes

Adequate for transfer to take place

No

Can adequacy be presumed?

Yes / No

Transfer can proceed

Legal advice required

Page 7: Safe Harbor Webinar

Data Protection notifications, filings and registrations – what is this?

• More than a tick-the-box exercise

• More than a bureaucratic formality

• Purpose: To assist the Data Protection Authorities (DPAs) in enforcing the data protection laws

• You must be fully informed to present a registration/notification

• Types of notifications:

  – Prior registration of processing operations

  – Prior checking of processing operations

  – Prior notification of data transfers from EEA to 3rd countries

  – Notification of breaches to the DPA

  – Notification of breaches to the data subjects

  – Other types of notifications / requests for authorisation

Page 8: Safe Harbor Webinar

Schrems v. Data Protection Commissioner (October 6, 2015)

• Background of appeal to Court of Justice

• Significant Findings of the Court

Commission finding of “adequacy” does not prevent supervisory authority of Member State from examining claim of data subject that third country does not ensure adequate level of protection (paragraph 66)

“Adequate level of protection” must require third country to ensure by its domestic law or international commitments, a level of protection of fundamental rights and freedoms essentially equivalent to that guaranteed by EU (paragraph 73)

Decision 2000/520 recognizes that national security, public interest, or law enforcement requirements have primacy over the Safe Harbor principles (paragraph 84)

Decision 2000/520 did not state that the U.S. “ensures” an adequate level of protection by reason of its domestic law or international commitments (paragraph 97)

Decision 2000/520 fails to comply with the requirements of Article 25(6) of Directive 95/46 and is accordingly invalid.

Page 9: Safe Harbor Webinar

Schrems v. Data Protection Commissioner (October 6, 2015)

• Initial Reactions

  – Law firm clients, Data Controllers, Data Processors

• Article 29 Working Party activities since Schrems

• Expiration of “Grace period” on January 31

  – Latest developments: Tuesday’s Announcement of a “political deal” on EU-US Privacy Shield framework

• Judicial Redress Act of 2015 (HR 1428)

• Privacy Shield or Safe Harbor 2.0

Page 10: Safe Harbor Webinar

Data Processing contracts

• The Data Controller must ensure that the Data Processor is suitable for the processing activities having regard to the nature of the data – so due diligence is required.

• Contractual controls need to be put in place – the Data Processor may already have these, but check!

• If the Data Processor is outside the EU then the EU Model Clauses for transfers to a Data Processor should be used.

• Reliance on Safe Harbor was possible provided that the Certification was in relation to the type of personal data being transferred.

• Privacy Shield may be a new solution

• Notwithstanding the use of Model Clauses, some DPAs require notification and deposit of the contract for approval.

• Some DPAs have difficulty with the concept that Sensitive Data needs to be transferred to a 3rd party outside the EU.

Page 11: Safe Harbor Webinar

Open forum

Questions?

Page 12: Safe Harbor Webinar

Thank You

Page 14: Safe Harbor Webinar

This webcast and all future Ethisphere webcasts are available complimentary and on demand for BELA members. BELA members are also offered complimentary registration to Ethisphere’s Global Ethics Summit and other Summits around the world.

Page 16: Safe Harbor Webinar

www.ethisphere.com

THANK YOU