International Privacy with Kevin Haley
International Privacy: New Safe Harbor Requirements
Presented by Kevin Haley, Brann & Isaacson
Outline
• Background on European Developments
• Recent changes
• The legal landscape
• Practical takeaways
Background: the EU process
• European Union Governance
▫ The EU issues “directives” setting goals that all EU member states must achieve
▫ However, individual nations decide how to achieve them, through their own legislative process
▫ Thus, these goals can be implemented very differently from country to country – some might fail to implement altogether (“cookie directive”)
Background: EU privacy law
• EU Data Protection Directive (1998)
▫ Prohibits transfer of personal data to non-EU countries that do not meet EU “adequacy” standards for privacy protection
• US/EU “Safe Harbor Framework”: standard procedures whereby personal data could be transferred to the US
Background: safe harbor
Components of the Safe Harbor Framework:
• Notice: must notify individuals about purpose of data collection
• Choice: must give individuals the choice of whether their personal information will be disclosed
• Onward Transfer: if transferring information to a third party, must follow the Notice and Choice principles
• Access: individuals must have access to their personal information, which can be amended, corrected or deleted
• Security: must take reasonable precautions to protect personal information
• Data Integrity: information collected must be relevant for the purposes for which it is to be used
• Enforcement: must be a readily available independent mechanism for resolving disputes.
Source: http://www.export.gov/safeharbor/eu/eg_main_018476.asp
Background: safe harbor (cont.)
• The “Safe Harbor Decision” (2000)
▫ Decided that by meeting the requirements of the Safe Harbor Framework, US companies adequately protected EU citizens’ data
▫ Allowed free flow of personal information between all 28 EU countries and US companies in compliance with the Scheme
Recent Changes: Facebook lawsuit
• “Europe v. Facebook Lawsuit”
▫ Maximilian Schrems: Austrian privacy activist
▫ Brought challenge to Safe Harbor Decision in European court
▫ Based on US companies’ sharing personal data with the US government
Recent Changes: safe harbor invalid
• European Court of Justice declares Safe Harbor Decision invalid (October 6, 2015)
• Cites Edward Snowden, finding that under the framework agreement, the U.S. does not ensure adequate protection of fundamental privacy rights
• Companies can no longer rely on the Safe Harbor certification
Major Changes: uncertainty
• Extremely broad ruling:
▫ Unclear how US companies can meet EU privacy requirements
▫ Threatens suspending all transfer of data to non-EU countries that violate EU privacy rights
• Uncertainty:
▫ Provides little to no guidance on compliance going forward
▫ Unclear what data transfer mechanisms are “adequate”
▫ Unclear what rules now apply to the ~4,400 companies operating under the Safe Harbor framework standards
Continuing Developments
• German data privacy authority (Schleswig-Holstein) issues position paper (10/14):
▫ Argues that after this decision, there is effectively no mechanism for lawful transfer of data to the US
• EU working group issues statement (10/19):
▫ “EU Model Contractual Clauses” and “Binding Corporate Rules” can still be used to lawfully transfer data from the EU to the US
The Legal Landscape
• Now, EU countries’ national authorities examine whether or not US companies are in compliance with EU directives
• Some countries might be friendlier than others
The Legal Landscape: reactions
Penny Pritzker, US Commerce Secretary: this ruling “puts at risk the thriving trans-Atlantic digital economy”
Facebook: “Facebook, like many thousands of European companies, relies on a number of the methods prescribed by EU law to legally transfer data to the US from Europe, aside from Safe Harbor”
Differing Reactions on Impact to US Business
The Legal Landscape: enforcement
• So, will the decision actually change much?
▫ What are most companies currently doing? (not much)
▫ What enforcement mechanisms exist?
▫ Who determines who is breaking the law?
▫ What can they do about it?
Enforcement: Russia
• New Russian Law:
▫ Any data about Russians must be stored in Russia
▫ An attempt at actual enforcement?
▫ How does this compare to the EU approach?
Enforcement:
• Who is the target of this decision?
• Does the EU’s concern with NSA information collection really have a connection to most US business?
• Is it just Facebook, Google, and Amazon?
Practical Steps: Options
• Wait and see
• If you have them, maintain Safe Harbor practices
• Review active contracts
• Update contracts/policies to comply with EU Model Policies and Rules
• Consider using EU-based providers without affiliates in the US
Questions?