EY Human Capital Conference 2012: Global HR - Data privacy and global mobility

2012 Human Capital Conference, 23-26 October: Data privacy and global mobility

Upload: ey

Post on 22-Nov-2014

DESCRIPTION

This presentation explores the management of international transfer of data: complex rules/selection of a transfer strategy and existing tools. The security of personal data is critical and subject to public scrutiny: this presentation looks at examples of data breaches/best practices. Plus how to anticipate the new EU data protection framework requirements.

TRANSCRIPT

Page 1: EY Human Capital Conference 2012: Global HR - Data privacy and global mobility

2012 Human Capital Conference, 23-26 October

Data privacy and global mobility

Page 2

Disclaimer

► Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited located in the US.

► This presentation is ©2012 Ernst & Young LLP. All rights reserved. No part of this document may be reproduced, transmitted or otherwise distributed in any form or by any means, electronic or mechanical, including by photocopying, facsimile transmission, recording, rekeying, or using any information storage and retrieval system, without written permission from Ernst & Young LLP. Any reproduction, transmission or distribution of this form or any of the material herein is prohibited and is in violation of US and international law. Ernst & Young LLP expressly disclaims any liability in connection with use of this presentation or its contents by any third party.

► The views expressed by panelists in this session are not necessarily those of Ernst & Young LLP.

Data privacy and global mobility, Page 2

Page 3

Presenters

► Fabrice Naftalski
  ► Ernst & Young Société d’Avocats
  ► Attorney at Law/Partner
  ► Head of IP/IT Law
  ► [email protected]
  ► EuroPriSe legal expert and CIPP/E

► Dr. Peter Katko
  ► Ernst & Young Law GmbH
  ► Attorney/Partner
  ► Head of IP/IT Law
  ► [email protected]
  ► EuroPriSe legal expert

Page 4

Agenda

► Data privacy in global mobility
► Focus 1: Management of international transfer of data: complex rules/selection of a transfer strategy and existing tools
► Focus 2: Security of personal data is critical and subject to public scrutiny: examples of data breaches/best practices
► What’s next: How to anticipate the new EU data protection framework requirements

Page 5

Data privacy in global mobility

Page 6

Global mobility triggers recurrent and important personal data transfers

► International assignments involve various flows of personal data*, subject to data protection regulation:
  ► Name, gender, address, identification card number, residence permit number, nationality, passport number, family situation, phone number, educational background and career experience related data, record of performance evaluation related data, etc.
► Specific data privacy aspects related to mobility programs:
  ► Processing of the data of expatriated employees
  ► Management of the data flows and international transfers between the group companies

*Information that can be used to identify, contact or locate a natural person or can be linked to other sources to identify this individual.

Page 7

Rationale for data protection

► Human rights law:
  ► Universal Declaration of Human Rights
  ► European Convention on Human Rights
  ► Charter of Fundamental Rights from 7 December 2000
  ► National constitutions
► EU directive
► OECD guidelines
► Consumer and security regulation (US)
► Asia Pacific Economic Cooperation (APEC) framework

Page 8

Global trend towards more data privacy regulation

(World map slide; country annotations reconstructed from the extracted text.)

► South Korea:
  ► Act on the Protection of Personal Data (2011)
► Philippines:
  ► Bill on data protection based on EU-directive 95/46 (March 2012)
  ► Bill is supposed to reduce the concerns regarding an outsourcing to Philippine companies
► US:
  ► Consumer Privacy Bill of Rights
  ► FTC recommendations on privacy on the internet
► Costa Rica and Colombia:
  ► Data protection legislation based on the 1995 EU Data Protection Directive
► India:
  ► Strives to become a safe third country
  ► New Data Protection Act (regarding IT-topics) in 2011
► Australia and Hong Kong:
  ► Intend to strengthen data protection
► Peru:
  ► New Data Protection Act (2011) inspired by the Spanish Data Protection Act and the APEC (Asia-Pacific Economic Cooperation) Privacy Framework
► New Zealand:
  ► Safe third country
► Brazil:
  ► Work in progress: Data Protection Act based on the EU-directive

Page 9

Data privacy in the US: US Consumer Privacy Bill of Rights

► Self-commitment:
  ► Catalog of rights regarding consumer data protection
  ► Catalog of rights leads to a better protection of consumers’ privacy on the world wide web
  ► Goal: contribution to the improvement of the international “interoperability” and additions to the Safe Harbor Agreement with the EU
► Better recognition of the mutual data protection standards
► Enforcement by the Federal Trade Commission (FTC)

Page 10

EU framework to protect personal data

► Legal framework in Europe:
  ► EU Law (Personal Data Protection Directive 95/46 and Privacy Directive 2002/58)
  ► Local data protection laws corresponding to Member States implementation
  ► Article 29 Working Party group and National Data Protection Regulator’s soft law
► Data protection regulators:
  ► Authorize certain data processing and transfers outside the EU/EEA
  ► Control compliance with data protection law
  ► Sanction breaches of the law
  ► Act also as "jurisdiction" in certain countries
► Sanctions for the violation of data protection legislation:
  ► Criminal sanctions
  ► Administrative sanctions including monetary penalties
  ► Damage to the image of the company

Page 11

Overview of requirements and sanctions: Main EU data protection principles to comply with

All personal data must:

1. Be processed fairly and lawfully
2. Be obtained for only one or more specified and lawful purposes
3. Be adequate, relevant and not excessive
4. Be accurate and kept up to date
5. Be kept no longer than necessary
6. Be processed in accordance with the identifiable person’s rights
7. Be kept secure
8. Not be transferred to third parties outside of the European Economic Area (EEA), unless certain conditions are met

Compliance topics shown alongside the principles in the slide diagram: Legal basis to process personal/sensitive data; Information obligation; Transfer requirements; Security measures; Data subject rights; Filing requirements.

Page 12

Why is data privacy compliance critical when monitoring mobility programs?

► Because organizations are more complex and global, data is no more static and hosted in one place:
  ► Security of data is more challenging
  ► International data flows are more numerous
► Because employees’ data is a strategic and very sensitive asset
► In this context, maintaining a secure and compliant environment is a growing challenge

Page 13

Focus 1: Management of international transfer of data

Page 14

Management of international transfer of data under European Union law

► Transfer between group entities:
  ► Considered as a disclosure by transmission even within one Member State
  ► Subject to justification (need of employment, intra-group outsourcing, group interest)
► EU Directive 95/46 was the first international instrument dealing with the issue of the transfers of personal data to third countries:
  ► One stated objective of the Directive is to allow the free flow of personal data between Member States, based on agreed-upon principles of personal data protection
  ► At the same time, transfers of personal data to third countries require special consideration
► Applicability of EU law:
  ► Transfer differs from mere transit. Therefore, personal data may be routed through a third country without considering this operation as a transfer if no substantive processing operation is conducted on the data in the third country
  ► It involves hosting but also mere access from non-EU countries to data hosted in the EU

Page 15

Complex rules for the management of international transfer of data

► EU general principles regarding data transfers:
  ► The data controller may not transfer personal data to a state that is not a Member State of the EU if this state does not provide a sufficient level of protection of individuals’ privacy, liberties and fundamental rights.
  ► If a third country has enacted a generally applicable privacy law that the European Commission deems “adequate,” the country is eligible to receive personal data from Europe (Switzerland, Isle of Man, Canada, Argentina, Israel, Uruguay, Guernsey, European Economic Area countries)
  ► If not, the following legal tools must be implemented to transfer personal data from Europe, not country-by-country, but company-by-company:
    ► Safe Harbor
    ► Standard contractual clauses of the EC
    ► Binding corporate rules

Page 16

Strategies for international transfer of personal data

► Lack of a so-called group privilege (often criticized by companies):
  ► Data exchange between affiliates is regulated under data protection laws as a transfer between third parties
► The strategy to adopt should be determined regarding the specificities of the company and its activity (size of the company, number and locations of affiliates and processors, etc.):
  ► The EU standard contractual clauses export European principles concerning the processing of personal data to all companies receiving the data
    + : “ready-to-be-signed”
    - : potentially numerous contracts to be concluded
  ► In the case of US companies, they can agree to comply with data protection laws on the European model as part of the Safe Harbor self-certification process
    + : self-certification process
    - : only for US companies; liability before the FTC
  ► Important groups, in consultation with the data protection regulatory agencies, can adopt Binding Corporate Rules (BCRs) to facilitate transfers between all entities within the group
    + : cover all data transfers within a group
    - : implementation process may be complex

Page 17

Management of international transfers of data: Focus on the BCRs

► Definition of the BCRs:
  ► BCRs are a set of internal guidelines, similar to a Code of Conduct, that establish policies for transferring personal information within the organization and across international boundaries.
► BCRs benefits:
  ► Elimination of contracts for each transfer
  ► Mitigation of risks from data transfers to third countries
  ► Consistency in data protection strategies and practices within the organization
  ► In-house awareness of privacy issues
  ► A way to achieve accountability within the organization
► Implementing BCRs (process diagram on the slide):
  ► Designate a lead DPA
  ► Draft BCRs
  ► Circulate BCRs to relevant DPAs
  ► EU cooperation procedure
  ► Close the procedure/implement BCRs

Page 18

Focus 2: Security of personal data is critical and subject to public scrutiny

Page 19

Security of personal data: Elements of context

► A highly publicized issue:
  ► ABC Corporation:
    ► External intrusion in the PlayStation Network:
      ► Data from approximately 77 million accounts were stolen
      ► Several legal actions have been engaged against ABC Corporation
      ► Loss of trust/damage to the image of the company
      ► Impressive fall in the share price

Page 20

Security of personal data: Elements of context

► Focus on HR data:
  ► External intrusion:
    ► The “hacktivist” group called Anonymous succeeded in obtaining and publishing a database containing the emails and other material related to a big pharma’s employees
  ► Internal mistake:
    ► The HR of Company B accidentally sent an email to 300 employees revealing wage levels, proposed increases and comments of HR services concerning the evaluation of the employees

Page 21

Security of personal data: Technical and legal leading practices

► IT risk has privacy implications:
  ► More and more countries have or are adopting data privacy regulations with strong security requirements:
    ► In the EU, certain countries such as Spain, Italy, Portugal, Germany are very demanding in terms of security
    ► In the past years Mexico enacted a comprehensive privacy law, as did South Korea, Peru, Colombia or Costa Rica
    ► In 2011, India enacted a controversial new privacy regulation
    ► Breach notification requirements are emerging in many countries from Latin America (Brazil, Uruguay and Mexico) to Europe (draft regulation) and Japan in the Asia-Pacific region
► Regulators will always be in a position of having to react to the challenges new technologies present

Page 22

Security of personal data: Technical and legal leading practices

► Questions to consider:
  ► Does your network architecture design route data from different countries to a central location?
  ► Do you have a good knowledge of data privacy regulations in the countries where expatriates are located or where their data is processed?
  ► Have the privacy regulations in the jurisdictions in which you operate changed in the last years?
  ► If you outsource to countries with new or updated privacy regulations, have you considered what impact that may have on your business in these countries?
  ► If you are transferring data to countries with new or updated regulations, have you considered the impact of those regulations on your local or expatriated employees?
  ► Have you identified solutions to address compliance needs and limit the risk of inappropriate access and exposure of personal information across the organization?

Page 23

Security of personal data: Technical and legal leading practices

► Tools to address compliance needs and IT risks:
  ► Cartography of security requirements in local data protection laws
  ► Accountability within the organization
  ► Improve internal monitoring and identify privacy professionals within the organization
  ► Organize security and privacy audits on a regular basis
  ► Set up privacy impact assessment/privacy by design
  ► Reinforce employees’ awareness (internal policies and training of the employees)
  ► Secure contractual relationship with processors

Page 24

What’s next: How to anticipate the new EU data protection framework requirements

Page 25

Illustrations of the main changes provided by the new EU regulation currently in draft version

► Increased responsibility and accountability for those processing personal data:
  ► Breach notifications
  ► Application of EU rules to companies active in the EU market (even if not established in the EU)
  ► “Principle of accountability”
  ► Obligation to appoint Data Privacy Officers
  ► New obligations applicable to data processors
► Simplification:
  ► A “one-stop-shop” for data protection: only one set of data protection rules valid across the EU and one responsible data protection authority, the national authority of the Member State in which the company has its main establishment
► Right to be forgotten
► Maximum penalty of 2% of the groupwide annual turnover
► New rules regarding transfer to third countries, consistency mechanism, role of the EC, European Data Protection Board, supervisory authorities, etc.
► Still open for national rules on privacy in employment
► Still no group privilege but promotion of BCRs

Page 26

How to anticipate the new EU data protection framework requirements

► Practical steps to comply:
  ► Perform privacy audits and regular privacy impact assessments
  ► Perform regular training
  ► Appoint a data protection officer
  ► Implement BCRs to meet transfer and future accountability requirements
  ► Stay aware of developments

Page 27

Questions