Cloud:Is it Legal to Use American Cloud Services in Europe?

Martha BuyerLaw Offices of Martha Buyer, PLLC

East Aurora, NYwww.marthabuyer.com

www.marthabuyer.com

www.marthabuyer.com

Difference in Perception between EU and US

• Privacy as a matter of commerce in the U.S.

• Privacy as a fundamental human right in the EU• Right to be forgotten

www.marthabuyer.com

Once data crosses international borders, where is it “safe?”

• “it depends”

• Do you know where your cloud actually is?

• Guess what? It matters.

www.marthabuyer.com

Schrems v. Data Protection Commissioner (Case C-362/14)

• What the case means• Historical context

• 2000 decision enabled U.S. companies to self-certify that company practices ensured an adequate level of protection for personal data under the EU Data Protection Directive, thus permitting the company to transfer data from the EU to the United States.

• Schrems decision holds that U.S. law does not afford adequate protection to personal data

www.marthabuyer.com

What’s happened since the decision (October, 2015)

• Data transfers from the EU to the United States trigger the provisions of the EU Data Protection Directive and may come under scrutiny.

• Many companies utilize U.S.-based cloud services• If personal data is kept outside of a U.S. jurisdiction• Knowledge of compliance regs is required• So is compliance!

www.marthabuyer.com

Companies can no longer rely on “safe harbor” self-certification.

• Entities need to independently verify that company transfers of personal data from the EU to the United States meet the level of data privacy protection considered adequate by the EU Data Protection Directive.• http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046• http://ec.europa.eu/justice/data-protection/

• The European Commission recommends that entities consider using the EU-approved standard contractual clauses, the EU-approved Binding Corporate Rules, or the enumerated derogations under which data can be transferred. 

www.marthabuyer.com

Use of Standard Contract Clauses

• two sets of standard contractual clauses for transfers from data controllers to data controllers established outside the EU/EEA

• one set for the transfer to processors established outside the EU/EEA.

• http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm

www.marthabuyer.com

FCPAForeign Corrupt Practices Act

The Foreign Corrupt Practices Act of 1977, as amended, 15 U.S.C. §§ 78dd-1, et seq. 

• The anti-bribery provisions prohibit paying foreign officials to obtain or retain business.

• Accurate accounting and adequate internal controls are REQUIRED! • jurisdiction of the FCPA is far-reaching and hinges on the use of interstate

commerce by a U.S. or foreign person.

• Aggressive Enforcement• compliance policies to maintain watch over company actors to avoid

inadvertently violating the FCPA.

• http://www.justice.gov/criminal-fraud/foreign-corrupt-practices-act

www.marthabuyer.com

More FCPA• Department of Justice is happy to offer opinions on

compliance:U.S. Department of Justice

Criminal Division, Fraud SectionAttn: FCPA CoordinatorBond Building, 4th Floor

10th and Constitution Ave., NWWashington, DC 20530-0001

Fax: 202-514-7021Email -  FCPA.Fraud@usdoj.gov

www.marthabuyer.com

Protecting the Jewels

• WISP

• Protecting data within a company’s control

• Protecting data beyond the company’s walls

www.marthabuyer.com

Thank you!

www.marthabuyer.com