recap: why we're here - dla piper/media/files/insights... · 2015-12-08 · safe harbor...
TRANSCRIPT
Safe Harbor Invalidation Next Steps: EU Model Clauses – Do's and Don'ts
This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.
Monday, November 30, 2015 | 12:00 p.m. EST
Today's speakers
Carol Umhoefer, Partner, DLA Piper, Paris
Thomas Jansen, Partner, DLA Piper, Munich
Diego Ramos, Partner, DLA Piper, Madrid
Recap: Why We're Here
ECJ Safe Harbor Decision and Aftermath 1
On October 6, 2015, the European Court of Justice declared the EU-US Safe Harbor program invalid
The transfer of personal data to the US on the basis of Safe Harbor was prohibited with immediate effect
All companies that transfer personal data based on Safe Harbor – or use processors that transmit personal data to the US on the basis of Safe Harbor – must immediately consider and implement alternative transfer mechanisms
On October 16, 2015, the Article 29 Working Party announced a grace period for enforcement until January 31, 2016. In the meantime, model clauses and binding corporate rules are considered valid transfer mechanisms
ECJ Safe Harbor Decision and Aftermath 2
On October 14, 2015, the Independent Centre for Privacy Protection of the Federal State Schleswig-Holstein (“ULD”), one of 17 Data Protection Authorities (DPAs) in Germany, published its position paper on the ECJ Safe Harbor decision.
On October 26, 2015, the German Federal Data Protection Officer and the Data Protection Authorities (DPAs) of the German Federal States (together “Datenschutzkonferenz” – DSK) issued a joint statement questioning the admissibility of data transfers to the US based on model clauses or BCRs and stating that they will not approve new transfers based on binding corporate rules or data export agreements.
ECJ Safe Harbor Decision and Aftermath 3
On November 6, 2015, the European Commission issued a communication on transfers from the EU to the US, including a reaffirmation of the conditions for using model clauses:
  Transfers to third countries which have not been found to ensure an adequate level of protection are permissible if the controller adduces appropriate safeguards by means of contractual clauses binding on the exporter and importer of the data
  Parties may supplement model clauses with non-contradictory terms
  Model clauses are both more limited (applying to specific data flows) and more broad (not limited to a specific country)
  National authorities are in principle under the obligation to accept model clauses
The Article 29 Working Party has stated that it will continue to analyze the impact of the Schrems decision on model clauses
Risks of Not Acting
Breach of contracts and exposure to damages and/or triggering of termination rights
User/customer/employee complaints made with the controller (or processor)
User/customer/employee complaints to the DPA
Orders and fines by DPAs (esp. Spain, Germany)
Potential interruption of business in Europe
Potential loss of business in Europe
Alternatives to Safe Harbor
Consent of data subject (legally uncertain except for one-off transfers; often problematic in practice)
Transfers to 'white-listed' countries: Andorra, Argentina, Australia (PNR data only), Canada (some types of data), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay
Binding Corporate Rules
Ad hoc agreements
European Commission approved 'model clauses' (standard contractual clauses)
Using the Model Clauses
Model Clauses Pros and Cons
Cons
  No flexibility on essential terms
  May also come under scrutiny of the DPAs in the near future
  Do not address all transfer patterns
  Additional legal basis (e.g., consent) may be required in some EU Member States
  Acceptance/confirmation/approval procedure in some EU Member States
Pros
  Quick and efficient
  Standard template
  May be used in relation to third parties which are not members of the group
  Low cost
Selecting Model Clauses
Model clauses for the transfer of personal data to controllers established in third countries approved by Commission Decisions in 2001 and 2004
  Liability: Joint and several (2001); exporter liability in the first instance, otherwise importer liability (2004)
Model clauses for the transfer of personal data to processors established in third countries approved by Commission Decision in 2002; now superseded by Commission Decision of 2010
In March 2014, G29 published model clauses for the transfer of personal data from an EU processor to a non-EU sub-processor, but they have not been approved by the European Commission
Currently, model clauses only apply when the "exporter" (transferor) is a controller established in the EU
Key Provisions and Hidden Risks
Third-party beneficiary clause stating that data subject has rights under the clauses
Data exporter obligations to comply with data protection law
Data importer (controller or processor) accepts jurisdiction where exporter established
Data importer (controller) submits to audits by exporter; data importer (processor) submits to audits by exporter or DPA; subprocessor submits to audits by DPA
Processor subcontracting: Subject to prior approval by the data exporter
Need details of transfers: The nature and extent of data to be transferred
Need to specify personal data security measures
Future-proofing contractual arrangements
Common Model Clauses Transfer Scenarios 1
Common Model Clauses Transfer Scenarios 2
Supplementing Model Clauses
National authorities are in principle under the obligation to accept model clauses
Generally, the model clauses must be unchanged, i.e., they must not be altered
Alterations will trigger additional requirements, principally authorization by data protection authorities
Even unaltered model clauses may need approval by the data protection authority in some countries (Belgium, France, Spain …)
Some countries (Germany, Italy, Poland, Spain …) nonetheless require additional clauses
Focus on Model Clauses in Germany
The German Federal Data Protection Officer and the DPAs of the German Federal States (together “Datenschutzkonferenz” – DSK) issued a position paper questioning the validity of all methods of data transfer to the US in light of the ECJ decision.
However, EU Model Clauses currently remain a valid method of data transfer to the US and third countries. No authorization is required.
National DPAs still have authority to prohibit transfers based on EU Model Clauses and impose fines
  In such a case, an affected company should appeal the DPA decision and fine to a German court
The consent of the data subject also remains a valid basis for data transfer, provided it is transparent, freely given, and conforms to the conditions set forth by the DPAs
Focus on Model Clauses in Spain
Transfers based on model clauses – even identical model clauses – are not legal per se. Unless valid data subject consent is obtained, transfer pursuant to model clauses requires an export permit from the Spanish data protection authority (AEPD).
Applications for export permits can include model clauses-based agreements but also any other set of clauses that meets the Spanish data protection authority's concerns.
Typical additional requirements sought by AEPD, on top of adequate agreements between the parties, include a detailed description of the security measures to be applied, additional disclosures on staff management and even face-to-face visits of AEPD investigators with the data importer abroad.
The entire authorization procedure may take 5/6 months.
Schrems-related enforcement is expected to start February 2016.
Other Issues
Updating privacy notices (policies, statements) that refer to Safe Harbor
Updating contracts that require adhesion to Safe Harbor
Adapting Safe Harbor annual re-certification to model clause audit requirements
Consulting or obtaining approval from works councils / trade unions
Updating registrations with data protection authorities
UPDATES
Subscribe to our Privacy Matters blog for regular updates: http://blogs.dlapiper.com/privacymatters/
Access our Data Protection Laws of the World Handbook at www.dlapiperdataprotection.com