Contractual Solutions for Cross-Border Data Transfers: Dealing with the Practical Problems Robert L. Rothman Donald A. Cohn Privacy Associates International E. I. du Pont de Nemours and Company IAPP Summit, April, 2010 Preliminaries • Assume understanding of cross-border issues and available compliance alternatives • Focus on practical issues involved in implementing cross-border solutions Purpose The Purpose Of This Presentation Is To: • Point Out Problems And Complexities In Contracting With Suppliers And Affiliates • Ask How Can We Use A Contractual Approach To Satisfy Local Legal Requirements. • Examine Sample Data Flows Using a Hypo • Offer Possible Solutions To Some Of Those Problems And Complexities 3 The 4 Legs of the Privacy Stool Proportionality Registration Security Notice & Consent To Use Adequacy Mechanism To Transfer WE WILL FOCUS ON DATA TRANSFER ADEQUACY Voluntary Consent "Opt In" Customers Supppliers Others Employees Binding Corporate Rules EU PII Data Transfer Countries Deemed Adequate Safe Harbor EU ADEQUACY MECHANISMS Work Councils? Country DPA's Affiliate Transfers Canada Argentina Israel Switzerland Isle of Mann Isle of Gurnsey EAA Countries Annually Self Certify Need Processes Subject to Audit FTC Enforces Only US Co's Subject to FTC or DOT Model Clauses C to P C to C Failed USA Japan Australia Onward Transfer Agreements Safe Harbor Principles One to One One to Many Many to Many Contractual Clauses Other Contracts 27+ DPA Approvals *Notice *Choice *Onward Transfer *Sensitive Information *Security *Data Integrity *Access By Individual *Enforcement & ADR *Verification Examples of Where Contractual Solutions Are Used • EU Standard Clause Agreements – Controller to Controller: two flavors – New Controller to Processor Agreements • Safe Harbor Onward Transfer Agreements • Australia the recipient of the information is subject to a contract which effectively upholds principles for fair handling of the information that are substantially similar to the NPPs • Argentina An international entity provides an adequate level of protection if it arises from contractual clauses covering the protection of personal data • Japan • Israel Hypo • Global Enterprises, Inc., US Entity • Manufactures and sells widgets through Global entities in 34 countries – 24 subsidiaries EU countries – 9 subsidiaries in non-EU countries – 3 JVs – a majority owned, a 50-50, and a minority owned • Wants to have free transferability of employee HR data around Global • Wants to enter into world-wide agreement with California Computer Services (CCS) for global web hosting involving storage of PI • Wants contractual solutions Free Transferability of Employee Data EU Controller to Controller Outward Transfers EU SCC Bilateral Agreements Global’s Non-EU Entities USA Russia Japan Australia New Zealand Israel Canada Mexico Brazil China Saudi Arabia -------------Switzerland Argentina Controller to Controller SCCs Global EU Entity USA Russia EU SCC Bilateral Agreements 24 EU Countries In which Global Operates Japan Australia New Zealand Israel Canada Mexico Brazil China Saudi Arabia Switzerland Argentina Controller to Controller SCCs EU SCC Approval or Filing Requirements Prior approval required: Filing only required : Austria Czech Republic Luxembourg Netherlands Poland Romania Spain Belgium Cyprus Denmark Finland France Greece Malta Portugal Slovakia Safe Harbor Alternative Non-EU Global Entities EU Global Entities Global certifies for compliance with Safe Harbor for its HR Personal Data Onward Transfer Agreements Transfers under Safe Harbor Global USA Free Transferability of Employee Data Non-EU Transfers Japan Australia Argentina World-Wide Bilateral Agreement Solution to Global’s HR Transferability Problem Looks Like This: USA Russia Japan Australia New Zealand Israel Canada Mexico Brazil China Saudi Arabia Switzerland Argentina Bilateral Approach 24 EU Countries In which Global Operates Assuming Global still wants to go in this direction, what are some of the practical elements of actually getting these cross-border contractual solutions done? HR Solution: Global’s Administrative Issues • How to identify all of Global’s entities that have to be a party to an agreement? • Should each of the Joint Ventures sign? • Who has authority to sign the agreement at each entity? • How do you explain to those who have to sign, and others at each entity, what this is all about and why it is required? HR Solution: Global’s Administrative Issues • • • • • What has to be done by each entity to comply with the agreements? What has to be done centrally (e.g. IT security) to allow each entity to comply? What is the process for keeping track of who has signed the agreements and for retaining the docs How do you figure out when the agreements have to be approved by or registered with government authorities? Who actually files the agreements/applications? HR Solution: Global’s Administrative Issues • • • Who actually files the agreements/applications? Who keeps track of approvals received – and not received? What is the process to modify agreements when – rather than if - data flows change, rules change, corporate organization changes? Is there anyway to eliminate putting all those contracts in place and still allow Global to pass HR information among its operations? Simplification Strategy 1 • Consists of two parts: – Global certifies for Safe Harbor to get EU data to the US – All Global entities enter into a Personal Information Safeguard Agreement (PISA) • PISA would: – Establish the following obligations for Participating Entities when exporting personal information: • Comply with all domestic privacy laws before the transfer. • Give data subjects notice about the use of the personal information. • Comply with agreement rules for dealing with any proposed change of use. • Comply with the agreement rules for responding to data subjects’ requests for access to their personal information. • Train employees regarding their obligations. • Ensure that the personal data is accurate, complete, current, and reliable for the intended use. Simplification Strategy 1 – Establish the following obligations for Participating Entities when receiving personal data from a Participating Entity in another country: • Comply with the privacy laws of the country of the receiving unit. • Use the personal information only for the purposes included in the notice to the data subject. • Notify and obtain approval from the transferring unit for any proposed change in the use of the personal information. • Limit the transfer of the personal information to authorized parties. • Comply with the PISA rules for responding to data subjects’ requests for access to their personal information. • Train employees regarding their obligations. • Comply with Global’s technical, physical and administrative security policies. • Notify the transferring unit and Global US of any breach of security that involves personal data • Comply with specified rules for responding to inquiries by government authorities and others regarding personal information. • Comply with Global’s data retention. Simplification Strategy 1 • PISA could be hard copy with “agreement opt-in” sheets signed and mailed in to Global US as the administrative entity. • To increase efficiency, the PISA could be executed by an on line opt-in form that is executed by each entity under the electronic signature law of one of the US states (that would be the PISA’s governing law) • The PISA as described would: – Serve as an onward transfer agreement under Safe Harbor, thus allowing Global’s EU employee information to be sent to all Participating Entities – Serve as a sufficient primary legal basis for the cross border transfer of personal information from Japan, Australia and Argentina to the US, to the EU countries and to other jurisdictions with a Global presence • This reduces the number of agreements from 372 bilateral agreements to 1 multilateral agreement plus Safe Harbor and reduces the number of government approvals for the agreements to 0. • No government approvals required Strategy 1 Structure PISA Safe Harbor EU Countries Simplification Strategy 2 • Eliminate the Safe Harbor certification aspect of Strategy 1 • Create a PISA Heavy consisting of 2 parts: – Part A is exactly the same as in Simplification Strategy 1 – General Provisions applicable to Transferors and Transferees – Part B is applicable to exports of personal data out countries with very specific requirements not covered by Part A such as an EU Controller to Controller SCC (either flavor) – Each blank in the SCC and Annexes is completed by incorporating by reference a section of the PISA opt-in sheet, the document used by an entity to become bound to the PISA Heavy agreement PISA Heavy Structure Part I: General Rules Required Under Most Laws • • When a Participating Entity is acting as a Data Exporter it agrees to follow the data exporter rules in this contract When a Participating Entity is acting as a Data Importer it agrees to follow the data importer rules in this contract Part II: Specific Rules for Counties with Cross-Border Laws • • • With respect to all personal data exported from Australia, Participating Entities agree to comply with the following Australian rules. In case of a conflict with a Part I General Rule, the Australian rule shall prevail. With respect to all personal data exported from Argentina, Participating Entities agree to comply with the following Argentine rules. In case of a conflict with a Part I General Rule, the Argentine rule shall prevail. With respect to all personal data exported from an EU country, the following SCC (Controller to Controller) shall apply. – The full text of the SCC is reproduced – Blanks completed by incorporating by reference specific sections of the PISA Opt-in Form completed by each Participating Entity Part III • • Boilerplate Execution process Example: SCC Required Blanks • Name (written out in full): (Exhibit B to this PISA, Opt-in Signature Page is hereby incorporated by reference) • Data importer The data importer is (please specify briefly activities relevant to the transfer): (Exhibit B to this PISA, Opt-in Signature Page, Section 2 is hereby incorporated by reference) Pisa Heavy Opt-in Form Section 2: Activities of Transferor related to the transfer: (Check all appropriate or fill-in if category not listed) □ Sales and Marketing □ Human Relations □ Issuing of Securities □ Public Interest □ Other (Please list and be as descriptive as possible):___________________________________ __________________ Simplification Strategy 2 • Applicable law for Part B would be the law of the country of the data exporting entity • Privity of contract exists among each the Global entities: – For instance, privity between EU Subsidiary 6 and non-EU Subsidiary 20 can be demonstrated by producing the Agreement, the signed opt-in sheet for Subsidiary 6 and the signed opt-in sheet for Subsidiary 20. • The Controller to Controller SCC is applicable to all exports out of the EU • Requires approval of EU DPAs in countries where DPA’s have to review SCCs to assure a sufficient level of specificity in the annexes. Strategy 2 Structure PISA Heavy All of this has dealt with Global’s HR information problem – a controller to controller transfer – what about Global’s entering into a world-wide agreement with California Computer Services (CCS) for global web hosting involving storage of PI? Questions?