Contractual Solutions for
Cross-Border Data Transfers:
Dealing with the Practical Problems
Robert L. Rothman
Donald A. Cohn
Privacy Associates International
E. I. du Pont de Nemours and Company
IAPP Summit, April, 2010
Preliminaries
• Assume understanding of cross-border
issues and available compliance
alternatives
• Focus on practical issues involved in
implementing cross-border solutions
Purpose
The Purpose Of This Presentation Is To:
• Point Out Problems And Complexities In Contracting With Suppliers And Affiliates
• Ask How Can We Use A Contractual Approach To Satisfy Local Legal Requirements.
• Examine Sample Data Flows Using a Hypo
• Offer Possible Solutions To Some Of Those Problems And Complexities
The 4 Legs of the Privacy Stool
Proportionality
Registration
Security
Notice & Consent To Use
Adequacy Mechanism To Transfer
WE WILL FOCUS ON DATA TRANSFER ADEQUACY
EU ADEQUACY MECHANISMS
(Diagram: the mechanisms available for an EU PII data transfer, with the notes attached to each branch)
• Voluntary Consent ("Opt In"): Customers, Suppliers, Others, Employees; Works Councils?
• Binding Corporate Rules: Affiliate Transfers; 27+ DPA Approvals; Country DPAs
• Countries Deemed Adequate: Canada, Argentina, Israel, Switzerland, Isle of Man, Isle of Guernsey, EEA Countries; Failed: USA, Japan, Australia
• Safe Harbor: Annually Self Certify; Need Processes; Subject to Audit; FTC Enforces; Only US Co's Subject to FTC or DOT; Onward Transfer Agreements
– Safe Harbor Principles: Notice, Choice, Onward Transfer, Sensitive Information, Security, Data Integrity, Access By Individual, Enforcement & ADR, Verification
• Model Clauses: C to P, C to C; Contractual Clauses and Other Contracts: One to One, One to Many, Many to Many
Examples of Where Contractual
Solutions Are Used
• EU Standard Clause Agreements
– Controller to Controller: two flavors
– New Controller to Processor Agreements
• Safe Harbor Onward Transfer Agreements
• Australia
the recipient of the information is subject to a contract which effectively
upholds principles for fair handling of the information that are
substantially similar to the NPPs
• Argentina
An international entity provides an adequate level of protection if it arises
from contractual clauses covering the protection of personal data
• Japan
• Israel
Hypo
• Global Enterprises, Inc., US Entity
• Manufactures and sells widgets through
Global entities in 34 countries
– 24 subsidiaries EU countries
– 9 subsidiaries in non-EU countries
– 3 JVs – a majority owned, a 50-50, and a
minority owned
• Wants to have free transferability of employee
HR data around Global
• Wants to enter into world-wide agreement
with California Computer Services (CCS) for
global web hosting involving storage of PI
• Wants contractual solutions
Free Transferability of Employee Data: EU Controller to Controller Outward Transfers
(Diagram: EU SCC Bilateral Agreements. Each Global EU entity, in the 24 EU countries in which Global operates, signs a Controller to Controller SCC with each of Global’s non-EU entities.)
Global’s Non-EU Entities: USA, Russia, Japan, Australia, New Zealand, Israel, Canada, Mexico, Brazil, China, Saudi Arabia, Switzerland, Argentina
EU SCC Approval or Filing Requirements
• Prior approval required: Austria, Czech Republic, Luxembourg, Netherlands, Poland, Romania, Spain
• Filing only required: Belgium, Cyprus, Denmark, Finland, France, Greece, Malta, Portugal, Slovakia
Safe Harbor Alternative
(Diagram: Global USA certifies for compliance with Safe Harbor for its HR Personal Data. EU Global Entities transfer to Global USA under Safe Harbor; Global USA passes the data on to Non-EU Global Entities under Onward Transfer Agreements.)
Free Transferability of Employee Data: Non-EU Transfers
• Japan
• Australia
• Argentina
World-Wide Bilateral Agreement
Solution to Global’s HR Transferability Problem Looks Like This:
(Diagram: Bilateral Approach. Each of the 24 EU countries in which Global operates is paired with each non-EU entity: USA, Russia, Japan, Australia, New Zealand, Israel, Canada, Mexico, Brazil, China, Saudi Arabia, Switzerland, Argentina.)
Assuming Global still wants to go in this direction, what are some of the practical elements of actually getting these cross-border contractual solutions done?
HR Solution: Global’s Administrative Issues
• How to identify all of Global’s entities that have to be a party to an agreement?
• Should each of the Joint Ventures sign?
• Who has authority to sign the agreement at each entity?
• How do you explain to those who have to sign, and others at each entity, what this is all about and why it is required?
HR Solution: Global’s Administrative Issues
• What has to be done by each entity to comply with the agreements?
• What has to be done centrally (e.g. IT security) to allow each entity to comply?
• What is the process for keeping track of who has signed the agreements and for retaining the docs?
• How do you figure out when the agreements have to be approved by or registered with government authorities?
• Who actually files the agreements/applications?
HR Solution: Global’s Administrative Issues
• Who keeps track of approvals received – and not received?
• What is the process to modify agreements when – rather than if – data flows change, rules change, corporate organization changes?
Is there any way to eliminate putting all those contracts in place and still allow Global to pass HR information among its operations?
Simplification Strategy 1
• Consists of two parts:
– Global certifies for Safe Harbor to get EU data to the US
– All Global entities enter into a Personal Information Safeguard
Agreement (PISA)
• PISA would:
– Establish the following obligations for Participating Entities when
exporting personal information:
• Comply with all domestic privacy laws before the transfer.
• Give data subjects notice about the use of the personal
information.
• Comply with agreement rules for dealing with any proposed
change of use.
• Comply with the agreement rules for responding to data
subjects’ requests for access to their personal information.
• Train employees regarding their obligations.
• Ensure that the personal data is accurate, complete, current,
and reliable for the intended use.
Simplification Strategy 1
– Establish the following obligations for Participating Entities when receiving
personal data from a Participating Entity in another country:
• Comply with the privacy laws of the country of the receiving unit.
• Use the personal information only for the purposes included in the notice to the
data subject.
• Notify and obtain approval from the transferring unit for any proposed change in
the use of the personal information.
• Limit the transfer of the personal information to authorized parties.
• Comply with the PISA rules for responding to data subjects’ requests for access
to their personal information.
• Train employees regarding their obligations.
• Comply with Global’s technical, physical and administrative security policies.
• Notify the transferring unit and Global US of any breach of security that involves
personal data.
• Comply with specified rules for responding to inquiries by government
authorities and others regarding personal information.
• Comply with Global’s data retention.
Simplification Strategy 1
• PISA could be hard copy with “agreement opt-in” sheets signed
and mailed in to Global US as the administrative entity.
• To increase efficiency, the PISA could be executed by an on line
opt-in form that is executed by each entity under the electronic
signature law of one of the US states (that would be the PISA’s
governing law)
• The PISA as described would:
– Serve as an onward transfer agreement under Safe Harbor, thus
allowing Global’s EU employee information to be sent to all
Participating Entities
– Serve as a sufficient primary legal basis for the cross border
transfer of personal information from Japan, Australia and
Argentina to the US, to the EU countries and to other jurisdictions
with a Global presence
• This reduces the number of agreements from 372 bilateral
agreements to 1 multilateral agreement plus Safe Harbor and
reduces the number of government approvals for the agreements
to 0.
• No government approvals required
Strategy 1 Structure
PISA
Safe Harbor
EU Countries
Simplification Strategy 2
• Eliminate the Safe Harbor certification aspect of Strategy 1
• Create a PISA Heavy consisting of 2 parts:
– Part A is exactly the same as in Simplification Strategy 1 – General
Provisions applicable to Transferors and Transferees
– Part B is applicable to exports of personal data out of countries with very
specific requirements not covered by Part A, such as an EU Controller
to Controller SCC (either flavor)
– Each blank in the SCC and Annexes is completed by incorporating by
reference a section of the PISA opt-in sheet, the document used by an
entity to become bound to the PISA Heavy agreement
PISA Heavy Structure
Part I: General Rules Required Under Most Laws
• When a Participating Entity is acting as a Data Exporter it agrees to follow the data exporter rules in this contract
• When a Participating Entity is acting as a Data Importer it agrees to follow the data importer rules in this contract
Part II: Specific Rules for Countries with Cross-Border Laws
• With respect to all personal data exported from Australia, Participating Entities agree to comply with the following Australian rules. In case of a conflict with a Part I General Rule, the Australian rule shall prevail.
• With respect to all personal data exported from Argentina, Participating Entities agree to comply with the following Argentine rules. In case of a conflict with a Part I General Rule, the Argentine rule shall prevail.
• With respect to all personal data exported from an EU country, the following SCC (Controller to Controller) shall apply.
– The full text of the SCC is reproduced
– Blanks completed by incorporating by reference specific sections of the PISA Opt-in Form completed by each Participating Entity
Part III
• Boilerplate
• Execution process
Example: SCC Required Blanks
• Name (written out in full): (Exhibit B to this PISA, Opt-in Signature Page is hereby incorporated by reference)
• Data importer: The data importer is (please specify briefly activities relevant to the transfer): (Exhibit B to this PISA, Opt-in Signature Page, Section 2 is hereby incorporated by reference)
PISA Heavy Opt-in Form
Section 2: Activities of Transferor related to the transfer:
(Check all appropriate or fill in if category not listed)
□ Sales and Marketing
□ Human Relations
□ Issuing of Securities
□ Public Interest
□ Other (Please list and be as descriptive as possible): ___________________________________
Simplification Strategy 2
• Applicable law for Part B would be the law of the country of the data exporting entity
• Privity of contract exists among each of the Global entities:
– For instance, privity between EU Subsidiary 6 and non-EU Subsidiary 20 can be demonstrated by producing the Agreement, the signed opt-in sheet for Subsidiary 6 and the signed opt-in sheet for Subsidiary 20.
• The Controller to Controller SCC is applicable to all exports out of the EU
• Requires approval of EU DPAs in countries where DPAs have to review SCCs to assure a sufficient level of specificity in the annexes.
Strategy 2 Structure
PISA Heavy
All of this has dealt with Global’s HR information problem – a controller to controller transfer – what about Global’s entering into a world-wide agreement with California Computer Services (CCS) for global web hosting involving storage of PI?
Questions?