Binding Corporate Rules and Cross

Presentation Overview
• Speaker introduction and short summary
• Historical Overview
• Dating Game: Safe Harbor/Model Contracts/Binding Corporate Rules (BCR)
  – Hostess: Katia Bloom
  – Mechanism #1: EU/US Safe Harbor: Pete McGoff
  – Mechanism #2: BCR: K Royal
  – Mechanism #3: Model Clauses: Phil Lee
• Questions
Historical Overview: EU Data Protection Directive of 1995 (DPD)
• DPD describes how organizations should best handle, transfer and process personal information
• An organization can only transfer data outside of the European Economic Area (EEA) if an adequate level of protection exists for individuals’ privacy
Historical Overview: Model Contracts
• The European Commission created standard contractual clauses (known as model contract clauses) as a way to ensure adequate safeguards of personal information (for purposes of Article 26(2) of the DPD)
• Clauses were created (and subsequently revised) for controller/controller and controller/processor relationships
• Must have a contract between each and every entity (which, for large companies, can turn into a contract management nightmare)
• Currently most popular option
Historical Overview: Safe Harbor
• 1995: European Commission (EC) Data Protection Directive, which prohibits transfer of personal data to countries that do not meet the EU standard for adequate data protection
• 1998-2000: US/EU Safe Harbor Framework negotiated to bridge the gap between the US and EU systems of data protection
• 2000: Safe Harbor Framework finalized; eligible companies can self-certify that they are Safe Harbor compliant
• 2000-2013: Adoption of Safe Harbor grows and includes over 4,000 organizations
• June 2013: Snowden leaks give the EU the platform to say “We told you so.”
Historical Overview: Safe Harbor Post Snowden
• Prior to Snowden, EU regulators and partners were already skeptical because there was so little Safe Harbor enforcement from the FTC (and its limited jurisdiction over certain industries)
• Snowden causes EU regulators and partners to stop trusting the process; if your organization is actively working with EU companies, Safe Harbor just may not be sufficient any longer
• Future of Safe Harbor is very uncertain due to EU/US Safe Harbor reform discussions – though hard to know the actual resulting changes
• Currently, there is a suggestion that the EU's proposed General Data Protection Regulation could include a "sunset" clause for Safe Harbor
Binding Corporate Rules (BCR) to the Rescue
• BCR are the EU's response to all of the down sides of the currently existing solutions and attempt to overcome the aforementioned issues by facilitating export, but also providing the kind of accountability even the EU approves of
• Because EU data protection and privacy laws are so strict, complying with the BCR likely means your organization complies with data protection laws globally
• GDPR expressly promotes BCR
• BCR are designed by, and tailored for, the applicant organization so they reflect and respect your culture, processes, and business – they are not a regulatory-imposed solution, unlike model clauses.
• Down side: time and cost – this definitely is not a quick fix
Our Contestants
– Hostess: Katia Bloom
– Mechanism #1: EU/US Safe Harbor: Pete McGoff
– Mechanism #2: BCR: K Royal
– Mechanism #3: Model Clauses: Phil Lee
Question #1
• Mechanism #1, Safe Harbor, if I were a U.S. company with an online presence, tell me why I would choose you?
• Mechanism #2, BCR, you seem a little too large of an undertaking. Why would I choose you?
• Mechanism #3, Model Contracts, I am probably already using you to some extent; why and how can I stay away from Mechanisms #2 and 3?
Benefits of Each Mechanism
EU/US Safe Harbor
• Self-certification
• Widely adopted by US companies
• Enforced by a “known entity” regulator
• Permits data transfers from the EEA/CH to the US
Binding Corporate Rules
• Enables global data transfers within a group of companies
• Recognized as the “gold standard” for data exports – in the EEA and beyond
• Future proofed – mentioned explicitly in proposed data reforms
• Provides a comprehensive data governance framework
• Available for controllers and processors
Model clauses
• Very simple, tick box solution
• Universally recognized by all EEA DPAs
• Permits global data exports
• Available for controllers and processors
Question #2
• I am surprised that all of you only mentioned the EU. I am sure that there are more considerations than just the EU. Mechanism #2, BCR, can you speak to that?
• Mechanism #3, Model Contracts, although you only discussed the EU, you seem rather flexible and could apply in other countries. Please tell me more.
• Mechanism #1, Safe Harbor, you say you are limited to the EU and US. Is there anything about you that would help me in other countries?
Global Applicability
EU/US Safe Harbor
• Straightforward process, easy to adopt
• Good flexibility for subcontracting data processing
• Avoids the need for exponential model contracts
• The simplest solution if you are a US data importer
Binding Corporate Rules
• Can be tailored to internal culture and processes
• PR uplift – BCR are akin to a data protection trust mark
• Great relationship building with EU DPAs
• Institutes training, audit and compliance structure requirements
• Recognized throughout the EU – and beyond!
Model clauses
• Tried and trusted solution
• Very quick and easy to execute
• No need for regulatory approvals
• Enables transfers globally (not just US)
• Seldom (never?) enforced
Question #3
• Mechanism #1 (Safe Harbor), not every relationship starts with fireworks and flowers. How hard would I have to work to get you?
• Same question to you, Mechanism #2 (BCR).
• Mechanism #3 (Model Contract), we already have some relationship, but it doesn’t seem to be working perfectly. What do we need to do to make sure you are all I need?
Challenges
EU/US Safe Harbor
• Currently going through process of reform – uncertain what the outcome will be
• Uncertain future under EU General Data Protection Regulation
• Strictly speaking, a “controller-only” solution
• Not available to financial services clients, telecoms networks or NFPs
Binding Corporate Rules
• Not a process to be undertaken lightly
• Time commitment – authorization typically around 18 months.
• Resource commitment – organization needs to live up to its BCR commitments!
Model clauses
• Model clauses require a contract “per export”. Often leads to tens (if not hundreds) of contracts
• Very commercially unfriendly – strict restrictions on subcontracting, some joint and several liability
• Do not deliver compliance in practice – tick box solution.
Question #4
• If you are chosen, you have to learn how to live within my company, from executives down to front-line people. How do we build that relationship and would it take a long time?
Implementing
EU/US Safe Harbor
• Two approaches to self-certification: sign up to Safe Harbor and then bring practices into compliance; or full audit, remediation and then certification.
• Former is quick, cheap and easy – but the source of current concerns about Safe Harbor
• Latter almost as costly as BCR, but with fewer benefits
Binding Corporate Rules
• Mutual Recognition process means approval by a single authority binding in nearly all EU Member States
• BCR implementation requires creation of privacy compliance team, training program and audit schedule.
• Flexible – can be implemented for all data or just some data (e.g. customer data but not HR data)
Model clauses
• A tick box solution – sign the contract and you are done
• Meant to implement the contractual requirements – but who does this in practice?
• Any modification to the model clauses can trigger DPA review and approval requirements
Question #5
• I am going to ask the same question to all three. If I wanted to take you home to meet my executives, what would they not like about you?
Detractors
EU/US Safe Harbor
• EU Parliament and EU Commission consider it “Not So Safe Harbor”
• Concerns that self-certification commitments aren’t lived up to in practice
• Limited enforcement to date a source of criticism
• Equally mistrusted by EU customers (particularly German customers) and privacy groups alike
Binding Corporate Rules
• Considered the “gold standard” in the EU – by regulators and customers alike
• Historically, have had a bad reputation for complex and expensive approval process
• A rarer solution in practice, so uneducated EU customers may still push for Safe Harbor or model clauses.
Model clauses
• Privacy professionals not fans – burdensome to administer and do not deliver real compliance (though loved by EU regulators, whatever their limited practical effect)
• Very unpopular amongst cloud suppliers due to subcontracting restrictions and need for exponential contracts
Question #6
• Let’s talk about sensitive stuff, especially sensitive data. What can you handle and how?
Sensitive Data
EU/US Safe Harbor
• Can be used to transfer sensitive information
• Explicit opt-in required for transfers to a third party or re-purposing
• Not clear what is “sensitive” for Safe Harbor purposes – uses the term “sensitive information” rather than the EU term “sensitive personal data”
Binding Corporate Rules
• Can be used to transfer sensitive data
• No express requirements for sensitive data, save that it must be processed in accordance with EU standards
Model clauses
• Can be used to transfer sensitive data
• Data exporter must inform individuals that their data is being sent to a processor in an ‘unsafe’ country
• Onward transfers to third parties generally require consent
Question #7
• I also want to know if I choose you, would we party with any of the other data laws?
Interoperability
EU/US Safe Harbor
• Allows data transfers from the EU and Switzerland
• Beyond that, limited global interoperability – an “inbound” data transfer solution only
Binding Corporate Rules
• A global solution – BCR meet and exceed most countries’ data protection requirements
• Ensure high standard of protection for data transfers from EU to RoW and by and between RoW countries
• Compatibility with APEC Cross-Border Privacy Rules (BCR for Asia-Pac)
Model clauses
• Permits data transfers from EU to anywhere in the world
• Envisages only one-way transfer flows – from EU to RoW, not the other way around
Question #7
• Let’s be brutally frank here: are you expensive, what is the most expensive part about you, and how can I save costs?
Costs and Effort
EU/US Safe Harbor
• Depends on whether you take the ‘certify now / fix later’ or ‘fix now / certify later’ approach
• Simply submitting a Safe Harbor certification is minimal cost – little paperwork involved
• Real expense is in audit to bring practices in line with Safe Harbor commitments – depending on size of organization, can be $$$
Binding Corporate Rules
• A commitment in terms of time, cost and resource
• Typical budget about US$220,000, depending on efficiency and “lead authority”
• Timescale for authorization around 18 months start to finish
Model Clauses
• Very cheap
• Standard form contract, populate the annex (describing data, processing etc.), sign and you are done
Question #8
• Again, to all three of you: if I tell you that I am a small company with an online presence, would that change any of your answers – and you can speak to any of the topics we have touched on. Would my size make a difference? (and be careful, I have delicate feelings).
Large vs. Small Company
EU/US Safe Harbor
• Solution equally viable for large and small companies
• Commonly used by US start-ups – like a “home grown” solution and sold by their US counsel
• Administratively much simpler than model clauses
Binding Corporate Rules
• Solution geared towards high growth or blue chip businesses due to time and resource commitments
• But process getting simpler and BCR are becoming more attractive to smaller companies as doubts about Safe Harbor persist
Model Clauses
• Really only works well for small companies
• Large companies need exponential number of model contracts to meet their data transfer needs
• Impossible to use in a cloud environment!
Question #9
• If we were in a relationship and broke the rules, who would we have to answer to and what could they do to punish me?
Enforcement
EU/US Safe Harbor
• Enforcement by FTC
• >20 cases of enforcement to date – and most in 2014!
• Enforcement by EU DPAs for HR data
• Need for third party dispute resolution provider
Binding Corporate Rules
• Enforcement by EU DPAs
• Individuals have third-party rights as well
• Processors can be held liable for breaches by their controller (but very unlikely)
• Internal complaints procedure intended to resolve most complaints – so seldom (never?) brought to attention of DPA
• No known DPA enforcement to date
Model clauses
• Enforcement by EU DPAs
• Individuals have third-party rights as well
• Some model clauses include joint and several liability provisions
• Processors can be held liable for breaches by their controller (but very unlikely)
• Seldom (never?) enforced in practice
Question #10
• This is your last chance to impress me. If I met you on an elevator and knew nothing about you, how would you introduce yourself to me?
Experiences
• Box: EU/US Safe Harbor certified, undergoing BCR application
• Align: Successfully closed dual controller/processor BCR application
It’s Time to Pick the Winner!
• To the audience: are there any questions you want answered that would help me make the right choice?