307 - Preparing for EU 2015 Data Protection Rules

Gary Chun, Senior Corporate Counsel, Covance Inc.
Laura Hamady, Assistant General Counsel Privacy, eCommerce & Retail, Levi Strauss & Co.
Mark Diamond, President & CEO, Contoural, Inc.
Tom Mighell, Senior Consultant, Contoural, Inc.

Legal Information Is Not Legal Advice
Contoural provides information regarding business, compliance and litigation trends and issues for educational and planning purposes. However, legal information is not the same as legal advice, which is the application of law to an individual's or organization's specific circumstances. Contoural and its consultants do not provide legal advice. Clients should consult with competent legal counsel for professional assurance that our information, and any interpretation of it, is appropriate to each client's particular situation.

EU Data Protection Directive
• EU DP Directive (1995)
• Personal data
• Controller and Processor: where data is processed in the EU
• Transfers of personal data outside the EU
• Model clause agreements and US Safe Harbor
• Different laws within Europe, and different DPAs and standards
• 2012: draft EU DP Regulation

Privacy Principles
• Notice, purpose, consent, security, disclosure, access, accountability
• Ongoing negotiations between the EU Parliament, Council and Commission
• Expected adoption in 2015
• Expected enforcement in 2017

Who Are You?
• US company?
• US company with EU affiliates?

What Should You Already Be Doing to Comply with Current Requirements?
• Privacy Policy and Procedures
• Privacy Governance Organization
• Training for Employees
• Privacy Notices
• Information Security
• Audit Procedure
• Breach Response Process

Proposed Changes to EU Data Protection Regulation
• Directive to Regulation: harmonize rules across the EU
• Extends to all foreign companies processing data of EU residents
• Incorporates privacy by design
• Significant penalties: up to 5% of annual worldwide turnover (revenues)
• Notification of data breaches
• Data Protection Officer
• Right to be forgotten / erasure

What's Driving the Changes?
• Desire to harmonize regulations across the EU: the Directive relies on individual countries to enact laws, whereas the Regulation will be consistent across borders
• The 1995 Directive isn't up to date with current technology
• Unhappiness on the EU side with Safe Harbor
• Concern about privacy standards and abuses in other territories
• Protectionism

Estimated Timeline for Regulation Implementation
• 2014: Negotiations on amendments; finalize the Regulation
• 2015: Regulation becomes law
• 2016-2017: Member States have 2 years from enactment to bring the Regulation into effect

Right to Be Forgotten
New Article 17: "The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, and to obtain from third parties the erasure of any links to, or copy or replication of that data...."
• Who is the controller?
• Does this apply to third parties?
• Non-European companies must apply EU rules when offering services to European consumers
• Burden of proof reversed: the burden is now on the controller to prove the data is still relevant
• Balance against freedom of expression and the press

Google Spain v AEPD and Mario Costeja González (2014)
• González lodged a complaint with the Spanish Data Protection Agency asking that a link to a newspaper article about him be removed
• The European Court of Justice ruled that an internet search engine must consider requests from individuals to remove links to freely accessible web pages resulting from a search on their name
• The ruling related solely to allowing people to request that their names not show up in search results when the information is "inadequate, irrelevant or no longer relevant"
• Google and other providers are creating processes to allow individuals to have links to their names removed
• The proposed EU Data Protection Regulation would be interpreted much more broadly

Be Prepared for Right to Be Forgotten and Subject Access Requests
• Establish a chain of command: train customer service and any other employees who may receive such requests
• Understand where the data is: which databases, which backups, etc.
• Create a response timeline: be able to respond quickly

What Do You Need to Know?
• What data do you have? PII? Sensitive PII?
• How do you receive the data you have? Directly from the data subjects? From a third party?
• Whose data do you have? Who are your data subjects?
• Who can access the data? What access controls are in place?
• Where is the data stored? Cloud? Servers? File shares? BYOD?
• How long is data kept? Is there a records retention schedule in place?

What Do You Need to Do?
(Slide diagram: data transfer mechanisms between "Locally (in the EU)", "US HQ" and "Rest of the World": local filings, local notices, Binding Corporate Rules, SCC/Model Clauses, Safe Harbor)
• Make sure that you have made all currently required disclosures and that they are accurate
• Follow current regulations until the Regulation is finalized and implemented; the one-stop shop principle is controversial

Understanding Data Practices
• Internal audits
• Identify data collection points
• Locate databases
• Map data flows

Creating a Data Map
A Data Map is an inventory of the data sources that inform prevention activities. It tells you what you have, where it is, and who is responsible for managing it. Common types of data maps include:
• Application & Infrastructure
• eDiscovery
• Records & Content Management
• Compliance
• Privacy & Sensitive Information
A Data Map may be a document, a diagram, a database, or an application.

The Future of Safe Harbor
• Recent calls for suspension by the EU: complaints about lack of US enforcement and oversight
• Self-certification is not trusted: perception vs. reality?
• EU recommendations for improving Safe Harbor: transparency, redress, enforcement, access by US authorities
• Prediction: Safe Harbor will survive
• But see Schrems vs. Facebook: is Safe Harbor incompatible with European human rights standards?

Impact on Binding Corporate Rules
• Expressly validated by the Draft Regulation
• Strong backing by EU data protection authorities
• Safe Harbor is under increasing strain, and even model contracts are scrutinized more closely
• Binding Corporate Rules (BCRs) are now more familiar to companies and consumers
• BCRs are easier to get than before: 12-18 months vs. 4 years

Impact on Data Transfer Agreements
What is happening with data transfer agreements?
The Draft Regulation offers 3 data transfer solutions:
• Adequate countries
• Appropriate safeguards (such as BCRs, SCCs, Safe Harbor)
• Clearly defined specific situations (such as during an investigation)

Impact on Storing Data in the Cloud
• Data residency requirements apply to cloud storage
• Cloud solutions need to support: data residency; appropriate security controls; the ability to search for PII within individual documents; better metadata

Vendors Are Often Part of the Gap
• Does the vendor have a Records Retention Policy that is enforced?
• What does the Service Level Agreement with the vendor say regarding record retention?
• Has the vendor been audited, by internal self-audit or by an external regulatory authority, regarding its data privacy protections?
• Does the vendor have a written Information Security Program applicable to all records potentially subject to privacy regulations?
• Does the vendor have U.S. Safe Harbor certification?

Conflict or Inconsistency with Other Regulations within the EU
• EMA policy on clinical trial data transparency
• Delayed to Oct 2 meeting (*need to update based on meeting)
• Considering impact on R&D and industry concerns
• Need to protect patient data and commercially confidential information
• May be inconsistent with the scope of the consent in informed consent forms

Conflict or Inconsistency with Jurisdictions Outside the EU
• Revelations of massive government surveillance are a major source of conflict with non-EU countries, particularly the US
• US Patriot Act
• Dissatisfaction with US Safe Harbor
• Encryption restrictions in some territories (Russia)

Impact of Dealing with Data Breaches
New Regulation: notice of a data breach must be given to the supervisory authority within 24 hours of detection, where feasible.
What You Should Do NOW:
• Update (or create) your Breach Notification Process
• Conduct a data protection audit: identify potential weaknesses
• Assess / enhance detection and response capabilities

Best Practice for Breach Response:
• Isolate compromised systems
• Preserve relevant information
• Make the required disclosure(s)
• Investigate the cause of the breach and remediate

Is It Time to Rethink Your Privacy Strategy? What do I need to update or change?
• Follow local laws until the Regulation passes
• Consider holding off on BCRs: you may need to start the process over, and the Regulation will likely make the process easier
• Remember that the Regulation isn't final yet
• Get serious about information governance

Privacy by Design
Article 23: "The controller shall implement mechanisms for ensuring that, by default, only those personal data which are necessary for the purposes of the processing are processed."
• Safeguards built into products/services
• Privacy-friendly default settings (Hello, Facebook)
• Collaboration with IT
• Duty to remediate existing systems?

Addressing the Middle: The Data Privacy Compliance Gap
(Slide diagram: between Security Policies on one side and a Breach Response Plan on the other sits the gap: unstructured data on file shares, cloud and SharePoint; data extracts; key application monitoring and breach response; paper records; employee BYOD; documents sent to third-party vendors)

Making Everything Right: Preparing for the Regulation
• Policies: update your policies
• Clean Up: fix any problems that present themselves in audits, and create strict access controls
• Train People: create data privacy trainings
• Processes: Subject Access Requests, Right to be Forgotten
• Audit: create a team to monitor and audit compliance with the procedures you create
• Privacy by Design: design forward to incorporate your knowledge
• Documentation: establish practices that provide guidance on how to handle data in accordance with the EU Directive

Is It Time for Information Governance?
(Slide diagram: Information Governance spanning Records, Disposition, Discovery, Privacy and Behavior Change Management)
• Ensure records policies are up to date
• Harmonize records policies with privacy policies
• Strengthen legal hold processes
• Better manage data with a data placement strategy
• Leveraging the data map, develop defensible disposition processes
• Develop a "Culture of Compliance" through Information Governance
• Rolling out a policy and procedures with no change management is not enough

Additional Resources
• ACC Docket Magazine, October 2014 issue: "Building a Business Case for an Information Governance Program"
• ARMA Information Management Magazine, October 2014 issue: "All In One: Creating a Super Data Map and Schedule"
• Free recorded webinars at www.contoural.com: "Preparing for the EU 2015 Data Protection Rules: What You Need to Know"; "Taking a Metrics Approach to Information Governance"; "Creating a Records Management Project Plan"
• ACC Information Governance eGroup: join the discussion

Thank You and Questions
• Gary Chun, Senior Corporate Counsel, Covance Inc.
• Laura Hamady, Assistant General Counsel Privacy, eCommerce & Retail, Levi Strauss & Co.
• Mark Diamond, President & CEO, Contoural, Inc.
• Tom Mighell, Senior Consultant, Contoural, Inc.