307 - Preparing for EU 2015 Data Protection Rules

Gary Chun, Senior Corporate Counsel, Covance Inc.; Laura Hamady, Assistant General Counsel Privacy, eCommerce & Retail, Levi Strauss & Co.; Mark Diamond, President & CEO, Contoural, Inc.; Tom Mighell, Senior Consultant, Contoural, Inc.


Page 1:

Gary Chun, Senior Corporate Counsel, Covance Inc.

Laura Hamady, Assistant General Counsel Privacy, eCommerce & Retail, Levi Strauss & Co.

Mark Diamond, President & CEO, Contoural, Inc.

Tom Mighell, Senior Consultant, Contoural, Inc.

307 - Preparing for EU 2015 Data Protection Rules

Page 2:

Legal Information Is Not Legal Advice

Contoural provides information regarding business, compliance and litigation trends and issues for educational and planning purposes. However, legal information is not the same as legal advice -- the application of law to an individual or organization's specific circumstances. Contoural and its consultants do not provide legal advice. Clients should consult with competent legal counsel for professional assurance that our information, and any interpretation of it, is appropriate to each client's particular situation.

Page 3:

EU Data Protection Directive

EU DP Directive (1995)

• Personal data

• Controller and Processor – where data is processed in the EU

• Transfers of personal data outside the EU

• Model clause agreements and US Safe Harbor

• Different laws within Europe and different DPAs and standards

Privacy Principles: notice, purpose, consent, security, disclosure, access, accountability

2012 – draft EU DP regulation

• Ongoing negotiations between EU Parliament, Council and Commission

• Expected adoption in 2015

• Expected enforcement in 2017

Page 4:

Who Are You?

• US Company?

• US Company with EU Affiliates?

Page 5:

What Should You Already Be Doing to Comply with Current Requirements?

• Privacy Policy and Procedures

• Privacy Governance Organization

• Training for Employees

• Privacy Notices

• Information Security

• Audit Procedure

• Breach Response Process

Page 6:

Proposed Changes to EU Data Protection Regulation

• Directive to regulation – harmonize regulations across the EU

• Extends to all foreign companies processing data of EU residents

• Incorporate privacy by design

• Significant penalties – up to 5% of annual worldwide turnover (revenues)

• Notification of data breaches

• Data Protection Officer

• Right to be forgotten/erasure

Page 7:

What’s Driving the Changes?

• Desire to harmonize regulations across the EU – the Directive relies on individual countries to enact laws; the Regulation will be consistent across borders

• The 1995 Directive isn’t up to date with current technology

• Unhappiness on the EU side with Safe Harbor

• Concern about privacy standards and abuses in other territories

• Protectionism

Page 8:

Estimated Timeline for Regulation Implementation

Timeline axis: 2014 – 2015 – 2016 – 2017

• Negotiations on Amendments

• Finalize Regulation

• Regulation Becomes Law

• Member States have 2 years from enactment to bring the Regulation into effect

Page 9:

Right to Be Forgotten

New Article 17: The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, and to obtain from third parties the erasure of any links to, or copy or replication of that data….

• Who is the controller? Does this apply to third parties?

• Non-European companies must apply EU rules when offering services to European consumers

• Burden of proof reversed – now the burden is on the controller to prove the data is still relevant

• Balance against freedom of expression and the press

Page 10:

Google Spain v AEPD and Mario Costeja González (2014)

• González lodged a complaint with the Spanish Data Protection Agency asking that a link to a newspaper article about him be removed

• European Court of Justice ruled that an internet search engine must consider requests from individuals to remove links to freely accessible web pages resulting from a search on their name

• Ruling related solely to allowing people to request that their names not show up in search results when the information is “inadequate, irrelevant or no longer relevant.”

• Google and other providers creating processes to allow individuals to have links to their names removed

• Proposed EU Data Protection Regulation would be much more broadly interpreted

Page 11:

Be Prepared for Right to be Forgotten and Subject Access Requests

• Establish a chain of command

– Train customer service and any other employees who may receive such requests

• Understand where the data is

– Which databases, which backups, etc.

• Create a response timeline

– Be able to respond quickly

Page 12:

What Do You Need to Know?

• What data do you have?

– PII? Sensitive PII?

• How do you receive the data you have?

– Directly from the data subjects? From a third party?

• Whose data do you have?

– Who are your data subjects?

• Who can access the data?

– What access controls are in place?

• Where is the data stored?

– Cloud? Servers? File Shares? BYOD?

• How long is data kept?

– Is there a record retention schedule in place?

Page 13:

What Do You Need to Do?

• Locally (in the EU)

– Local filings

– Local Notices

– Safe Harbor

• US HQ

• Rest of the World

• Make sure that you have made all currently required disclosures and that they are accurate

• Follow current regulations until the Regulation is finalized and implemented – the one-stop shop principle is controversial

• Binding Corporate Rules

• SCC/Model Clauses

Page 14:

Understanding Data Practices

Internal audits

Identify data collection points

Locate databases

Map data flows

Page 15:

Creating a Data Map

A Data Map is an inventory of the data sources that inform prevention activities. It tells you what you have, where it is, and who is responsible for managing it.

Common types of data maps include:

• Application & Infrastructure

• eDiscovery

• Records & Content Management

• Compliance

• Privacy & Sensitive Information

A Data Map may be a document, a diagram, a database, or an application.

Page 16:

The Future of Safe Harbor

• Recent calls for suspension by EU – complaints about lack of US enforcement and oversight

• Self-Certification is not trusted – perception vs. reality?

• EU recommendations for improving Safe Harbor – Transparency, Redress, Enforcement, Access by US Authorities

• Prediction: Safe Harbor will survive

• But see “Schrems vs. Facebook” – is Safe Harbor incompatible with European human rights standards?

Page 17:

Impact on Binding Corporate Rules

• Expressly validated by Draft Regulation

• Strong backing by EU data protection authorities

• Safe Harbor under increasing strain, and even model contracts are scrutinized more

• Binding Corporate Rules (BCRs) are now more familiar to companies and consumers

• BCRs are easier to get than before – 12-18 months vs. 4 years

Page 18:

Impact on Data Transfer Agreements

What is happening with data transfer agreements?

The Draft Regulation offers 3 data transfer solutions:

• Adequate Countries

• Appropriate Safeguards (like BCRs, SCCs, Safe Harbor)

• Clearly Defined Specific Situations (such as during an investigation)

Page 19:

Impact on Storing Data in the Cloud

• Data residency requirements apply to cloud storage

• Cloud solutions need to support:

– Data residency

– Appropriate security controls

– Ability to search for PII within individual documents

– Support for better metadata

Vendors are often Part of the Gap

• Does the vendor have a Records Retention Policy that is enforced?

• What does the Service Level Agreement with the vendor say regarding record retention?

• Has the vendor been audited by internal self-audit or external regulatory authority regarding its data privacy protections?

• Does the vendor have a written Information Security Program applicable to all records potentially subject to privacy regulations?

• Does the vendor have U.S. Safe Harbor Certification?

Page 20:

Conflict or Inconsistency with Other Regulations within the EU

EMA policy on clinical trial data transparency

• Delayed to Oct 2 meeting (*need to update based on meeting)

• Considering impact on R&D and industry concerns

• Need to protect patient data and commercial confidential information

• May be inconsistent with the scope of the consent in informed consent forms

Page 21:

Conflict or Inconsistency with Jurisdictions Outside the EU

Revelations of massive government surveillance are a major source of conflict with non-EU countries, particularly the US

• US Patriot Act

• Dissatisfaction with US Safe Harbor

• Encryption restrictions in territories (Russia)

Page 22:

Impact of Dealing with Data Breaches

What You Should Do NOW:

• Update (or create) your Breach Notification Process

• Conduct a data protection audit – identify potential weaknesses

• Assess / enhance detection and response capabilities

Best Practice for Breach Response:

• Isolate compromised systems

• Preserve relevant information

• Required disclosure(s)

• Investigate cause of breach and remediate

New Regulation: Notice of a data breach must be disclosed to the supervisory authority within 24 hours of detection if feasible.

Page 23:

Is It Time to Rethink Your Privacy Strategy?

What do I need to update or change?

• Follow local laws until the Regulation passes

• Consider holding off on BCRs – you may need to start the process over, and the Regulation will likely make the process easier

• Remember that the Regulation isn’t final yet

• Get serious about information governance

Page 24:

Privacy by Design

• Safeguards built into products/services

• Privacy-friendly default settings (Hello, Facebook)

• Collaboration with IT

• Duty to remediate existing systems?

Article 23: The controller shall implement mechanisms for ensuring that, by default, only those personal data which are necessary for the purposes of the processing are processed.

Page 25:

Addressing the Middle

Diagram (text recovered from the slide): on one side, Breach Response Plan, Security Policies, Key Application Monitoring and Breach Response, Data Privacy Compliance; in the middle, the Gap; on the other side, Employee BYOD, Data Extracts, Unstructured Data on File Shares, Cloud, SharePoint, Paper Records, Documents to Third-Party Vendors.

Page 26:

Making Everything Right, Preparing for the Regulation

• Policies – Updating your policies

• Clean Up – fix any problems that present themselves in audits and create strict access controls

• Train People – create data privacy trainings

• Processes – Subject Access Requests, Right to be Forgotten

• Audit – create a team to monitor and audit compliance with the procedures you create

• Privacy by Design – Design forward to incorporate your knowledge

• Documentation – practices need to be established to provide guidance on how to handle data in accordance with the EU directive

Page 27:

Is It Time for Information Governance?

Diagram (text recovered from the slide): Discovery, Disposition, Privacy, Records

• Ensure Records Policies are up to date

• Harmonize records policies with privacy policies

• Strengthen legal hold processes

• Better manage data with a data placement strategy

• Leveraging the data map, develop defensible disposition processes

• Develop a “Culture of Compliance” through Information Governance Behavior Change Management

• Rolling out a Policy and Procedures with no Change Management is not enough

Page 28:

Additional Resources

Free Recorded Webinars at www.contoural.com

• Preparing for the EU 2015 Data Protection Rules: What You Need to Know

• Taking a Metrics Approach to Information Governance

• Creating a Records Management Project Plan

ACC Information Governance eGroup – Join the discussion

ARMA Information Management Magazine, October 2014 Issue – All In One: Creating a Super Data Map and Schedule

ACC Docket Magazine, October 2014 Issue – Building a Business Case for an Information Governance Program

Page 29:

Thank You and Questions

• Gary Chun, Senior Corporate Counsel, Covance Inc.

• Laura Hamady, Assistant General Counsel Privacy, eCommerce & Retail, Levi Strauss & Co.

• Mark Diamond, President & CEO, Contoural, Inc.

• Tom Mighell, Senior Consultant, Contoural, Inc.