Safe Harbor Invalidation Next Steps: EU Model Clauses – Do's and Don’ts

If you cannot hear us speaking, please make sure you have called into the teleconference number on your invite information.

US participants: 1 800 909 4756

Outside the US: +1 647 722 9108 or +44 2033000090

The audio portion is available via conference call. It is not broadcast through your computer.

*This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.

Monday, November 30, 2015 | 12:00 p.m. EST

WELCOME TO OUR WEBINAR


Welcome

You are on mute

A link to a recording of the webinar will be made available

Today's speakers

Carol Umhoefer, Partner, DLA Piper, Paris

Thomas Jansen, Partner, DLA Piper, Munich

Diego Ramos, Partner, DLA Piper, Madrid

Recap: Why We're Here


ECJ Safe Harbor Decision and Aftermath 1

On October 6, 2015, the European Court of Justice declared the EU-US Safe Harbor program invalid

The transfer of personal data to the US on the basis of Safe Harbor was prohibited with immediate effect

All companies that transfer personal data based on Safe Harbor – or use processors that transmit personal data to the US on the basis of Safe Harbor – must immediately consider and implement alternative transfer mechanisms

On October 16, 2015, the Article 29 Working Party announced a grace period for enforcement until January 31, 2016. In the meantime, model clauses and binding corporate rules are considered valid transfer mechanisms


ECJ Safe Harbor Decision and Aftermath 2

On October 14, 2015, the Independent Centre for Privacy Protection of the Federal State Schleswig-Holstein (“ULD”), one of 17 Data Protection Authorities (DPAs) in Germany, published its position paper on the ECJ Safe Harbor decision.

On October 26, 2015, German Federal Data Protection Officer and the Data Protection Authorities (DPAs) of the German Federal States (together “Datenschutzkonferenz” – DSK) issued a joint statement questioning the admissibility of data transfers to the US based on model clauses or BCRs and stating that they will not approve new transfers based on binding corporate rules or data export agreements.


ECJ Safe Harbor Decision and Aftermath 3

On November 6, 2015, the European Commission issued a communication on transfers from the EU to the US, including a reaffirmation on the conditions for using model clauses:

Article 29 Working Party has stated that it will continue to analyze the impact of the Schrems decision on model clauses

Transfers to third countries which have not been found to ensure an adequate level of protection are permissible if the controller adduces appropriate safeguards by means of contractual clauses binding on the exporter and importer of the data

Parties may supplement model clauses with non-contradictory terms

Model clauses are both more limited (applying to specific data flows) and more broad (not limited to a specific country)

National authorities are in principle under the obligation to accept model clauses


Risks of Not Acting

Breach of contracts and exposure to damages and/or triggering of termination rights

User/customer/employee complaints made with the controller (or processor)

User/customer/employee complaints to the DPA

Orders and fines by DPAs (esp. Spain, Germany)

Potential interruption of business in Europe

Potential loss of business in Europe


Alternatives to Safe Harbor

Consent of data subject (legally uncertain except for one-off transfers; often problematic in practice)

Transfers to 'white-listed' countries: Andorra, Argentina, Australia (PNR data only), Canada (some types of data), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay

Binding Corporate Rules

Ad hoc agreements

European Commission approved 'model clauses' (standard contractual clauses)


Using the Model Clauses


Model Clauses Pros and Cons

Pros

Quick and efficient

Standard template

May be used in relation to third parties which are not members of the group

Low cost

Cons

No flexibility on essential terms

May also come under scrutiny of the DPAs in the near future

Do not address all transfer patterns

Additional legal basis (e.g., consent) may be required in some EU Member States

Acceptance/confirmation/approval procedure in some EU Member States


Selecting Model Clauses

Model clauses for the transfer of personal data to controllers established in third countries approved by Commission Decisions in 2001 and 2004

Liability: Joint and several (2001); exporter liability in the first instance, otherwise importer liability (2004)

Model clauses for the transfer of personal data to processors established in third countries approved by Commission Decision in 2002; now superseded by Commission Decision of 2010

In March 2014, G29 published model clauses for the transfer of personal data from an EU processor to a non-EU sub-processor, but they have not been approved by the European Commission

Currently, model clauses only apply when the "exporter" (transferor) is a controller established in the EU


Key Provisions and Hidden Risks

Third-party beneficiary clause stating that data subject has rights under the clauses

Data exporter obligations to comply with data protection law

Data importer (controller or processor) accepts jurisdiction where exporter established

Data importer (controller) submits to audits by exporter; data importer (processor) submits to audits by exporter or DPA; subprocessor submits to audits by DPA

Processor subcontracting: Subject to prior approval by the data exporter

Need details of transfers: The nature and extent of data to be transferred

Need to specify personal data security measures

Future-proofing contractual arrangements


Common Model Clauses Transfer Scenarios 1


Common Model Clauses Transfer Scenarios 2


Supplementing Model Clauses

National authorities are in principle under the obligation to accept model clauses

Generally - the model clauses must be unchanged, i.e., they must not be altered

Alterations will trigger additional requirements, principally authorization by data protection authorities

Even unaltered model clauses may need approval by the data protection authority in some countries (Belgium, France, Spain …)

Some countries (Germany, Italy, Poland, Spain …) nonetheless require additional clauses


Focus on Model Clauses in Germany

German Federal Data Protection Officer and DPAs of the German Federal States (together “Datenschutzkonferenz” – DSK) issued position paper questioning validity of all methods of data transfer to US in light of ECJ decision.

However, EU Model Clauses currently remain a valid method of data transfer to the US and third countries. No authorization is required.

National DPAs still have authority to prohibit transfers based on EU Model Clauses and impose fines

In such case, an affected company should appeal the DPA decision and fine to a German court

The consent of the data subject also remains a valid basis for data transfer, provided it is transparent, freely given, and conforms to the conditions set forth by the DPAs


Focus on Model Clauses in Spain

Transfers based on model clauses – even identical model clauses – are not legal per se. Unless valid data subject consent is obtained, transfer pursuant to model clauses requires an export permit from the Spanish data protection authority (AEPD).

Applications for seeking export permits can include model clauses-based agreements but also any other set of clauses that meets the Spanish data protection authority's concerns.

Typical additional requirements sought by AEPD, on top of adequate agreements between the parties, include detailed description of security measures to be applied, additional disclosures on staff management and even face-to-face visits of AEPD investigators with the data importer abroad.

Entire authorization procedure may take 5/6 months.

Schrems-related enforcement is expected to start February 2016.


Other Issues

Updating privacy notices (policies, statements) that refer to Safe Harbor

Updating contracts that require adhesion to Safe Harbor

Adapting Safe Harbor annual re-certification to model clause audit requirements

Consulting or obtaining approval from works councils / trade unions

Updating registrations with data protection authorities


UPDATES


Subscribe to our Privacy Matters blog for regular updates: http://blogs.dlapiper.com/privacymatters/

Access our Data Protection Laws of the World Handbook at www.dlapiperdataprotection.com


QUESTIONS
