Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.Latham & Watkins operates worldwide as a limited liability partnership organized under the laws of the State of Delaware (USA) with affiliated limited liability partnerships conducting the practice in the United Kingdom, France, Italy and Singapore and as affiliated partnerships conducting the practice in Hong Kong and Japan.
The Law Office of Salman M. Al-Sudairi is Latham & Watkins’ associated office in the Kingdom of Saudi Arabia. © Copyright 2015 Latham & Watkins. All Rights Reserved.
THURSDAY 15 OCTOBER 2015 | LONDON
SAFE HARBOR: STAYING ALIVE?Stewart Dresner
Chief Executive, Privacy Laws & Business
Ulrich WuermelingPartner, Latham & Watkins
Gail CrawfordPartner, Latham & Watkins
Jennifer ArchiePartner, Latham & Watkins
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
CRITIQUE OF SAFE HARBOR
Page 2
1999/2000 - PL&B conducted a research project for the European Commission on the “adequacy” of the US/EU Safe Harbor. Results: Several weaknesses.
Safe Harbor a pragmatic EU/US political compromise.
The next two slides are by Galexia – www.galexia.com - a consultancy and Safe Harbor analyst.
Its evidence contributed to most FTC prosecutions.
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
A VERY BRIEF SAFE HARBOR REFORM AND ENFORCEMENT TIMELINE
Page 3
20002000 20022002 20042004 20082008 20092009 20112011 20122012 20132013 20142014 20152015
LaunchLaunch Second EC ReviewSecond EC Review FTC action against 6 false claimants
FTC action against 6 false claimants
FTC substantive action against
MySpace
FTC substantive action against
MySpace
• FTC action against 14 false claimants)
• FTC action against TRUSTe
• FTC action against 14 false claimants)
• FTC action against TRUSTe
First EC ReviewFirst EC Review
• Snowden! • Third EC Review• Future of Privacy
Forum Review
• Snowden! • Third EC Review• Future of Privacy
Forum Review
• FTC action against 2 false claimants
• Europe v Facebook at the European Court of
Justice
• FTC action against 2 false claimants
• Europe v Facebook at the European Court of
JusticeGalexia ReviewGalexia Review
FTC substantive action against Facebook and
FTC substantive action against Facebook and
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
AN ALTERNATIVE HISTORY – BASED ON AN ISSUES ANALYSIS
Page 4
Information broker cases RESOLVED
Notice and consent cases RESOLVED
National security issues PENDING
Fine print exclusions LOST
Dispute resolution is not independent LOST
Consumers ‘threatened’ with mediation fees PENDING
Dispute resolution is not affordable RESOLVED
False trustmark claims RESOLVED
False claims (by non-members) PENDING
False claims (by former members) RESOLVED
No public privacy policy RESOLVED
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
QUESTION 1
Page 5
US: The US-EU Safe Harbor has been seen in Europe as a rather weak regulatory mechanism to enable the personal data to keep flowing from the EU to the US while several other countries, such as Canada, Switzerland, Israel and New Zealand, have been subject to close scrutiny to win their adequacy status. For years the Department of Commerce was under-resourced in its attempts to regulate the Safe Harbor. The FTC has in recent years been taking a more active enforcement role.
Why did the FTC take so long to get started on active enforcement? How active is the Department of Commerce in its supervisory role now?
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
QUESTION 2
Page 6
EU: From the start of the US-EU programme 15 years ago, the European Commission was aware of the weaknesses in the Safe Harbor system.
Why did the European Commission take so long before presenting the US with its list of areas for improvement?
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
QUESTION 3
Page 7
US and EU: Last year, the EU presented the US with a list of 13 Safe Harbor areas which it wanted to be improved.
What are they and what are the results of the negotiations?
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
QUESTION 4
Page 8
EU: Is the European Commission considering extending the Safe Harbor programme to other large countries, such as India and Brazil where an “adequate” data protection law could be far in the future?
If so, which countries?
If not, why not?
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
QUESTION 5
Page 9
US: Is the US considering extending the Safe Harbor programme to other countries with comprehensive data protection/privacy laws?
If so, which countries?
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
THE FUTURE FOR THE SAFE HARBOR?
Page 10
1. What is the decision of the Court of Justice of the European Union?
2. How will the European Commission, the EDPS and the EU Art. 29 DP Working Party respond?
3. Will modified US-EU and US-Swiss Safe Harbor programmes continue in the future?
4. What are companies’ options for the transfers of personal data to 3rd countries?
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
Page 11
Schrems vs. Facebook
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
12
SCHREMS VS. FACEBOOK
2011• Guest Student Santa Clara University (California)• Speech of Facebook lawyer• Schrems files 22 complaints to Irish Data Protection Commissioner
2012• Formation of „europe-v-facebook.org“ Verein
2013• 23rd complaint to Irish Data Protection Commissioner• Irish Data Protection Commissioner dismisses complaints as being „frivolous and
vexatious”
2014
• Application for judicial review of the to the Irish Data Protection Commissioners dismissal of complaint 23rd to the Irish High Court
• Irish High Court requests preliminary ruling to the Court of Justice of the European Union
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
Court of Justice of the European Union
Maximilian Schrems vs. Data Protection Commissioner
Case C-362/14
6 October 2015
13
THE JUDGMENT
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
How supervisory authority shall act:1. examine the case2. apply remedies for breach of instrument3. engage in legal proceedings if validity of Decision is in question4. reference to Court of Justice to evaluate validity of Decision
14
RULING 1: DECISION DOES NOT PREVENT EXAMINING
Supervisory authority may „examine“ caseSupervisory authority may „examine“ case
Only the Court can declare a Decision invalidOnly the Court can declare a Decision invalid
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
Court saw no need to examine the Safe Harbor principles!15
RULING 2: SAFE HARBOR DECISION 2000/520 INVALID
Article 1 invalidCommission must duly state reasons, but “did not state”
Article 1 invalidCommission must duly state reasons, but “did not state”
Article 2 invalidDenying national supervisory authority powerArticle 2 invalidDenying national supervisory authority power
Articles 2 and 3 invalidDue to invalidity of Articles 1 and 3Articles 2 and 3 invalidDue to invalidity of Articles 1 and 3
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
16
NEXT STEPS IN THE CASE
Back to the Irish High Court
Hearing scheduled for20 October 2015
Irish Data Protection Commissioner examines the complaint
?
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
Does Safe Harbor still provide adequate protection? Not decided by the Court
Requirements
• no legislation permitting public authorities access on a generalised basis• legal remedies against access by public authorities
17
CONSEQUENCES FOR SAFE HARBOR FRAMEWORK
Safe HarborDecision
Safe HarborDecision
Safe Harbor Certification
Safe Harbor Certification
INVALIDINVALID VALIDVALID
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
18
CONSEQUENCES FOR SAFE HARBOR AND OTHER INSTRUMENTS
Adequate SafeguardsAdequate
Safeguards
Model ContractsModel Contracts
Binding Corporate RulesBinding Corporate Rules
Others’Derogations
Others’Derogations
ConsentConsent
Performance of a contract with or in the interest of the data subject
Performance of a contract with or in the interest of the data subject
Public interest and legal claims Public interest and legal claims
Vital interests of the data subject Vital interests of the data subject
Transfer from a registerTransfer from a register
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
19
THE RISK OF ENFORCEMENT
for
investigation remedies liability sanctions
in
European Union United States
against
data exporter data importer
Action by
supervisory authorities data subjects consumer groups competitors
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
20
EXPECTED DEVELOPMENTS
• plenary session on 15 October 2015• joint statement? • plenary session on 15 October 2015• joint statement?
Article 29 Working Party
• withdrawal of authorizations?• orders to discontinue data export?• fines?
• withdrawal of authorizations?• orders to discontinue data export?• fines?
Supervisory Authorities
• finalization of Safe Harbor negotiation?• revision of other Decisions?• finalization of Safe Harbor negotiation?• revision of other Decisions?
European Commission
• changes in US legislation? • changes in US legislation? United States Government
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
Page 21
That’s all very well….
but what do we do now?
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
22
CONSEQUENCES FOR SAFE HARBOR AND OTHER INSTRUMENTS
Adequate Safeguards
Model ContractsModel Contracts
Binding Corporate RulesBinding Corporate Rules
Others’ Derogations
ConsentConsentPerformance of a contract
with or in the interest of the data subjectPerformance of a contract
with or in the interest of the data subject
Public interest and legal claims Public interest and legal claims
Vital interests of the data subject Vital interests of the data subject
Transfer from a registerTransfer from a register
Operational Change
EU data centres?EU data centres?
Alternative vendors?Alternative vendors?
AnonymisationAnonymisation
Make own assessment of adequacy?
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
THE ELEPHANT IN THE ROOM…
23
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
MODEL CLAUSES
24
Controller to Controller Model Clauses 2004
Controller to Processor Model Clauses 2010
Controller to Controller Model Clauses 2001
Lawenforcement
Clause 2(i) no disclosure to a data controller in third country unless it notifies data importer and third party ensures adequate protection, signs model clauses or data subjects are allowed to object. Clause 2(c) data importer has no reason to believe in the existence of any local laws that would have a substantial adverse effect on the guarantees provided for under these clauses. Also see clause 2(b) but has a carve out for where persons are required to access data by law.
Clause 5(d) requires data importer to notify data exporter of any legally binding request for disclosure by a law enforcement authority unless otherwise prohibited. Clause 5(b) data importer has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter.
Section 6 of the principles states that onward transfer to another controller is only permissible if information is provided to the data subject and new controller adheres to the clauses. Clause 5(a) data importer has no reason to believe in the existence of local laws which prevent him fulfilling his obligations under the contract or have a “substantial adverse effect” on the guarantees in the contract. Where he does become aware, he will notify the change to the data exporter.
Sub-Processing
Clause 2(b) must have in place procedures so that a third party it authorizes to access data (including processors) shall be obligated to process it only on instructions from data importer.
Clause 5(h)/ Clause 11 Sub-processing prohibited unless prior written consent of data exporter is obtained and copy of sub-processing agreement sent to data exporter.
Data importer must put in place a written agreement imposing the same obligations on the sub-processor as are imposed on the data importer.
No clear rules on appointment of data processors by data importers.
Liability Clause 3(a) Each party is liable to the other (and to data subjects) for damages it causes by breach of the clauses. Liability limited to actual damage suffered. Punitive damages excluded.
Data subject to ask data exporter to enforce rights against data importer; data subject can take direct action if data exporter does not enforce.
Clause 6 Any data subject who suffers damage resulting from breach is entitled to compensation from the data exporter, or data importer (where data exporter ceases to exist or becomes insolvent)
Data subject may only claim against sub-processor where data importer and data exporter have ceased to exist in law or become insolvent.
Clause 6 Data exporter and data importer are jointly and severally liable for damage to data subject.
Optional indemnity which provides that if one party is held liable for a violation by the other party, the latter will indemnify the first party for any cost, charge, damages, expenses or loss.
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved. 25
MODEL CLAUSES - ADMINISTRATIVE BURDEN
UK Co
Fr Co
De Co
Ch Co
US Co
US Sub
Mex Sub
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
STRUCTURING THE MODEL CLAUSES
Intra-group Agreements: Agency; Deed of adherence.
Onward transfers?
Use of PoAs
Still need prior approval many countries e.g. Austria, Belgium, France, Luxembourg, Norway, Malta and Spain
Notification of clauses in others e.g. Greece, Romania and Liechtenstein
What is “unamended form”?
Level of detail in schedules
Unilateral declarations?
26
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
DATA PROCESSORS
Safe Harbor Certified
UK CoUK Co Irish DP US ParentTos IPP DP to DP Model
Clauses
DC to DP
DC– DP between US entity and EU customers
DP to DP Model Clauses under consideration by Art. 29
Ability to adapt DC – DP 2010? Get customer to warrant they
have consents? Build EU data centres?
27
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
US ONLINE PROVIDER
End Users
US Co
UK Co
Tos and PP
Was US Safe Harbor Certified
Sales Agent Does EU law apply?
Consent
Transfer “necessary” for the purpose of contract
How do you deal with existing data?
Can UK Sales Agent sign model clauses with US Co?
What are the data flows?28
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
CONSENT
Freely given and fully informed
Can be withdrawn
Not buried in Privacy policy
Positive indication of intent
Can employees or existing users of a service give valid consent?
Similarly – can you rely on a transfer being necessary for the purpose of contract if you do not clearly disclose you are a US company?
29
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
OWN ASSESSMENT OF ADEQUACY?
Conduct a risk assessment• Nature of data – impact of unauthorised access to data? Country of origin?
• Nature of processing
• Period for which data will be used
• Country of importer – level of protection under local law
• Security
Can you take into account:• Safe Harbor Principles?
• Adapted Model Clauses
• Internal rules (not signed off as BCRS)
DPA position varies
No clear guidance….
30
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
31
SCHREMS VS. FACEBOOK
Next few weeks
20th
October
6-12 months
2-4 years
2017/2018
Article 29 Working Party Guidance / DPAs• Likely to issue guidance and remediation period• Can they agree approach?• DPAs will then likely write to certain companies and ask them how they comply
Irish High Court reconsiders Facebook Case – 20th Oct• Look at specifics of Facebook transfers
Discussions on SH2 continue
Schrems or others mount new challenges• Challenge to other mechanisms?• Class actions
New Data Protection Regulation
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
CHECKLIST (PENDING ART. 29 WP GUIDANCE…)
32
1. Map data flows (if not already done)2. Identify where you rely on Safe Harbor Intra-group transfers US vendors US partners Sub-processors
3. Verify if other derogations apply? Consent Transfer is “necessary” for a contract Other
4. Add Model Contracts where appropriate DC to DC, DC to DP or DP to DP? Consider structure Consider signing mechanism
5. Inform stakeholders Sales representatives Customers Employees
6. Registrations, approvals and notification with DPAs Review current registrations, approvals and
notifications Add or amend approvals with DPAs
7. Review privacy policies, notices and consents8. Identify, review and amend internal documentation
Policies and procedures e.g. procurement guidelines for vendors, data sharing policies
Form agreements and clauses that allow reliance on Safe Harbor
9. Consider impact on current projects M&A Technology
10. Identify future risks and initiate strategic discussions given possible period of instability
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
YOUR CONTACTS
33
Partner, Washington, D.C.Latham & Watkins
T: +1.202.637.2205E: [email protected]
Jennifer Archie
Partner, LondonLatham & Watkins
T: +44.20.7710.3001 E: [email protected]
Gail Crawford
Partner, Frankfurt Latham & Watkins
T: +49.69.6062.6502 E: [email protected]
Ulrich Wuermeling
Chief Executive, LondonPrivacy Laws & Business
T: +44.20.8868.9200E: [email protected]
Stewart Dresner
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2015 Latham & Watkins. All Rights Reserved.
34