THE CHOICES WE MAKE THAT MATTER – International Data Privacy/Protection
JILL L. UREY, ASSISTANT GENERAL COUNSEL
MID-ATLANTIC CIO FORUM
NOVEMBER 20, 2014
Agenda
1. Overview of Glatfelter
2. Data Privacy/Protection Introduction
3. European Union Requirements
4. Non-EU Highlights
5. Trends
6. Tips and Guidance
7. Questions
Glatfelter products are marketed in over 90 countries around the world
GLATFELTER – Global supplier of choice for fiber-based engineered products
Founded in 1864; Publicly traded on the NYSE as GLT
Annual sales of $1.8 billion; 4,400 employees worldwide
Manufacturing Facilities: U.S., Germany, U.K., Canada, France, Philippines
Sales / Representative Offices: U.S., Germany, France, U.K., China, Russia
Specialty Papers
Feminine Hygiene #1
Adult Incontinence #1
Specialty Wipes/Towels #2
Trade Book Publishing #1
Carbonless Products #1
Postal Applications #1
Playing Cards #1
Greeting Cards #2
Tea Bags/Coffee Filters #1
Nonwoven Wallcovering #1
Composite Laminates #1
Battery Pasting Papers #1
Metallized Products #2
Composite Fibers
Advanced Airlaid Materials
GLATFELTER – Leading Positions in Niche Markets
Total net sales of $1.8 billion
Supplier of Choice to a Well Respected Customer Base
Random House
Specialty Papers Composite Fibers Advanced Airlaid Materials
GLATFELTER – Strong Relationships with Global Customers
Introduction to Data Privacy/Protection
PERSONAL DATA
Any information that identifies or can be used to identify an individual:
Name, Address, E-mail, Phone Number, ID Number, Date of Birth, Health Information, Banking Information, Marital Status, etc.
Data Privacy/Protection Laws regulate the Processing of Personal Data
PROCESSING
Includes the following: Collection, Use, Storage, Sharing, Transmission, Alteration, Deletion
European Union Data Protection
Laws:
• EU Data Protection Directive (95/46/EC)
• Article 29 Working Party
Principles:
• The collection, processing and use of Personal Data is banned unless an exception applies.
• Data Subjects have the right to know why and how their Personal Data is collected and processed.
Exceptions:
• Consent of Data Subject
• Legal Obligation or Public Interest
• Performance of Contract
• Protection of Vital Interests of Data Subject
• Legitimate Interests of Data Collector
EU Data Protection – Personal Data Transfers Outside the EU
Safe Harbor Certification
1. Joint EU Commission and US Department of Commerce Program
2. Companies certify compliance with EU data protection standards
3. Annual certification for employee personal data and third party personal data
Corporate Binding Rules
1. Internal rules/policies of company meeting EU data protection standards
2. Approved by relevant EU member’s Data Protection Authority
3. Approval times vary
EU Data Protection - Controllers and Processors
Controller (inside EU)
Controller (inside and outside EU)
Processor (inside and outside EU)
Data Transfers:
Statutory Justification
Data Subject Consent
Data Processing Agreement
Safe Harbor Certification OR Corporate Binding Rules
Standard Contractual Clauses
EU Data Protection – Additional Member States’ Requirements
Co-Determination Rights
Data Protection Officers
Individual Employee Consent
Consultation with Works Councils
Declaration filing with the Data Protection Authority (CNIL)
Notification to U.K. Information Commissioner
Germany
France
United Kingdom
Highlights of Non-EU Data Protection Requirements
China
• Data Transfer Agreement
• Explicit Consent from Data Subjects
Canada
• National and Provincial Laws
• Data Transfer Agreements/Sharing Protocols
• Employee Notification of International Transfers
Russia
• Written Consent from Data Subjects
• Notification to Russian State Regulator if Processing Customer Data
Trends – Enforcement News
• BRAZIL: Telecom company fined $1.59 million for violating users' privacy.
• HONG KONG: Privacy Commissioner condemns employment agencies for collecting personal data for job applicants via blind recruitment advertisements.
• U.K.: An individual awarded nominal damages for emotional distress due to data breach.
• IRELAND: Successfully prosecuted individual directors of a company for disclosures of personal data without the consent of the data controller.
Trends – EU Cookie Audits
EU ePrivacy (“Cookie”) Directive
Users must be informed about the use of cookies on a company’s website
Users have the right to consent to cookies prior to use
Exception for cookies that are strictly necessary for delivery of an online service
Jurisdictional split on consent: Express vs. Implied
Cookie sweeps and audits
Trends – Proposed EU Data Protection Revisions
Prior authorization of a national data protection authority required before personal data may be transferred to non-EU country.
Fines increased to the greater of €100 million or 5% of annual worldwide turnover.
Data Subjects have right to demand erasure of personal data.
Internet service providers processing personal data must receive explicit consent from the data subject.