THE CHOICES WE MAKE THAT MATTER – International Data Privacy/Protection JILL L. UREY, ASSISTANT GENERAL COUNSEL MID-ATLANTIC CIO FORUM NOVEMBER 20, 2014


Agenda

1. Overview of Glatfelter

2. Data Privacy/Protection Introduction

3. European Union Requirements

4. Non-EU Highlights

5. Trends

6. Tips and Guidance

7. Questions


Glatfelter products are marketed in over 90 countries around the world

GLATFELTER – Global supplier of choice for fiber-based engineered products

Founded in 1864; Publicly traded on the NYSE as GLT

Annual sales of $1.8 billion; 4,400 employees worldwide

Manufacturing Facilities: U.S., Germany, U.K., Canada, France, Philippines

Sales / Representative Offices: U.S., Germany, France, U.K., China, Russia

Specialty Papers

Feminine Hygiene #1

Adult Incontinence #1

Specialty Wipes/Towels #2

Trade Book Publishing #1

Carbonless Products #1

Postal Applications #1

Playing Cards #1

Greeting Cards #2

Tea Bags/Coffee Filters #1

Nonwoven Wallcovering #1

Composite Laminates #1

Battery Pasting Papers #1

Metallized Products #2

Composite Fibers

Advanced Airlaid Materials

GLATFELTER – Leading Positions in Niche Markets

Total net sales of $1.8 billion

Supplier of Choice to a Well Respected Customer Base

Random House

Specialty Papers Composite Fibers Advanced Airlaid Materials

GLATFELTER – Strong Relationships with Global Customers


Introduction to Data Privacy/Protection

PERSONAL DATA

Any information that identifies or can be used to identify an individual:

Name, Address, E-mail, Phone Number, ID Number, Date of Birth, Health Information, Banking Information, Marital Status, etc.

Data Privacy/Protection Laws regulate the Processing of Personal Data

PROCESSING

Includes the following: Collection, Use, Storage, Sharing, Transmission, Alteration, Deletion

European Union Data Protection

Laws:

• EU Data Protection Directive (95/46/EC)
• Article 29 Working Party

Principles:

• The collection, processing and use of Personal Data is banned unless an exception applies.
• Data Subjects have the right to know why and how their Personal Data is collected and processed.

Exceptions:

• Consent of Data Subject
• Legal Obligation or Public Interest
• Performance of Contract
• Protection of Vital Interests of Data Subject
• Legitimate Interests of Data Collector


EU Data Protection – Personal Data Transfers Outside the EU

Safe Harbor Certification

1. Joint EU Commission and US Department of Commerce Program

2. Companies certify compliance with EU data protection standards

3. Annual certification for employee personal data and third party personal data

Corporate Binding Rules

1. Internal rules/policies of company meeting EU data protection standards

2. Approved by relevant EU member’s Data Protection Authority

3. Approval times vary


EU Data Protection - Controllers and Processors

Controller (inside EU)

Controller (inside and outside EU)

Processor (inside and outside EU)


Data Transfers:

Statutory Justification

Data Subject Consent

Data Processing Agreement

Safe Harbor Certification OR Corporate Binding Rules

Standard Contractual Clauses

EU Data Protection – Additional Member States’ Requirements

Co-Determination Rights

Data Protection Officers

Individual Employee Consent

Consultation with Works Councils

Declaration filing with the Data Protection Authority (CNIL)

Notification to U.K. Information Commissioner


Germany

France

United Kingdom

Highlights of Non-EU Data Protection Requirements

Data Transfer Agreement

Explicit Consent from Data Subjects

National and Provincial Laws

Data Transfer Agreements/Sharing Protocols

Employee Notification of International Transfers

Written Consent from Data Subjects

Notification to Russian State Regulator if Processing Customer Data


China

Canada

Russia

Trends – Enforcement News

• BRAZIL: Telecom company fined $1.59 million for violating users' privacy.

• HONG KONG: Privacy Commissioner condemns employment agencies for collecting personal data from job applicants via blind recruitment advertisements.

• U.K.: An individual awarded nominal damages for emotional distress due to data breach.

• IRELAND: Successfully prosecuted individual directors of a company for disclosures of personal data without the consent of the data controller.


Trends – EU Cookie Audits


EU ePrivacy (“Cookie”) Directive

Users must be informed about the use of cookies on a company’s website

Users have the right to consent to cookies prior to use

Exception for cookies that are strictly necessary to the delivery of an online service

Jurisdictional split on consent: Express vs. Implied

Cookie sweeps and audits

Trends – Proposed EU Data Protection Revisions

Prior authorization of a national data protection authority required before personal data may be transferred to non-EU country.

Fines increased to the greater of €100 million or 5% of annual worldwide turnover.

Data Subjects have right to demand erasure of personal data.

Internet service providers processing personal data must receive explicit consent from the data subject.


Tips and Guidance

Assessment

Technology

Documentation

Communication


Thank you!

Questions?
