© Copyright 2015 by K&L Gates LLP. All rights reserved. Webinar: US-EU Safe Harbor Framework Declared Invalid Bruce Heiman (Washington DC) Ignasi Guardans (Brussels) Etienne Drouard (Paris)



Page 2

What happened?

1 klgates.com

Page 3

The Schrems Case (Ruling C-362/14)


* 9/25/13: The Irish DPA receives a complaint from a citizen about Facebook transferring his data to the US
  • The DPA states it has no right to verify the data transfer; only the EC can, based on EC Decision 2000/520 (the Safe Harbor decision)
  • Schrems takes the DPA to the Irish High Court

* 7/17/14: The Irish High Court asks the CJEU for a preliminary ruling
  • Is the Irish DPA bound by the EC findings on the protection of data transferred to a 3rd state?
  • Can the DPA carry out its own investigation?

* 10/6/15: CJEU ruling C-362/14
  • EC Decision 2000/520 can be reviewed and challenged at national level by DPAs and courts
  • But only the CJEU can declare it void
  • The EU Court reviews it and declares it void

Page 4

Why Is 2000/520 Declared Invalid? (= What’s the test for a valid one?)

Transfers of data can only be allowed IF the 3rd country ensures an “adequate level of protection”, measured according to a non-exhaustive list of circumstances.

The European Commission must assess the level of protection of the 3rd country according to its laws & practice. Reliability check: effective detection & supervision mechanisms in case of infringement.

But the EC itself acknowledges that:
• National security, public interest, or law enforcement requirements have primacy over the safe harbor principles
• No legal protection: data subjects have no administrative or judicial means of redress (the FTC acts only in commercial disputes)


Page 5

Why Is 2000/520 Declared Invalid? (= What’s the test for a valid one?)

• Derogations from the protection of personal data can apply only if “strictly necessary”. This is not the case here: there is no objective criterion determining the limits of access by public authorities and of its use for purposes that are “specific, strictly restricted, justifying the interference”
• “Generalized” storage of and access to personal data by authorities compromise the “essence of the fundamental right to private life”
• Effective judicial review is inherent to the existence of the rule of law
• The EC failed to prove “that the US in fact ensures an adequate level of protection”: Decision 2000/520, establishing an equivalent “adequate level of protection”, is invalid


Page 6

Essentially, Two Issues Make Safe Harbor Invalid

Resolving these two issues is what will make a new agreement acceptable in the EU:

• The US Government has access to personal information “without limitation”
  • The EC had already raised concerns that this access goes beyond what is “strictly necessary and proportionate” to protect national security
• EU citizens cannot pursue legal remedies to access and correct their data
  • The EC had already raised concerns that there is “no administrative or judicial means of redress” for access and for the ability to rectify or erase data


Page 7

Who May Be Impacted?

Page 8

‘Personal Data’ Under the EU Framework Directive 95/46

Article 2(a): “[…] Any information relating to an identified or identifiable natural person (‘data subject’) […], directly or indirectly, […] by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

Recital 26: “[…] account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person.”

Opinions from the “Article 29 Working Party”: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm


Page 9

Are You Subject to EU-US Data Transfer Regulations?


Your company or group of companies is composed of: (YES / NO)

1. A US company
   1.1. with personnel, and/or subsidiaries, and/or affiliates, and/or a holding/mother company in the EU
   1.2. using technical infrastructures (including e.g. servers) or service providers located in Europe
   1.3. with commercial partners located in Europe (wholesalers, retailers, distributors, licensees…)

2. An EU company
   2.1. with personnel, and/or subsidiaries, and/or affiliates, and/or a holding/mother company in the United States
   2.2. using technical infrastructures (including e.g. servers) or service providers located in the United States
   2.3. with commercial partners located in the United States (wholesalers, retailers, distributors, licensees…)

3. A US company operating services entirely from the United States and/or a non-EU country, directed at customers in Europe (draft EU Regulation)

Page 10

Who May Be Impacted in Practice?

Note: the situations listed hereafter should be read with the following assumption: “… for the processing of personal data, browsing and localization data, or behavioral data, which may relate, directly or indirectly, to an individual (employee, customer, etc.)”


Page 11

Which US Companies May Be Impacted?

• Safe harbor certified US companies
• Non-safe harbor certified US companies:
  • that are not bound by group-wide “Binding Corporate Rules” (“BCR”)
  • that have not executed EU-compliant data transfer agreements with their EU mother company, sister companies, affiliates, contractors, subcontractors, service providers, business partners
  • that receive or access personal data from the EU without the data subjects’ consent to the transfer to the US


Page 12

Which EU Companies May Be Impacted?

• EU companies sending data to their US mother company, sister companies, affiliates, contractors, subcontractors, service providers, business partners
• EU companies sharing databases with their US mother company, sister companies or affiliates

In each case:
• without any EU-compliant data transfer agreement in place
• without any BCR in place
• without the data subjects’ consent


Page 13

What Are the Risks?

Page 14

Popular Solutions Under the Current EU Laws

Execute EU-compliant data transfer agreements
• Model clauses from the EU Commission
• Description of data, purposes and security measures
• Amend existing notifications with the data protection authority (“DPA”) regarding the grounds for data transfer

Implement group-wide “Binding Corporate Rules”
• Binding list of data protection commitments
• Approval of the BCRs by the competent DPAs
• One representative EU entity liable before the competent DPAs
• All group entities liable before the representative EU entity

Obtain consent from data subjects
• Explicit, specific, freely given, discretionary, waivable… Impracticable?


Page 15

Data Transfer Assessment

Page 16

Data Transfer Assessment

Perform a data transfer audit
• Data transfers tailored checklist
• IT/commercial/outsourcing contracts review
  • Look for references to “safe harbor”
  • Look for data transfer agreements

Classify and prioritize
• Intra-group transfers
• Transfers to clients
• Transfers to contractors or subcontractors

Assess the most effective and practicable legal solution, following the priorities previously defined


Page 17

Example of Data Transfers Standard Check List (US)


We are a US company and we do: (YES / NO)

• Access/extract HR data from our European-based affiliates
• Access/extract CRM data from our European-based affiliates
• Access/extract accounting data from our European-based affiliates
• Implement a global anti-money-laundering and/or SOX compliance framework from the United States
• Enforce and control a global IT policy from the United States
• Draw statistics about our European employees/customers based on any of the following: health conditions, race, ethnicity, trade union membership, criminal offenses or allegations, religion, sexual orientation
• Consolidate/assess a biometric database (e.g., fingerprint, hand shape, iris) for employee access control or other purposes
• Consolidate/access a genetic database
• Operate a global Active Directory including our European employees
• Operate data centers in the EU
• Outsource data hosting in the EU
• Host data from our EU affiliates
• Host data from our EU service providers
• Operate global IT infrastructures from the United States

Page 18

Example of Data Transfers Standard Check List (EU)


We are a European company and we do: (YES / NO)

• Use global IT services, tools and/or servers provided by our US affiliate/mother company
• Outsource IT services to subcontractors in the United States
• Outsource IT infrastructures to subcontractors in the United States
• Outsource hosting activities to subcontractors in the United States
• Outsource medical analysis to subcontractors in the United States
• Share our database with our affiliates/mother company in the United States
• Provide our subcontractors in the US with access to our EU database
• Provide information related to health conditions, race, ethnicity, trade union membership, criminal offenses or allegations, religion, sexual orientation to our mother company in the United States for statistical purposes
• Share an online recruiting tool and database with our affiliates/sister companies/mother company in the United States
• Outsource biometric security services to subcontractors in the United States
• Benefit from biometric security services provided and managed/operated by our mother company in the United States

Page 19

EU Next Moves

Page 20

Policy / Regulatory Follow-up in the European Union


• EC VP Frans Timmermans
• EC Commissioner Věra Jourová
• European Parliament LIBE Committee
• Article 29 Working Party

Page 21

US Next Moves

Page 22

Will a US-EU Safe Harbor 2.0 Provide Relief From the ECJ/EU Privacy Regulation Storms?


Page 23

Safe Harbor 2.0 Negotiations Were in Final Stage…

• Impact of the Snowden disclosures (June 2013)
• EC’s 13 Recommendations for Improvement (November 2013), grouped under: Transparency, Redress, Enforcement, Access by U.S. Authorities
• Increased FTC enforcement (January 2014)
• Key Issue: Recommendation 13 – the National Security exception should be used only to the extent “strictly necessary or proportionate”
• Note the parallel initiative – the EU-US umbrella agreement:
  • Protection framework for data transfers for law enforcement purposes
  • EU citizens should have the same privacy rights and remedies available to US persons

Page 24

Need to address the two prongs of the ECJ decision

USG unrestricted access to information
• PRISM program disbanded
• Section 215 bulk collection of telephone metadata ended (USA Freedom Act)
• ? Final resolution of “strictly necessary and proportionate”

EU citizens’ ability to access and correct data
• Judicial Redress Act (H.R. 1428)
• Legislative prospects


Page 25

Commerce Secretary Pritzker Reaction

“Since 2000, the Safe Harbor Framework has proven to be critical to protecting privacy on both sides of the Atlantic and to supporting economic growth in the United States and the EU. We are deeply disappointed in today’s decision…”

“For the last two years, we have worked closely with the European Commission to strengthen the U.S.-EU Safe Harbor Framework, with robust and transparent protection, including clear oversight by the Department of Commerce and strong enforcement by the U.S. Federal Trade Commission.”

“The court’s decision necessitates release of the updated Safe Harbor Framework as soon as possible.”


Page 26

Q&A With K&L Gates Presenters


Bruce J. Heiman – Partner, Public Policy and Law – Washington DC – +1.202.661.3935 – [email protected]
Ignasi Guardans – Partner, Public Policy and Law – Brussels – +32.(0)2.336.1949 – [email protected]
Etienne Drouard – Partner, Privacy, Data Protection and Information Management – Paris – +33.(0)1.58.44.15.12 – [email protected]
