Category

Binding Corporate Rules/BCR

09 February 2016

EU-U.S. Privacy Shield | What Next? – Webinar Recording

On February 2, 2016, the European Commission announced that an agreement had been reached regarding a new framework for the transfer of data to the U.S.: the EU-U.S. Privacy Shield. According to Vice-President of the European Commission, Andrus Ansip, and Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, who made the announcement, the new arrangement reflects the requirements set out by the Court of Justice of the European Union in Maximillian Schrems v. Data Protection Commissioner (C-362-14), and is due to come into force within three months. On February 5, Sidley and DataGuidance presented a live webinar to investigate the new agreement featuring Sidley partners William Long, who advises on European privacy law, Maarten Meulenbelt, who advises on EU regulatory affairs, and Alan Charles Raul, co-leader and founder of Sidley’s Privacy, Data Security and Information Law practice.

EmailPrintShare
03 February 2016

Article 29 Working Party Confirms that EU Standard Contractual Clauses and Binding Corporate Rules are Still Valid – for the Time-Being

The Article 29 Working Party has confirmed in a statement that EU Standard Contractual Clauses and Binding Corporate Rules are still valid data transfer mechanisms for the time being. The announcement was made following a meeting held to discuss the consequences of the Court of Justice of the European Union’s (“CJEU“) decision invalidating the US-EU Safe Harbor Framework and just one day after the European Commission announced that a political agreement had been reached on a new framework, the “EU-US Privacy Shield”.

(more…)

EmailPrintShare
25 January 2016

Essentially Equivalent: A Comparison of the Legal Orders for Privacy and Data Protection in the European Union and United States

In a milestone decision on transatlantic data protection, the Court of Justice of the European Union (CJEU) issued its judgment in the Schrems case, declaring the Commission decision on the EU-U.S. Safe Harbor agreement invalid. The CJEU declared that such a decision requires a finding that the level of protection of fundamental rights and freedoms in the laws and practices of the third country is “essentially equivalent” to that guaranteed within the EU. Given the CJEU’s decision, the Commission and data protection authorities are now called upon to examine the legal order in the U.S. and compare its level of protection to that within the EU.

This report provides a roadmap and resource for this comparison. Following the analysis laid out by the CJEU in Schrems, it shows how privacy values deeply embedded in U.S. law and practice have resulted in a system of protection of fundamental rights and freedoms that meets the test of essential equivalency.

Click here to view the executive summary.

Click here to view the full report.

EmailPrintShare
17 March 2014

European Parliament Votes to Approve New EU Data Protection Regulation and Immediate Suspension of Safe Harbor

The European Parliament has voted in a plenary session on March 12, 2014 to fully endorse the draft EU Data Protection Regulation (the Regulation) and the draft EU resolution calling for the immediate suspension of Safe Harbor (the Resolution), both of which were adopted previously by the European Parliament’s Civil Liberties Committee (the LIBE Committee).

According to the European Commission’s press release “today’s plenary vote means the position of the Parliament is now set in stone and will not change even if the composition of the Parliament changes following the European elections in May.”

(more…)

EmailPrintShare
10 January 2014

European Parliament’s Civil Liberties Committee Report calls for immediate suspension of Safe Harbor

A draft report by the European Parliament’s Civil Liberties Committee (the LIBE Committee) indicates that it is attempting to fundamentally alter the existing compliance mechanisms for transferring personal data from Europe. The recently leaked draft is dated December 23, 2013 and expresses the LIBE Committee’s response to the U.S. NSA surveillance programs, surveillance in various EU Member States and the impact on EU citizen’s fundamental rights and on transatlantic cooperation (the Report).

(more…)

EmailPrintShare
15 January 2013

Business Concern over Amendments to Proposed EU Data Protection Regulation

The European Parliament’s Civil Liberties Committee has published its draft report on the proposed EU Data Protection Regulation that is causing concern for many corporations. http://www.europarl.europa.eu/meetdocs/2009_2014/documents/libe/pr/922/922387/922387en.pdf.

The report sets out amendments to the draft EU data protection regulation published by the European Commission last January (the “Regulation”)
http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf.

Despite being one of the most lobbied pieces of European legislation, many will be disappointed that as amended the draft Regulation still imposes very significant burdens on businesses that are in the EU, or which are outside the EU but offer goods or services to EU customers, with fines of up to 2% of annual worldwide turnover.

Although there has been considerable debate on the proposed Regulation, there is still time for those concerned to make their views known to the European legislature. A summary of the main elements of the proposed regulation as amended by the Committee are set out below.

Scope of Regulation and Enforcement

  • The Regulation will apply expansively to all global businesses, including any Internet company with more than 500 European customers. To be specific, it would apply to “data controllers” established in the EU or operating from outside the EU where the processing activities are aimed at the offering of goods or services to individuals in the EU irrespective of whether payment is required. A data controller outside the EU will need to appoint a representative in the EU if it processes personal data of 500 or more individuals a year, irrespective of whether payment is required for the goods or services.
  • For the first time, the regime will directly affect software and hardware development. So called “producers” (i.e. hardware and software developers) that produce systems to process personal data must take measures to ensure data protection compliance when designing systems.
  • Provisions for fines of up to 2% of annual worldwide turnover for violations of the Regulation remain, although additional criteria are proposed that would be taken into account by Data Protection Authorities (DPA) when determining the administrative sanction.
  • There are a number of amendments to strengthen the position on collective redress: Bodies or associations acting in the public interest would be able to go to court on behalf of data subjects to seek damages and damages will now also be permitted for non-pecuniary loss such as distress.

International Data Transfers

  • Transfers of personal data from the EU to countries that are not deemed to provide an adequate level of protection (such as the United States) should be on the basis of binding legal instruments (such as Binding Corporate Rules and the EU’s standard contractual clauses). The ability of the European Commission to decide that a particular industry sector provides an adequate level of protection (such as the U.S. healthcare industry) has also been rejected.
  • The U.S.-EU Safe Harbor and other previous adequacy decisions as well as decisions relating to standard contractual clauses will remain in force for only two years after the Regulation takes effect. This may lead to companies needing to assess whether their prior compliance efforts remain valid.
  • International investigations will become significantly more complicated. An important new provision will require that a controller’s representative must notify the DPA and obtain an authorization for transfer pursuant to the requests or orders of a court, tribunal or authority of any country outside the EU.

Consent, Legitimate Interest and Data Protection Notices

  • Compliance will also become more complex given that consent may not be available in the employment context. Although the report emphasizes the importance of consent, it adds the condition that consent should not be valid if there is a significant imbalance between the position of the data controller and the data subject (i.e. the individual) remaining in the Regulation. However, incentives are also included for data controllers to use pseudonymous data (e.g. key coded) for which lighter consent obligations will apply.
  • More detail is also provided on when it is possible for a data controller to rely on the legitimate interest ground to process personal data with the controller required to publish why it believes its interests override those of the data subject. The legitimate interests of the data controller include enforcement of legal claims.
  • Data protection policies are to be communicated using multi-layered formats and icons with full information available on request. Data subjects also have a right to be informed about the disclosure of their personal data to a public authority.

Right to be Forgotten, Data Portability and Profiling

  • The Right to be Forgotten (i.e. to have personal data erased) remains in the Regulation but has been amended so data controllers would no longer have to take reasonable steps to contact third parties to request them to erase copies of the data if the personal data has been transferred or made public based on legal grounds (such as legitimate interest).
  • The Right to Data Portability (i.e. to obtain a copy of the data being processed and to move the data to another platform) has been merged with the Right of Subject Access (i.e. the right for confirmation whether personal data is being processed). The Right of Subject Access has also been amended so data subjects now have a right to be informed if their personal data has been disclosed to public authorities.
  • Targeted Internet advertising could also face significant impacts. Profiling will only be permitted with the data subject’s consent or based on an express statutory provision.

Documentation, Impact Assessments, Security and DPOs

  • The requirement in the proposed Regulation for data controllers and processors to retain detailed documentation on the processing has been merged with the requirement to provide information to individuals about how their personal data are processed. The exemption on small businesses employing less than 250 persons from having to retain such documentation has been removed.
  • In the case of a security breach the period to notify the DPA is extended from 24 to 72 hours while the obligation to notify data subjects has also been extended to require that information be included regarding the rights of the data subject including redress.
  • The obligation to appoint a Data Protection Officer (DPO) has been amended so a DPO is required where a legal entity processes personal data on more than 500 persons. The DPO must be a direct report to the head of management, such as the CEO, and the minimum appointment of the DPO is also extended from 2 years to 4 years. The DPO will also have an obligation to report suspected breaches to the DPA.
  • The requirement to carry out data protection impact assessments where data involves specific risks (such as health data and data on children) remains as does the obligation to seek the views of data subjects. However, instead of having to consult with a DPA it is now proposed that a data controller can consult with their DPO.

Life Sciences and Scientific Research

  • Importantly the report provides a comment that processing of sensitive data (e.g. health data) for the purposes of historical, statistical and scientific research are “not considered as urgent or compelling as public health or social protection.” This is of particular concern for the life sciences industry and other industries carrying out research including academic research.
  • The provisions in the Regulation on processing of sensitive data (including health data) for the purposes of historical, statistical and scientific research are also amended to provide that such processing shall only be permitted with the consent of the data subject, but Member States may legislate for exceptions to the requirement of consent for research that serves an exceptionally high public interest, if that research cannot possibly be carried out otherwise. The amendments go on to provide that “The data in question shall be anonymized, or if that is not possible for the research purposes, pseudonymized under the highest technical standards, and all necessary measures shall be taken to prevent re-identification of the data subjects.” The possibility of EU Member States determining when scientific research is permitted, where consent has not been obtained, will also be of concern to the life sciences industry.

New One Stop Shop, Codes of Conduct and Certification Schemes

  • A modified ‘one stop shop’ approach to regulation is proposed under which a DPA is competent to supervise processing operations within its territory or affecting data subjects resident in its territory. Where the processing activities of a controller or processor are established in more than one EU Member State or affecting data subjects in several Member States, the authority of the Member State of the main establishment of the data controller will be the lead authority acting as a single contact point for the controller or processor.
  • Some of the powers of the European Commission to adopt delegated acts (i.e. to provide more detailed requirements) for certain provisions have been removed.
  • Industry Codes of Conduct and data protection certification schemes are encouraged with a formal procedure required to be set down for the issue and withdrawal of a data protection seal or mark and to ensure the independence of the issuing organization.

The next steps in the EU legislative timetable include: (i) February 27, 2013: deadline for tabling amendments by MEPs on the Civil Liberties Committee; (ii) end of April 2013: vote by the Civil Liberties Committee; and (iii) from May 2013 on: (depending on progress in the EU’s Council of Ministers) negotiations between European Parliament, the Council and the Commission (the so called “Trilogue”).

For further details on the proposed EU Data Protection Regulation, please contact William Long (wlong@sidley.com) or John Casanova (jcasanova@sidley.com). Edward McNicholas (emcnicholas@sidley.com) in Washington, D.C. is also available to assist U.S. companies in addressing the potential conflicts between U.S. and EU requirements.

This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000.

Prior results do not guarantee a similar outcome.

EmailPrintShare
10 January 2013

EU Data Protection Authorities approve use of Binding Corporate Rules for Processors

The European data protection authorities (DPAs), represented by the Article 29 Working Party, have launched a Binding Corporate Rules (BCRs) regime for processors. Processors can implement these BCRs from 1 January 2013. BCRs are internal codes of conduct that are legally enforceable for data protection and security and, once approved by DPAs, provide a legal basis for transfer of personal data from the EU.

BCRs had previously been restricted to use by businesses when acting as data controllers (i.e. determine the purpose for which and manner in which personal data are processed) such as a company transferring its own employee data internationally. Although welcomed by many in respect of data controller initiated transfers, the DPAs were criticised for not making BCRs available to data processors that process personal data on behalf of data controllers. The new BCRs for processors should now prove popular for a wide range of international service providers, that act as data processors, such as cloud providers, outsourcing providers, payment processors, data and document storage companies, alertline providers, and many other companies in different industries. The BCRs will be enforceable against the data processor by individuals who suffer damage as a result of a breach of the BCRs and by the data controller.

Data controllers are increasingly requiring their vendors and service providers to provide evidence of data protection compliance, and adoption of BCRs by processors will provide comfort to controllers. Similarly, data processors will be able to use processor BCRs as a way of demonstrating to their customers strong commitment to data protection and so can form part of their customer value proposition. Processor BCRs may also be seen as having advantages over other existing international data transfer solutions, such as use of the EU’s standard form data transfer agreements, known as Model Contracts, which can require data processors to have hundreds of Model Contracts with their customers.

The application procedure for BCRs for processors will be based on the same process as for BCRs for data controllers. The process involves submitting an application form to a lead national DPA in the EU. Once approved by the lead DPA the BCRs will be automatically recognised by many other DPAs due to a system of mutual recognition. In a Working Document (WP195) published in June 2012 the Article 29 Working Party provided a checklist that offers guidance as to which issues should be dealt with in BCRs and what to present to DPAs in the application form including:

  • a description of the data transfers and scope of the BCRs;
  • be binding through reference to BCRs in the service agreement;
  • grant third party beneficiary rights to individuals in the event that the data controller goes out of business or becomes insolvent;
  • provide that the EU data processor accepts responsibility for the acts of other members of the group or breaches by external sub-processors outside the EU;
  • give details of the existence of a suitable training programme, complaint handling process and creation of a network of privacy officers;
  • provide for data protection audits on a regular basis with DPAs having a right of access to the results of the audit together with a duty to co-operate with DPAs; and
  • set out a process for updating the BCRs.

According to the EU’s Article 29 Working Party, BCRs for processors will bring benefits to both data processors and data controllers “Once a BCR for processors is approved it can be used by the controller and processor, thereby ensuring compliance with EU data protection rules without having to negotiate the safeguards and conditions each and every time when a contract is entered into.” BCRs for processors will also increase confidence among customers of data processors while providing a way for customers and data processors to overcome international data-transfer limitations under EU data protection laws.

For further details on BCRs for processors please contact William Long (wlong@sidley.com) or John Casanova (jcasanova@sidley.com).

 

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.

EmailPrintShare
27 January 2012

New EU Data Protection Regulation Announced

The official proposal for an EU Regulation on Data Protection was released in Brussels on Wednesday 25 January 2012 (the “Regulation”). The Regulation, which will replace the existing EU data protection regime, will have a significant impact on almost every business either established in the EU or that has EU customers. The proposed Regulation will now be discussed in detail over the next few months as it goes through the European legislative process and is set to be adopted in 2014. The main implications of the proposed Regulation are summarised below.

  • Greater Enforcement – fines can be imposed of up to 2% of the annual worldwide turnover of a business for failure to comply with the proposed Regulation. In addition, supervisory authorities will be able to impose a temporary or definitive ban on processing personal data, enter premises and suspend data flows to a recipient in a third country or to an international organisation.
  • Class Actions – any organisation which aims to protect the data protection rights of individuals, such as consumer organisations, can make complaints to supervisory authorities and bring class actions on behalf of individuals for non-compliance, even without the consent of those affected.
  • Application to Non European Businesses – the proposed Regulation will apply to businesses established in the EU and importantly to non-European businesses that process personal data of individuals residing in the EU where the processing activities are related to offering goods or services to such individuals or the monitoring of their behaviour.
  • Accountability – businesses will be required to adopt policies and implement measures to demonstrate compliance with the requirements in the proposed Regulation. This will include keeping a detailed record of all forms of data processing and carrying out data protection impact assessments. This will lead to significant compliance costs for affected businesses. Privacy by design measures must also be implemented to ensure, for example, that data is not collected or retained beyond the minimum necessary.
  • Data Protection Impact Assessments – the proposed Regulation introduces a new requirement for impact assessments to be conducted where the processing is likely to present specific risks, such as the processing of health data. As part of the assessment the views of the individuals whose data are being processed need to be obtained.
  • Data Protection Notifications – while the requirement in some EU Member States for data controllers to notify their Data Protection Authority in respect of their data processing activities will be abolished, businesses will be required to consult the relevant supervisory authority prior to the processing of personal data where a data protection impact assessment is required. Where the supervisory authority considers that the assessment insufficiently identifies or mitigates risks it can prohibit the intended processing. Where a data controller or processor is established in more than one EU Member State then the competent authority is where the controller or processor has its main establishment.
  • Information Security – the proposed Regulation requires data controllers and processors to implement appropriate technical and organisational security measures after having carried out an evaluation of data privacy risks. Moreover, data security breaches will have to be notified to the relevant supervisory authority without undue delay and “where feasible” no later than 24 hours after having become aware of it. The proposed Regulation specifies that when the breach notification is not made within 24 hours a reasoned justification must be provided to the relevant supervisory authority. The breach will have to be communicated to the individual without undue delay when the breach is likely to adversely affect the protection of the personal data or the privacy of the individual.
  • Consent – the proposed Regulation places the legal burden on the data controller to prove that the individual has given consent and gives an individual a right to withdraw their consent at any time. The Regulation also significantly restricts reliance on consent “where there is a significant imbalance between the position of the data subject and the controller.”
  • Data Protection Officers – businesses with over 250 employees will be required to appoint a data protection officer who will have to have “expert knowledge” of data protection law and practices. The appointment which must be for a term of at least two years should be notified to the relevant supervisory authority and the public. The proposed Regulation also provides that businesses may appoint a single data protection officer for a corporate group.
  • Increased Rights of Individuals – businesses must have transparent and easily accessible data protection policies and provide information using clear and plain language. An individual also has a right to correct his or her personal data and, importantly for social media, a right to data portability (i.e. to transfer his or her personal data to another provider) and will have a right to be forgotten (i.e. to have his or her personal data erased) which will be complex to apply in practice.
  • Transfer of Personal Data from the EU – the proposed Regulation maintains the restriction under the current Data Protection Directive of transferring personal data to countries outside the EU that are not considered to provide an adequate level of protection including the United States. The Regulation provides that one of the main solutions to permit such international transfers is the adoption of Binding Corporate Rules, which are a set of data protection rules adopted by an international corporate group that meet EU requirements and must be approved by a lead supervisory authority. Significantly, the proposal confirms that that specific sectors of a country could be deemed adequate – perhaps paving the way for recognition of the United States health, communications and financial sectors.

The proposed Regulation will certainly be subject to lengthy discussion and revision by the Council of Ministers and the European Parliament before it is finally adopted and becomes law. However, it is clear that whatever the final form of the Regulation it will have a significant impact on businesses worldwide, increase compliance costs and enforcement actions and will therefore require a new approach to data protection.

If you have any questions regarding this update, please contact:

London

John Casanova
jcasanova@sidley.com
+44 20 7360 3739

William Long
wlong@sidley.com
+44 20 7360 2061

Washington, D.C.

Ed McNicholas
emcnicholas@sidley.com
+1 (202) 736 8010

Alan Raul
araul@sidley.com
+1 (202) 736 8477


 

This Sidley update has been prepared by Sidley Austin LLP for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300 and One South Dearborn, Chicago, IL 60603, 312.853.7000. Prior results do not guarantee a similar outcome.

EmailPrintShare
09 December 2011

First Look: Leaked Draft of New EU Data Protection Regulation Suggests Significant Impacts for Global Businesses

A draft of a new EU Regulation on Data Protection to replace the existing EU Data Protection Directive was released un-officially earlier this week. The draft Regulation once adopted will have a significant impact on virtually all businesses established in the EU, or who carry on business with the EU, introducing significant internal compliance requirements and fines that range up to 5% of worldwide turnover.

In an article published by the Bureau of National Affairs, John Casanova and William Long of the London office of Sidley Austin and Alan Raul and Ed McNicholas of the Sidley Washington office provide their initial analysis of this significant new EU development. For further information on this development and other EU data protection requirements please contact John Casanova or William Long and for counseling in relation to US privacy issues please contact Alan Raul or Ed McNicholas.

Reproduced with permission from Privacy & Security Law Report, Vol. 10 PVLR No. 48, 12/12/2011. Copyright 2011 by The Bureau of National Affairs, Inc. (800-372-1033) http://www.bna.com

View Article

EmailPrintShare
25 September 2003

EU Data Protection: “Binding Corporate Rules” as an Alternative to the “Safe Harbor” for Multinationals that Transfer Data to the U.S.

Global corporations with offices or customers in the European Union should be aware of the latest European Union proposal for compliance with its Data Protection Directive 95/46/EC with respect to internal transfers of information among members of the same corporate group. Interested parties will be submitting comments through September 30, 2003.

View Alert.

EmailPrintShare
XSLT Plugin by BMI Calculator