International Privacy Law - What is at Stake for the US?

International Privacy Law: What is at Stake for the US?
CLE Seminar for In-House Counsel, June 8, 2016, Chicago, Illinois
Sam Fifer, Partner, Dentons, Chicago, +1 312 876 [email protected]
Chantal Bernier, Counsel, Dentons, Ottawa, +1 613 783 [email protected]

Part I: Privacy troubleshooting for corporate counsel - Main trends, legal issues and strategies
Chantal Bernier, Counsel, Dentons, Ottawa, +1 613 783 [email protected]

Answer: U.S. business ability to receive foreign personal data
1. Trends
2. Legal issues
3. Strategies

Trends

A field heating up
Privacy concerns are jumping: nearly 50% of Americans curtail their activities online (NTIA)
Cross-border data flows are increasing: worldwide spending on public cloud is expected to grow by 19.4% (IDC)
Privacy standards are rising: the new European General Data Protection Regulation (2018) expands to foreign business and raises the bar
Source: A quick guide to the EU Data Protection Reform, Dentons 2015

Legal issues

1. Restrictions on cross-border data flows
1995 European Directive on Data Protection: no transfer outside the EEA except
  to an adequate state, or
  with approved legal clauses, or
  with individual consent
The US-Europe divide:
  Adequacy status
  The invalidation of Safe Harbor
  The attempts at an EU-US Privacy Shield
Source: Safe Harbor: EU Court Decision, Dentons 2015

Cross-border data flows
Canada, Personal Information Protection and Electronic Documents Act: transfer outside Canada allowed with
  comparable level of protection, and
  notification to the individual
Mexican law: transfer outside of Mexico allowed with
  notice and consent, and
  comparable level of protection
Source: A Map of Data Residency Requirements, Dentons 2016

Recommendations on cross-border data flows
2013 OECD Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data: free flow with sufficient safeguards
Source: International Data Transfers - A Short Chronology, Dentons 2016

2. Spread of extraterritorial reach
2.1. From the US
Microsoft v DoJ (Ireland case), currently before the U.S. Court of Appeals for the Second Circuit: U.S. jurisdiction over US business records held abroad
U.S. Supreme Court approval of changes to Rule 41(b): allowing search and seizure warrants outside of the district of authority

2.2. From other countries
New General Data Protection Regulation in Europe: extending to any organization offering goods and services in Europe
Worldwide impact of the right to be forgotten: the CNIL-Google showdown
Clarification of domestic laws
Source: Privacy Dynamics in Latin America, Privacy Law and Business 2015

3. Enforcement cooperation among regulators
Increased information exchange
Arrangements for joint cooperation
Coordinated investigations among regulators: the example of WhatsApp
Source: Co-operation a big focus for privacy enforcement, Law Times 2015

Strategies

A few public examples
Localisation of data: Microsoft, Amazon and Google are opening data centres in Europe and in adequate states, for example Canada
Meeting the highest standards:
  Shopify introduces individual consent to store consumer data in the US
  American Express, Hewlett Packard and GE adopt European Binding Corporate Rules
  Motorola has a mix of instruments including European model clauses

...and a few tips from a former regulator
Understand the cultural and legal differences behind domestic privacy law
Aim at the highest common denominator for global privacy compliance
Establish contact with the regulator when rolling out into a new country
Source: Tips from a Former Privacy Regulator, Canadian Privacy Law Review, December 2014

Part II: Big Data - It's a Big Deal
Sam Fifer, Partner, Dentons, Chicago, +1 312 876 [email protected]

Topics
1. Regulatory Environment
2. Privacy and Advertising
3. How to Avoid Data Breaches
4. How to Respond to Breaches
5. How to Plan Ahead

Data Collection and Data Science
Aidan MacAllan, House of Cards, Netflix Original Series

Data Collection and Data Science (continued)
Data scientists, like Aidan, "bring structure to larger quantities of formless data and make analysis possible." (The Sexiest Job of the 21st Century, Harvard Business Review, 2012)
Aidan used domestic surveillance data to pull the names of thousands of people affected by gun violence so that the campaign could make targeted phone calls to encourage citizens to urge their lawmakers to support the First Lady's legislation.
Ironically, companies like Netflix sift through data collected regarding consumers (i.e., likes, dislikes, and streaming history) to craft new products, like House of Cards, and to promote other ones; for more details on this, see: http://www.bigwisdom.net/blog/2016/03/13/4-big-data-lessons-from-house-of-cards/

Regulatory Environment: Compliance

Privacy: ever-growing complexity, higher and higher stakes
The Ever-Evolving Risks Regarding Data Collection
The multi-layer, uneven overlap between the various US federal, state, and industry statutes and regulations has created a high duty of care for companies that collect, process, store, or handle personal information.
Many countries have higher standards than the US, with higher penalties.
Companies that hire third-party service providers (vendors) are in many cases required by various laws to ensure those service providers properly protect personal information.

Privacy: European Approach
Privacy is a Fundamental Human Right
Embodied in Article 8 of the European Convention on Human Rights
Considered a moral issue
Privacy right equal to free speech
Comprehensive approach:
  Data Protection Directive 95/46/EC
  European General Data Protection Regulation?

Privacy: US Approach
Free Speech Almost Always Trumps Privacy
US privacy is judicially created under a "penumbra" of constitutional rights under the 1st, 3rd, 4th, 5th and 9th Amendments
Selective sector-based federal legislation: healthcare, finance, children
Many bills pending: GPS legislation (3 different pending bills)
Federal Trade Commission enforcement
(Coming attraction: FTC Data Security Conference at Northwestern on June 15 -- ask me for details if you are interested)
Varying state laws: California requires owners of personal information to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information"; AB 83 would include biometrics and location

Privacy: US Approach (continued)
Free Speech Almost Always Trumps Privacy
Varying state laws (continued):
Massachusetts and Nevada enacted strong privacy regulations, including certain data encryption requirements
The Massachusetts regulations require covered entities to require that outside service providers maintain appropriate security measures
In 2015, 33 different pieces of state legislation were introduced
Only three states (Alabama, New Mexico and South Dakota) do not currently have a law requiring consumer notification of security breaches involving personal information
The common law of privacy has been around for more than a century. Section 652 of the Second Restatement of the Law of Torts relates to invasion of privacy in general, and Section 652D governs the public disclosure of private facts: one who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that
  a) would be highly offensive to a reasonable person, and
  b) is not of legitimate concern to the public.

Practical Effects of Conflicting Approaches
The Downsides of a Borderless Society
Obstacles to data transfers between EU and US:
  US protections not adequate (example: Edward Snowden)
  Additional assurances required: EU/US Safe Harbors, Model Clauses for Data Protection, Binding Corporate Rules
No restrictions on US to EU transfers:
  Data is property of the collector
  Collector free to use it as it sees fit

EU to US Data Sharing Choices
The Downsides of a Borderless Society
EU/US Safe Harbors: self-certification that privacy protections are in place and adhered to
Model Clauses for Data Protection: contractual provisions that ensure processors and sub-processors maintain privacy protections
Binding Corporate Rules: allow multinational companies to make intra-organizational transfers in compliance with EU law; most flexible but most expensive
Only 12 nations/states currently qualify as "safe" to the EU

Harmonization Challenges
One Size Fits All is Difficult to Achieve
Example: the UK requires detailed notice of how employees can be monitored; the US does not.
A simplified global compliance plan can reduce costs and improve adoption of innovations, if committed to.
  Requires focused and strategic consideration of multinational compliance issues
  Development of a flexible framework can address today's requirements and adapt to future changes

Harmonization Challenges
What About Privacy Shield?
EU Data Protection Authorities say: Privacy Shield needs more work
The Article 29 Working Party (Art 29 WP) has not approved Privacy Shield in its current form, which is supposed to replace the now-defunct Safe Harbor
The single most notable asserted defect in Privacy Shield is a virtually complete lack of trust, by the EU, in the US's ability to refrain from mass surveillance
Fear as a driver of US national surveillance policy is getting in the way of co-operation with the EU