With the current focus on the coming into effect of the EU General Data Protection Regulation, one could (almost) be forgiven for forgetting about the question of international data flows. However, given the political and legal developments currently affecting the future of international data transfers, that would be a very serious strategic mistake. Legitimising data globalisation remains a top business priority in our uber-digitised world. The coming of age of cloud-based services, the continuous advance of mobile communications and the push by developed and developing countries to reach a global market have made international data transfers more essential than ever. At the same time, the level of regulation affecting those transfers is becoming more impenetrable and politically charged. Against this background, what are the issues that need to be taken into account to develop a solid global data flows legal strategy?
To date, the main legacy of the Brexit referendum of 2016 appears to be a country split in half: some badly wish the UK would continue to be a member of the EU and some are equally keen on making a move. Yet, there seems to be at least one thing on which Remainers and Leavers will agree: nobody knows exactly what is going to happen. The same is true of the effect of Brexit on UK data protection. However, as Brexit day approaches, it is becoming imperative for those with responsibility for data protection compliance to make some crucial strategic decisions. To help with that process, here are some pointers about what we know and what we don’t know.
Earlier this week, Bret Cohen and Sian Rudgard from the Hogan Lovells Privacy & Cybersecurity practice were interviewed as follows by Varonis’ The Inside Out Security Blog about data security requirements in the EU General Data Protection Regulation.
Part 9 of Future-Proofing Privacy: Future-Proofing Privacy: International Data Transfers 2.0. The Data Protection Directive and the Regulation both impose restrictions on the transfer of personal data by EU based businesses (whether those businesses are data controllers or data processors) to destinations outside the EEA. These restrictions, however, have not been uniformly implemented by EU Member States. In some Member States additional requirements apply, such as prior notification to or approval by the local DPA, particularly where companies wish to rely on EU Model Clauses or BCRs. This approach is essentially set to continue
with some variations.
Following the announcement by the European Commission of the newly agreed EU-US Privacy Shield, the missing piece of the jigsaw was the Article 29 Working Party’s stance on the adequacy of the existing mechanisms in place—in particular, standard contractual clauses and binding corporate rules. So after two days of intense discussions, the Working Party has issued a statement with its latest position, which is the follow up to their original reaction to the invalidation of Safe Harbor last October. The bottom line: the Working Party still does not view US government surveillance laws as sufficiently protective of privacy—a position which calls all transfers of personal data to the US in question, regardless of the methods used to legitimise the transfer—but they will reconsider this position in light of the Privacy Shield in the coming months.
The EU’s Article 29 Working Party issued a statement today on the recent Schrems decision invalidating the adequacy of the EU-U.S. Safe Harbor framework, emphasizing that affected businesses should start to put in place legal and technical solutions in a timely manner to meet EU data protection standards. The statement gave a January 2016 deadline for companies to come into compliance with the ruling, at which point EU data protection authorities would be “committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.” In response, we publish here a high-level analysis of the possible options available for companies—including the EU Standard Contractual Clauses, Intra-Group Agreements and other ad-hoc contracts, Binding Corporate Rules, Safe Harbor 2.0, and consent—and the pros and cons of choosing each one.
Hogan Lovells’ leading Privacy and Information Management practice will actively participate at this week’s IAPP Global Privacy Summit 2015. Enclosed is a listing of events in which our lawyers will be featured.
Ask any data protection officer or privacy counsel what tops their list of trepidations and engaging global data services’ vendors will be up there. The combination of security threats and burdens, restrictions on international data transfers and data-hungry law enforcement authorities has turned delegating any data processing or storage operations to cloud service providers into an unnerving proposition. This is unfortunate given all the practical benefits and crucial role of cloud computing for the world’s economy and the information society. If we add to this the incessant scrutiny of Safe Harbor and the growing distrust surrounding technology giants which is part of the legacy of the post-Snowden era, things are not looking very rosy for the global guardians of our information. It needs not be this way.
Whilst the reform of the EU data protection framework continues its tortuous course in Brussels’ corridors of power, privacy pros in the real world are doing their best to cope with the current uncertainty. One of the ever-present sources of concern for those with data-related operations in Europe is how to overcome the restrictions affecting international data transfers in a cost-effective, sustainable and effective manner. In reality, there are many paths to follow, but choosing the right one is not always obvious—each case is different, and limited resources and time constraints often add an unwelcome degree of stress and complexity to the process.
On April 19, the European Union’s Article 29 Working Party adopted Explanatory Document WP204 on processor Binding Corporate Rules (BCRs). Processor BCRs provide a new avenue for data controllers to transfer EU personal data to processors (such as cloud service providers) located in third countries not considered to ensure an adequate level of protection under the 1995 EU Data Protection Directive. The Article 29 Working Party, noting the success of controller BCRs and citing the “growing interest of industry in such a tool,” provided initial guidance on processor BCRs in June 2012 through Working Document WP195 (which we previously covered here). WP195 presented a “toolbox” that laid out the criteria for approval of processor BCRs, as well as explanatory notes on the content expected in the processor BCRs. As of January 1, 2013, the EU began accepting applications for approval of processor BCRs.
The Article 29 Working Party on 6 June 2012 adopted Working Paper WP 195 as a new “toolbox” with recommendations for Binding Corporate Rules (BCRs) for data processors.
Are BCRs the key to global interoperability? Some think so at the IAPP London conference. This post discusses opinions from conference presenters — will BCRs will become more and more popular as corporations implement new accountability measures, or will they fade under the weight of continued bureaucracy?
Although the European Commission was expected to release its overhaul of the 1995 Data Protection Directive (95/46/EC) next month, some of the details of those changes emerged earlier than expected this week. In this post, we summarize the many key changes between the Data Protection Directive and the Commission’s draft Data Protection Regulation.
Hogan Privacy and Data Security Co-Chair Chris Wolf recently gave an interview on recent developments under the EU-US Safe Harbor to Nymity that was published in its free online newsletter. The interview is accessible through this blog entry.