Post on 22-Nov-2014
2012 Human Capital conference, 23-26 October
Data privacy and global mobility
Disclaimer
► Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited located in the US.
► This presentation is ©2012 Ernst & Young LLP. All rights reserved. No part of this document may be reproduced, transmitted or otherwise distributed in any form or by any means, electronic or mechanical, including by photocopying, facsimile transmission, recording, rekeying, or using any information storage and retrieval system, without written permission from Ernst & Young LLP. Any reproduction, transmission or distribution of this form or any of the material herein is prohibited and is in violation of US and international law. Ernst & Young LLP expressly disclaims any liability in connection with use of this presentation or its contents by any third party.
► The views expressed by panelists in this session are not necessarily those of Ernst & Young LLP.
Data privacy and global mobility (page 2)
Presenters
► Fabrice Naftalski
  ► Ernst & Young Société d’Avocats
  ► Attorney at Law/Partner
  ► Head of IP/IT Law
  ► fabrice.naftalski@ey-avocats.com
  ► EuroPriSe legal expert and CIPP/E
► Dr. Peter Katko
  ► Ernst & Young Law GmbH
  ► Attorney/Partner
  ► Head of IP/IT Law
  ► peter.katko@de.ey.com
  ► EuroPriSe legal expert
Agenda
► Data privacy in global mobility
► Focus 1: Management of international transfer of data: complex rules/selection of a transfer strategy and existing tools
► Focus 2: Security of personal data is critical and subject to public scrutiny: examples of data breaches/best practices
► What’s next: How to anticipate the new EU data protection framework requirements
Data privacy in global mobility
Global mobility triggers recurrent and important personal data transfers
► International assignments involve various flows of personal data*, subject to data protection regulation:
  ► Name, gender, address, identification card number, residence permit number, nationality, passport number, family situation, phone number, educational background and career experience-related data, record of performance evaluation-related data, etc.
► Specific data privacy aspects related to mobility programs:
  ► Processing of the data of expatriated employees
  ► Management of the data flows and international transfers between the group companies
*Information that can be used to identify, contact or locate a natural person or can be linked to other sources to identify this individual.
Rationale for data protection
► Human rights law:
  ► Universal Declaration of Human Rights
  ► European Convention on Human Rights
  ► Charter of Fundamental Rights from 7 December 2000
  ► National constitutions
► EU directive
► OECD guidelines
► Consumer and security regulation (US)
► Asia Pacific Economic Cooperation (APEC) framework
Global trend towards more data privacy regulation
(World map slide; the country annotations are reproduced as a list.)
► US:
  ► Consumer Privacy Bill of Rights
  ► FTC recommendations on privacy on the internet
► Costa Rica and Colombia:
  ► Data protection legislation based on the 1995 EU Data Protection Directive
► Peru:
  ► New Data Protection Act (2011) inspired by the Spanish Data Protection Act and the APEC (Asia-Pacific Economic Cooperation) Privacy Framework
► Brazil:
  ► Work in progress: Data Protection Act based on the EU directive
► India:
  ► Strives to become a safe third country
  ► New Data Protection Act (regarding IT topics) in 2011
► South Korea:
  ► Act on the Protection of Personal Data (2011)
► Philippines:
  ► Bill on data protection based on EU directive 95/46 (March 2012)
  ► Bill is supposed to reduce the concerns regarding an outsourcing to Philippine companies
► Australia and Hong Kong:
  ► Intend to strengthen data protection
► New Zealand:
  ► Safe third country
Data privacy in the US: US Consumer Privacy Bill of Rights
► Self-commitment:
  ► Catalog of rights regarding consumer data protection
  ► Catalog of rights leads to a better protection of consumers’ privacy on the world wide web
  ► Goal: contribution to the improvement of the international “interoperability” and additions to the Safe Harbor Agreement with the EU
► Better recognition of the mutual data protection standards
► Enforcement by the Federal Trade Commission (FTC)
EU framework to protect personal data
► Legal framework in Europe:
  ► EU Law (Personal Data Protection Directive 95/46 and Privacy Directive 2002/58)
  ► Local data protection laws corresponding to Member States’ implementation
  ► Article 29 Working Party group and National Data Protection Regulators’ soft law
► Data protection regulators:
  ► Authorize certain data processing and transfers outside the EU/EEA
  ► Control compliance with data protection law
  ► Sanction breaches of the law
  ► Act also as "jurisdiction" in certain countries
► Sanctions for the violation of data protection legislation:
  ► Criminal sanctions
  ► Administrative sanctions including monetary penalties
  ► Damage to the image of the company
Overview of requirements and sanctions: Main EU data protection principles to comply with
All personal data must:
1. Be processed fairly and lawfully
2. Be obtained for only one or more specified and lawful purposes
3. Be adequate, relevant and not excessive
4. Be accurate and kept up to date
5. Be kept no longer than necessary
6. Be processed in accordance with the identifiable person’s rights
7. Be kept secure
8. Not be transferred to third parties outside of the European Economic Area (EEA), unless certain conditions are met
Corresponding requirements shown on the slide: legal basis to process personal/sensitive data, information obligation, transfer requirements, security measures, data subject rights, filing requirements.
Why is data privacy compliance critical when monitoring mobility programs?
► Because organizations are more complex and global, data is no longer static and hosted in one place:
  ► Security of data is more challenging
  ► International data flows are more numerous
► Because employees’ data is a strategic and very sensitive asset
► In this context, maintaining a secure and compliant environment is a growing challenge
Focus 1: Management of international transfer of data
Management of international transfer of data under European Union law
► Transfer between group entities:
  ► Considered as a disclosure by transmission even within one Member State
  ► Subject to justification (need of employment, intra-group outsourcing, group interest)
► EU Directive 95/46 was the first international instrument dealing with the issue of the transfers of personal data to third countries:
  ► One stated objective of the Directive is to allow the free flow of personal data between Member States, based on agreed-upon principles of personal data protection
  ► At the same time, transfers of personal data to third countries require special consideration
► Applicability of EU law:
  ► Transfer differs from mere transit. Therefore, personal data may be routed through a third country without considering this operation as a transfer if no substantive processing operation is conducted on the data in the third country
  ► It involves hosting but also mere access from non-EU countries to data hosted in the EU
Complex rules for the management of international transfer of data
► EU general principles regarding data transfers:
  ► The data controller may not transfer personal data to a state that is not a Member State of the EU if this state does not provide a sufficient level of protection of individuals’ privacy, liberties and fundamental rights.
  ► If a third country has enacted a generally applicable privacy law that the European Commission deems “adequate,” the country is eligible to receive personal data from Europe (Switzerland, Isle of Man, Canada, Argentina, Israel, Uruguay, Guernsey, European Economic Area countries)
  ► If not, the following legal tools must be implemented to transfer personal data from Europe, not country-by-country, but company-by-company:
    ► Safe Harbor
    ► Standard contractual clauses of the EC
    ► Binding corporate rules
Strategies for international transfer of personal data
► Lack of a so-called group privilege (often criticized by companies):
  ► Data exchange between affiliates is regulated under data protection laws as a transfer between third parties
► The strategy to adopt should be determined regarding the specificities of the company and its activity (size of the company, number and locations of affiliates and processors, etc.):
  ► The EU standard contractual clauses export European principles concerning the processing of personal data to all companies receiving the data
    + : “ready-to-be-signed”
    - : potentially numerous contracts to be concluded
  ► In the case of US companies, they can agree to comply with data protection laws on the European model as part of the Safe Harbor self-certification process
    + : self-certification process
    - : only for US companies; liability before the FTC
  ► Important groups, in consultation with the data protection regulatory agencies, can adopt Binding Corporate Rules (BCRs) to facilitate transfers between all entities within the group
    + : cover all data transfers within a group
    - : implementation process may be complex
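The transfer rules from the last three slides (transit versus transfer, adequacy decisions, then Safe Harbor, standard contractual clauses or BCRs, applied company-by-company) written as a policy-as-code check, added here as an example and not taken from the original presentation. The EEA and adequacy country sets, the Flow fields and the sample flows are constructed assumptions for illustration, not authoritative lists.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed reference sets for the example (not an authoritative list):
# a handful of EEA members, and the adequacy decisions named on the slide.
EEA = {"FR", "DE", "ES", "IT", "PT", "NL", "IE", "NO", "IS", "LI"}
ADEQUATE = {"CH", "IM", "CA", "AR", "IL", "UY", "GG"}

@dataclass
class Flow:
    """One flow of employee data out of an EU-based controller (constructed inputs).
    Remote access from a third country to EU-hosted data is a transfer, not transit."""
    destination: str                     # ISO code of the recipient's country
    substantive_processing: bool         # False: data is only routed/passed through
    intra_group: bool                    # recipient is an affiliate of the same group
    safe_harbor_certified: bool = False  # recipient self-certified under Safe Harbor
    scc_signed: bool = False             # EC standard contractual clauses in place
    bcr_approved: bool = False           # group BCRs approved by the lead DPA

def assess_transfer(flow: Flow) -> tuple[str, str]:
    """Apply the slide's rules in order: intra-EEA flow, transit exception,
    adequacy decision, then BCRs, SCCs and Safe Harbor. Returns (verdict, reason)."""
    dest = flow.destination.upper()
    if dest in EEA:  # free flow between Member States; intra-group disclosure still needs a justification
        return "allowed", "intra-EEA flow (document the intra-group justification)"
    if not flow.substantive_processing:
        return "allowed", "mere transit through a third country is not a transfer"
    if dest in ADEQUATE:
        return "allowed", f"{dest} is covered by an EC adequacy decision"
    if flow.bcr_approved and flow.intra_group:
        return "allowed", "intra-group transfer under approved Binding Corporate Rules"
    if flow.scc_signed:
        return "allowed", "EC standard contractual clauses signed with this recipient"
    if flow.safe_harbor_certified and dest == "US":
        return "allowed", "US recipient self-certified under Safe Harbor"
    if flow.safe_harbor_certified:
        return "blocked", "Safe Harbor is available to US companies only"
    return "blocked", f"no transfer tool in place for third country {dest}"

def blocked_destinations(flows: list[Flow]) -> list[str]:
    """Return the destinations whose flows need a transfer tool before go-live."""
    return [f.destination for f in flows if assess_transfer(f)[0] == "blocked"]

if __name__ == "__main__":
    # Constructed sample: a mobility programme with assignees in several regions.
    sample = [
        Flow("DE", True, True),                              # EEA affiliate
        Flow("SG", False, False),                            # routed via Singapore only
        Flow("IN", True, True, bcr_approved=True),           # group BCRs cover the Indian affiliate
        Flow("BR", True, False),                             # processor in Brazil, no tool yet
    ]
    for f in sample:
        print(f.destination, *assess_transfer(f), sep=" | ")
```

The check deliberately evaluates the recipient, not the country alone, because the slide stresses that the tools apply company-by-company and that BCRs only cover entities within the group.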
Management of international transfers of data: Focus on the BCRs
► Definition of the BCRs:
  ► BCRs are a set of internal guidelines, similar to a Code of Conduct, that establishes policies for transferring personal information within the organization and across international boundaries.
► BCRs benefits:
  ► Elimination of contracts for each transfer
  ► Mitigation of risks from data transfers to third countries
  ► Consistency in data protection strategies and practices within the organization
  ► In-house awareness of privacy issues
  ► A way to achieve accountability within the organization
► Implementing BCRs (process diagram on the slide):
  1. Designate a lead DPA
  2. Draft BCRs
  3. Circulate BCRs to relevant DPAs
  4. EU cooperation procedure
  5. Close the procedure/implement BCRs
Focus 2: Security of personal data is critical and subject to public scrutiny
Security of personal data: Elements of context
► A highly publicized issue:
  ► ABC Corporation:
    ► External intrusion in the PlayStation Network:
      ► Data from approximately 77 million accounts were stolen
      ► Several legal actions have been engaged against ABC Corporation
      ► Loss of trust/damage to the image of the company
      ► Impressive fall in the share price
Security of personal data: Elements of context
► Focus on HR data:
  ► External intrusion:
    ► The “hacktivist” group called Anonymous succeeded in obtaining and publishing a database containing the emails and other material related to a big pharma’s employees
  ► Internal mistake:
    ► The HR of Company B accidentally sent an email to 300 employees revealing wage levels, proposed increases and comments of HR services concerning the evaluation of the employees
Security of personal data: Technical and legal leading practices
► IT risk has privacy implications:
  ► More and more countries have or are adopting data privacy regulations with strong security requirements:
    ► In the EU, certain countries such as Spain, Italy, Portugal and Germany are very demanding in terms of security
    ► In the past years Mexico enacted a comprehensive privacy law, as did South Korea, Peru, Colombia and Costa Rica
    ► In 2011, India enacted a controversial new privacy regulation
  ► Breach notification requirements are emerging in many countries, from Latin America (Brazil, Uruguay and Mexico) to Europe (draft regulation) and Japan in the Asia-Pacific region
► Regulators will always be in a position of having to react to the challenges new technologies present
Security of personal data: Technical and legal leading practices
► Questions to consider:
  ► Does your network architecture design route data from different countries to a central location?
  ► Do you have a good knowledge of data privacy regulations in the countries where expatriates are located or where their data is processed?
  ► Have the privacy regulations in the jurisdictions in which you operate changed in the last years?
  ► If you outsource to countries with new or updated privacy regulations, have you considered what impact that may have on your business in these countries?
  ► If you are transferring data to countries with new or updated regulations, have you considered the impact of those regulations on your local or expatriated employees?
  ► Have you identified solutions to address compliance needs and limit the risk of inappropriate access and exposure of personal information across the organization?
Security of personal data: Technical and legal leading practices
► Tools to address compliance needs and IT risks:
  ► Cartography of security requirements in local data protection laws
  ► Accountability within the organization
  ► Improve internal monitoring and identify privacy professionals within the organization
  ► Organize security and privacy audits on a regular basis
  ► Set up privacy impact assessment/privacy by design
  ► Reinforce employees’ awareness (internal policies and training of the employees)
  ► Secure contractual relationship with processors
What’s next: How to anticipate the new EU data protection framework requirements
Illustrations of the main changes provided by the new EU regulation currently in draft version
► Increased responsibility and accountability for those processing personal data:
  ► Breach notifications
  ► Application of EU rules to companies active in the EU market (even if not established in the EU)
  ► “Principle of accountability”
  ► Obligation to appoint Data Privacy Officers
  ► New obligations applicable to data processors
► Simplification:
  ► A “one-stop-shop” for data protection: only one set of data protection rules valid across the EU and one responsible data protection authority, the national authority of the Member State in which the company has its main establishment
► Right to be forgotten
► Maximum penalty of 2% of the groupwide annual turnover
► New rules regarding transfer to third countries, consistency mechanism, role of the EC, European Data Protection Board, supervisory authorities, etc.
► Still open for national rules on privacy in employment
► Still no group privilege but promotion of BCRs
How to anticipate the new EU data protection framework requirements
► Practical steps to comply:
  ► Perform privacy audits and regular privacy impact assessments
  ► Perform regular training
  ► Appoint a data protection officer
  ► Implement BCRs to meet transfer and future accountability requirements
  ► Stay aware of developments
Questions