
Data Privacy and Protection: 5 Insights from the Experts

Date posted: 13-Apr-2017
Uploaded by: iron-mountain-europe

Data privacy and protection is a hot topic at the moment—and why wouldn’t it be? With major data breaches in the news nearly every day, the privacy of personal and business information is on the minds of companies across the globe. This eBook gathers data privacy and protection insights from internal Iron Mountain experts, along with external experts on the subject. It addresses a wide range of issues, from what information managers should learn from new European guidelines, to what your IT team needs to know about retention.


Contents

• Safe Harbour (page 3): Safe Harbour Ruling Highlights Discrepancies Between European and U.S. Data Privacy Laws
• Personal Data (page 5): Personal Data is Not a Commodity
• Data Privacy Laws (page 7): How Do New Data Privacy Laws Affect Records Managers?
• 5 Things IT Needs to Know (page 8): 5 Things Your IT Team Needs to Know about Data Privacy
• Defining Retention Policies (page 10): 5 Steps To Defining Your Retention Policies
• Conclusion (page 13)


SAFE HARBOUR RULING HIGHLIGHTS DISCREPANCIES BETWEEN EUROPEAN AND U.S. DATA PRIVACY LAWS

In early October 2015, a key agreement that allows the transfer of European residents’ personal data from the European Economic Area (EEA) to the U.S. called ‘Safe Harbour’ was deemed invalid by Europe’s top court.

The European Court of Justice (ECJ) made the landmark ruling on the agreement, which has been in place since 2000. The court concluded that the agreement did not provide adequate protection for personal data in the context of access by intelligence agencies, an issue brought to light by former National Security Agency (NSA) contractor Edward Snowden, and Austrian student Max Schrems, who filed a complaint against Facebook to the Irish data protection authority after Snowden’s publications in 2013.

What Happens Now?

Companies need to find another mechanism to legally “export” (or grant access to) personal data outside the EEA. The various options are discussed below. In addition, the ECJ confirmed that national data protection authorities have the authority to examine whether transfers of personal data to a third country meet the requirements of the EU data protection legislation.

Different countries and organisations have had a wide range of reactions to the ruling. Some data protection authorities (DPAs) have suggested a ban on most U.S. transfers, others have reached out to companies that have relied on the Safe Harbour, reminding them to implement a compliant solution, while the UK is telling its businesses not to panic. The so-called Article 29 working party (which represents all EU data protection authorities) set a deadline of the end of January 2016 to implement a compliant alternative to Safe Harbour. While work on ‘Safe Harbour 2’ continues, most DPAs have stated that transfers to the U.S. should be treated in the same way as transfers to most other major economies outside of the EEA, and legitimised using one of the other transfer options available.

There are four major options for Safe Harbour moving forward.

OPTION 1: Option one is, as mentioned above, a second version of Safe Harbour. The parties hope to reach a new agreement in early 2016, but it is not certain that an agreement can be reached before the end of January.

Authors: Michael Zurcher | Iron Mountain; Julian Cunningham Day | Linklaters

Worst Case Scenario?

If no workable solution is found, data storage solutions may have to be rethought. It may be easier to house and grant access to European data in Europe only. This solution is possible, but would involve significant structural change for many organisations. EU regulators seem keen to encourage a better outcome.


OPTION 2: Option two is adopting Binding Corporate Rules (BCRs). BCRs are an intra-group framework with different elements (legally binding commitments, policies, training, audit, etc.) that guarantees that European personal data will be adequately protected within the group. Implementing BCRs is a heavyweight process, taking 12–18 months to gain approvals from DPAs. It is also intra-group only, and it is not clear how it would limit access by U.S. intelligence agencies.

OPTION 3: Option three focuses on Model Contracts. This is an option that is already widely adopted by businesses operating in the EEA, and likely to be the most common alternative selection to Safe Harbour. It involves entering into bilateral arrangements that can be used with affiliates, 3rd party vendors or others with which companies want to share data. Potential issues include the fact that this solution also doesn’t prevent access by intelligence agencies, and in some countries additional complications arise from administrative formalities (submissions of the model clauses and translated and notarised documentation relating to the signing authority of the officers executing the clauses). In addition, under this ruling, DPAs would be able to suspend their approval for the use of Model Contracts.

OPTION 4: Option four is really a partial solution focusing on individual derogations (consent, contractual necessity, etc.). The issues with this solution include: difficulties in obtaining valid consent from affected individuals, and the fact that other derogations (e.g., processing necessary for a contract with an individual) only operate on a case-by-case basis.

Safe Harbour: Take Home

We are currently in a grace period as the EU and US authorities try to negotiate an alternative form of Safe Harbour (until end of January 2016), though this could be extended. Use the remaining time to select an option that works for your organisation. Like most multinational companies, Iron Mountain has selected Option 3 and executed Model Contracts.

What Does this Mean for Records Managers?

Records managers must ask the following questions:

• To what extent does my organisation rely on third party vendors in the U.S. for EU records/data processing?

• On what basis does my organisation export its data to such U.S. based vendors?

• Do any of our EU vendors subcontract work to the U.S.?

• On what basis do these EU vendors export their data to such U.S. based subcontractors?

• Do we have contracting arrangements in place to ensure compliance works all the way down the supply chain?

• Have I notified our procurement and compliance partners about potential vendor issues/changes?
