The SIG Webinar will begin shortly. Once the webinar begins, the sound will come from your computer speakers. In the meantime, please take a look at the upcoming SIG networking events listed on the right side of your screen and plan to join us if you are in one of these cities this fall. NETWORKING EVENTS GLOBAL SUMMITS April 19-21 – Orlando, FL SYMPOSIUMS Jan 14 – Silicon Valley, CA Mar 24 – Minneapolis, MN REGIONAL ROUNDTABLES Feb 2 – Seattle, WA Mar 3 – Hartford, CT For more information and to register for all SIG events: www.sig.org
Transcript
The SIG Webinar will begin shortly.
Once the webinar begins, the sound will come from your computer
speakers.
In the meantime, please take a look at the upcoming SIG networking events listed on the right side of your screen
and plan to join us if you are in one of these cities this fall.
NETWORKING EVENTS
GLOBAL SUMMITSApril 19-21 – Orlando, FL
SYMPOSIUMS
Jan 14 – Silicon Valley, CA
Mar 24 – Minneapolis, MN
REGIONAL ROUNDTABLES
Feb 2 – Seattle, WA
Mar 3 – Hartford, CT
For more information and to register for all SIG events:
www.sig.org
RECENT POSTINGS
The SIG Career Network is
bursting with opportunities.
New jobs are posted daily by some
of the best known global companies in the world for those
seeking careers in sourcing, outsourcing, procurement and
related functions.
For more information go to: www.sig.org/career-center.php
NEW to the Career Network!
• FedEx – posted Nov 2 - 9:
• Sourcing Advisor (Nov 6)
• Sourcing Specialist (Nov 5, Nov 9)
• Sourcing Principal (Nov 2)
• Workday – posted Nov 4:
• Senior Strategic Sourcing Specialist
• Options Clearing Corp. – posted Oct 28:
• Manager, Contracts & Corp. Services
• Strategic Sourcing, Lead Buyer
• Huntington National Bank – posted Oct 27:
• Senior Sourcing Manager
• Guardian Life Insurance – posted Oct 14:
• Manager, Vendor Management
• Travelers – posted October 14:
• Procurement Program Manager
• University of Notre Dame – posted Oct 13:
• Associate Director, Strategic Sourcing
• N. Carolina State Univ. – posted Oct 13:
• Director
You must be logged in to the SIG website to access the Loyalty Program.
For more information and to register for all SIG events:
www.sig.org
Become a SIG Champion and earn
points in the process by…
• Attending a networking event
• Dialing into an online event
• Speaking at a live or online event
• Submitting content to our blog or
SRC
• Referring a new member
• And more
special member
benefits
• 6 months of free buy-side
access to the Vendor
Evaluation & Assessment Tool (NEAT)
• 2 free Market Intelligence
Reports
• 15% discount on direct
hire placement fees
For more information, go to: http://sig.org/member-discounts
European court halts flow of personal data through Safe Harbor exceptionWhat you need to know: Maximillian Schrems v. Data Protection Commissioner C-362/14
Mark Prinsley is head of the Intellectual Property & IT group at Mayer Brown International LLP in London as well as the outsourcing practice. His practice involves acting for customers at all stages of outsourcing transactions. Recent outsourcing projects have included acting for a commodity exchange in the outsourcing of its IT functions; a telecommunications company in IT outsourcing; a global bank in the outsourcing of its human resources functions; a global chemicals company in outsourcing its finance and accounting functions; a global automotive company in the outsourcing of human resources functions; and a consumer goods company in Finance and Accounting outsourcing and the implementation of cloud computing arrangements and on privacy related matters. Mark also works on the technology transactions which generally include real-time licensing of financial markets data.
Oliver Yaros is a senior associate in the Intellectual Property & IT Group of the London office of Mayer Brown International LLP and advises clients on TMT, outsourcing, IT, data protection, privacy, e-commerce and IP issues. Oliver acts on global financial industry utility projects, IT and business process outsourcing projects and IT systems procurement transactions as well as advising a range of clients (financial institutions, manufacturers and retailers of consumer products, publishers and providers of digital media and online content) on many e-commerce and data protection issues. From May 2013 to October 2014, Oliver spent 18 months on secondment to the GBM Legal team of HSBC in London during which he advised the Global Banking and Markets (investment bank) division and worked with other divisions of HSBC on the creation of various global know-your-client / client onboarding and other types of banking industry utility joint ventures with other banks, on a number of multilateral and bilateral outsourcing projects, on investment banking IT system procurement projects, and on various worldwide IP portfolio management and data protection issues.
14
“They're very practical in terms of trying to identify solutions and giving very good advice on areas where it's reasonable for us to compromise or, alternatively, where to hold our ground.”
~ Chambers USA 2015
"An excellent team of people for outsourcing agreements globally -pragmatic in their approach, with a wealth of experts they can call on.”
~ Chambers Global 2014
“Mayer Brown is universally regarded as a leading player in the technology and outsourcing arena, with market commentators commending the ease with which its lawyers integrate with clients, delivering business-focused advice and guidance.”
~ Chambers Global 2013
“Their knowledge in this area is tremendous. They know us so well they blend into our deal teams and become a natural extension to our in-house team.”
~ Chambers USA 2014
• More than 50 lawyers around the world focused on helping clients improve their business operations by sourcing services and technology
• Advised on more than 300 significant outsourcing transactions valued at an aggregate of more than $100 billion
RECOGNIZED MARKET LEADER
“Band 1” ranking in IT/Outsourcing for12 consecutive years (Chambers 2004-2015)
Named “MTTOutsourcing Team of the Year” in 2014 and ranked in the top tier from 2010 thru 2015
Ranked as one of the top law firms in 2009 thru 2015 on The World’s Best Outsourcing Advisors list for The Global Outsourcing 100™
Mayer Brown Business & Technology Sourcing Practice
Topics we will cover during this webinar
• An explanation of the decision
• How your organisation should react to this decision
• Alternative methods of transferring personal data to the US
• Safe Harbor 2.0
15
Polling Question 1
Which of the following methods do you use to transfer Personal Data from the EU to the United States?
A. Safe Harbor
B. EU Model Terms
C. Binding Corporate Rules
D. Consent of Data Subject
E. Other
16
The Safe Harbor decision: The timeline
• In 1995, Data Protection Directive 95/46 is adopted to govern the processing of personal data in Europe.
• Under the Directive, export of personal data from the EEA to the US is prohibited unless levels of protection considered “adequate” by the European Commission are used.
• In 2000, the US Department of Commerce proposes a self-certification “Safe Harbor” program under which US companies will process personal data received from Europe in compliance with the directive.
• In Decision 2000/520, the European Commission decides that the US Safe Harbor program provides an adequate level of protection.
• By 2015, about 4,500 companies have self-certified to Safe Harbor.
17
The Safe Harbor decision timeline
• Mr Schrems, an Austrian living in Austria, creates his Facebook account in 2008.
• To register, Mr Schrems enters into an agreement with Facebook Ireland.
• Some or all of Facebook Ireland’s users’ personal data is transferred to and processed by Facebook Inc in the USA.
• Facebook Inc has self-certified that its processing complies with the US Safe Harbor program.
• In 2013, Edward Snowden reveals details about the PRISM programme under which companies, including those which are Safe Harbor-certified, are required by US authorities to grant access to their data.
18
The Safe Harbor decision timeline
• June 2013 – Mr Schrems submits a complaint to the Irish Data Protection Commissioner, asking the Commissioner to prohibit Facebook Ireland from transferring his personal data to the US.
• Mr Schrems alleged that the Snowden revelations demonstrated that US law and practice does not ensure adequate protection of his personal data processed in the US under Safe Harbor against surveillance activities by US authorities.
• The Commissioner rejected his complaint on the grounds that there was no evidence that Mr Schrems’ personal data had been accessed by US authorities and that Decision 2000/520 had determined that Safe Harbor ensured an “adequate” level of protection.
19
The Safe Harbor decision timeline
• Mr Schrems challenged the Commissioner’s decision at the Irish High Court.
• The High Court finds that if it were a matter of Irish law alone, the Commissioner should have investigated the matters identified by Mr Schrems and would have been wrong to reject the complaint.
• The complaint really raises the legality of Safe Harbor.
• The complaint also raises the question of whether the Commissioner is bound by European Commission’s Decision 2000/520 or is authorised to break free under the Charter of Fundamental Rights of the European Union.
20
Questions from the Irish High Court for the Court of Justice of the European Union
• The Irish High Court stayed the proceedings and referred the following questions to the CJEU (emphasis underlined):
– “Whether in the course of determining a complaint which has been made to an independent office holder who has been vested by statute with the functions of administering and enforcing data protection legislation that personal data is being transferred to another third country (in this case, the United States of America) the laws and practices of which, it is claimed, do not contain adequate protections for the data subject, that office holder is absolutely bound by the Community finding to the contrary contained in [Decision 2000/520] having regard to Article 7, Article 8 and Article 47 of [the Charter], the provisions of Article 25(6) of Directive [95/46] notwithstanding?
– Or, alternatively, may and/or must the office holder conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision was first published?”
21
Decision of the Court of Justice of the European Union
• The CJEU found that:
– Decision 2000/520 does not prevent a national data protection authority from:
• Examining a claim made by a person concerning the protection of his rights and freedoms with respect to the processing of personal data relating to him which has been transferred to a third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection; or
• From exercising its rights to suspend transfers.
Member States have to be able to take the measures necessary to safeguard the fundamental right to the protection of personal data under the Charter of Fundamental Rights of the European Union.
22
Decision of the Court of Justice of the European Union
• The CJEU found that:
– Decision 2000/520 is invalid because:
• In making its decision, the European Commission did not consider whether the US would ensure an adequate level of protection in Safe Harbor by reason of its domestic law or international commitments as required by the Directive
• Safe Harbor does not provide a guaranteed level of protection because:
– US authorities may process personal data transferred to the US under Safe Harbor in a way that is incompatible with the purposes for which it was transferred there and beyond what is strictly necessary and proportionate for the protection of national security;
– Safe Harbor-certified organisations are required to comply with requests from US authorities; and
– Data subjects have no right of redress.
23
Reaction to the decision
• Reaction from the UK Information Commissioner’s Office (emphasis in bold):
“…We will now be considering the judgment in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them…Concerns about the Safe Harbor are not new. That is why negotiations have been taking place for some time between the European Commission and US authorities with a view to introducing a new, more privacy protective arrangement to replace the existing Safe Harbor agreement. We understand that these negotiations are well advanced. The ICO will be working with our European colleagues to produce guidance following the European Court of Justice ruling”.
6 October 2015
• Reaction from the UK Information Commissioner:
“…[We will not be] knee-jerking into sudden enforcement of a new arrangement. We are coordinating our thinking very much with the other data protection authorities across the EU”.
8 October 2015
24
Reaction to the decision
• Reaction from the Article 29 Working Party:
“…the question of massive and indiscriminate surveillance is a key element of the Court’s analysis…the Working Party is urgently calling on the Member States and the European institutions to open discussions with US authorities in order to find political, legal and technical solutions enabling data transfers to the territory of the United States that respect fundamental rights…In the meantime, the Working Party will continue its analysis on the impact of the CJEU judgment on other transfer tools. During this period, data protection authorities consider that Standard Contractual Clauses and Binding Corporate Rules can still be used.
…If by the end of January 2016, no appropriate solution is found with the US authorities and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include coordinated enforcement actions.
…The Working Party considers that it is clear that transfers from the European Union to the United States can no longer be framed on the basis [of Safe Harbor]… transfers that are still taking place…after the CJEU judgment are unlawful”.
16 October 2015
25
Reaction to the decision
• Reaction from the German Data Protection Commissioners (DSK):
– Transfers of personal data to the US solely under Safe Harbor are no longer permitted.
– The admissibility of data transfers to the US based on standard contractual clauses or binding corporate rules is also questionable.
– The German DPAs will not issue any new permissions for data transfers to the US based on binding corporate rules or bespoke data export contracts for the time being.
– Under strict conditions, consent to the transfer of personal data to the US may be a viable basis [but] such data transfer must not occur repeatedly, on a mass scale or routinely. For the export of employee data or if data of third parties are affected at the same time… consent may be the basis for data transfers to the US only in exceptional cases.
– The European Commission is asked to insist on creating sufficiently broad guarantees for the protection of privacy in its negotiations with the US…the decisions on standard contractual clauses must soon be adapted to the requirements laid down in the CJEU’sruling….for this reason the DSK welcomes the deadline of 31 January 2016 set by the Article 29 Working Party.
21 October 201526
How your organisation should react to this decision
• If your organisation or its service providers are Safe Harbor-certified:
– Conduct an urgent review to identify the types of personal data being transferred and processed and the purposes for which that personal data are being transferred and processed under Safe Harbor;
– Determine if that personal data is being transferred under any other mechanisms that have been determined to be adequate in addition to Safe Harbor (e.g. the standard contractual clauses, binding corporate rules etc);
– Where Safe Harbor alone is being relied upon to transfer that data, determine if it is possible to suspend processing of personal data under Safe Harbor or conduct it in the EU until alternative mechanisms for processing such personal data can be put in place; and
– Put in place alternative mechanisms for transferring that personal data to the US as soon as possible and in any event before 31 January 2016.
27
Alternative methods of transferring personal data to the US
• Standard contractual clauses (data controller to data controller / data controller to data processor)
• Binding corporate rules
• “Ad hoc” / bespoke data export agreements
• Consent
• Other “derogations”
• EU Commission communications on the transfer of Personal Data from the EU to the United States (6 November 2015)
– Supportive of the alternatives and implicit criticism of the challenges to the alternatives
28
Safe Harbor 2.0
• EU concerns about safe harbor emerged in 2010 (in Germany)
• Commission Communication on the Functioning of Safe Harbor from the perspective of EU citizens and companies established in the EU – November 2013
• Growth in businesses relying on safe harbor
– Approx. 400 2004
– Approx. 3200 2013
– Approx. 4500 2015
29
Polling Question 2
If Safe Harbor is no longer available, which of the following methods will you use to transfer Personal Data from the EU to the United States?
A. EU Model Terms
B. Binding Corporate Rules
C. Consent of the Data Subject
D. Other
30
EU concerns about Safe Harbor 2013
• Lack of transparency
• Lack of redress
• Limited enforcement
• Access by US Authorities
31
EU position post-Schrems
• Requirements for new Safe Harbor
– Stronger oversight by the Department of Commerce
– Clearer cooperation between the Department of Commerce and EU National Data Protection Authorities
– More likelihood of enforcement by the FTC
• Steps taken by the United States include:
– Presidential Policy Directive PPD-28 – 17 January 2014
Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe-Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown Mexico, S.C., a sociedad civil formed under the laws of the State of Durango, Mexico; Mayer Brown JSM, a Hong Kong partnership and its associated legal practices in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. Mayer Brown Consulting (Singapore) Pte. Ltd and its subsidiary, which are affiliated with Mayer Brown, provide customs and trade advisory and consultancy services, not legal services. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.35
