International Privacy Law: What is at Stake for the US?

CLE Seminar for In-House Counsel, June 8, 2016, Chicago, Illinois

Sam Fifer, Partner, Dentons Chicago, +1 312 876 3114, [email protected]

Chantal Bernier, Counsel, Dentons Ottawa, +1 613 783 9684, [email protected]


TRANSCRIPT


  • Part I: Privacy troubleshooting for corporate counsel - Main trends, legal issues and strategies

    Chantal Bernier, Counsel, Dentons Ottawa, +1 613 783 9684, [email protected]

  • Answer: U.S. business ability to receive foreign personal data

    1. Trends

    2. Legal issues

    3. Strategies

  • Trends

  • A field heating up

    Privacy concerns are jumping: nearly 50% of Americans curtail their activities online (NTIA)

    Cross border data flows increase

    Worldwide spending on public cloud expected to grow by 19.4% (IDC)

    Privacy standards are rising: the new European General Data Protection Regulation (2018) expands to foreign business and raises the bar

    A quick guide to the EU Data Protection Reform, Dentons 2015

  • Legal issues

  • 1. Restrictions on cross border data flows

    1995 European Directive on Data Protection: no transfer outside the EEA except

    To an adequate state, or

    With approved legal clauses, or

    With individual consent

    The US-Europe divide:

    Adequacy status

    The invalidation of Safe Harbor

    The attempts at an EU-US Privacy Shield

    Safe Harbor: EU Court Decision, Dentons 2015

  • Cross border data flows

    Canada Personal Information Protection and Electronic Documents Act: transfer outside Canada allowed with

    Comparable level of protection, and

    Notification to individual

    Mexican law: transfer outside of Mexico allowed with

    Notice and consent, and

    Comparable level of protection

    A Map of Data Residency Requirements, Dentons 2016

  • Recommendations on cross border data flows

    2013 OECD Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data: free flow with sufficient safeguards

    International Data Transfers - A Short Chronology, Dentons 2016

  • 2. Spread of extraterritorial reach

    2.1 From the US

    Microsoft v DoJ (Ireland case), currently before the U.S. Court of Appeals for the Second Circuit: U.S. jurisdiction over US business records held abroad

    U.S. Supreme Court approval of changes to Rule 41(b): allowing search and seizure warrants outside of the district of authority

  • 2.2 From other countries

    New General Data Protection Regulation in Europe: extending to any organizations offering goods and services in Europe

    Worldwide impact of the right to be forgotten: the CNIL-Google showdown

    Clarification of domestic laws

    Privacy Dynamics in Latin America, Privacy Law and Business 2015

  • 3. Enforcement cooperation among regulators

    Increased information exchange

    Arrangements for joint cooperation

    Coordinated investigations among regulators: the example of WhatsApp

    Co-operation a big focus for privacy enforcement, Law Times 2015

  • Strategies

  • A few public examples

    Localisation of data: Microsoft, Amazon and Google are opening data centres in Europe and in adequate States, for example Canada

    Meeting the highest standards:

    Shopify introduces individual consent to store consumer data in the US

    American Express, Hewlett Packard and GE adopt European Binding Corporate Rules

    Motorola has a mix of instruments, including European model clauses

  • ... and a few tips from a former regulator

    Understand the cultural and legal differences behind domestic privacy law

    Aim at the highest common denominator for global privacy compliance

    Establish contact with the regulator when rolling out into a new country

    Tips from a Former Privacy Regulator, Canadian Privacy Law Review, December 2014

  • Part II: Big Data - It's a Big Deal

    Sam Fifer, Partner, Dentons Chicago, +1 312 876 3114, [email protected]

  • Topics

    1. Regulatory Environment

    2. Privacy and Advertising

    3. How to Avoid Data Breaches

    4. How to Respond to Breaches

    5. How to Plan Ahead

  • Data Collection and Data Science

    Aidan MacAllan, House of Cards, Netflix Original Series

  • Data Collection and Data Science

    Aidan MacAllan, House of Cards, Netflix Original Series

    Data scientists, like Aidan, "bring structure to larger quantities of formless data and make analysis possible." The Sexiest Job of the 21st Century, Harvard Business Review (2012).

    Aidan used domestic surveillance data to pull the names of thousands of people affected by gun violence so that the campaign could make targeted phone calls to encourage citizens to urge their lawmakers to support the First Lady's legislation.

    Ironically, companies like Netflix sift through data collected regarding consumers (i.e., likes, dislikes, and streaming history) to craft new products, like House of Cards, and promote other ones; for more details on this, see:

    http://www.bigwisdom.net/blog/2016/03/13/4-big-data-lessons-from-house-of-cards/

  • Regulatory Environment: Compliance

  • Privacy: ever-growing complexity, higher and higher stakes

    The Ever-Evolving Risks Regarding Data Collection

    The multi-layer, uneven overlap between the various US federal, state, and industry statutes and regulations has created a high duty of care for companies that collect, process, store, or handle personal information.

    Many countries have higher standards than the US, with higher penalties.

    Companies that hire third-party service providers (vendors) are in many cases required by various laws to ensure those service providers properly protect personal information.

  • Privacy: European Approach

    Privacy is a Fundamental Human Right

    Embodied in Article 8 of the European Convention on Human Rights

    Considered a Moral Issue

    Privacy Right Equal to Free Speech

    Comprehensive Approach:

    Data Protection Directive 95/46/EC

    European General Data Protection Regulation?

  • Privacy: US Approach

    Free Speech Almost Always Trumps Privacy

    US Privacy is Judicially Created Under a "Penumbra" of Constitutional Rights under the 1st, 3rd, 4th, 5th and 9th Amendments

    Selective Sector-based Federal Legislation: Healthcare, Finance, Children

    Many bills pending: GPS Legislation (3 different pending bills)

    Federal Trade Commission Enforcement

    (Coming Attraction: FTC Data Security Conference at Northwestern on June 15 -- Ask me for Details if you are interested)

    Varying State Laws

    California requires owners of personal information to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information."; AB 83 would include biometrics and location

  • Privacy: US Approach

    Free Speech Almost Always Trumps Privacy

    Varying State Laws (continued)

    Massachusetts and Nevada enacted strong privacy regulations, including certain data encryption requirements

    The Massachusetts regulations require covered entities to require that outside service providers maintain appropriate security measures

    In 2015, 33 different pieces of state law legislation were introduced

    Only three states (Alabama, New Mexico and South Dakota) do not currently have a law requiring consumer notification of security breaches involving personal information

    Common law of privacy has been around for more than a century. Section 652 of the Second Restatement of the Law of Torts relates to invasion of privacy in general, and Section 652D governs the public disclosure of private facts: "One who gives publicity to a matter concerning the private life of another is subject to liability to the other for invasion of his privacy, if the matter publicized is of a kind that

    a) would be highly offensive to a reasonable person, and

    b) is not of legitimate concern to the public."

  • Practical Effects of Conflicting Approaches

    The Downsides of a Borderless Society

    Obstacles to Data Transfers Between EU and US:

    US Protections not Adequate (Example: Edward Snowden)

    Additional Assurances Required:

    EU/US Safe Harbors

    Model Clauses for Data Protection

    Binding Corporate Rules

    No Restrictions on US to EU Transfers:

    Data is Property of Collector

    Collector Free to Use as it Sees Fit

  • EU to US Data Sharing Choices

    The Downsides of a Borderless Society

    EU/US Safe Harbors: self-certification that privacy protections are in place and adhered to

    Model Clauses for Data Protection: contractual provisions that ensure processors and sub-processors maintain privacy protections

    Binding Corporate Rules: allow multinational companies to make intra-organizational transfers in compliance with EU law; most flexible but most expensive

    Only 12 Nations/States currently qualify as "safe" to the EU

  • Harmonization Challenges

    One Size Fits All is Difficult to Achieve

    Example: UK requires detailed notice of how employees can be monitored. US does not.

    A Simplified Global Compliance Plan Can Reduce Costs and Improve Adoption of Innovations, if committed.

    Requires focused and strategic consideration of multinational compliance issues

    Development of a flexible framework can address today's requirements and adapt to future changes

  • Harmonization Challenges

    What About Privacy Shield?

    EU Data Protection Authorities Say: Privacy Shield needs more work

    The Article 29 Working Party (Art 29 WP) has not approved Privacy Shield in its current form, which is supposed to replace the now defunct Safe Harbor

    The single most notable asserted defect in PS is a virtually complete lack of trust, by the EU, of the US's ability to refrain from mass surveillance

    Fear as a driver of US national surveillance policy is getting in the way of co-operation with the EU