Type in document reference # if needed Privacy protection in a Globalized World Association of Corporate Counsel New York, 24 March 2015 1
The plan Bringing out the main cross-border privacy issues for in-house counsel Describing that reality from the point of view of regulators Exploring strategies for resolution Sharing experiences 25 March 2015 2
A Global View Vancouver Edmonton Calgary Montreal Ottawa Chicago San Francisco Boston Toronto Kansas City New York Silicon Valley Short Hills St. Louis Washington, DC Los Angeles Phoenix Dallas Atlanta Houston New Orleans Miami Milton Keynes London Praia Paris Barcelona Madrid Algiers Casablanca Nouakchott Bissau Brussels Berlin Warsaw Prague Frankfurt Bratislava Budapest Zürich Bucharest Tripoli Istanbul Cairo Beirut St. Petersburg Minsk Kyiv Moscow Astana Rostov on Don Almaty Krasnodar Tashkent Tbilisi Ashgabat Amman Riyadh Baku Doha Abu Dhabi Dubai Muscat Beijing Shanghai Hong Kong Key Lagos Accra São Tomé Luanda Kampala Kigali Nairobi Singapore Offices, associate offices x and facilities* Associate firms and special alliances* Lusaka Port Louis Johannesburg Maputo Cape Town 25 March 2015 3
From the point of view of in-house counsel Photo 25 March 2015 4
In-House A Global Privacy Analysis Global patchwork of privacy laws + globalized business = challenge How does this come up? Most projects are multijurisdictional MasterPass Product Development and Expansion Simplify Commerce Product Development and Expansion MasterCard Datacash Acquired UK payment processing business 25 March 2015 5
In-House A Global Privacy Analysis Goal is always to understand the rights and obligations that attach to data at point of collection and throughout lifecycle First, what is the business matter at hand? What are we doing (and where)? What is our role in the ecosystem? Who are we working with? Then, how does data layer in? Country of collection / data subject Entity/mechanism of collection Notice & consent mechanics Cross-border transfers Type of data elements collected and processed Nature of processing (primary and secondary uses) Sharing with third parties / participants in an ecosystem 25 March 2015 6
In-House A Global Privacy Analysis Result of that analysis drives Product design Contract terms Security protocol Risk allocation and determination Analysis applies to all situations Acquisitions and investments Product development and expansion Contracting with customers and vendors Incident response 25 March 2015 7
The point of view of regulators Photo 25 March 2015 8
Main issues Asserting jurisdiction over foreign respondents Holding a common front across diverse legislative frameworks Coordinating compliance 25 March 2015 9
The point of view of outside counsel 25 March 2015 10
Outside Counsel A Global Privacy Analysis Consistent policies and processes are essential to managing privacy and data protection risk. Why? High process integrity greatly minimizes operational risk. Speaking with a consistent voice to customers and partners builds trust and creates accountability with business partners. Managing different policies within different businesses and markets can create unmanageable compliance obligations and expectations. 25 March 2015 11
Outside Counsel A Global Privacy Analysis Companies have trouble driving consistent privacy policies and practices across businesses and geographies. Why? Business Units are in silos with different leadership and strategy. Lack of an integrated, enterprise-wide risk management framework. Misperception that adopting consistent standards will lead to missed business opportunities. 25 March 2015 12
Outside Counsel A Global Privacy Analysis Regulatory schemes in North America and Europe will continue to harmonize while maintaining substantial differences. Why? The EU will adopt breach notification rules and requirements. The US may adopt EU-style rights, such as right to be forgotten/obscurity. International data protection schemes like Canada and in Asia-Pacific will continue to move closer to the EU approach. 25 March 2015 13
Outside Counsel A Global Privacy Analysis What should In-House Counsel do to stay on top of the global complexity? Be knowledgeable about privacy laws in other jurisdictions. Attempt to rationalize requirements at a high level and drill down at a local level. Ensure that you have both a short term and longer term compliance strategy. 25 March 2015 14
Your point of view What are the main issues for cross border privacy law? What are the main strategic issues for cross border privacy compliance? 25 March 2015 15