Developments in Global Data Protection & Transfer: How They Impact Third-Party Contracts

Similar documents
GDPR and the Privacy Shield

EU DATA PRIVACY COMPLIANCE FOR US DRIVEN PROJECTS

SCCE ECEI 2014 EU DATA PRIVACY COMPLIANCE FOR US DRIVEN PROJECTS. Monica Salgado JANINE REGAN CIPP/E

Technology and data privacy Global perspectives

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

EU data security and privacy trends

Data Protection in Switzerland Update Following the Safe Harbor Decision. 21 October 2015 / 6 February 2016 Christian Wyss

Global Privacy and Data Protection Risk:

Do you handle EU residents personal data? The GDPR update is coming May 25, Are you ready?

Developing and Implementing Data Protection Law: Malaysia and Beyond

Data Privacy for Multinationals: How to Build and Implement a Compliance Plan

EU Data Protection Triple Threat for May of 2018 What Inside Counsel Needs to Know

GDPR is coming in less than 2 months Are you ready?

Data Privacy for Multinationals: How to Build and Implement a Compliance Plan

NEWSFLASH GDPR N 8 - New Data Protection Obligations

Safeguards on Personal Data Privacy.

Changing times in Swiss Data Privacy: new opportunities? Microsoft Security Day 27 April 2017 Clara-Ann Gordon

The Role of the Data Protection Officer

General Data Protection Regulation April 3, Sarah Ackerman, Managing Director Ross Patz, Consultant

2014 Luxury & Fashion Industry Conference for Multinationals

The Application of GDPR to Canadian businesses: Are you ready?

General Data Protection Regulation (GDPR) The impact of doing business in Asia

GDPR - Are you ready?

Introductory guide to data sharing. lewissilkin.com

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

EU General Data Protection Regulation (GDPR) Achieving compliance

Cisco Spark and GDPR. Thomas Flambeaux. Collaboration Consulting Solution Engineer, Security and Compliance. Cisco Connect 2018 Copenhagen April 12th

EU General Data Protection Regulation (GDPR) A Point of View for Technology Sector Organisations. For private circulation only.

PROJECT BACKGROUND AND RATIONALE

Disruptive Technologies Legal and Regulatory Aspects. 16 May 2017 Investment Summit - Swiss Gobal Enterprise

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

GDPR compliance: some basics & practical to do list

HOT TOPICS IN DATA PRIVACY REGULATION IN RUSSIA

Law & Policy Meets Data in the Cloud: Data Sovereignty Across Asia. Bernie Trudel Chairman, Asia Cloud Computing Association

20/09/2013. Global Privacy and Data Protection: Practical Risk Assessment and Governance. Topics

DATA PROTECTION BY DESIGN

Motorola Mobility Binding Corporate Rules (BCRs)

IT MANAGEMENT AND THE GDPR: THE VMWARE PERSPECTIVE

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

EU GDPR and . The complete text of the EU GDPR can be found at What is GDPR?

Data Leak Protection legal framework and managing the challenges of a security breach

How the GDPR will impact your software delivery processes

Cybersecurity Considerations for GDPR

A comprehensive approach on personal data protection in the European Union

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

Dealing with Security and Security Breaches

GDPR: A QUICK OVERVIEW

Our agenda. The basics

CNPD Course: Data Protection Basics

A Modern European Data Protection Framework

Contributed by Djingov, Gouginski, Kyutchukov & Velichkov

Data Protection Policy

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

Overview of Key E.U. and U.S. Privacy and Cybersecurity Laws. Brett Lockwood Smith, Gambrell & Russell, LLP May 15, 2018

Knowing and Implementing the GDPR Part 3

Five Ways that Privacy Shield is Different from Safe Harbor and Five Simple Steps Companies Can Take to Prepare for Certification

General Data Protection Regulation (GDPR)

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

Data Privacy and Cybersecurity

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Developing Issues in Breach Notification and Privacy Regulations: Risk Managers Are you having the right conversation with the C Suite?

PS Mailing Services Ltd Data Protection Policy May 2018

Getting ready for GDPR. Philipp Hobler EMEA Field CTO Global Technology Office Dell EMC Data Protection Solutions

Hong Kong s Personal Data (Privacy) Ordinance

EU data protection regulation: how will it impact businesses worldwide?

ENFORCEMENT POWERS. The EU Perspective. Olivier Proust. Associate Hunton & Williams LLP

Outsourcing und Data Protection

INFORMATION TO BE GIVEN 2

Data Processing Clauses

PRC Cyber Security Law --- How does it affect a UK business? Xun Yang Of Counsel, Commercial IP and Technology

8. AUTOMATED DECISION MAKING DURING DATA PROCESSING FURTHER INFORMATION FURTHER INFORMATION AND GUIDANCE CONTACT US...

What is cloud computing? The enterprise is liable as data controller. Various forms of cloud computing. Data controller

CIPP/E CIPT. Data Protection Technologist (DPT) Training Bundle Official IAPP Training and Certification

G DATA Whitepaper. The new EU General Data Protection Regulation - What businesses need to know

Workday s Robust Privacy Program

New Spanish Regulation Tightens Up Data Protection Requirements RAFI AZIM-KHAN, JOHN NICHOLSON, ALESSANDRO LIOTTA, AND DOMINIC HODGKINSON

Royal Mail Consultation: Changes to Postal Schemes to reflect new data protection legislation

Element Finance Solutions Ltd Data Protection Policy

Privacy and Data Protection Draft Personal Data Protection Bill 2018: A Summary. For Private Circulation Only August 2018.

Creative Funding Solutions Limited Data Protection Policy

NYDFS Cybersecurity Regulations

Data Privacy & Protection in the EU-U.S.

Cyber Security Law --- How does it affect the business operations in China? Xun Yang Of Counsel, Commercial IP and Technology

City, University of London Institutional Repository. This version of the publication may differ from the final published version.

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

THE NEW EU DATA PROTECTION REGULATION: WHAT IS IT AND WHAT DO WE NEED TO DO? KALLIOPI SPYRIDAKI CHIEF PRIVACY STRATEGIST, EUROPE

IMPACT OF INTERNATIONAL PRIVACY REGULATIONS. Michelle Caswell, Coalfire Julia Jacobson, K&L Gates

Liechtenstein. General I Data Protection Laws. Contributed by Wanger Advokaturbüro. National Legislation. National Regulatory Authority.

CNPD Course: Data Protection Basics

A Homeopath Registered Homeopath

General Data Protection Regulation (GDPR) NEW RULES

Implementing the new GDPR: what does it mean for Universities?

PRIVACY POLICY. Marlin Hawk Limited of 10 Throgmorton Avenue, London EC2N 2DL, tel

Data Protection System of Georgia. Nina Sarishvili Head of International Relations Department

Data Protection Policy

Cyber Security Law --- Are you ready?

GDPR Data Protection Policy

Welcome & Introductions

Data Breach Notification: what EU law means for your information security strategy

General Data Protection Regulation (GDPR)

Transcription:

Developments in Global Data Protection & Transfer: How They Impact Third-Party Contracts Rebecca Eisner Partner +1 312 701 8577 reisner@mayerbrown.com Mark Prinsley Partner +44 20 3130 3900] mprinsley@mayerbrown.com Gabriela Kennedy Partner and Head of Asia IP & TMT +852 2843 2380 gabriela.kennedy@mayerbrownjsm.com Lei Shen Senior Associate +1 312 701 8852 lshen@mayerbrown.com June 7, 2016

Speakers Rebecca S. Eisner Partner Rebecca S. Eisner is the Partner in Charge of the Chicago office of Mayer Brown LLP and a member of the firm s Business & Technology Sourcing group. Her practice focuses on complex global cloud and emerging technologies, outsourcing and technology transactions, privacy, data protection and data transfers, Internet and e-commerce law issues. She is a frequent writer and speaker on outsourcing, cloud computing and privacy and data protection topics. Gabriela Kennedy Partner Gabriela Kennedy is a partner of Mayer Brown JSM and head of the Asia IP and TMT group. She is also co-leader of Mayer Brown's global Intellectual Property practice. She is based in Hong Kong, practising intellectual property, privacy, media, information technology and telecommunications law. Gabriela advises extensively on technology and data protection issues in Hong Kong and throughout Asia, particularly in relation to business processing outsourcing, the cross-border transfer of data, data compliance and data breaches. HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 2

Speakers Mark A. Prinsley Partner Mark A. Prinsley is a partner of Mayer Brown and head of the Intellectual Property & IT group in London as well as the outsourcing practice. He is regularly named as a leading individual in the areas of business process outsourcing, information technology and intellectual property by Chambers' UK and Global guides. His practice involves acting for customers at all stages of outsourcing transactions with a particular focus on the financial services sector. Lei Shen Senior Associate Lei Shen is a senior associate in the Cybersecurity & Data Privacy and Business & Technology Sourcing practices in Mayer Brown's Chicago office. Lei focuses her practice on data privacy and cybersecurity, technology and business process outsourcing, and information technology transactions. Lei is a Certified Information Privacy Professional in U.S. privacy law (CIPP/US) and a member of the International Association of Privacy Professionals (IAPP). HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 3

EUROPE: IMPLICATIONS OF THE GENERAL DATA PROTECTION REGULATION

EU General Data Protection Regulation Implementation Regulation adopted and published 27 April 2016 and replaces existing EU data privacy regime in May 2018 Key changes Territorial scope/application Compliance obligations Rights of data subjects Sanctions for breach International transfers HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 5

Territorial Scope/Application New law is by way of EU Regula on should result in a largely harmonised posi on throughout all EU countries Applies to processing of personal data (a) in the context of the activities of a controller or processor established in the EU, irrespective of where the processing takes place; (b) of data subjects who are in the EU by controllers or processors not established in the EU where the processing relates to offering goods or services to the data subjects or monitoring the behaviour in the EU of data subjects NOTE: It applies to Data Processors and Data Controllers HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 6

Compliance Obligations Privacy by design concept builds on current technical and organisational security measures obligations on data controllers More sophisticated requirements for the contractual arrangements between a data controller and a data processor Formal record-keeping obligations on controllers and processors, records to be open to inspection by information commissioner Data privacy impact assessments for high-risk processing Data privacy officers required in some situations HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 7

Enhanced Rights of Data Subjects Greater transparency of nature of processing more information to be made available clear and concise explanations required likely emergence of washing instructions icons Right to be forgotten impact on information made publicly available Data portability for data an individual has provided to the data controller and where the processing is carried out by automated means Right to object to processing potential impact on the legitimate interests ground for processing personal data absolute right to object to processing for direct marketing HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 8

Data Breach and Sanctions (and International Transfers) Personal data breaches presumption that Information Commissioner must be notified within 72 hours of the controller becoming aware of the breach processor under obligation to notify the controller notification of data subjects only required where there is a high risk to the rights and freedoms of the data subject Administrative fines up to 4% of worldwide annual turnover or 20 million, whichever is the greater. BUT many qualifications on likely level of fines Direct legal remedies greater clarity as to potential for direct proceedings. Consumer class actions possible International transfers current regime continues but that is not the whole story! HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 9

ASIA: CONSTANT CHANGE

The Emergence of Privacy Legislation Current overarching data privacy law China S. Korea Japan Piecemeal approach Proposed/draft data privacy law India Thailand Malaysia Taiwan Hong Kong The Philippines Amendment Bill approved in 2015 and will come into force by 2017 Singapore Indonesia HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 11

Data Localisation S. Korea Japan Stringent data localisation restrictions Partial data localization restrictions No restrictions China India Taiwan Hong Kong Thailand Malaysia The Philippines Singapore Indonesia HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 12

Personal Data Cross-Border Transfer Restrictions Specific cross-border transfer restrictions Applies to sensitive data only China S. Korea Japan Specific cross-border restrictions not yet in force Some cross-border restrictions India Taiwan Hong Kong Bill approved in 2015 and will come into force by 2017 Thailand Singapore Malaysia The Philippines must ensure third-party provides comparable level of protection Indonesia HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 13

Marketing Restrictions S. Korea Japan Specific direct marketing restrictions No specific direct marketing restrictions China India Taiwan Hong Kong Thailand Malaysia The Philippines Singapore Indonesia HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 14

Emerging Trends Data localisation China and Indonesia Cybersecurity HK HKMA initiated Cybersecurity Fortification Initiative in May 2016, SFC issued Circular on Cybersecurity in March 2016 China draft Cybersecurity Law Singapore new Cybersecurity Act will be tabled in Singapore s parliament in 2017 Philippines Sept 2015, National Cybersecurity Inter-Agency Committee and National Cybersecurity Coordination Centre formed HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 15

Emerging Trends (Cont.) Biometric / sensitive data India 25 March 2016, law passed enabling federal agencies to access Aadhaar database scheme HK Electronic Health Record Sharing System (March 2016); guidelines on handling biometric data in July 2015 Japan 2015 amendments to introduce restrictions on sensitive personal data in PDPA (come into force in 2017) HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 16

US: DATA BREACH NOTIFICATION LAW UPDATES AND RESPONSE TO SAFE HARBOR

Recent US Developments Overview Recent Updates to US Data Breach Notification Laws Invalidation of Safe Harbor and Rejection of Privacy Shield HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 18

US Data Breach Notification Laws Recent updates to US Data Breach Notification Laws Expansion of the Definition of Personal Data Encryption Exceptions and Requirements Notification Timeframes Requirements for the Contents of Breach Notices HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 19

US Data Breach Notification Laws Expansion of the Definition of Personal Data Additional elements added to scope Outliers in recent updates: California: data collected by an automated license plate recognition system North Dakota: work ID number with security or access code Wyoming: birth or marriage certificates HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 20

US Data Breach Notification Laws Encryption Exceptions and Requirements Definition of encryption Removal of encryption safe harbor If encryption code is compromised Regardless of whether data was encrypted or not HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 21

US Data Breach Notification Laws Notification Timeframes Specific timeframes for notification of consumers Data owner notification timeframe vs. data processor notification timeframe HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 22

US Data Breach Notification Laws Requirements for Contents of Breach Notices California Illinois HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 23

Safe Harbor Invalidation and Rejection of Privacy Shield Safe Harbor Invalidation Rejection of Privacy Shield Article 29 Working Party European Parliament European Data Protection Supervisor HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 24

Other Transfer Mechanisms EU Model Clauses (but with caution) Binding Corporate Rules (BCRs) Derogations listed in Article 26 of EU Data Protection Directive Data Subject Consent Approval from Data Protection Authority (DPA) HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 25

QUESTIONS Rebecca Eisner Partner +1 312 701 8577 reisner@mayerbrown.com Mark Prinsley Partner +44 20 3130 3900] mprinsley@mayerbrown.com Gabriela Kennedy Partner and Head of Asia IP & TMT +852 2843 2380 gabriela.kennedy@mayerbrownjsm.com Lei Shen Senior Associate +1 312 701 8852 lshen@mayerbrown.com HOW EMERGING TECHNOLOGIES AND CYBERSECURITY ARE TRANSFORMING SOURCING 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback