1 / 10

EU Personal Data Transfers: The Perspective of a Friendly U.S. Harborite And AMCHAM EU Member

EU Personal Data Transfers: The Perspective of a Friendly U.S. Harborite And AMCHAM EU Member. Christopher Foster Assistant General Counsel, Data Privacy October 16, 2007. Department of Commerce, Inc. – Video Education Program. Department of Commerce, Inc.

natara
Download Presentation

EU Personal Data Transfers: The Perspective of a Friendly U.S. Harborite And AMCHAM EU Member

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. EU Personal Data Transfers:The Perspective of a Friendly U.S. Harborite And AMCHAM EU Member Christopher Foster Assistant General Counsel, Data Privacy October 16, 2007

  2. Department of Commerce, Inc. – Video Education Program Department of Commerce, Inc. Jonathan Faull is an employee of DOC, Inc. Representatives from each EU country have produced videos for us

  3. Department of Commerce, Inc. – Video Education Program Department of Commerce, Inc. Jonathan Faull is an employee of DOC, Inc. Representatives from each EU country have produced videos for us • Sensitive personal data? Analysis in each country. • Consent required? Analysis in each country. • DPA Notifications required? Analysis in each country. • Standard contractual clauses?

  4. VP & Deputy General Counsel Chris Foster Assistant General Counsel – Data Privacy Data Privacy Function Members Lisa Parlato LeDonne Chief Privacy Officer Chief Labor & Employment Counsel Director HR -- CPG Germany Privacy Officer – EMEA Director HR, Canada Regional Privacy Officer – Canada & Latin America GC and AGC Honeywell APAC Regional Privacy Officer – Asia-Pacific TBD Regional Privacy Officer – Latin America National Privacy Officers as Required Senior IT Auditor Data Privacy

  5. Director IT Turbo Technologies Director Corporate Learning VP-Enterprise Infrastructure Consolidation Manager Communications CISO Aerospace CISO Corporate Director and CISO/ACS Director & CISO-SM & TS IT Manager, HRIT Data Management TBD IT Director - Online Communications Head HR – Talent Engagement, HTS Director, Procurement HR Srvc, and Solutions Lead HRIS Aerospace GTS, Global Operations Leader Labor COE Director HR, SM Diversity Director Director, Aerospace Customer Portal Senior IT Audit Data Privacy TS China HR Director Director HR Law Data Privacy Team Members Privacy Liaisons Director, IT Director Employee and Labor Relations COE EMEA Vice President HR Data Administration Asst. General Counsel Benefits

  6. IT Specialty Materials IT ACS ManagerIntegrity and Compliance Manager Program IT Aerospace EMEA Asst. General Counsel Benefits Corporate ManagerIT Vice President Global Security VP GC EMEA VP HR EMEA Data Privacy Team Members Other Interested Persons IT Transportation Systems IT Aerospace

  7. Data Privacy Team Roles • CHIEF PRIVACY OFFICER (CPO) • Responsible for overall data privacy compliance strategy and implementation • Leading quarterly meetings of DPF Team • ASSISTANT GENERAL COUNSEL – DATA PRIVACY • Responsible for: • driving global privacy compliance, including certification to Safe Harbor Agreement • conducting privacy reviews of projects and drafting notices and contracts • developing and implementing privacy guidelines, operating procedures and training • maintaining data access/privacy inquiry and internal audit mechanisms • coordinating with Regional Privacy Officers • REGIONAL PRIVACY OFFICERS • Part-time roles focused on regional support Report to Assistant General Counsel – Data Privacy and coordinate regional issues • Assist with Works Council communications/concerns • Liaison between Assistant General Counsel – Data Privacy and national resources escalating issues to the Data Privacy Function as necessary • Meet quarterly to review significant initiatives and analyze risk assessment and participate in remediation efforts • NATIONAL PRIVACY OFFICERS • Part-time roles focused on local support keeping the Regional Privacy Officers informed and escalating issues as necessary • Address local issues/complaints • Assist with Works Council communications/concerns • Responsible for local training rollout • Meet quarterly to review significant initiatives and to analyze risk assessment and participate in remediation efforts • PRIVACY LIAISONS • Responsible to report to the Function any security breaches or other significant privacy matters • Meet quarterly to review significant initiatives and to analyze risk assessment and participate in remediation efforts • Report back to their organizations on Privacy Function initiatives/developments • HIPAA OFFICER • Responsible to HIPAA compliance • Participates in quarterly Privacy Liaison meetings and provides updated on HIPAA law • OTHER INTERESTED PERSONS • Optionally participate in quarterly meetings and help with compliance efforts and communication within their respective organizations

  8. DPF Compliance Program Overview Current compliance approach – “Safe Harbor Plus” • Local compliance approach focused on HR data • Safe Harbor principles for data transferred to U.S. • Model Contracts for data sent from EMEA to non-U.S. countries • Attention on U.S. SSNs and other sensitive identification data • Technical remedies include laptop encryption and extrusion detection • Swift investigation and response required for any potential and actual data security breaches involving SID • Has motivated many initiatives to reduce the company’s risk of allowing unauthorized access to SID Emerging Compliance Approach – Global • Use Binding Corporate Rules to treat all personal data, including customer and supplier personal data • Interim step of one-Company Policy guided by privacy principles • Expand global focus on security for most sensitive personal data

  9. General assessment Flexible mechanisms for international data transfers are key for companies operating on both sides of the Atlantic. Directive needs to be implemented consistently in all 27 EU Member States Too often, 27 different compliance regimes Binding Corporate Rules BCRs provide an excellent new mechanism for companies to transfer data to non-EEA countries. The benefit is a unified, global company standard, tailored to a company’s unique culture or business compliance processes. More DPA resources should be devoted to reviewing BCRs Mutual recognition of a lead DPA’s approval by other DPAs Clear indication of what each DPA requires to approve a set of BCRs AMCHAM EU Position on Intra-EU Data Flows

  10. Standard Contractual Clauses Alternative Standard Contractual Clauses are a valuable means to legitimize data transfer outside the EEA. However, a number of practical difficulties remain in the application of the clauses. DPAs should support multi party contracts Consistent standards for notification and approval WP 29 should prepare a report on companies’ obligation to file SCCs EU Member States should apply uniform procedural requirements when using the clauses Onward transfer to a data processor should be allowed. Consent Consent is a useful tool for transferring some personal data to third countries, in particular relating to employee data for specific applications. Adequate prior information needs to be provided. Consent by employees should be acceptable for specific applications Consent by employees should also be acceptable for less confidential data Countries’ legal requirements should be limited to the Directive’s demands Safe Harbor The Safe Harbor Agreement is a success, as it provides a flexible and well-structured process to manage the free flow of information between signatories of the agreement. Safe Harbor should be extended to sectors currently excluded. AMCHAM EU Position on Intra-EU Data Flows

More Related