Many companies have started the potentially lengthy process of auditing their service provider contracts to make sure that they comply with the requirements of the General Data Protection Regulation, which comes into force on May 25, 2018.

Fortunately for those companies that are trying to kick-start their contract audit process, the UK Information Commissioner’s Office (ICO) is forging ahead with its promised series of guidance documents to help companies get ready for the GDPR. The latest addition is a draft guidance note on the GDPR’s requirements for contracts between data controllers (the folks who make decisions about what personal data will be processed, and for what purposes) and data processors (the folks who carry out processing activities on behalf of a data controller).

The requirement that there be a contract between data controllers and their data processors is not itself new.  Current EU data protection law requires data controllers to have contracts with data processors governing the security of the personal data held by the processor and requiring processor to process the personal data solely in accordance with the instructions of the controller.

But the contract requirements under the GDPR are much more expansive. Continue Reading Have you started auditing your contracts with your service providers that handle EU personal data?  UK Information Commissioner’s Office issues draft guidance for compliance with the GDPR’s contracting requirements.  

For the next few months, the Mintz Levin Privacy Webinar Series is focusing on the upcoming EU General Data Protection Regulation (GDPR) to help businesses understand the reach and scope of the GDPR and prepare for the potentially game-changing privacy regulation.   The GDPR will affect how US businesses handle and process personal data originating in the EU and may require changes to business process.

Next week, we’ll present a webinar focusing on the data security and accountability requirements of the GDPR, including reviews and documentation of internal policies and procedures and data impact assessments.   We will also take a look at the onerous breach notification requirements and recommend actions that companies can take in advance to mitigate the need for breach notification.

Make sure to join us for this important webinar!

Registration link is here.

 

 

US companies and policy makers will no doubt spend a good chunk of the day today considering the possible implications for them of yesterday’s UK vote for Brexit.  Mark Carney, Governor of the Bank of England, has issued a statement to calm the markets.  I will content myself with a much more modest statement to calm US companies who have been working hard to fill in the gap left by the demise of Safe Harbor and to prepare for the implementation of the GDPR in May 2018:  Brexit will have very little, if any, impact on the UK’s approach to data protection laws, at least in the medium term (say the next five years or so).

Why is that?  First and foremost, the UK has no interest in doing anything that would impede the flow of personal data between the UK and the rest of Europe.  The GDPR, like the current laws under the Data Protection Directive, provides a pathway of least resistance for data transfers: If a country’s laws “ensure[ ] an adequate level of protection” for the personal data, the Commission can issue an adequacy decision to allow data transfers to that country (without the need for model clauses or BCRs).  The most straightforward way for the UK to get an adequacy decision is to adopt and implement the GDPR (or at least all of the material parts of the GDPR) as part of its national legislation.

Second, of all the things that the UK will need to negotiate with the EU over the coming years, any quibbles that the UK may have about data protection legislation is likely to be low on the list, far behind passporting of banking services and new immigration arrangements.   The UK did have some concerns about the GDPR, as communicated by the ICO in its initial comments on the Commission’s early draft of the GDPR.  However, none of them were deal-breakers for the UK.

Third, as a practical matter, UK companies that are part of international corporate groups with a European presence would probably not make it a priority to push hard for UK legislation that eases their burden under UK law, while they still have to comply, in effect, with the GDPR with respect to their European operations (both of their affiliates and with regard to UK companies’ own sales into Europe).

Looking past the medium term, how might the UK’s approach change later on, once the key Brexit negotiations are finished?  The ICO did say a couple of weeks ago at a conference that it would consider other approaches, such as the data protection frameworks used in New Zealand or Australia, that meet EU adequacy requirements.  However, all of those existing frameworks will need to be reviewed again against the GDPR in order to keep their adequacy decisions in place, so those legal frameworks may look a lot more like the GDPR within a couple of years.

So until the ICO tells us otherwise, US companies working on preparing for the implementation of the GDPR should continue with that work even if their primary EU activities are only in the UK.  (And don’t forget that the actual exit is not taking place immediately.)

Mintz Levin’s Immigration Law Blog is running a series titled “Innocents Abroad” addressing issues in an increasingly globalized economy where employers assign employees all over the globe.

These are big questions, reflecting some of the practical concerns in our international marketplace.  The series focuses on the well-intentioned Global HR Director, Ned Help, who will raise hot topics and difficulties his company faces when sending their employees abroad.  We will then explore the common pitfalls and offer practical solutions to the difficulties Ned Help faces.   This month’s edition:   Privacy Considerations – follow the rest of the series at Innocents Abroad.


 

From:            Carrie Counselor

To:                  Ned Help

Date:              May 24, 2016

RE:     Privacy considerations for employees working abroad

Dear Ned,

I understand that one of your employees will be engaging a six-month temporary assignment around Europe to scope market opportunities, and you’d like to have a better understanding of what to be thinking about in terms of privacy.  Great question!  This is an area where many employers struggle because other jurisdictions protect privacy and personal data quite differently than we do here in the United States.

Generally speaking, federal and state laws applicable to employee information do not have “extraterritorial” effect beyond the information that remains in the United States, meaning that American employees working abroad (even temporarily) will not benefit from US legal protections with respect to personal information collected, stored or transmitted outside of the country.

What makes this area of the law particularly crucial and daunting for employers is that non-US countries frequently offer greater protections to employees and establish far higher compliance obligations on the part of employers.  Of particular concern for you should be the data protection landscape across the European Economic Area (referred to as the “EEA,” encompassing all European Union (EU) Member States as well as Iceland, Liechtenstein and Norway) because each country has passed its own set of national laws governing the collection, use, retention and transmission of personal data. Companies must consider these local laws before electronically monitoring an employee outside the United States or transferring an employee’s personal information back home.  Let’s talk specifics: Continue Reading Innocents Abroad: Privacy Considerations for Employers

The Article 29 Working Party has released opinions on Privacy Shield and “essential guarantees” under EU law relating to surveillance, here and here.

Please join us in our webinar at 1 pm EDT today to learn more about the Article 29 Working Party’s opinion on Privacy Shield (register here).  We will look at the opinion’s likely impact on Privacy Shield’s rocky progress through the EU bureaucracy, as well as on the legal attacks that we expect Privacy Shield will face if and when it is ultimately adopted by the Commission.

 

The European Union Commission has issued a fact sheet on the new General Data Protection Regulation (final post-trilogue text available via Statewatch).  The Commission claims that the Regulation is good for individuals and good for business.  We’ll leave that to readers . . . and history . . . .to decide.

As regulations go, the GDPR is a page-turner, but if you don’t have time to read all 204 pages before the holidays, consider joining our webinar at 1 pm ET today. Registration is here.

 

 

Don’t forget to join us tomorrow afternoon – Tuesday – at 1 PM ET for a webinar discussion on the New EU General Data Protection Regulation. What’s next? What are the key changes? What do you need to do to prepare?

Registration is here.

Continue Reading REMINDER: Webinar TOMORROW — Getting to Grips with the New EU General Data Protection Regulation: Key Changes and What You Need to Do to Prepare

Updated at 8:50 pm GMT on 16 December 2015.

The new General Data Protection Regulation is effectively a “done deal” following the final trilogue meeting on December 15.  One might assume based on UK media coverage that the biggest change in EU privacy law is that kids under 16 will need their parent’s consent to sign up for social media services and apps.  As much consternation as that will cause at the breakfast table, it’s really the least of our worries.

It will take some time to process the new Regulation, and of course we don’t have the complete, official version yet (please read the important caveat at the end of this summary), but here are the key features of the Regulation in bullet point form so we can start mapping out the new legal landscape.  This summary focuses more on what’s new than what has stayed in place; generally speaking, rights of data subjects that existed under the Directive also exist under the Regulation.  On the other hand, the burdens on data controllers and processors have substantially increased. We’ll explore all of this in more detail over the coming weeks. Continue Reading The General Data Protection Regulation in Bullet Points

The EU has announced that the Commission, Parliament and Council have reached agreement on the final shape of the General Data Protection Regulation.  The official version will be available early in 2016, but we will be reviewing the details that have been made available so far and providing further information here over the next couple of days.  We’ll start with the bottom line:  the maximum fine for breaches is four percent of annual worldwide turnover.  Big numbers, big goals on the part of the EU.

 

 

 

 

The European Court of Justice (ECJ) has announced that it will release its decision in the Schrems Safe Harbor case on Tuesday, October 6.  It is highly unusual for the ECJ to issue a decision so quickly after publication of the Advocate General’s opinion on a case.  However, the ECJ seems to be expediting its decision process.  (See the Wall Street Journal’s summary of the usual process here.)

One way or another, the uncertainty generated last week by Advocate General Yves Bot’s opinion invalidating Safe Harbor will come to an end soon.  Last week we advised companies who rely on Safe Harbor for their EEA-to-US data transfers to get a contingency plan in place without delay.  Now, it’s urgent.