All posts by Patrick H. Haggerty

About Patrick H. Haggerty

Email: [email protected]
Tel: +1 513 929 3412
Patrick Haggerty has a growing practice in the area of privacy and data protection, counseling companies and hospitals that have suffered data breaches and are involved in subsequent investigations and litigation.

Cross-Border Data Transfers: Cutting Through The Complexity

Editor’s Note: We recently launched a graphic illustrating our Cyber Risk Mitigation Services. This week, our attorneys will be writing about specific examples of those services.

With the rise of the global economy and the reach of the Internet, many businesses now have customers and data from around the world, if not offices and employees in numerous countries. But when marketing or HR asks for data pertaining to global customers or employees to be sent to the home office, this can raise complex cross-border data-transfer issues and the specter of a patchwork of privacy laws applicable to personal information. These laws can pose myriad and sometimes conflicting obligations for a multinational enterprise or any business with global reach. Our attorneys are experienced at guiding our clients through this global labyrinth.

For example, some countries have no general data protection framework in place, but perhaps have sector-specific laws or regulations applicable to cross-border data transfers. Other countries use vague language, such as requiring that the recipient country (the country where the data is to be transferred) have a “sufficient” or “comparable” level of protection in place for data containing personal information. In other countries, such as South Korea, the transfer of personal data may require the prior consent of the data subject. India combines the two approaches, so that data can be transferred only if the recipient adheres to the same level of data protection as the transferor entity and the data subject consents to the transfer.

The European Economic Area (EEA), which comprises the 28 EU Member States plus Iceland, Liechtenstein and Norway, has established a framework applicable to cross-border data transfers. Unfortunately, this doesn’t remove complexity from the legal landscape. Generally, under Data Protection Directive 95/46/EC (the DPD), personal data may be transferred outside the EEA only when the recipient country provides an “adequate level of protection” for the data. The European Commission maintains a list of countries that are deemed to provide adequate protection for the processing of data subjects’ personal information, so data transfers from the EEA/EU are allowed to those nations. Presently, there are only a handful of countries on the list, including Argentina, Canada, Israel, New Zealand, Switzerland and Uruguay.

Notably, the United States is not on the list. However, a U.S. business can instead self-certify with the U.S.-EU Safe Harbor program and therefore meet the “adequacy” standard for privacy protection. Organizations that participate in the Safe Harbor program must annually self-certify with the U.S. Department of Commerce in writing that they agree to adhere to the U.S.-EU Safe Harbor Framework’s requirements, which includes seven privacy principles such as notice, choice, security, access and enforcement. They must also state in their published privacy policy statement that they adhere to the Safe Harbor Privacy Principles.

In addition to the Safe Harbor program, other mechanisms are available to demonstrate that adequate safeguards are in place for data transfers from the EEA/EU. These options, such as Binding Corporate Rules (BCRs) and standard contractual clauses (also known as model contract clauses), may be useful in the context of transferring data from the EEA/EU to countries other than the U.S.

In light of the scope and reach of the various rules and regulations, cross-border data transfer issues can arise under various circumstances. These can include preparing global employee privacy policies, implementing a new global HR system, selling to customers overseas, hiring employees from around the globe and, of course, transferring data between office locations.

Your organization may be unsure which regulations apply or how to ensure compliance. The Privacy and Data Protection team at BakerHostetler can proactively guide you through these issues. For instance, if you are considering consolidating customer data or HR data from offices outside the U.S., we can assess whether Safe Harbor certification, BCRs or model contracts make the most sense for your company.

We can also help companies (1) determine eligibility for participation in the U.S.-EU Safe Harbor program; (2) create or modify privacy notices and internal privacy policies to conform to the seven Safe Harbor Privacy Principles; (3) establish an independent recourse mechanism to investigate unresolved complaints relating to personal information; (4) ensure that procedures are in place for compliance with the Safe Harbor program (by using a self-assessment or an outside/third-party assessment program); and (5) self-certify annually with the Department of Commerce.

In addition, our team can work with clients in drafting policies that may implicate cross-border transfer issues, such as employee personal information privacy policies. Such policies should describe the circumstances under which the employer will process personal data, including the transfer of data to third parties and to affiliates in other countries.

Accordingly, whether your organization processes, controls or maintains personal data in Europe, Asia or elsewhere, the regulatory landscape can be complex and constantly changing. No matter where your company does business, we can assist with navigating the murky waters of cross-border data transfers and provide expert guidance on the applicable privacy laws and regulations.

CFTC Chairman Provides Guidance On Cybersecurity

On November 5, 2014, the Chairman of the Commodity Futures Trading Commission, Timothy G. Massad, gave keynote remarks at the Futures Industry Association Expo 2014.

Part of Chairman Massad’s remarks focused on the importance and oversight of cybersecurity and business continuity and disaster recovery for the financial institutions, exchanges, and markets that the Commission regulates. Specifically, Chairman Massad noted that the Commission’s system safeguards rules require the entities the Commission regulates to have four important components:

  1. A program of risk analysis and oversight to identify and minimize sources of cyber and operational risk;
  2. Automated systems that are reliable, secure, and have adequate scalable capacity;
  3. Emergency procedures, backup facilities, and a business continuity disaster recovery plan; and
  4. Regular, objective, independent testing to verify that the system safeguards program is sufficient to fulfill its regulatory responsibilities.

In addition, Chairman Massad explained that the entities the Commission regulates must have a risk management program that addresses the following key elements: information security, systems development, quality assurance, and governance. Clearinghouses and exchanges must notify the Commission promptly of certain incidents and must have recovery procedures in place. For example, systemically important clearinghouses must be able to resume operations within two hours.

Finally, Chairman Massad provided guidance on the key areas that the Commission is focused on:

  • Governance – Is the board paying sufficient attention to cybersecurity and taking appropriate steps? Does the board have the expertise — and does it devote the time — to do so? Is it setting the right tone as to the importance of these issues? The same questions apply, needless to say, to top management.
  • Resources – Are sufficient resources and capabilities being devoted to monitor and control cyber-related risks across all levels of the organization?
  • Policies and Procedures – Are adequate plans and policies in place to address information security, physical security, system operations, and other critical areas? And is the regulated entity actually following its plans and policies and considering how plans and policies may need to be amended from time to time in light of technological, market, or other security developments?
  • Vigilance and Responsiveness to Identified Weaknesses and Problems – If a weakness or deficiency is identified, does the regulated entity take prompt and thorough action to address it? Does it not only fix the immediate problem but also examine the root causes of the deficiency?

Chairman Massad concluded his remarks by noting that enforcement and compliance are a priority for the Commission.

Regulators are continuing to increase their focus on whether directors and executive officers are appropriately engaged in overseeing cybersecurity preparedness. While the board or CEO is not expected to configure the firewall, they should be able to ask appropriate questions to ensure that the right people, processes, and technology are in place and that the company is continuously analyzing threats and risks and adjusting accordingly. Further, they should ensure that the company is preparing to respond in the event of an incident and evaluating ways to appropriately shift liability for financial consequences through insurance products and contracts.