Is it legal to use American Cloud Services in Europe?
Martha's presentation at the Barcelona V Consultants Day, about the legal aspects of doing business in the cloud from an American perspective.
4. Difference in Perception
between EU and US
• Privacy as a matter of commerce in the U.S.
• Privacy as a fundamental human right in the EU
• Right to be forgotten
www.marthabuyer.com
5. Once data crosses international borders,
where is it “safe?”
• “it depends”
• Do you know where your cloud actually is?
• Guess what? It matters.
6. Schrems v. Data Protection Commissioner
(Case C-362/14)
• What the case means
• Historical context
• 2000 decision enabled U.S. companies to self-certify that company practices
ensured an adequate level of protection for personal data under the EU Data
Protection Directive, thus permitting the company to transfer data from the
EU to the United States.
• Schrems decision holds that U.S. law does not afford adequate protection to
personal data
7. What’s happened since the decision
(October, 2015)
• Data transfers from the EU to the United States trigger the
provisions of the EU Data Protection Directive and may come
under scrutiny.
• Many companies utilize U.S.-based cloud services
• If personal data is kept outside of a U.S. jurisdiction
• Knowledge of compliance regs is required
• So is compliance!
8. Companies can no longer rely on “safe
harbor” self-certification.
• Entities need to independently verify that company transfers of personal
data from the EU to the United States meet the level of data privacy
protection considered adequate by the EU Data Protection Directive.
• http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046
• http://ec.europa.eu/justice/data-protection/
• The European Commission recommends that entities consider using the
EU-approved standard contractual clauses, the EU-approved Binding Corporate
Rules, or the enumerated derogations under which data can be transferred.
9. Use of Standard Contract Clauses
• Two sets of standard contractual clauses for transfers from data
controllers to data controllers established outside the EU/EEA
• One set for the transfer to processors established outside the EU/EEA
• http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm
10. FCPA
Foreign Corrupt Practices Act
The Foreign Corrupt Practices Act of 1977, as amended, 15 U.S.C. §§ 78dd-1, et seq.
• The anti-bribery provisions prohibit paying foreign officials to obtain or
retain business.
• Accurate accounting and adequate internal controls are REQUIRED!
• Jurisdiction of the FCPA is far-reaching and hinges on the use of interstate
commerce by a U.S. or foreign person.
• Aggressive enforcement
• Compliance policies to maintain watch over company actors to avoid
inadvertently violating the FCPA.
• http://www.justice.gov/criminal-fraud/foreign-corrupt-practices-act
11. More FCPA
• Department of Justice is happy to offer opinions on
compliance:
U.S. Department of Justice
Criminal Division, Fraud Section
Attn: FCPA Coordinator
Bond Building, 4th Floor
10th and Constitution Ave., NW
Washington, DC 20530-0001
Fax: 202-514-7021
Email - FCPA.Fraud@usdoj.gov
12. Protecting the Jewels
• WISP
• Protecting data within a company’s control
• Protecting data beyond the company’s walls