Data Protection Series: An Overview of New European and North American Privacy Regulations [Podcast]

New data protection regulations and changes to existing privacy laws are being revealed in Europe and the U.S. This podcast, featuring Iron Mountain’s Director and Senior Counsel, Michael Zurcher, discusses some of the key provisions that are relevant for records management, legal and IT professionals.

Where do we stand with Safe Harbor?

Part 1 - Transcript

Moderator: Hello and welcome to today’s podcast on strategies for addressing global data privacy laws.

Joining us for today’s discussion is Michael Zurcher, Director and Senior Counsel for Privacy and Compliance at Iron Mountain. In his current role, he focuses on HIPAA, GLB, PCI DSS, “Safe Harbor,” European, Asian and South American data protection laws. Michael also focuses on general compliance and regulatory matters, including building and managing policies and controls, providing training, conducting risk assessments, monitoring compliance functions and creating and sustaining awareness of risks.

Welcome Michael.

Michael Zurcher: Good morning. Good afternoon. Thanks for having me.

Moderator: First, can you tell us about where we stand with the “Safe Harbor?” What is it and what should companies do after the European Court of Justice declared it invalid?

Michael Zurcher: The Safe Harbor is an agreement between Europe and the U.S. under which Europe recognizes those U.S. companies that certify under the framework to comply with European privacy standards. As many of you may know, last October the European Court of Justice determined that U.S.-certified companies cannot guarantee compliance with European privacy standards because the US government can demand access to the information on a large scale (Edward Snowden).

US-based companies and their European partners that export personal data to the US and that used to rely on the Safe Harbor now need to look at other options, which often means executing the so-called standard contractual clauses or implementing the so-called binding corporate rules.

The European data protection authorities have given European companies a grace period until the end of January 2016 to implement a new legal process if they want to continue sending personal data to US companies that are Safe Harbor-certified. If you aren’t certified and you need to work with European partners, you may be running out of time. Is there an alternative? Will there be a Safe Harbor 2? The answer is yes.

The EU and U.S. are working on a new Safe Harbor framework, and there is currently a bill before the U.S. Senate that will add an important additional safeguard.

Well that’s all the time we have today. Thank you again to Michael Zurcher for joining us. For more information on Safe Harbor, visit the Iron Mountain blog page for a recent blog by Michael on this topic. Thank you again for your time, and have a great day.

Implementing Global Data Protection Regulation changes

Part 2 - Transcript

Moderator: Next, let’s talk about the GDPR – or General Data Protection Regulation. Again – what is it and any recommendations for companies implementing changes from it, within their organization?

Michael Zurcher: The new law will come into effect in Q1 of 2018 (the final date depends on the publication of the new Regulation in the Official Journal of the EU) and will simplify compliance because there will be only one data protection law in the European Economic Area (EEA). (There will be some exceptions, such as for employee data).

The underlying privacy principles have not changed. Companies still need to ensure that personal data is:

  • accurate
  • kept up to date
  • kept only for as long as necessary
  • secured so that its confidentiality, availability and integrity are guaranteed
  • only processed for legitimate purposes.

This last element requires organizations to maintain a system which tracks the basis on which the data was collected (e.g., legal obligation, consent, legitimate interest, vital interest of the individual) and the corresponding notices and/or consent forms.

As under the existing regime, people living in Europe have certain rights against anyone that processes their information. These rights include the right to:

  • access the information (including receiving copies)
  • rectify wrong information
  • object to the processing
  • demand deletion of information (including the so-called right to be forgotten)
  • demand transfer of information.

These rights require companies to be able to locate personal information and to respond promptly and comprehensively to such requests. Please keep in mind that such a process also needs to address how to update, delete, etc. data that is processed by affiliates, vendors, subcontractors, etc., and copies of such data. The enhanced enforcement tools (e.g., increased fines), combined with the fact that a large portion of complaints filed with the local data protection authorities relate to these rights, should incentivize everyone to allocate the necessary resources to develop and maintain a compliant process.

New concepts introduced in data privacy laws

Part 3 - Transcript

Moderator: Will any new concepts be introduced?

Michael Zurcher: Yes, in addition to the right to demand the transfer of personal data to a third party (for instance your banking details), the new law also introduces the concepts of privacy by design and default. These concepts are based on the idea that new processes and systems must be designed from the beginning to comply with privacy laws. For example, they must secure data (encryption), restrict access, be capable of deleting or transferring data, reduce the risk of data breaches, etc. In addition, the new regulation demands that organizations maintain a record of all processing activities.

2018 will see the first comprehensive data breach notification obligation. In addition to the unauthorized access, deletion or alteration of personal data, the loss of such data must also be reported to the supervisory authorities, unless a breach is unlikely to result in a risk for the rights and freedoms of the affected individuals. The affected individuals must be informed if the breach is likely to result in a high (!) risk for their rights and freedoms (this is not the case if encryption or similar tools are employed). Supervisory authorities must be informed within 72 hours.

Organizations with core activities that require regular and systematic monitoring of individuals on a large scale or that process large scales of sensitive information must appoint a Data Protection Officer.

Transfers to or access from countries outside of the EEA continue to be restricted and subject to additional safeguards. Court or administrative orders from outside of the EEA to transfer or disclose personal data (e.g., in the context of discovery or an investigation) cannot be complied with, unless they are authorized pursuant to EU law.

What recent data privacy laws mean to records managers and IT pros

Part 4 - Transcript

Moderator: Can you say a few things about enforcement?

Michael Zurcher: The administrative fines have increased from a cap of about EUR 1 million to EUR 20 million—or up to 4% of the worldwide revenue in the preceding financial year. In most instances, the fines will be substantially lower, but for egregious conduct we can expect substantial fines (the GDPR mandates that fines must be effective, proportionate and dissuasive).

Moderator: What do these regulations mean to records managers?

Michael Zurcher: I think fundamentally it does not change that much if you currently run a program that complies with the current European privacy regime. However, it will require more robust processes and an even better understanding of where, and on what systems, you process data and with whom you share personal data.

Moderator: What do these regulations mean to IT professionals?

Michael Zurcher: Privacy by design will be critical when it comes to the development, sale, purchase or implementation of new IT systems.

I also believe that the location of your IT systems, access from abroad and use of the cloud will need to be looked at more carefully and can become a competitive differentiator.
