EU Privacy Shield - Understanding the New Framework from TRUSTe
description
Transcript of EU Privacy Shield - Understanding the New Framework from TRUSTe
1 v Privacy Insight Series v
EU-US Privacy Shield:
Understanding the New Framework
February 10, 2016
2 v Privacy Insight Series
Today’s Speakers
Josh Harris
Director of Policy
TRUSTe
Shannon Coe
Team Lead, Data Flows and Privacy
U.S. Department of Commerce
John Bowman
Senior Principal
Promontory
3 v Privacy Insight Series
• Introduction and Overview
– Josh Harris, Director of Policy, TRUSTe
• EU-U.S. Privacy Shield Framework
– Shannon Coe, Team Lead Data Flows & Privacy, U.S. Department of Commerce
• Next Steps and EU Approval Process
– John Bowman, Senior Principal, Promontory
• Audience Q&A
• Demo of TRUSTe EU Data Privacy Transfer Assessment
Agenda
4 v Privacy Insight Series v
Introduction & Overview
Josh Harris
Director of Policy, TRUSTe
5 v Privacy Insight Series
June 2013: Snowden revelations published by the Guardian
• Timeline of Safe Harbor
Negotiations
• July 2013: EU Parliament calls for
EC review of Safe Harbor
• July 2013: EU VP Reding
announces EC review to commence
• November 2013: EC announces
results of review
• January 2014: Safe Harbor
consultations begin
• Timeline of Schrems Case
• June 2013: Schrems lodges complaint with the Irish Privacy Commissioner
• July 2013: Irish DPC declines complaint
• October 2013: Irish High Court agrees to Judicial Review
• June 2014 : Irish High Court refers case to the Court of Justice of the European Union(CJEU)
• September 2015: Advocate General Opinion announced
October 2015: Safe Harbor Invalidated
6 v Privacy Insight Series
Transparency
• Companies should publicly
disclose their privacy policies.
• Privacy policies should include a
link to the Department of
Commerce (DoC) Safe Harbor
website.
• Companies should publish
privacy conditions of any
contracts they conclude with
subcontractors
• DoC should flag all companies
which are not current members.
13 EC Recommendations
Redress • Companies should include a
link to ADR provider in privacy policy.
• ADR should be readily available and affordable.
• DoC should monitor ADR
providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints.
7 v Privacy Insight Series
Enforcement
• A certain percentage of companies should
be subject to ex officio investigations of
compliance of their privacy policies (going
beyond control of compliance with formal
requirements).
• Whenever there has been a finding of
non-compliance, following a complaint or
an investigation, the company should be
subject to follow-up specific investigation
after 1 year.
• In case of doubts about a company's
compliance DoC should inform the
competent EU data protection authority.
• False claims of Safe Harbor adherence
should continue to be investigated
Access by US authorities
• Privacy policies should include information
on the extent to which US law allows
public authorities to collect and process
data and should be encouraged to
describe the policies in place to comply.
• The national security exception be used
only when strictly necessary or
proportionate.
13 EC Recommendations
8 v Privacy Insight Series v
Shannon Coe, Team Lead Data Flows and Privacy
U.S. Department of Commerce
EU-U.S. Privacy Shield
9 v Privacy Insight Series
Overview of EU-U.S. Privacy Shield (1/3)
The EU-U.S. Privacy Shield significantly improves commercial oversight and enhances privacy protections
• The Privacy Shield strengthens cooperation between the Federal Trade Commission and EU Data Protection Authorities, providing independent, vigorous enforcement of the data protection requirements set forth in the Privacy Shield.
• EU individuals will have access to multiple avenues to resolve concerns, including through alternative dispute resolution, now at no cost to the individual.
• The Department of Commerce will step in directly and use best efforts to resolve referred complaints, including by dedicating a special team with significant new resources to supervise compliance with the Privacy Shield.
• The Privacy Shield adds an important new avenue to supplement the others. Companies now will commit to participate in arbitration as a matter of last resort to ensure that EU individuals who still have concerns will have the opportunity to seek legal remedies.
10 v Privacy Insight Series
Overview of EU-U.S. Privacy Shield (2/3)
• The Privacy Shield embodies a renewed commitment to privacy by the U.S.
and the EU, and to ensure it remains a living framework subject to active
supervision, the Department of Commerce, the FTC, and EU DPAs will hold
annual review meetings to discuss the functioning of and compliance with the
Privacy Shield.
• The Privacy Shield includes significant improvements to improve transparency
regarding personal data use, strengthen the protections participants provide,
and inform EU individuals more comprehensively about their rights under the
program.
• The Privacy Shield includes new contractual privacy protections and oversight
for data transferred by participating companies to third parties or processed by
those companies’ agents to improve accountability and ensure a continuity of
protection.
11 v Privacy Insight Series
Overview of EU-U.S. Privacy Shield (3/3)
The EU-U.S. Privacy Shield demonstrates the U.S. Commitments to
limitations and safeguards on national security.
• Since 2013, President Obama, including through Presidential Policy Directive 28, has
directed several measures to enhance privacy protections for U.S. signals intelligence
activities, including protections that apply regardless of nationality; enhanced executive
oversight of intelligence activities; and implementation of new legislation that enhances
judicial review of certain intelligence collection activities, increases transparency, and further
ensures that collection of information for intelligence purposes is precisely focused and
targeted.
• In connection with finalization of the new EU-U.S. Privacy Shield, the U.S. Intelligence
Community has described in writing for the European Commission the multiple layers of
constitutional, statutory, and policy safeguards that apply to its operations, with active
oversight provided by all three branches of the U.S. Government.
• The Privacy Shield provides, for the first time, a specific channel for EU individuals to raise
questions regarding signals intelligence activities relating to the Privacy Shield. As a part of
this process, the United States is making the commitment to respond to appropriate requests
regarding these matters, consistent with our national security obligations.
12 v Privacy Insight Series v
John Bowman, Senior Principal,
Promontory
Next Steps and EU Approval
Process
13 v Privacy Insight Series
The Council (the 28 EU member states) and the European Parliament have given the European
Commission the power to determine, on the basis of Article 25(6) of Directive 95/46/EC whether
a third country ensures an adequate level of protection by reason of its domestic law or of the
international commitments it has entered into.
European Commission Adequacy Decisions
AD - Andorra
AR - Argentina
CA - Canada
CH - Switzerland
FO - Faeroe Islands
GG - Guernsey
IL - State of Israel
IM - Isle of Man
JE - Jersey
NZ - New Zealand
US - United States - Safe Harbour
UY - Eastern Republic of Uruguay
European Commission Adequacy Decisions as at February 2016
The effect of these adequacy decisions is that personal data can flow from the 28 EU countries
and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country
without any further safeguard being necessary.
14 v Privacy Insight Series
Procedure for adopting the Privacy Shield
In order for the EU-US Privacy Shield to become law, a Commission Decision needs to be
adopted on the basis of Article 26(6) of Directive 95/46/EC. This process involves;
• The proposal from the European Commission (the draft text of the new adequacy decision)
• An opinion of the member states supervisory authorities and the European Data Protection
Supervisory (EDPS) in the framework of the Article 29 Working Party (WP29)
• An approval from the Article 31 Committee (member states) under the comitology
‘examination procedure’
• The adoption of the decision by the College of Commissioners
Article 31 of Directive 95/46/EC sets out that the (Article 31) committee shall deliver its opinion
on the draft by a qualified majority vote of member states. However, if these measures are not
in accordance with the opinion of the committee, they shall be communicated by the
Commission to the Council forthwith. In that event:
• the Commission shall defer application of the measures which it has decided for a period of
three months from the date of communication,
• the Council, acting by a qualified majority, may take a different decision within a specified
time limit.
15 v Privacy Insight Series
• WP29 calls on the Commission to communicate all documents pertaining to the new
arrangement by the end of February
• WP29 will conduct an assessment of the draft decision in light of the European
jurisprudence on fundamental rights which sets four essential guarantees for intelligence
activities:
– Processing should be based on clear, precise and accessible rules
– Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
– An independent oversight mechanism should exist, that is both effective and impartial
– Effective remedies need to be available to the individual
• WP29 will then complete its assessment for all personal data transfers to the US before
holding an extraordinary plenary session where consideration will be given as to whether
other transfer mechanisms (e.g. Binding Corporate Rules and Standard Contractual
Clauses) can be used for personal data transfers to the US
• The Commission and the Article 31 Committee will then consider the report of WP29 and
act on the recommendations accordingly
• The European Parliament may in the meantime issue a letter, opinion or request that the
Commission attend the Parliament
The path to approval in the EU
16 v Privacy Insight Series v
Questions?
18 v Privacy Insight Series v
Stay on the call for a
LIVE DEMO of TRUSTe EU Data Privacy Transfer Assessment
See http://www.truste.com/insightseries for details of our 2016 Privacy
Insight Series and past webinar recordings.
Thank You!
19 v Privacy Insight Series
Today’s LIVE DEMO Presenter
Joanne Furtsch
Director of Product Policy,
TRUSTe
20 v Privacy Insight Series
TRUSTe Has You Covered
Whether you meet your EU Data Transfer compliance requirements through
the new Privacy Shield Framework, Model Contract Clauses, or a combination
of the two – TRUSTe has you covered.
To find out more about TRUSTe Assessment Manager, and how TRUSTe can
help you with your EU compliance program,
Visit www.truste.com/business-products/eu-privacy/ or contact your TRUSTe
Rep at 888-878-7830
We have the resources and tools to help you quickly address the forthcoming
compliance deadlines.
21 v Privacy Insight Series v
Don’t miss the next webinar in the Series –” Investment in Privacy Brings
Security Results” with Chris Babel, TRUSTe and Sam Pfeifle, IAPP on
March 10th
See http://www.truste.com/insightseries for details of our 2016 Privacy
Insight Series and past webinar recordings.
Thank You!