1 / 21

EU Privacy Shield - Understanding the New Framework from TRUSTe

Webinar to understand the new EU-US Privacy Shield Framework which replaces the EU-US Safe harbor framework followed by a demo of the TRUSTe EU data privacy transfer assessment.<br>Visit https://info.truste.com/WB-2016-02-10-Insight-Series-Privacy-Shield_RegPage-On-Demand_Recording.html to view the complete

truste
Télécharger la présentation

EU Privacy Shield - Understanding the New Framework from TRUSTe

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. EU-US Privacy Shield: Understanding the New Framework February 10, 2016 v v Privacy Insight Series 1

  2. Today’s Speakers Josh Harris Director of Policy TRUSTe Shannon Coe Team Lead, Data Flows and Privacy U.S. Department of Commerce John Bowman Senior Principal Promontory v Privacy Insight Series 2

  3. Agenda • Introduction and Overview – Josh Harris, Director of Policy, TRUSTe • EU-U.S. Privacy Shield Framework – Shannon Coe, Team Lead Data Flows & Privacy, U.S. Department of Commerce • Next Steps and EU Approval Process – John Bowman, Senior Principal, Promontory • Audience Q&A • Demo of TRUSTe EU Data Privacy Transfer Assessment v Privacy Insight Series 3

  4. Introduction & Overview Josh Harris Director of Policy, TRUSTe v v Privacy Insight Series 4

  5. June 2013: Snowden revelations published by the Guardian • Timeline of Safe Harbor Negotiations Timeline of Schrems Case • June 2013: Schrems lodges complaint with the Irish Privacy Commissioner July 2013: Irish DPC declines complaint • July 2013: EU Parliament calls for EC review of Safe Harbor • • • July 2013: EU VP Reding announces EC review to commence • October 2013: Irish High Court agrees to Judicial Review • • November 2013: EC announces results of review June 2014 : Irish High Court refers case to the Court of Justice of the European Union(CJEU) • • January 2014: Safe Harbor consultations begin September 2015: Advocate General Opinion announced October 2015: Safe Harbor Invalidated v Privacy Insight Series 5

  6. 13 EC Recommendations Transparency Redress • Companies should include a link to ADR provider in privacy policy. • ADR should be readily available and affordable. • DoC should monitor ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints. • Companies should publicly disclose their privacy policies. • Privacy policies should include a link to the Department of Commerce (DoC) Safe Harbor website. • Companies should publish privacy conditions of any contracts they conclude with subcontractors • DoC should flag all companies which are not current members. v Privacy Insight Series 6

  7. 13 EC Recommendations Enforcement Access by US authorities • A certain percentage of companies should be subject to ex officio investigations of compliance of their privacy policies (going beyond control of compliance with formal requirements). • Privacy policies should include information on the extent to which US law allows public authorities to collect and process data and should be encouraged to describe the policies in place to comply. • Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after 1 year. • The national security exception be used only when strictly necessary or proportionate. • In case of doubts about a company's compliance DoC should inform the competent EU data protection authority. • False claims of Safe Harbor adherence should continue to be investigated v Privacy Insight Series 7

  8. EU-U.S. Privacy Shield Shannon Coe, Team Lead Data Flows and Privacy U.S. Department of Commerce v v Privacy Insight Series 8

  9. Overview of EU-U.S. Privacy Shield (1/3) The EU-U.S. Privacy Shield significantly improves commercial oversight and enhances privacy protections • The Privacy Shield strengthens cooperation between the Federal Trade Commission and EU Data Protection Authorities, providing independent, vigorous enforcement of the data protection requirements set forth in the Privacy Shield. • EU individuals will have access to multiple avenues to resolve concerns, including through alternative dispute resolution, now at no cost to the individual. • The Department of Commerce will step in directly and use best efforts to resolve referred complaints, including by dedicating a special team with significant new resources to supervise compliance with the Privacy Shield. • The Privacy Shield adds an important new avenue to supplement the others. Companies now will commit to participate in arbitration as a matter of last resort to ensure that EU individuals who still have concerns will have the opportunity to seek legal remedies. v Privacy Insight Series 9

  10. Overview of EU-U.S. Privacy Shield (2/3) • The Privacy Shield embodies a renewed commitment to privacy by the U.S. and the EU, and to ensure it remains a living framework subject to active supervision, the Department of Commerce, the FTC, and EU DPAs will hold annual review meetings to discuss the functioning of and compliance with the Privacy Shield. • The Privacy Shield includes significant improvements to improve transparency regarding personal data use, strengthen the protections participants provide, and inform EU individuals more comprehensively about their rights under the program. • The Privacy Shield includes new contractual privacy protections and oversight for data transferred by participating companies to third parties or processed by those companies’ agents to improve accountability and ensure a continuity of protection. v Privacy Insight Series 10

  11. Overview of EU-U.S. Privacy Shield (3/3) The EU-U.S. Privacy Shield demonstrates the U.S. Commitments to limitations and safeguards on national security. • Since 2013, President Obama, including through Presidential Policy Directive 28, has directed several measures to enhance privacy protections for U.S. signals intelligence activities, including protections that apply regardless of nationality; enhanced executive oversight of intelligence activities; and implementation of new legislation that enhances judicial review of certain intelligence collection activities, increases transparency, and further ensures that collection of information for intelligence purposes is precisely focused and targeted. • In connection with finalization of the new EU-U.S. Privacy Shield, the U.S. Intelligence Community has described in writing for the European Commission the multiple layers of constitutional, statutory, and policy safeguards that apply to its operations, with active oversight provided by all three branches of the U.S. Government. • The Privacy Shield provides, for the first time, a specific channel for EU individuals to raise questions regarding signals intelligence activities relating to the Privacy Shield. As a part of this process, the United States is making the commitment to respond to appropriate requests regarding these matters, consistent with our national security obligations. v Privacy Insight Series 11

  12. Next Steps and EU Approval Process John Bowman, Senior Principal, Promontory v v Privacy Insight Series 12

  13. European Commission Adequacy Decisions The Council (the 28 EU member states) and the European Parliament have given the European Commission the power to determine, on the basis of Article 25(6) of Directive 95/46/EC whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. European Commission Adequacy Decisions as at February 2016 AD - Andorra AR - Argentina CA - Canada CH - Switzerland FO - Faeroe Islands GG - Guernsey IL - State of Israel IM - Isle of Man JE - Jersey NZ - New Zealand US - United States - Safe Harbour UY - Eastern Republic of Uruguay The effect of these adequacy decisions is that personal data can flow from the 28 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary. v Privacy Insight Series 13

  14. Procedure for adopting the Privacy Shield In order for the EU-US Privacy Shield to become law, a Commission Decision needs to be adopted on the basis of Article 26(6) of Directive 95/46/EC. This process involves; • The proposal from the European Commission (the draft text of the new adequacy decision) • An opinion of the member states supervisory authorities and the European Data Protection Supervisory (EDPS) in the framework of the Article 29 Working Party (WP29) • An approval from the Article 31 Committee (member states) under the comitology ‘examination procedure’ • The adoption of the decision by the College of Commissioners Article 31 of Directive 95/46/EC sets out that the (Article 31) committee shall deliver its opinion on the draft by a qualified majority vote of member states. However, if these measures are not in accordance with the opinion of the committee, they shall be communicated by the Commission to the Council forthwith. In that event: • the Commission shall defer application of the measures which it has decided for a period of three months from the date of communication, • the Council, acting by a qualified majority, may take a different decision within a specified time limit. v Privacy Insight Series 14

  15. The path to approval in the EU • WP29 calls on the Commission to communicate all documents pertaining to the new arrangement by the end of February • WP29 will conduct an assessment of the draft decision in light of the European jurisprudence on fundamental rights which sets four essential guarantees for intelligence activities: – Processing should be based on clear, precise and accessible rules – Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated – An independent oversight mechanism should exist, that is both effective and impartial – Effective remedies need to be available to the individual • WP29 will then complete its assessment for all personal data transfers to the US before holding an extraordinary plenary session where consideration will be given as to whether other transfer mechanisms (e.g. Binding Corporate Rules and Standard Contractual Clauses) can be used for personal data transfers to the US • The Commission and the Article 31 Committee will then consider the report of WP29 and act on the recommendations accordingly • The European Parliament may in the meantime issue a letter, opinion or request that the Commission attend the Parliament v Privacy Insight Series 15

  16. Questions? v v Privacy Insight Series 16

  17. Contacts Josh Harris John Bowman jharris@truste.com jmbowman@promontory.com v v Privacy Insight Series 17

  18. Thank You! Stay on the call for a LIVE DEMO of TRUSTe EU Data Privacy Transfer Assessment See http://www.truste.com/insightseries for details of our 2016 Privacy Insight Series and past webinar recordings. v v Privacy Insight Series 18

  19. Today’s LIVE DEMO Presenter Joanne Furtsch Director of Product Policy, TRUSTe v Privacy Insight Series 19

  20. TRUSTe Has You Covered Whether you meet your EU Data Transfer compliance requirements through the new Privacy Shield Framework, Model Contract Clauses, or a combination of the two – TRUSTe has you covered. To find out more about TRUSTe Assessment Manager, and how TRUSTe can help you with your EU compliance program, Visit www.truste.com/business-products/eu-privacy/ or contact your TRUSTe Rep at 888-878-7830 We have the resources and tools to help you quickly address the forthcoming compliance deadlines. v Privacy Insight Series 20

  21. Thank You! Don’t miss the next webinar in the Series –” Investment in Privacy Brings Security Results” with Chris Babel, TRUSTe and Sam Pfeifle, IAPP on March 10th See http://www.truste.com/insightseries for details of our 2016 Privacy Insight Series and past webinar recordings. v v Privacy Insight Series 21

More Related