Privacy shield: What You Need To Know About Storing EU Data

Privacy Shield – What You Need To Know About Storing EU Data | 1
Privacy Shield
What You Need to KnowAbout Storing EU Data

Overview & Agenda
• Overview on global data protection
• The Past: EU-U.S. Safe Harbour
• The Present: EU-U.S. Privacy Shield
• How the Privacy Shield Differs from the Safe Harbour
• Deep Dive: The Framework
• Options to Prove You’re Compliant
• What is the Future?
• Q/A

Overview on Global
Data Protection

Overview
Regulate the collection, use, storage, disclosure,
and other processing of “personally identifiable
information” or “PII”
• Name and other “identifiers,” and any other data that can be
linked with the identified or identifiable person or device.
• Employees, consumers, contractors, corporate customer
contacts, supplier contacts, website visitors, business partner
contacts, end users, and other individuals.

Overview
Two approaches to regulation globally:
• United States: Sector-specific (HIPAA/HITECH, GLBA/FCRA,
and the like) and data-specific (SSNs, bank account, credit/debit
card numbers, username/password to online account)
• European Union: Omnibus privacy laws applicable to all personal
data, regardless of sector, category of individual, or type of
personal data; local hurdles on collection and processing +
additional restrictions on cross-border transfers
• EU tends to lead the rest of the non-US world

Some Examples
• Business manifestations
• Cloud and sourcing
• Global HR databases
• Customer relationship management (CRM) applications
• Websites and mobile apps
• Mergers and acquisitions

Some Examples
• Compliance manifestations
• Whistleblower hotlines
• Email and internet monitoring
• Internal investigations
• E-discovery and legal demands
• Data security and breach notice

1995 EC Data Protection Directive
(95/46/EC)
• Omnibus regulation for industry sectors
• Implemented by Member States into
national data protection laws
• Local compliance issues
• Cross-border data transfer restrictions

The Past:
EU Safe Harbour

Privacy Shield – What You Need To Know About Storing EU Data | 11Privacy Shield – What You Need To Know About Storing EU Data | 11

Background on Schrems
Who is Max Schrems?
He is an Austrian privacy activist who campaigns against Facebook for
privacy violation, including its violations of European privacy laws and
alleged transfer of personal data to the US National Security
Agency (NSA) as part of the NSA's PRISM programme. He has founded
a group called Europe v Facebook and as of February 2015 has initiated
two lawsuits involving Facebook.

How did the invalidation process get started?
• On 20 November 2014, Schrems said at a conference convened in
Brussels by the International Association of Privacy Professionals that
his group would go on a head-on collision with Safe Harbour, an E.U.-
U.S. agreement that allows over 3,000 U.S. companies, including
Google, Facebook, and Apple, to repatriate European personal data.
Schrems argues that in practice it does not give the consumer any
protection.[12]

How did the invalidation process get started?
• In Schrems, the European Court of Justice (Court) invalidated the US-EU
Safe Harbor Privacy Arrangement (“Safe Harbor) on October 6, 2015
• Safe Harbor had served as the EC adequacy finding for the United
States for fifteen years
• The Court specified that Safe Harbor was not adequate because of the
apparent absence of sufficient protections within Safe Harbor against US
government surveillance and corresponding redress for EU citizens (not
“essentially equivalent”)

Current Developments
• Initial Article 29 Working Party Opinion on Schrems (Oct 16, 2015):
– Transfers relying solely on Safe Harbor unlawful
– Model contracts and binding corporate rules can be used at present, although under
examination for concerns about government surveillance
– Collective action to be considered if no resolution on “Safe Harbor 2.0” by the end of
January 2016
• Various individual data protection authority opinions (e.g., German data protection
authorities, UK Information Commissioner, and the like).
• EU-US Privacy Shield (Safe Harbor 2.0) announced as agreed upon between the
European Commission and the US Department of Commerce and other
authorities on February 2, 2016 (ahead of WP meeting)
• Other developments (to be discussed after Privacy Shield overview)

The Present: EU-U.S.
Privacy Shield

"The EU-U.S. Privacy Shield is
a tremendous victory for privacy,
individuals, and businesses on both
sides of the Atlantic."
- U.S. Secretary of Commerce Penny Pritzker

EU-U.S. Privacy Shield

Why Was It Designed?
https://www.e-education.psu.edu/cloudGIS/node/91
• The EU-U.S. Privacy Shield Framework was designed by the U.S.
Department of Commerce and European Commission to provide companies
on both sides of the Atlantic with a mechanism to comply with EU data
protection requirements when transferring personal data from the European
Union to the United States in support of transatlantic commerce.

• The Privacy Shield Framework provides a set of robust and enforceable
protections for the personal data of EU individuals. The Framework provides
transparency regarding how participating companies use personal data,
strong U.S. government oversight, and increased cooperation with EU data
protection authorities (DPAs). The European Commission deemed the
Privacy Shield Framework adequate to enable data transfers under EU law.
Commerce will allow companies time to review the Framework and update
their compliance programs and then, on August 1, will begin accepting
certifications
• On February 29, 2016, the European Commission issued its draft decision
and the US documents for the EU-US Privacy Shield Arrangement.

• The US-issued Privacy Shield documents are:
– A commitment from the US Secretary of Commerce to devote all necessary
resources to adhere fully to the requirements of the Privacy Shield
– Twenty Two Privacy Shield Principles, along with Arbitration Procedures
– Letters from the Federal Trade Commission and the Department of
Transportation (commercial enforcement authority)
– Letters from the Office of the Director of National Intelligence (ODNI)
(surveillance law and policy), the Department of State (surveillance redress), and
the Department of Justice (criminal law enforcement law and policy)

• The European Commission is now (i) evaluating the non-binding views of
the Article 29 Working Party of Data Protection Authorities, the European
Parliament, the European Data Protection Supervisor, and (ii) consulting
with the Article 31 Member State Representatives
• Finalized and went into affect June 2016.

Certification
• Self-certify
• Department of Commerce
• Voluntary
• Eligible - Committed

How the Privacy Shield
Differs from the Safe Harbour

Enhancements from the Safe Harbour
• Expanded privacy notices
• Strengthened standards on data transfers
• Reinforced certification/ recertification
• Clarified retention standards
• Commissioned recourse mechanisms

Deep Dive: The
Framework

Key Definitions and Clarifications
• Personal and sensitive information
• Controllers vs. processors
• Publicly available data
• Exceptions

Notice
• Required points of presentation
• Must detail:
– Commitment to the Privacy Shield
– Aspects of the privacy life cycle and individual rights
– Recourse, enforcement and liability
• Exceptions

Choice
• Required points of presentation
• Opt-out vs. opt-in mechanisms
• Exceptions

Accountability for Onward Transfer
• Contracting with third parties acting as
controllers and agents
• Limiting transfers to specified purposes
• Noncompliance remediation and
processing cessation
• Exceptions

Security

Data Integrity and Purpose Limitation
• Collection and processing limitation
• Data veracity controls
• Retention standards

Access
• Fielding requests for access to and the
correction and deletion of data
• Communications
• Facilitating requests
• Exceptions

Recourse, Enforcement and Liability
• Direct handling of individuals’ complaints
• Independent recourse mechanisms
• Cooperation with DPAs
• Arbitration

Government Surveillance

Options to Prove
You’re Compliant

Certification and Periodic Assessment
• Initiation
• Self-assessment vs. outside reviews

What is the Future?

• Pivoting on updates
• Challenges
• Iterations
• Verification
• Enterprise adoption
The Near Term and Long Term

Privacy shield: What You Need To Know About Storing EU Data

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (20)

Similaire à Privacy shield: What You Need To Know About Storing EU Data

Similaire à Privacy shield: What You Need To Know About Storing EU Data (20)

Plus de Schellman & Company

Plus de Schellman & Company (17)

Dernier

Dernier (20)

Privacy shield: What You Need To Know About Storing EU Data