
From Safe Harbor to Privacy Shield: What Now?

Monday, March 7, 2016 | 12:00 p.m. EST

If you cannot hear us speaking, please make sure you have called into the teleconference number on your invite information.

US participants: 1 800 920 2977

Outside the US: 212 231 2921

The audio portion is available via conference call. It is not broadcast through your computer.

*This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.

Speakers


Andrew Dyson, Partner, DLA Piper, London

Kate Lucente, Associate, DLA Piper, Seattle

Jennifer Kashatus, Partner, DLA Piper, Washington, DC

Privacy Shield

Many Similarities

Self-certification and internal verification

Public list of participating companies

Administered by U.S. Department of Commerce

Adherence to Privacy Principles

Notable Differences

Increased oversight and enforcement by U.S. regulators

Increased role of EU DPA

Enhanced Privacy Principles

New dispute resolution procedures, including mandatory Arbitration Procedures


Roadmap

Effective Date – Timing, EU Approval

Privacy Principles – What’s the Same? What’s New?

Practical Implications

Recommendations and Next Steps

Questions


Timing, EU Approval?


When Will Privacy Shield Take Effect?

Privacy Shield will be effective once approved by the EC. Approval process:

Article 29 Working Party publish draft opinion (29 Feb)

Article 29 Working Party approve the opinion (13 Apr)

Committee of the Commission meet to confirm the decision (Apr)

Member States then required to "take the measures necessary to comply with the Commission's decision" (Art 25(6))

Will Member States comply?

Mixed response so far from EU supervisory authorities

Schrems suggests a legal challenge before the ECJ

Remaining landscape of concern regarding EU-US transfers (e.g., Hamburg, Paris)


Privacy Shield: What’s the Same? What’s Different?


The Privacy Principles

Safe Harbor          Privacy Shield
Notice               Notice
Choice               Choice
Onward Transfer      Accountability for Onward Transfer
Security             Security
Data Integrity       Data Integrity
Access               Access
Enforcement          Recourse, Enforcement and Liability

Privacy Shield principles largely mirror the Safe Harbor principles


Some Principles Remain Largely Unchanged by Privacy Shield

Choice – Individuals must be offered the opportunity to opt out of disclosure to a third party, or before information is used for a purpose other than that for which it was originally collected

Security – Certifying entities must maintain reasonable and appropriate measures to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction

Access – Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information


Enhanced Principles

Notice

Onward Transfer

Data Integrity and Purpose Limitation

Recourse, Enforcement and Liability


Notice – Additional Privacy Policy Disclosures

Safe Harbor                                  Privacy Shield
Purpose of Collection                        Purposes for which information is collected and used
Contact Information                          Contact information, including EU entities
Types of Parties Information Disclosed To    Entities or subsidiaries also adhering to Privacy Shield
Choices to Limit Use and Disclosure          Choice to Limit Use and Disclosure

Safe Harbor statement vs. Detailed Description Required Under Privacy Shield. Must include the following:

• Participation and a link to the Privacy Shield list

• Types of personal information collected

• Type or identity of third parties to which information is disclosed and the purposes of the disclosure

• Access rights

• Specific commitment that all personal data received under PS will be subject to the principles

• Independent dispute resolution body to address complaints and provision of a recourse FREE of charge to individuals

• That the entity is subject to FTC, DOT or other US enforcement authorities

• Requirement to disclose information in response to lawful requests from public authorities, including for national security

• Liability for onward transfers

Onward Transfers

Controller-to-Controller Transfers

What’s the Same:

Transfers to third parties acting as a “controller” require notice and choice (non-sensitive personal data) or notice and consent (sensitive data)

What’s New:

A contract with the third-party controller is required that limits data processing to specified purposes consistent with the original consent and whose protections meet the Privacy Shield principles


Onward Transfers

Controller-to-Processor

What’s the Same:

Companies may transfer personal information to processors or agents without applying the Choice Principle

What’s New:

Purpose Limitation: Transfer data only for “limited and specified purposes”

Adherence to Level of Protection: Ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles

Oversight Obligation: Must oversee that the agent meets its obligations under the Principles and remediate any unauthorized processing

Disclosure of Contractual Provisions: Must disclose the privacy provisions of the contract to the Department of Commerce upon request

Liability Burden Shifted: Remain liable for actions of service providers unless the organization proves it is not responsible for the event giving rise to the damage


Data Integrity

What’s the same:

Use of personal information must be limited to the purpose for which it is collected

Must take reasonable steps to ensure that personal data is reliable, accurate, complete, and current

What’s new:

Organizations must adhere to the Principles for as long as they retain personal information gathered subject to the Principles


Recourse, Enforcement & Liability

What’s the same:

Must have procedures for verifying that privacy policy attestations are true and implemented

Must remedy problems arising out of a failure to comply with the Principles

What’s new – multiple dispute options:

Individuals may bring a complaint directly to the Company, and the Company must respond within 45 days

Contemplates a process for individuals to bring a complaint before the DPA, and for the DPA to work with the DOC to facilitate resolution

Independent recourse mechanisms must be free for individuals

Organizations must arbitrate claims (if the individual chooses arbitration), and such arbitration must occur according to the terms set out in the Privacy Shield agreement


Recourse, Enforcement & Liability

What’s new:

Certified entities and the third-party independent dispute resolution provider must respond to inquiries and requests from the Department of Commerce

Privacy Shield certified entities are liable if their processor/agent processes data inconsistently with the Principles, unless they can prove they are not responsible

If the entity is subject to an FTC or court order for noncompliance, it must publicly disclose any Privacy Shield sections of its internal compliance assessments submitted to the FTC


Human Resources Data

Organizations may transfer HR data subject to limitations in the national laws of where the data was collected (e.g., limits on what can be transferred or additional uses)

Similar to Safe Harbor, organizations transferring HR data under Privacy Shield must cooperate with EU DPAs

Organizations must submit their employee privacy notice to the Department of Commerce during their certification


Practical Implications


Preparing to Certify

Ensure you are able to satisfy all requirements before certification

Update your privacy policy to meet the Privacy Shield enhanced notice requirements

Prepare and implement choice and access mechanisms for individuals

Select an independent recourse mechanism

Establish a verification process to annually ensure that your organization continues to adhere to the principles (self-assessment or third party)

Fully document steps taken!!

Prepare and submit your certification to the Department of Commerce


Continued Obligations Under Privacy Shield

Privacy Shield obligations last for as long as an organization maintains personal data transferred under its principles

Principles apply even if the organization is no longer a participant

Option: continue to apply the Principles, use another adequacy mechanism, or return/delete the data

DOC will follow up on this

Certified entities must notify the Department of Commerce in advance if they will cease to exist as a legal entity (i.e., merger or takeover)


Recommendations and Next Steps


Frequently Asked Questions?

I’m already Safe Harbor certified, what do I do?

What should my company do in the interim, before Privacy Shield takes effect?

We put in place an IGDTA, do we still need Privacy Shield?

Are there any alternatives to Privacy Shield?

Is Privacy Shield going to be overturned?

If Privacy Shield is right for my organization, should we start preparing now?

Will there be greater enforcement of a Company’s commitment to Privacy Shield?


Questions?
