Privacy Shield – What You Need To Know About Storing EU Data


Overview & Agenda

• Overview on global data protection
• The Past: EU-U.S. Safe Harbour
• The Present: EU-U.S. Privacy Shield
• How the Privacy Shield Differs from the Safe Harbour
• Deep Dive: The Framework
• Options to Prove You’re Compliant
• What is the Future?
• Q/A


Overview on Global Data Protection


Overview

Data protection laws regulate the collection, use, storage, disclosure, and other processing of “personally identifiable information” or “PII”:

• What counts as PII: name and other “identifiers,” and any other data that can be linked with an identified or identifiable person or device.

• Whose data is covered: employees, consumers, contractors, corporate customer contacts, supplier contacts, website visitors, business partner contacts, end users, and other individuals.


Overview

Two approaches to regulation globally:

• United States: Sector-specific (HIPAA/HITECH, GLBA/FCRA, and the like) and data-specific (SSNs, bank account, credit/debit card numbers, username/password to online account)

• European Union: Omnibus privacy laws applicable to all personal data, regardless of sector, category of individual, or type of personal data; local hurdles on collection and processing + additional restrictions on cross-border transfers

• EU tends to lead the rest of the non-US world


Some Examples


Business manifestations
• Cloud and sourcing
• Global HR databases
• Customer relationship management (CRM) applications
• Websites and mobile apps
• Mergers and acquisitions


Compliance manifestations
• Whistleblower hotlines
• Email and internet monitoring
• Internal investigations
• E-discovery and legal demands
• Data security and breach notice


1995 EC Data Protection Directive (95/46/EC)

• Omnibus regulation applying across all industry sectors
• Implemented by Member States into national data protection laws
• Local compliance issues
• Cross-border data transfer restrictions


The Past: EU Safe Harbour


Background on Schrems: Who is Max Schrems?

He is an Austrian privacy activist who campaigns against Facebook over privacy violations, including violations of European privacy laws and the alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA's PRISM programme. He founded the group Europe v Facebook and, as of February 2015, had initiated two lawsuits involving Facebook.


Background on Schrems: How did the invalidation process get started?

• On 20 November 2014, Schrems said at a conference convened in Brussels by the International Association of Privacy Professionals that his group would mount a head-on challenge to Safe Harbour, an EU-U.S. arrangement that allowed over 3,000 U.S. companies, including Google, Facebook, and Apple, to transfer European personal data to the United States. Schrems argued that in practice it gave consumers no protection.


• In Schrems, the Court of Justice of the European Union (the Court) invalidated the EU-US Safe Harbor privacy arrangement (“Safe Harbor”) on October 6, 2015
• Safe Harbor had served as the European Commission's adequacy finding for the United States for fifteen years
• The Court found Safe Harbor inadequate because of the apparent absence of sufficient protections against US government surveillance, and of corresponding redress for EU citizens, so the protection it offered was not “essentially equivalent” to that guaranteed in the EU


Current Developments

• Initial Article 29 Working Party Opinion on Schrems (Oct 16, 2015):
– Transfers relying solely on Safe Harbor are unlawful
– Model contracts and binding corporate rules can be used at present, although they are under examination for concerns about government surveillance
– Collective action to be considered if no resolution on “Safe Harbor 2.0” by the end of January 2016
• Various individual data protection authority opinions (e.g., German data protection authorities, UK Information Commissioner, and the like)
• EU-US Privacy Shield (“Safe Harbor 2.0”) announced as agreed between the European Commission and the US Department of Commerce and other authorities on February 2, 2016 (ahead of the Article 29 Working Party meeting)
• Other developments (to be discussed after the Privacy Shield overview)


The Present: EU-U.S. Privacy Shield


"The EU-U.S. Privacy Shield is a tremendous victory for privacy,

individuals, and businesses on both sides of the Atlantic."

- U.S. Secretary of Commerce Penny Pritzker



Why Was It Designed?

Source: https://www.e-education.psu.edu/cloudGIS/node/91

• The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.


• On February 29, 2016, the European Commission issued its draft adequacy decision and the US documents for the EU-US Privacy Shield Arrangement.

• The Privacy Shield Framework provides a set of robust and enforceable protections for the personal data of EU individuals: transparency regarding how participating companies use personal data, strong U.S. government oversight, and increased cooperation with EU data protection authorities (DPAs). The European Commission deemed the Framework adequate to enable data transfers under EU law. Commerce allowed companies time to review the Framework and update their compliance programs before it began accepting certifications on August 1, 2016.


• The US-issued Privacy Shield documents are:
– A commitment from the US Secretary of Commerce to devote all necessary resources to adhere fully to the requirements of the Privacy Shield
– Twenty-two Privacy Shield Principles, along with Arbitration Procedures
– Letters from the Federal Trade Commission and the Department of Transportation (commercial enforcement authorities)
– Letters from the Office of the Director of National Intelligence (ODNI) (surveillance law and policy), the Department of State (surveillance redress), and the Department of Justice (criminal law enforcement law and policy)


• At the draft stage the European Commission was (i) evaluating the non-binding views of the Article 29 Working Party of Data Protection Authorities, the European Parliament, and the European Data Protection Supervisor, and (ii) consulting with the Article 31 Member State representatives

• The Commission adopted the final adequacy decision on July 12, 2016, and it took effect immediately; the Department of Commerce began accepting certifications on August 1, 2016.


Certification


• Self-certification: organizations self-certify to the U.S. Department of Commerce
• Voluntary: joining is a choice, but once an organization certifies, its commitment to the Principles is enforceable
• Eligible organizations (those subject to the FTC's or DOT's enforcement jurisdiction) must publicly commit to comply with the Principles


How the Privacy Shield Differs from the Safe Harbour


Enhancements from the Safe Harbour


• Expanded privacy notices
• Strengthened standards on onward data transfers
• Reinforced certification and recertification
• Clarified retention standards
• Expanded recourse mechanisms (independent recourse, DPA cooperation, arbitration)


Deep Dive: The Framework


Key Definitions and Clarifications


• Personal and sensitive information
• Controllers vs. processors
• Publicly available data
• Exceptions



Notice


• Required points of presentation
• Must detail:

– Commitment to the Privacy Shield

– Aspects of the privacy life cycle and individual rights

– Recourse, enforcement and liability

• Exceptions


Choice


• Required points of presentation
• Opt-out vs. opt-in mechanisms
• Exceptions



Accountability for Onward Transfer


• Contracting with third parties acting as controllers and agents
• Limiting transfers to specified purposes
• Noncompliance remediation and processing cessation
• Exceptions


Security

• Reasonable and appropriate measures to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data


Data Integrity and Purpose Limitation


• Collection and processing limitation
• Data veracity controls
• Retention standards


Access


• Fielding requests for access to, and the correction and deletion of, data
• Communications
• Facilitating requests
• Exceptions


Recourse, Enforcement and Liability


• Direct handling of individuals’ complaints
• Independent recourse mechanisms
• Cooperation with DPAs
• Arbitration


Government Surveillance



Options to Prove You’re Compliant


Certification and Periodic Assessment


• Initiation
• Self-assessment vs. outside reviews


What is the Future?


The Near Term and Long Term

• Pivoting on updates
• Challenges
• Iterations
• Verification
• Enterprise adoption