EU Privacy Shield - Understanding the New Framework from TRUSTe

1 v Privacy Insight Series v

EU-US Privacy Shield:

Understanding the New Framework

February 10, 2016

2 v Privacy Insight Series

Today’s Speakers

Josh Harris

Director of Policy

TRUSTe

Shannon Coe

Team Lead, Data Flows and Privacy

U.S. Department of Commerce

John Bowman

Senior Principal

Promontory


• Introduction and Overview

– Josh Harris, Director of Policy, TRUSTe

• EU-U.S. Privacy Shield Framework

– Shannon Coe, Team Lead Data Flows & Privacy, U.S. Department of Commerce

• Next Steps and EU Approval Process

– John Bowman, Senior Principal, Promontory

• Audience Q&A

• Demo of TRUSTe EU Data Privacy Transfer Assessment

Agenda


Introduction & Overview

Josh Harris

Director of Policy, TRUSTe


June 2013: Snowden revelations published by the Guardian

• Timeline of Safe Harbor

Negotiations

• July 2013: EU Parliament calls for

EC review of Safe Harbor

• July 2013: EU VP Reding

announces EC review to commence

• November 2013: EC announces

results of review

• January 2014: Safe Harbor

consultations begin

• Timeline of Schrems Case

• June 2013: Schrems lodges complaint with the Irish Privacy Commissioner

• July 2013: Irish DPC declines complaint

• October 2013: Irish High Court agrees to Judicial Review

• June 2014 : Irish High Court refers case to the Court of Justice of the European Union(CJEU)

• September 2015: Advocate General Opinion announced

October 2015: Safe Harbor Invalidated


Transparency

• Companies should publicly

disclose their privacy policies.

• Privacy policies should include a

link to the Department of

Commerce (DoC) Safe Harbor

website.

• Companies should publish

privacy conditions of any

contracts they conclude with

subcontractors

• DoC should flag all companies

which are not current members.

13 EC Recommendations

Redress • Companies should include a

link to ADR provider in privacy policy.

• ADR should be readily available and affordable.

• DoC should monitor ADR

providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints.


Enforcement

• A certain percentage of companies should

be subject to ex officio investigations of

compliance of their privacy policies (going

beyond control of compliance with formal

requirements).

• Whenever there has been a finding of

non-compliance, following a complaint or

an investigation, the company should be

subject to follow-up specific investigation

after 1 year.

• In case of doubts about a company's

compliance DoC should inform the

competent EU data protection authority.

• False claims of Safe Harbor adherence

should continue to be investigated

Access by US authorities

• Privacy policies should include information

on the extent to which US law allows

public authorities to collect and process

data and should be encouraged to

describe the policies in place to comply.

• The national security exception be used

only when strictly necessary or

proportionate.

13 EC Recommendations


Shannon Coe, Team Lead Data Flows and Privacy

U.S. Department of Commerce

EU-U.S. Privacy Shield


Overview of EU-U.S. Privacy Shield (1/3)

The EU-U.S. Privacy Shield significantly improves commercial oversight and enhances privacy protections

• The Privacy Shield strengthens cooperation between the Federal Trade Commission and EU Data Protection Authorities, providing independent, vigorous enforcement of the data protection requirements set forth in the Privacy Shield.

• EU individuals will have access to multiple avenues to resolve concerns, including through alternative dispute resolution, now at no cost to the individual.

• The Department of Commerce will step in directly and use best efforts to resolve referred complaints, including by dedicating a special team with significant new resources to supervise compliance with the Privacy Shield.

• The Privacy Shield adds an important new avenue to supplement the others. Companies now will commit to participate in arbitration as a matter of last resort to ensure that EU individuals who still have concerns will have the opportunity to seek legal remedies.



• The Privacy Shield embodies a renewed commitment to privacy by the U.S.

and the EU, and to ensure it remains a living framework subject to active

supervision, the Department of Commerce, the FTC, and EU DPAs will hold

annual review meetings to discuss the functioning of and compliance with the

Privacy Shield.

• The Privacy Shield includes significant improvements to improve transparency

regarding personal data use, strengthen the protections participants provide,

and inform EU individuals more comprehensively about their rights under the

program.

• The Privacy Shield includes new contractual privacy protections and oversight

for data transferred by participating companies to third parties or processed by

those companies’ agents to improve accountability and ensure a continuity of

protection.



The EU-U.S. Privacy Shield demonstrates the U.S. Commitments to

limitations and safeguards on national security.

• Since 2013, President Obama, including through Presidential Policy Directive 28, has

directed several measures to enhance privacy protections for U.S. signals intelligence

activities, including protections that apply regardless of nationality; enhanced executive

oversight of intelligence activities; and implementation of new legislation that enhances

judicial review of certain intelligence collection activities, increases transparency, and further

ensures that collection of information for intelligence purposes is precisely focused and

targeted.

• In connection with finalization of the new EU-U.S. Privacy Shield, the U.S. Intelligence

Community has described in writing for the European Commission the multiple layers of

constitutional, statutory, and policy safeguards that apply to its operations, with active

oversight provided by all three branches of the U.S. Government.

• The Privacy Shield provides, for the first time, a specific channel for EU individuals to raise

questions regarding signals intelligence activities relating to the Privacy Shield. As a part of

this process, the United States is making the commitment to respond to appropriate requests

regarding these matters, consistent with our national security obligations.


John Bowman, Senior Principal,

Promontory

Next Steps and EU Approval

Process


The Council (the 28 EU member states) and the European Parliament have given the European

Commission the power to determine, on the basis of Article 25(6) of Directive 95/46/EC whether

a third country ensures an adequate level of protection by reason of its domestic law or of the

international commitments it has entered into.

European Commission Adequacy Decisions

AD - Andorra

AR - Argentina

CA - Canada

CH - Switzerland

FO - Faeroe Islands

GG - Guernsey

IL - State of Israel

IM - Isle of Man

JE - Jersey

NZ - New Zealand

US - United States - Safe Harbour

UY - Eastern Republic of Uruguay

European Commission Adequacy Decisions as at February 2016

The effect of these adequacy decisions is that personal data can flow from the 28 EU countries

and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country

without any further safeguard being necessary.


Procedure for adopting the Privacy Shield

In order for the EU-US Privacy Shield to become law, a Commission Decision needs to be

adopted on the basis of Article 26(6) of Directive 95/46/EC. This process involves;

• The proposal from the European Commission (the draft text of the new adequacy decision)

• An opinion of the member states supervisory authorities and the European Data Protection

Supervisory (EDPS) in the framework of the Article 29 Working Party (WP29)

• An approval from the Article 31 Committee (member states) under the comitology

‘examination procedure’

• The adoption of the decision by the College of Commissioners

Article 31 of Directive 95/46/EC sets out that the (Article 31) committee shall deliver its opinion

on the draft by a qualified majority vote of member states. However, if these measures are not

in accordance with the opinion of the committee, they shall be communicated by the

Commission to the Council forthwith. In that event:

• the Commission shall defer application of the measures which it has decided for a period of

three months from the date of communication,

• the Council, acting by a qualified majority, may take a different decision within a specified

time limit.


• WP29 calls on the Commission to communicate all documents pertaining to the new

arrangement by the end of February

• WP29 will conduct an assessment of the draft decision in light of the European

jurisprudence on fundamental rights which sets four essential guarantees for intelligence

activities:

– Processing should be based on clear, precise and accessible rules

– Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated

– An independent oversight mechanism should exist, that is both effective and impartial

– Effective remedies need to be available to the individual

• WP29 will then complete its assessment for all personal data transfers to the US before

holding an extraordinary plenary session where consideration will be given as to whether

other transfer mechanisms (e.g. Binding Corporate Rules and Standard Contractual

Clauses) can be used for personal data transfers to the US

• The Commission and the Article 31 Committee will then consider the report of WP29 and

act on the recommendations accordingly

• The European Parliament may in the meantime issue a letter, opinion or request that the

Commission attend the Parliament

The path to approval in the EU


Questions?


Josh Harris [email protected]

John Bowman [email protected]

Contacts

mailto:[email protected]


Stay on the call for a

LIVE DEMO of TRUSTe EU Data Privacy Transfer Assessment

See http://www.truste.com/insightseries for details of our 2016 Privacy

Insight Series and past webinar recordings.

Thank You!

http://www.truste.com/insightseries


Today’s LIVE DEMO Presenter

Joanne Furtsch

Director of Product Policy,

TRUSTe


TRUSTe Has You Covered

Whether you meet your EU Data Transfer compliance requirements through

the new Privacy Shield Framework, Model Contract Clauses, or a combination

of the two – TRUSTe has you covered.

To find out more about TRUSTe Assessment Manager, and how TRUSTe can

help you with your EU compliance program,

Visit www.truste.com/business-products/eu-privacy/ or contact your TRUSTe

Rep at 888-878-7830

We have the resources and tools to help you quickly address the forthcoming

compliance deadlines.

http://www.truste.com/business-products/eu-privacy/







Don’t miss the next webinar in the Series –” Investment in Privacy Brings

Security Results” with Chris Babel, TRUSTe and Sam Pfeifle, IAPP on

March 10th

See http://www.truste.com/insightseries for details of our 2016 Privacy

Insight Series and past webinar recordings.

Thank You!

http://www.truste.com/insightseries

Technology

EU Privacy Shield - Understanding the New Framework from TRUSTe