The Rise (And Fall) of the U.S.-EU Safe Harbor - ARMA Chicago
U.S.-EU Privacy Shield and GDPR
Bruce A. Radke, Vedder Price P.C.
November 8, 2016
2016 Vedder Price

Agenda
- Introductions
- Background on the U.S.-EU Privacy Shield
- Privacy Shield Principles
- Path to Certification
- General Data Protection Regulation
- Preparing for GDPR
- Recap/Q & A

Background on the U.S.-EU Privacy Shield
- 1995: The EU passed the Data Protection Directive to protect EU citizens' fundamental rights and freedoms with respect to their personal data.
- 2000: The EU and the U.S. Department of Commerce agreed on the U.S.-EU Safe Harbor to permit the transfer of personal data about EU citizens.
- 2016: The European Court of Justice found the U.S.-EU Safe Harbor framework invalid because the U.S. surveillance program allowed for the large-scale collection of personal data of EU citizens without judicial oversight. This left approximately 4,000 U.S. companies without a mechanism to transfer such data.

Why the New Privacy Shield?
The Privacy Shield Framework now addresses the issues that the DPAs themselves prioritized:
- Bulk collection
- Written assurances re: mass surveillance of EU data
- Independence of the Ombudsperson
- Addition of an explicit data retention principle: data is to be retained only for as long as it serves the purpose(s) for which it was initially collected or subsequently authorized

Privacy Shield Timeline
- Draft text was released on February 29, 2016
- Revised further in response to criticisms from the Article 29 WP and the EDPS
- Privacy Shield adopted by the EU Commission and entered into force on July 12, 2016
- U.S. Department of Commerce began accepting certifications on August 1, 2016

Privacy Shield Principles
- Notice
- Choice
- Security
- Accountability for Onward Transfer
- Data Integrity and Purpose Limitation
- Access
- Recourse, Enforcement and Liability

Notice and Choice (Privacy Principles: Safe Harbor vs. Privacy Shield)

Notice
  Safe Harbor: Disclose that the organization adheres to the principles/framework and state what information collection, sharing, access, opt-out, enforcement and security measures are in place.
  Privacy Shield (new):
  - Requires links to the DOC Shield participant list and the dispute provider website
  - Discloses the new ability for individuals to pursue binding arbitration if other mechanisms fail
  - Discloses that the organization may share PI in response to lawful requests or for national security, and its liability in onward transfers to third parties

Choice
  Safe Harbor: Provide consumers with the opportunity to opt out or opt in (sensitive information) depending on the nature of the data. Set up appropriate procedures to respect consumers' opt-out/opt-in requests, particularly with respect to consumers' requests not to be approached for direct marketing (i.e., an in-house suppression system). Opting out should not require consumers to incur any fee or expense beyond a first-class stamp or a phone call. Opt-in is required for sensitive information: medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.
  Privacy Shield: Individuals must be provided with clear, conspicuous and readily available mechanisms to exercise choice. An organization must offer individuals the opportunity to choose (opt out) whether their PI is to be disclosed to a third party or used for a materially different purpose. Choice is not required when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of the organization; however, the organization shall always enter into a contract with the agent. The definition of sensitive information is the same as for Safe Harbor.

What Should Be Included in a Privacy Shield Notice?
- Statement of adherence to the Shield and its principles
- Link to the DOC Privacy Shield participant list: https://www.privacyshield.gov/list
- Types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the principles
- Purpose and use of data collection
- Types or identities of third parties to whom you disclose/share personal information, and the purposes for which you do so
- Right of individuals to access their personal data
- Choices and methods the organization offers individuals for limiting the use and disclosure of their personal data
- Company contact information, for inquiries or complaints
- Link to the independent dispute resolution provider designated to address complaints: either the panel established by the DPAs, or an alternative dispute resolution provider based in the EU
Onward Transfer & Security (Privacy Principles: Safe Harbor vs. Privacy Shield)

Accountability for Onward Transfer
  Safe Harbor: Determine the need for contracts with respect to the transfer of information to third parties. You must ensure that if information is disclosed to agents or subcontractors, those parties will agree to abide by the Safe Harbor principles. You should transfer data to third parties only consistent with the notice and choices you have given the consumers. Any agents of yours who handle or process your data, such as your service bureaus, must themselves either be subject to the EU Directive or be members of the Safe Harbor, or they must agree in writing to be bound by these principles. In all events, you must document your agreement with them as to their treatment of data.
  Privacy Shield: Same overall themes, but a participating company now has liability in cases of onward transfer of data to third parties.
  - The agent is obligated to provide at least the same level of privacy protection as is required by the principles.
  - Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing.
  - Additionally, upon request by the DOC, the organization must provide a summary or a copy of the relevant contract privacy provisions entered into with its agent.

Security
  Safe Harbor: The organization must take reasonable and appropriate measures to protect data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
  Privacy Shield: Same.

Data Integrity & Access (Privacy Principles: Safe Harbor vs. Privacy Shield)

Data Integrity and Purpose Limitation
  Safe Harbor: Ensure that the customers' personal information is reliable, accurate, complete, current and used for intended purposes. Your company should not process data that is not relevant to the purpose for which it was collected, unless subsequently authorized by the consumer.
  Privacy Shield: Same. Additional: The organization must adhere to the principles as long as it retains the data. Organizations can retain data as long as it serves a purpose for processing consistent with the purpose stated at the time of collection. This does not prevent organizations from processing personal information for longer periods if doing so reasonably serves the purpose of archiving in the public interest, journalism, literature, art, scientific or historical research, and statistical analysis.

Access
  Safe Harbor: You must provide customers the ability to access PI being maintained by the company and the ability to correct, amend or delete it where it is inaccurate or processed in violation of the principles (based on a sliding-scale principle: the obligation to provide access to information increases where its use is more likely to significantly affect the individual).
  Privacy Shield: Same.

Recourse, Enforcement and Liability (Privacy Principles: Safe Harbor vs. Privacy Shield)
  Safe Harbor: Take reasonable steps to ensure that any consumer privacy concern will be addressed by: (1) referring consumers to your customer service department or other in-house dispute resolution program; (2) subscribing to a third-party dispute resolution mechanism to address any unresolved in-house consumer data privacy complaints; and (3) having appropriate monitoring, verification and remedy procedures in place. The independent dispute resolution service should be readily available and at no cost to the consumer.
  Privacy Shield: The new available remedy for EU individuals is binding arbitration; individuals must pursue other mechanisms first: 1) contacting the company directly; 2) contacting the independent dispute provider; and 3) only then may they pursue binding arbitration. No monetary damages are allowed under binding arbitration. Binding arbitration seeks to resolve an individual complaint. A separate complaint process: consumers may also contact the appropriate DPA, and then the DPA resolves the complaint or works with the DOC to resolve it. There is no binding arbitration under this scenario.

Privacy Shield Self-Certification Checklist
Initial steps:
- Assess your company's practices against the principles; make changes as needed
- Designate an accountable executive
- Designate a point of contact
- Engage an independent dispute resolution provider
- Implement an annual assessment program
General Data Protection Regulation
- Formally adopted by the European Parliament on April 14, 2016
- Next steps:
  - Publication in the EU Official Journal in June
  - Effective 20 days following publication
  - Two-year implementation period
  - Organizations will need to be compliant around June 2018

Single Lead Supervisory Authority
- A single Supervisory Authority (SA) will supervise and enforce a company's data protection compliance across the EU.
- Location is based on where the controller/processor has its main establishment (usually HQ): the location in the EU at which decisions are made relating to the purposes and means of processing personal data.

Supervisory Authorities
- An SA is responsible for dealing with issues that arise due to processing in a single member state and involving only data subjects in that state.
- It must consult and cooperate with other concerned SAs.
- Only local SAs may deal with their own national public authorities or private bodies acting in the public interest.

Jurisdictional Issues
GDPR applies when:
- Personal data is processed in connection with the provision of goods or services to EU citizens.
- EU data subjects' behavior is monitored.
- The location of the data controller and processor is not relevant.
- A non-EU company will need to appoint a representative in the EU unless it meets certain requirements that reduce the risk to EU citizens.

Privacy by Design
- Emphasis on adopting appropriate policies and safeguards to protect personal data.
- Companies must draft, adopt and implement appropriate technical, physical and administrative measures to protect personal data prior to, and continually monitor during, the processing of personal data.
- The draft text of the GDPR uses the term "transparency" a number of times: a company must be clear and transparent in its dealings with individuals.

Privacy Risk Assessments
- For high-risk processing, the data controller must conduct a Privacy Impact Assessment (PIA).
- When the PIA demonstrates high risk to data subjects, the controller must notify the lead SA for review of the activity and the proposed risk mitigation measures.
- SAs must develop and publish a list of processing activities which they consider high-risk and which will therefore require a PIA prior to implementation.

Risk-Based Approach
- Some compliance requirements in the GDPR will apply only to data processing likely to result in a risk to a data subject's individual rights.
- Example: data breach notification. Need to notify SAs and individuals only when there is a risk to the data subject's personal data.

Data Protection Officers
Some categories of businesses will need to appoint a Data Protection Officer (DPO):
- Organizations that regularly or systematically gather data as part of their core activities.
- Data controllers or processors that process large amounts of sensitive personal data.
The DPO must be independent in order to fulfill its obligations.

Responsibilities of the DPO
- Informing and advising controllers and processors of obligations under the GDPR and other data protection laws
- Monitoring compliance (including internal data protection activities)
- Training internal staff
- Internal audits
- Providing advice for PIAs
- Working with the SA
- Point of contact for inquiries from data subjects, withdrawal of consent, right-to-be-forgotten requests and other related rights

Pseudonymization
- The GDPR encourages pseudonymization.
- Personal data is partially anonymized: it is split into two databases, one using an anonymous key and the other containing the lookup from the key to the identifying information.
- The databases are held separately.
- Requirement to use technical and administrative measures to prevent re-identification.

New Rights for Data Subjects: Right to Be Forgotten
Explicit right to be forgotten: personal data must be erased without undue delay when:
- Retention is not required
- Data is no longer needed
- Consent is withdrawn
This may have a significant impact on how controllers and processors do business.

Security Requirements
- Both data controllers and processors must implement appropriate technical and administrative measures to protect personal data.
- Appropriateness of the measures is based on:
  - State of the art and the costs of implementation
  - Nature, scope, context and purpose of processing
  - Likelihood and severity of risks to the rights and freedoms of the data subjects
- Controllers and processors must consider:
  - Ability to ensure ongoing confidentiality, integrity and availability and the resilience of systems and services that process personal data
  - Disaster recovery in the event of a physical or technical incident
  - Regular testing of the effectiveness of the measures
  - Encryption of personal data
Data Breach Notifications
- A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
- Controllers must notify SAs within 72 hours after becoming aware of a data breach.
- If notification is not made within 72 hours, the controller must provide a reasoned justification for the delay.
- Notice content requirements.
- Notice is not required if the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals.
- Even if no notification is necessary, organizations must retain a record of the breach for later investigation or audit by the SA.
- The affected individuals must also be notified without undue delay (unless there is a reasoned justification for the delay) if the breach is likely to result in high risk to the rights and freedoms of individuals.
  - Not required if the data is encrypted or otherwise rendered unintelligible
  - Alternative communication efforts may be used if the notification would involve disproportionate effort
  - Exceptions apply if the controller has taken actions to ensure that the risk is unlikely to materialize
- Processors need to notify only the controller; they have no obligation to notify the SA or individuals under the GDPR.

Financial Penalties/Damages
- SAs may impose monetary fines on data controllers and processors for violations. Two different levels:
  - Up to 10M EUR or 2% of the organization's prior year's worldwide turnover
  - Up to 20M EUR or 4% of the organization's prior year's worldwide turnover
- The GDPR maintains the private right of action for damages, but it is now extended to actions against data processors for breaches of the applicable sections of the GDPR.
- The burden of proof lies with the data controller and/or processor.

Transfers of Data under GDPR
- Determination of adequacy (Privacy Shield?)
- BCRs are explicitly recognized, but the GDPR provides minimum requirements which may require changes to existing BCRs
- Standard contractual clauses: the requirement for prior notice to the DPA is eliminated; current clauses remain valid, but the GDPR leaves open the possibility of changes
- Codes of conduct or certifications (provision for data protection seals/marks)
- Compelling legitimate interests of the controller

Preparing for GDPR
- Start a data inventory now.
- Put processes in place for PIAs (if needed).
- Review and revise (or draft) your written information security policies to ensure appropriate technical, administrative and physical measures are in place to protect data.
- Maintain detailed records of personal data processing.
- Adopt a Privacy by Design strategy for your products and services.
- Review and revise your privacy policies to ensure that they are written in clear and plain language and fully disclose your data collection and processing practices.
- Review and update your method of obtaining consent to ensure you get specific, informed and unambiguous opt-in consent.
- Begin the search for qualified DPOs.
- Build relationships with the Supervisory Authority early and before you need them.
- Review your insurance for scope and limits of coverage.

Question & Answer

For more information, please contact:
Bruce A. Radke
[email protected]
(312) 609-7689