How To Understand The Privacy Shield

Transcription

1 The Privacy Shield and EU GDP Regulation- A Data Safekeeping Revolution? SCCE Webinar May 24, 2016 Presenter: Dan Cotter [email protected] Agenda - What is the Privacy Shield - What is the EU General Data Protection Regulation? - How did we get to the Privacy Shield framework and EU GDP Regulation? - What is the Current Status of each? - How will the Privacy Shield, if passed, affect you? - How will the EU GDP Regulation, if passed, affect you? - What impact will they have to you if passed? - Questions 1

2 Bullet Points to Cover How the Privacy Shield framework issued by the EU and US on February 29th affects you Learn how the EU GDP Regulation, if passed, will require organizations to change their privacy practices Hear how the EU initiatives identified above are likely to start a data safekeeping revolution The Origins Organisation for Economic Co-operation and Development (OECD) (economic group of 34 countries) Seven principles for protection of private data 2

3 EU Data Protection Directive (DPD) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data Each EU country adopted a version EU at forefront on privacy and human rights Took effect in 1998 Contained an adequacy/equivalency measure Second privacy initiative by EU Wide arm of applicability written before real explosion of internet EU Data Protection Directive (DPD) (cont d) Governs Processing of Data within EU But applies if using equipment located in EU Controller Number of Principles: Transparency Legitimate Purpose Proportionality 3

4 Applicability of DPD Applies to all personal data (intentionally broadly defined): "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity." Transfer to Third Countries EU permitted transfer to non-eu countries only if: Country has adequate levels of protection or equivalency, or Binding corporate rules developed, or Standard contractual clauses, or Person consents to transfer 4

5 Countries Found to be Adequate Switzerland Canada Argentina Bailiwick of Guernsey Isle of Man Bailiwick of Jersey Andorra New Zealand Faeroe Islands Israel Uruguay United States Never found to be adequate Likely never will be More on this in a few slides Now, let s turn to EU General Data Protection Regulation 5

6 EU General Data Protection Regulation (GDPR) January 25, 2012 new privacy regulation proposed To replace and supersede EU Data Protection Directive March 2018 effective date April 14, 2016: EU Parliament plenary vote of support for GDPR Changes from DPD to GDPR Scope expansion: Applies if controller or processor or individual located within EU Personal data any information relating to an individual One stop shop Existing framework each member country variations (like US privacy and other laws) Under GDPR, one set of rules will apply 6

7 Changes from DPD to GDPR (cont d) Notice requirements Remain but much expanded Consent Must be received Opt in Data Protection Officer (DPO) Must be identified for each organization Public Private Changes from DPD to GDPR (cont d) Data breach notification Must be made without undue delay Report to supervisory DPO Sanctions Increased Up to 20m Right to be forgotten 7

8 Prior Safe Harbor for US Companies US not found to be adequate (never will be) Compromise was set of principles developed by US Safe Harbor Decision - July 26, /520/EC- three page decision: 95/46/EC required adequate level of protection by a country seeking EU data transfer Safe Harbor Principles established. Permitted the transfer of data from the EU to the US Safe Harbor Principles Notice Choice Onward Transfer Security Data Integrity Access Enforcement 8

9 Purpose of Safe Harbor Designed to put in place systems to prevent accidental disclosure of private information from companies in the EU or U.S. Practical solution to problems of U.S. inadequacy Developments Since Safe Harbor Decision Attacks of September 11 Patriot Act Snowden disclosures on extent of US government surveillance Also, challenge of Facebook practices by individual 9

10 Maximillian Schrems v. Data Protection Commissioner (October 6, 2015) Max Schrems Austrian privacy activist Concerned with Facebook transfer of data Facebook European HQ in Dublin 2000 decision declared invalid because: Notwithstanding adoption by Commission of a decision, national supervisory authorities have chance to review Commission did not find a level of protection of fundamental rights essentially equivalent to EU Safe Harbor 2.0 Safe Harbor Principles no longer valid Options for US companies: Standard contract provisions Binding corporate rules Second option very burdensome February 2, 2016 EU issued draft of the Privacy Shield Often referred to as Safe Harbor 2.0 February 29, EU Commission issued guidance 10

11 Privacy Shield Skeleton of Safe Harbor underlying Privacy Shield Same seven principles But much more detailed Notice provisions much more onerous Enhanced consumer choices Status Article 29 Working Party April 13, nonbinding opinion Criticized elements of Privacy Shield Recommended actions for Commission: create a glossary of terms with clear definitions review the decision in light of the forthcoming GDPR, and ensure that the proposed annual joint review of the Privacy Shield occurs 11

12 Impact on US Companies Companies not collecting or accessing EU data Companies collecting or accessing Safe Harbor self-certification voided Privacy Shield self-certification Onward transfers most burdensome Why Does EU Activity Matter if US-based only? EU on forefront of privacy and human rights EU GDPR elements likely to be adopted by US regulators Department of Commerce lead from US side Good to review privacy practices and policies TCPA, FTC enforcement, HIPAA, etc. 12

13 Steps all US companies should be taking Review current privacy policies and practices Review your compliance program Consider how DPO will fit within organization Review your policy notices Review your contract provisions Review your data breach notification provisions Questions??????? 13

14 The Privacy Shield and EU GDP Regulation- A Data Safekeeping Revolution? SCCE Webinar May 24, 2016 Presenter: Dan Cotter [email protected]