How To Understand The Privacy Shield


The Privacy Shield and EU GDP Regulation - A Data Safekeeping Revolution?
SCCE Webinar, May 24, 2016
Presenter: Dan Cotter, dcotter@butlerrubin.com, 312-696-4497

Agenda
- What is the Privacy Shield?
- What is the EU General Data Protection Regulation?
- How did we get to the Privacy Shield framework and the EU GDP Regulation?
- What is the current status of each?
- How will the Privacy Shield, if adopted, affect you?
- How will the EU GDP Regulation, if passed, affect you?
- What impact will they have on you if passed?
- Questions

Bullet Points to Cover
- How the Privacy Shield framework issued by the EU and US on February 29th affects you
- Learn how the EU GDP Regulation, if passed, will require organizations to change their privacy practices
- Hear how the EU initiatives identified above are likely to start a data safekeeping revolution

The Origins
- 1980: the Organisation for Economic Co-operation and Development (OECD), an economic group of 34 countries, issues its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
- Eight basic principles for the protection of personal data: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability

EU Data Protection Directive (DPD)
- Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
- A directive rather than a regulation: each EU member state adopted its own implementing law
- EU at the forefront on privacy and human rights
- Member states had to transpose it into national law by October 1998
- Contained an adequacy/equivalency mechanism for transfers outside the EU
- Second privacy initiative by the EU
- Wide reach, written before the real explosion of the internet

EU Data Protection Directive (DPD) (cont'd)
- Governs processing of personal data within the EU
- Also applies to a controller established outside the EU that uses equipment located in the EU to process personal data
- Key principles: transparency, legitimate purpose, proportionality

Applicability of DPD
- Applies to all personal data, which is intentionally broadly defined: "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."

Transfer to Third Countries
The EU permitted transfer of personal data to non-EU countries only if:
- the destination country has been found to provide an adequate (equivalent) level of protection, or
- binding corporate rules have been developed and approved, or
- standard contractual clauses are in place, or
- the data subject has consented to the transfer

Countries Found to be Adequate
- Switzerland
- Canada
- Argentina
- Bailiwick of Guernsey
- Isle of Man
- Bailiwick of Jersey
- Andorra
- New Zealand
- Faroe Islands
- Israel
- Uruguay

United States
- Never found to be adequate as a country
- Likely never will be
- More on this in a few slides

Now, let's turn to the EU General Data Protection Regulation.

EU General Data Protection Regulation (GDPR)
- January 25, 2012: new privacy regulation proposed
- To replace and supersede the EU Data Protection Directive
- April 14, 2016: EU Parliament plenary vote adopting the GDPR
- Applies from May 25, 2018

Changes from DPD to GDPR
- Scope expansion: applies to controllers and processors established in the EU, and to those outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU
- Personal data: any information relating to an identified or identifiable individual
- One-stop shop: a single lead supervisory authority for cross-border processing
- Existing framework: each member country has its own variations (much like US privacy and other laws)
- Under GDPR, one set of rules will apply directly across the EU

Changes from DPD to GDPR (cont'd)
- Notice requirements: remain, but much expanded
- Consent: must be freely given, specific, informed and unambiguous; opt-in, not opt-out
- Data Protection Officer (DPO): must be designated by public authorities and by organizations, public or private, whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data

Changes from DPD to GDPR (cont'd)
- Data breach notification: must be made to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach; affected individuals must also be notified when the breach is likely to result in a high risk to them
- Sanctions: increased to up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher
- Right to be forgotten (right to erasure)

Prior Safe Harbor for US Companies
- US not found to be adequate (and never will be)
- Compromise: a set of principles developed by the US Department of Commerce in consultation with the European Commission
- Safe Harbor Decision, July 26, 2000 (2000/520/EC), a short decision that:
  - recognized that 95/46/EC requires an adequate level of protection in any country receiving EU data
  - established the Safe Harbor Principles
  - permitted the transfer of data from the EU to US organizations that self-certified to those principles

Safe Harbor Principles
- Notice
- Choice
- Onward Transfer
- Security
- Data Integrity
- Access
- Enforcement

Purpose of Safe Harbor
- Designed to put in place systems to prevent accidental disclosure of private information by companies in the EU or the US
- Practical solution to the problem of US inadequacy

Developments Since the Safe Harbor Decision
- Attacks of September 11, 2001, and the Patriot Act
- Snowden disclosures on the extent of US government surveillance
- Also, a challenge to Facebook's practices by an individual

Maximillian Schrems v. Data Protection Commissioner (CJEU, October 6, 2015)
- Max Schrems: Austrian privacy activist
- Concerned with Facebook's transfer of his data to the US; Facebook's European HQ is in Dublin, so he complained to the Irish Data Protection Commissioner
- The 2000 Safe Harbor decision was declared invalid because:
  - notwithstanding the adoption of an adequacy decision by the Commission, national supervisory authorities must still be able to examine a complaint that a transfer does not meet EU requirements
  - the Commission had not found that the US ensures a level of protection of fundamental rights essentially equivalent to that guaranteed in the EU

Safe Harbor 2.0
- Safe Harbor Principles no longer a valid basis for transfer
- Options for US companies:
  - standard contractual clauses
  - binding corporate rules (the second option is very burdensome)
- February 2, 2016: the European Commission and the US announce agreement on the Privacy Shield, often referred to as Safe Harbor 2.0
- February 29, 2016: the Commission publishes the draft adequacy decision and the Privacy Shield framework texts

Privacy Shield
- Skeleton of Safe Harbor underlies the Privacy Shield
- Same seven principles, but much more detailed
- Notice provisions much more onerous
- Enhanced consumer choices

Status
- April 13, 2016: the Article 29 Working Party issues a non-binding opinion
- Criticized elements of the Privacy Shield
- Recommended actions for the Commission:
  - create a glossary of terms with clear definitions
  - review the decision in light of the forthcoming GDPR
  - ensure that the proposed annual joint review of the Privacy Shield occurs

Impact on US Companies
- Companies not collecting or accessing EU data: see the next slide on why EU activity still matters
- Companies collecting or accessing EU data:
  - Safe Harbor self-certification voided
  - Privacy Shield self-certification will be required
  - Onward transfers to third parties are the most burdensome requirement

Why Does EU Activity Matter if US-based Only?
- EU is at the forefront of privacy and human rights
- EU GDPR elements are likely to be adopted by US regulators
- Department of Commerce takes the lead from the US side
- Good time to review privacy practices and policies: TCPA, FTC enforcement, HIPAA, etc.

Steps All US Companies Should Be Taking
- Review current privacy policies and practices
- Review your compliance program
- Consider how a DPO will fit within your organization
- Review your policy notices
- Review your contract provisions
- Review your data breach notification provisions

Questions?
