Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

EU Privacy Shield - Understanding the New Framework from TRUSTe


Published on

Webinar to understand the new EU-US Privacy Shield Framework which replaces the EU-US Safe harbor framework followed by a demo of the TRUSTe EU data privacy transfer assessment.
Visit to view the complete webinar.

Published in: Technology
  • Login to see the comments

EU Privacy Shield - Understanding the New Framework from TRUSTe

  1. 1. 1 vPrivacy Insight Series v EU-US Privacy Shield: Understanding the New Framework February 10, 2016
  2. 2. 2 vPrivacy Insight Series Today’s Speakers Josh Harris Director of Policy TRUSTe Shannon Coe Team Lead, Data Flows and Privacy U.S. Department of Commerce John Bowman Senior Principal Promontory
  3. 3. 3 vPrivacy Insight Series • Introduction and Overview – Josh Harris, Director of Policy, TRUSTe • EU-U.S. Privacy Shield Framework – Shannon Coe, Team Lead Data Flows & Privacy, U.S. Department of Commerce • Next Steps and EU Approval Process – John Bowman, Senior Principal, Promontory • Audience Q&A • Demo of TRUSTe EU Data Privacy Transfer Assessment Agenda
  4. 4. 4 vPrivacy Insight Series v Introduction & Overview Josh Harris Director of Policy, TRUSTe
  5. 5. 5 vPrivacy Insight Series June 2013: Snowden revelations published by the Guardian • Timeline of Safe Harbor Negotiations • July 2013: EU Parliament calls for EC review of Safe Harbor • July 2013: EU VP Reding announces EC review to commence • November 2013: EC announces results of review • January 2014: Safe Harbor consultations begin • Timeline of Schrems Case • June 2013: Schrems lodges complaint with the Irish Privacy Commissioner • July 2013: Irish DPC declines complaint • October 2013: Irish High Court agrees to Judicial Review • June 2014 : Irish High Court refers case to the Court of Justice of the European Union(CJEU) • September 2015: Advocate General Opinion announced October 2015: Safe Harbor Invalidated
  6. 6. 6 vPrivacy Insight Series Transparency • Companies should publicly disclose their privacy policies. • Privacy policies should include a link to the Department of Commerce (DoC) Safe Harbor website. • Companies should publish privacy conditions of any contracts they conclude with subcontractors • DoC should flag all companies which are not current members. 13 EC Recommendations Redress • Companies should include a link to ADR provider in privacy policy. • ADR should be readily available and affordable. • DoC should monitor ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints.
  7. 7. 7 vPrivacy Insight Series Enforcement • A certain percentage of companies should be subject to ex officio investigations of compliance of their privacy policies (going beyond control of compliance with formal requirements). • Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after 1 year. • In case of doubts about a company's compliance DoC should inform the competent EU data protection authority. • False claims of Safe Harbor adherence should continue to be investigated Access by US authorities • Privacy policies should include information on the extent to which US law allows public authorities to collect and process data and should be encouraged to describe the policies in place to comply. • The national security exception be used only when strictly necessary or proportionate. 13 EC Recommendations
  8. 8. 8 vPrivacy Insight Series v Shannon Coe, Team Lead Data Flows and Privacy U.S. Department of Commerce EU-U.S. Privacy Shield
  9. 9. 9 vPrivacy Insight Series Overview of EU-U.S. Privacy Shield (1/3) The EU-U.S. Privacy Shield significantly improves commercial oversight and enhances privacy protections • The Privacy Shield strengthens cooperation between the Federal Trade Commission and EU Data Protection Authorities, providing independent, vigorous enforcement of the data protection requirements set forth in the Privacy Shield. • EU individuals will have access to multiple avenues to resolve concerns, including through alternative dispute resolution, now at no cost to the individual. • The Department of Commerce will step in directly and use best efforts to resolve referred complaints, including by dedicating a special team with significant new resources to supervise compliance with the Privacy Shield. • The Privacy Shield adds an important new avenue to supplement the others. Companies now will commit to participate in arbitration as a matter of last resort to ensure that EU individuals who still have concerns will have the opportunity to seek legal remedies.
  10. 10. 10 vPrivacy Insight Series Overview of EU-U.S. Privacy Shield (2/3) • The Privacy Shield embodies a renewed commitment to privacy by the U.S. and the EU, and to ensure it remains a living framework subject to active supervision, the Department of Commerce, the FTC, and EU DPAs will hold annual review meetings to discuss the functioning of and compliance with the Privacy Shield. • The Privacy Shield includes significant improvements to improve transparency regarding personal data use, strengthen the protections participants provide, and inform EU individuals more comprehensively about their rights under the program. • The Privacy Shield includes new contractual privacy protections and oversight for data transferred by participating companies to third parties or processed by those companies’ agents to improve accountability and ensure a continuity of protection.
  11. 11. 11 vPrivacy Insight Series Overview of EU-U.S. Privacy Shield (3/3) The EU-U.S. Privacy Shield demonstrates the U.S. Commitments to limitations and safeguards on national security. • Since 2013, President Obama, including through Presidential Policy Directive 28, has directed several measures to enhance privacy protections for U.S. signals intelligence activities, including protections that apply regardless of nationality; enhanced executive oversight of intelligence activities; and implementation of new legislation that enhances judicial review of certain intelligence collection activities, increases transparency, and further ensures that collection of information for intelligence purposes is precisely focused and targeted. • In connection with finalization of the new EU-U.S. Privacy Shield, the U.S. Intelligence Community has described in writing for the European Commission the multiple layers of constitutional, statutory, and policy safeguards that apply to its operations, with active oversight provided by all three branches of the U.S. Government. • The Privacy Shield provides, for the first time, a specific channel for EU individuals to raise questions regarding signals intelligence activities relating to the Privacy Shield. As a part of this process, the United States is making the commitment to respond to appropriate requests regarding these matters, consistent with our national security obligations.
  12. 12. 12 vPrivacy Insight Series v John Bowman, Senior Principal, Promontory Next Steps and EU Approval Process
  13. 13. 13 vPrivacy Insight Series The Council (the 28 EU member states) and the European Parliament have given the European Commission the power to determine, on the basis of Article 25(6) of Directive 95/46/EC whether a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into. European Commission Adequacy Decisions AD - Andorra AR - Argentina CA - Canada CH - Switzerland FO - Faeroe Islands GG - Guernsey IL - State of Israel IM - Isle of Man JE - Jersey NZ - New Zealand US - United States - Safe Harbour UY - Eastern Republic of Uruguay European Commission Adequacy Decisions as at February 2016 The effect of these adequacy decisions is that personal data can flow from the 28 EU countries and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country without any further safeguard being necessary.
  14. 14. 14 vPrivacy Insight Series Procedure for adopting the Privacy Shield In order for the EU-US Privacy Shield to become law, a Commission Decision needs to be adopted on the basis of Article 26(6) of Directive 95/46/EC. This process involves; • The proposal from the European Commission (the draft text of the new adequacy decision) • An opinion of the member states supervisory authorities and the European Data Protection Supervisory (EDPS) in the framework of the Article 29 Working Party (WP29) • An approval from the Article 31 Committee (member states) under the comitology ‘examination procedure’ • The adoption of the decision by the College of Commissioners Article 31 of Directive 95/46/EC sets out that the (Article 31) committee shall deliver its opinion on the draft by a qualified majority vote of member states. However, if these measures are not in accordance with the opinion of the committee, they shall be communicated by the Commission to the Council forthwith. In that event: • the Commission shall defer application of the measures which it has decided for a period of three months from the date of communication, • the Council, acting by a qualified majority, may take a different decision within a specified time limit.
  15. 15. 15 vPrivacy Insight Series • WP29 calls on the Commission to communicate all documents pertaining to the new arrangement by the end of February • WP29 will conduct an assessment of the draft decision in light of the European jurisprudence on fundamental rights which sets four essential guarantees for intelligence activities: – Processing should be based on clear, precise and accessible rules – Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated – An independent oversight mechanism should exist, that is both effective and impartial – Effective remedies need to be available to the individual • WP29 will then complete its assessment for all personal data transfers to the US before holding an extraordinary plenary session where consideration will be given as to whether other transfer mechanisms (e.g. Binding Corporate Rules and Standard Contractual Clauses) can be used for personal data transfers to the US • The Commission and the Article 31 Committee will then consider the report of WP29 and act on the recommendations accordingly • The European Parliament may in the meantime issue a letter, opinion or request that the Commission attend the Parliament The path to approval in the EU
  16. 16. 16 vPrivacy Insight Series v Questions?
  17. 17. 17 vPrivacy Insight Series v Josh Harris John Bowman Contacts
  18. 18. 18 vPrivacy Insight Series v Stay on the call for a LIVE DEMO of TRUSTe EU Data Privacy Transfer Assessment See for details of our 2016 Privacy Insight Series and past webinar recordings. Thank You!
  19. 19. 19 vPrivacy Insight Series Today’s LIVE DEMO Presenter Joanne Furtsch Director of Product Policy, TRUSTe
  20. 20. 20 vPrivacy Insight Series TRUSTe Has You Covered Whether you meet your EU Data Transfer compliance requirements through the new Privacy Shield Framework, Model Contract Clauses, or a combination of the two – TRUSTe has you covered. To find out more about TRUSTe Assessment Manager, and how TRUSTe can help you with your EU compliance program, Visit or contact your TRUSTe Rep at 888-878-7830 We have the resources and tools to help you quickly address the forthcoming compliance deadlines.
  21. 21. 21 vPrivacy Insight Series v Don’t miss the next webinar in the Series –” Investment in Privacy Brings Security Results” with Chris Babel, TRUSTe and Sam Pfeifle, IAPP on March 10th See for details of our 2016 Privacy Insight Series and past webinar recordings. Thank You!