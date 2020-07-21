
The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Consent
July 21, 2020
  2. Thank you for joining the webinar “The Court Speaks: Privacy Shield, Standard Contractual Clauses and Cookie Consent”
     ● We will be starting a couple minutes after the hour
     ● This webinar will be recorded and the recording and slides sent out later today
     ● Please use the GoToWebinar control panel on the right hand side to submit any questions for the speakers
  3. Speakers
     ● Paul Breitbarth, Director, EU Policy and Strategy, TrustArc
     ● Josh Harris, Director, International Regulatory Affairs, TrustArc
     ● Trish Danczak, Product Owner, TrustArc
  4. Agenda
     Cookies
     ● Implications of the Planet49 case decision
     ● EDPB Guidelines on Consent
     International Data Transfers
     ● Implications of the Schrems II case decision
     ● The status of Privacy Shield and next steps
     ● European Commission adequacy re-assessment
  6. Summary of the Planet49 CJEU Ruling - C-673/17
     Planet49 offers promotional lotteries on various websites. These sites included pre-ticked cookie consent boxes, allowing tracking of the user that wanted to participate in the lotteries. The German Federal High Court referred the case to the CJEU for confirmation of the legality of these practices under the ePrivacy Directive.
     The Court:
     ● Considers that the placement of cookies requires freely given consent, which cannot be given legally with a pre-ticked box.
     ● Concludes consent not only needs to be free, but also specific (participation in a lottery is not the same as wanting to be tracked) and informed (no information was provided on purpose and retention period of the cookie data).
  7. Updated EDPB Consent Guidelines
     ● Freely Given
       ○ Real choice and control for individual
       ○ Not forced to use different service
       ○ No conditionality
     ● Specific
       ○ Granularity
       ○ No tie-in with other requirements / T&Cs
     ● Informed
       ○ Full transparency
       ○ Specific information (especially re cookies)
     ● Unambiguous Indication of a Data Subject’s Wishes
       ○ No pre-ticked boxes or scrolling
     Guidelines 5/2020 on Consent – Adopted after consultation 4 May 2020
     Update of WP29 Guidelines on Consent - WP259.01 (2018)
  9. Summary of CJEU Ruling in Schrems II
     In a case primarily about the validity of standard contractual clauses (SCCs), the European Court of Justice decided:
     1. To invalidate EU-U.S. Privacy Shield as a legal transfer mechanism under GDPR
     2. That companies relying on SCCs must do case-by-case assessments of whether the data transferred under SCCs can be protected in a manner essentially equivalent to its protection in the EU under GDPR
  10. TrustArc Insights and Expectations: On the Carve-Out for National Security
     The transfer from the EU to a third country is taking place between two commercial entities, in the Schrems-II case between Facebook Ireland and Facebook Inc. in the U.S., and that is a regular transfer that is covered by the provisions of the GDPR. The fact that in theory the data at some point may be intercepted by, or need to be handed over to, intelligence and security services in the U.S., does not make a difference.
  11. TrustArc Insights and Expectations: The “Essentially Equivalent” requirement
     ● The level of protection of natural persons guaranteed by the GDPR cannot be undermined by a data transfer.
     ● The term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union. [Schrems-I]
     ● Also when transferring personal data on the basis of Article 46 GDPR, using appropriate safeguards like Standard Contractual Clauses (SCCs), (...) such appropriate guarantees must be capable of ensuring that data subjects whose personal data are transferred to a third country (...) are afforded, as in the context of a transfer based on an adequacy decision, a level of protection essentially equivalent to that which is guaranteed within the European Union. [Schrems-II]
  12. What does this Decision mean for Privacy Shield participants?
     ● Privacy Shield is no longer a valid legal basis for transferring data from the 30 European Economic Area (EEA) countries to the U.S.
     ● The Swiss-U.S. Privacy Shield is unaffected at this time.
     ● Privacy Shield remains an operational privacy program in the U.S., and participants are required to continue to protect data received under Privacy Shield consistent with its requirements.
     ● The EU and the U.S. have stated that they will work together on a replacement for Privacy Shield. This may take months to years.
     ● The EU has not yet stated whether a grace period will apply, but more information is expected by or before next week. (By way of reference, this took over a week when Safe Harbor was invalidated in 2015.)
     ● While other data transfer mechanisms remain valid under GDPR, determining which ones to use requires a case-by-case review and assessment of data flows from and/or outside the EEA.
  13. TrustArc Insights and Expectations: On a Replacement to Privacy Shield
     Transatlantic data flows are critically important to the EU and U.S. economies, so authorities on both sides of the Atlantic have already committed to development of a replacement arrangement.
     ● When the former “Safe Harbor” was invalidated by the Court in Schrems I close to 5 years ago, a similar commitment was made.
     ● The process to develop a replacement to Safe Harbor took approximately 9 months.
     ● Following the Safe Harbor invalidation, an enforcement grace period was announced by the EU regulators, initially for 3.5 months, but extended while the EU-US Privacy Shield was negotiated, to enable companies to establish an alternative legal basis for transferring data to the U.S. and to allow a negotiated alternative to be found. During this grace period, no coordinated enforcement action would take place, even though individual complaints on EU-U.S. data transfers could be handled.
  14. TrustArc Insights and Expectations: On the Effects of the Decision for Participants
     The Court did not raise any concerns about the commercial privacy standards of Privacy Shield.
     ● The core issue with respect to data transfers under both Privacy Shield and SCCs is disproportionate government access to private sector data related to electronic communications surveillance for national security purposes.
     ● U.S. organizations that:
       ○ are not subject to access to their data by the U.S. intelligence authorities,
       ○ continue to comply with the Privacy Shield Principles, and
       ○ continue to provide an independent recourse mechanism for individuals,
       are likely to be in a better position to demonstrate that they meet the Court’s expectations that the level of protection for individuals guaranteed by GDPR is not undermined when the data are transferred.
  15. TrustArc Insights and Expectations: The European Response
     ● EDPB and most DPAs: analysing the verdict; further guidance to follow
     ● European Commission: working with the U.S. on finding a solution; updating the SCCs to align with GDPR and take into account Schrems-II verdict
     ● EDPS: review of international transfers by EU Institutions, Agencies and Bodies started
     ● Hamburg: Hard times are dawning for international data traffic.
     ● Berlin: Data needs to come home if it can’t be protected
     ● Switzerland: No consequences on Swiss-U.S. Privacy Shield yet
     ● UK: Continue to use Privacy Shield until further notice; don’t start using it if you haven’t done so before
  17. Can I transfer personal data from the EU to the U.S. under SCCs?
     © 2020 TrustArc Inc. Proprietary and Confidential Information.
  18. Can I transfer personal data from the EU to other countries under SCCs?
  19. What assessment criteria should I consider for whether the data importer can meet its obligations under the SCCs?
  22. How TrustArc Helps
     ● Data Transfer Risk Solution: The new Data Transfer Risk algorithm automatically detects data flows with data transfer risk
     ● International Data Transfer Assessment: Advanced logic in our assessments addresses data transfer requirements in 92 countries
     ● Privacy Assurance in Privacy Profile: Centralized location to review, action and report on the status of your Data Transfer Risk
     ● DTR & Assurance Operational Templates: Get started faster with templates for simplified implementation of new data transfer mechanisms
  23. More Resources
     https://trustarc.com/trustarcs-privacy-shield-schrems-resource/
  See http://www.trustarc.com/insightseries for the 2020 Privacy Insight Series and past webinar recordings. If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.

