1. Privacy Shield – What You Need To Know About Storing EU Data | 1
Privacy Shield
What You Need to Know About Storing EU Data
Overview & Agenda
• Overview on global data protection
• The Past: EU-U.S. Safe Harbour
• The Present: EU-U.S. Privacy Shield
• How the Privacy Shield Differs from the Safe Harbour
• Deep Dive: The Framework
• Options to Prove You’re Compliant
• What is the Future?
• Q/A
Overview on Global Data Protection
Overview
Regulate the collection, use, storage, disclosure, and other processing of “personally identifiable information” or “PII”
• Name and other “identifiers,” and any other data that can be linked with the identified or identifiable person or device.
• Employees, consumers, contractors, corporate customer contacts, supplier contacts, website visitors, business partner contacts, end users, and other individuals.
Overview
Two approaches to regulation globally:
• United States: Sector-specific (HIPAA/HITECH, GLBA/FCRA, and the like) and data-specific (SSNs, bank account, credit/debit card numbers, username/password to online account)
• European Union: Omnibus privacy laws applicable to all personal data, regardless of sector, category of individual, or type of personal data; local hurdles on collection and processing + additional restrictions on cross-border transfers
• EU tends to lead the rest of the non-US world
Some Examples
• Business manifestations
– Cloud and sourcing
– Global HR databases
– Customer relationship management (CRM) applications
– Websites and mobile apps
– Mergers and acquisitions
Some Examples
• Compliance manifestations
– Whistleblower hotlines
– Email and internet monitoring
– Internal investigations
– E-discovery and legal demands
– Data security and breach notice
1995 EC Data Protection Directive (95/46/EC)
• Omnibus regulation for industry sectors
• Implemented by Member States into national data protection laws
• Local compliance issues
• Cross-border data transfer restrictions
The Past: EU Safe Harbour
Background on Schrems
Who is Max Schrems?
He is an Austrian privacy activist who campaigns against Facebook for privacy violations, including its violations of European privacy laws and alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA's PRISM programme. He has founded a group called Europe v Facebook and as of February 2015 has initiated two lawsuits involving Facebook.
Background on Schrems
How did the invalidation process get started?
• On 20 November 2014, Schrems said at a conference convened in Brussels by the International Association of Privacy Professionals that his group would be on a head-on collision course with Safe Harbour, an E.U.-U.S. agreement that allows over 3,000 U.S. companies, including Google, Facebook, and Apple, to repatriate European personal data. Schrems argues that in practice it does not give the consumer any protection.
Background on Schrems
How did the invalidation process get started?
• In Schrems, the European Court of Justice (Court) invalidated the US-EU Safe Harbor Privacy Arrangement (“Safe Harbor”) on October 6, 2015
• Safe Harbor had served as the EC adequacy finding for the United States for fifteen years
• The Court specified that Safe Harbor was not adequate because of the apparent absence of sufficient protections within Safe Harbor against US government surveillance and corresponding redress for EU citizens (not “essentially equivalent”)
Current Developments
• Initial Article 29 Working Party Opinion on Schrems (Oct 16, 2015):
– Transfers relying solely on Safe Harbor unlawful
– Model contracts and binding corporate rules can be used at present, although under examination for concerns about government surveillance
– Collective action to be considered if no resolution on “Safe Harbor 2.0” by the end of January 2016
• Various individual data protection authority opinions (e.g., German data protection authorities, UK Information Commissioner, and the like).
• EU-US Privacy Shield (Safe Harbor 2.0) announced as agreed upon between the European Commission and the US Department of Commerce and other authorities on February 2, 2016 (ahead of WP meeting)
• Other developments (to be discussed after Privacy Shield overview)
The Present: EU-U.S. Privacy Shield
"The EU-U.S. Privacy Shield is
a tremendous victory for privacy,
individuals, and businesses on both
sides of the Atlantic."
- U.S. Secretary of Commerce Penny Pritzker
EU-U.S. Privacy Shield
Why Was It Designed?
https://www.e-education.psu.edu/cloudGIS/node/91
• The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
Why Was It Designed?
• The Privacy Shield Framework provides a set of robust and enforceable protections for the personal data of EU individuals. The Framework provides transparency regarding how participating companies use personal data, strong U.S. government oversight, and increased cooperation with EU data protection authorities (DPAs). The European Commission deemed the Privacy Shield Framework adequate to enable data transfers under EU law. Commerce will allow companies time to review the Framework and update their compliance programs and then, on August 1, will begin accepting certifications.
• On February 29, 2016, the European Commission issued its draft decision and the US documents for the EU-US Privacy Shield Arrangement.
Why Was It Designed?
• The US-issued Privacy Shield documents are:
– A commitment from the US Secretary of Commerce to devote all necessary resources to adhere fully to the requirements of the Privacy Shield
– Twenty-two Privacy Shield Principles, along with Arbitration Procedures
– Letters from the Federal Trade Commission and the Department of Transportation (commercial enforcement authority)
– Letters from the Office of the Director of National Intelligence (ODNI) (surveillance law and policy), the Department of State (surveillance redress), and the Department of Justice (criminal law enforcement law and policy)
Why Was It Designed?
• The European Commission is now (i) evaluating the non-binding views of the Article 29 Working Party of Data Protection Authorities, the European Parliament, the European Data Protection Supervisor, and (ii) consulting with the Article 31 Member State Representatives
• Finalized and went into effect June 2016.
Certification
• Self-certify
• Department of Commerce
• Voluntary
• Eligible - Committed
How the Privacy Shield Differs from the Safe Harbour
Enhancements from the Safe Harbour
• Expanded privacy notices
• Strengthened standards on data transfers
• Reinforced certification/recertification
• Clarified retention standards
• Commissioned recourse mechanisms
Deep Dive: The Framework
Key Definitions and Clarifications
• Personal and sensitive information
• Controllers vs. processors
• Publicly available data
• Exceptions
Notice
• Required points of presentation
• Must detail:
– Commitment to the Privacy Shield
– Aspects of the privacy life cycle and individual rights
– Recourse, enforcement and liability
• Exceptions
Choice
• Required points of presentation
• Opt-out vs. opt-in mechanisms
• Exceptions
Accountability for Onward Transfer
• Contracting with third parties acting as controllers and agents
• Limiting transfers to specified purposes
• Noncompliance remediation and processing cessation
• Exceptions
Security
Data Integrity and Purpose Limitation
• Collection and processing limitation
• Data veracity controls
• Retention standards
Access
• Fielding requests for access to and the correction and deletion of data
• Communications
• Facilitating requests
• Exceptions
Recourse, Enforcement and Liability
• Direct handling of individuals’ complaints
• Independent recourse mechanisms
• Cooperation with DPAs
• Arbitration
Government Surveillance
Options to Prove You’re Compliant
Certification and Periodic Assessment
• Initiation
• Self-assessment vs. outside reviews
What is the Future?
The Near Term and Long Term
• Pivoting on updates
• Challenges
• Iterations
• Verification
• Enterprise adoption