[Webinar Slides] Privacy Shield is Here – What You Need to Know

1
vPrivacy Insight Series - truste.com/insightseries
v
Privacy Shield is Here: What You
Need to Know
July 21, 2016

2
Today’s Speakers
Chris Babel,
CEO
TRUSTe
Caitlin Fennessy
Senior Policy Advisor
Data Flows and Privacy Team
International Trade Administration
U.S. Department of Commerce

3
• Welcome & Introductions
• Understanding the Differences between Safe Harbor & Privacy Shield
• How the Department of Commerce will Operate the Program
• Working with Third Party Verification & Dispute Resolution Providers
• Looking Forward
• Q&A
Today’s Agenda

4
v
Understanding the Differences between
Safe Harbor & Privacy Shield
Caitlin Fennessy, Senior Policy Advisor, Privacy & Data Flows Team,
U.S. Department of Commerce

5
Understanding the Privacy Shield Framework
What does the Privacy Shield contain?
Privacy Shield Principles
–Requirements to which U.S.-based organizations can make an enforceable
commitment to receive data in compliance with EU data protection laws
Letters Describing Oversight and Enforcement from:
–Secretary of Commerce and Under Secretary for International Trade
–Chairwoman of the Federal Trade Commission
–Secretary of Transportation
Government Access to Data
−Letter from the Secretary of State on the new Privacy Shield Ombudsperson
−Letter concerning safeguards and limitations from the Office of the Director of
National Intelligence
−Letter concerning safeguards and limitations from the Department of Justice
5

6
What should your company focus on to come into compliance?
What’s new compared to Safe Harbor
1. New Privacy Protections
Notice requirements
Accountability for onward transfer
Purpose limitation and data retention
Note: Companies should review the Framework in its entirety. These
slides are only meant to highlight certain aspects.
6

7
2. Enhanced Complaint Resolution
Response time to EU individuals
Free dispute resolution
Binding arbitration as last-resort option
7

8
3. Improved Cooperation and Transparency
Monitoring and dispute resolution requires cooperation with
ITA Privacy Shield Team
Ongoing requirements (if withdraw and maintain data)
Publication of FTC compliance reports (if subject to
enforcement action)
8

9
v
Department of Commerce
How the Department of Commerce will
Operate the Program

10
Joining the Privacy Shield Program
How will a company join Privacy Shield?
1. Confirm Your Organization’s Eligibility to Participate
2. Develop a Compliant Privacy Policy
3. Establish an Independent Recourse Mechanism (IRM)
4. Ensure a Verification Mechanism is in place
5. Identify your Privacy Shield Point of Contact
6. Self-certify Using the Privacy Shield Website
7. Reaffirm Self-certification Annually
8. Reply to Inquiries from EU citizens, IRM, Commerce, and/or DPAs
as Required
10

11
ITA Administration: What’s new that matters to you?
Maintenance of the Privacy Shield Website
Verification of Self-Certification Requirements
Monitoring of Compliance
Facilitating Resolution of Complaints Referred by EU DPAs
11

12
FTC Enforcement: What has changed (and what hasn’t)?
Prioritization of DPA Referrals
Enforcement Cooperation
Investigatory Assistance
Publication of FTC Compliance Reports
12

13
v
Chris Babel, CEO, TRUSTe
Third Party Verification &
Dispute Resolution Providers

14
•Companies must take steps to verify assertions made around Privacy
Shield compliance are true
•Third party compliance reviews can be used to satisfy this requirement
•Third party reviews must:
–Verify privacy policies are being complied with
–Consumers are informed of how they can file a compliant
• Companies must be able to demonstrate an external review has been
successfully completed annually
–This can be provided by the external compliance review provider
•Companies must retain records of their implementation of the Privacy
Shield Principles and privacy policies
–Records must be provided upon request in context of a Privacy Shield related
investigation
Privacy Practices Verification

15
•Companies must respond to initial complaint within 45-days
•Alternative mechanism must be in place to address Privacy Shield
related complaints
–Independent Dispute Resolution Provider (IDR) can be used for consumer data
–DPAs must be used for employee data
• Must be provided free of charge to individuals
• Companies must provide information regarding their IDR Provider in
their privacy notice
– Name of the designated provider and how to contact them
–Whether the provider is EU or U.S. based
–That it is available free of charge
•Binding arbitration is available after other mechanisms have been
exhausted
Dispute Resolution

16
• Make information available to consumers about Privacy Shield and the
IDR Provider’s role under Privacy Shield
–Needs to be accessible from IDR Provider’s website
–Link to the DOC’s Privacy Shield site
–Explanation of how to file a complaint, dispute resolution process and
timeframes, and potential remedies
•Report annually to the DOC regarding number, types, and outcomes of
complaints received, and length of time to resolve.
–Reporting in the aggregate
• IDR Providers must notify DOC of companies that fail to resolve
Privacy Shield related complaints.
New requirements for IDR Providers

17
Impacts on Business
• Companies face stronger obligations for data transfers
• Increased risk stemming from 3rd party processors, partners,
and vendors
• Privacy Shield language needs to be added to contracts,
and be provided to the DOC upon request
• Companies must respond to disputes faster through
additional channels
• Increased regulatory focus
• Companies must document, maintain records and deliver
reports on their compliance efforts

18
Levels of Third Party Assistance
18
Verification Assessment
Dispute
Resolution
Dispute Resolution mechanism (non
HR)
✔ ✔ ✔
Dispute Resolution Seal/Button (non
HR)
✔ ✔ ✔
Comprehensive Assessment –
Customer and / or HR Data
✔ ✔
Online Asset Review and Scanning ✔ ✔
Findings Report ✔ ✔
Searchable Audit Trail ✔ ✔
DOC Registration Assistance ✔ ✔
Ongoing Guidance ✔ ✔
Remediation Assistance ✔
Verification Seal ✔
Verification Letter of Attestation ✔
Verification Listing for DOC ✔

19
v
Department of Commerce
Looking Forward

20
Looking Forward
The GDPR
European Court of Justice
Cooperation with EU DPAs
20
How was the Framework designed to remain durable?

21
v
Chris Babel cbabel@truste.com
Contacts

22
v
Details of our 2016 Summer/Fall Webinar Series are now available. Register
now for our next webinar on August 18 “Brazil & Beyond: Privacy Trends in
Latin America”
See http://www.truste.com/insightseries for the 2016 Privacy Insight Series
and past webinar recordings.
Thank You!

[Webinar Slides] Privacy Shield is Here – What You Need to Know

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (10)

Similar to [Webinar Slides] Privacy Shield is Here – What You Need to Know

Similar to [Webinar Slides] Privacy Shield is Here – What You Need to Know (20)

More from TrustArc

More from TrustArc (20)

Recently uploaded

Recently uploaded (20)

[Webinar Slides] Privacy Shield is Here – What You Need to Know