#EATPconf EU/US Privacy: It’s Just Not that Simple September 29, 2016


Page 1:

#EATPconf

EU/US Privacy: It’s Just Not that Simple

September 29, 2016

Page 2:

■ Dr Hielke Hijmans is Special Advisor at the Offices of the European Data Protection Supervisor


■ Alan Thiemann is ATP’s Legislative Counsel


THIS SESSION IS INTENDED TO BE INTERACTIVE; ASK YOUR QUESTION WHENEVER YOU HAVE ONE


Page 3:

■ Background of the situation

Original Safe Harbor

October 2015 European Court of Justice decision invalidating the Safe Harbor

Lengthy negotiations between the US and the EU, and modifications in February 2016, especially more explicit obligations on companies as regards limits on retention and onward transfers

July 12, 2016 – the European Commission adopts its adequacy decision on the successor framework, called “Privacy Shield”

The US Department of Commerce began accepting self-certifications from US companies on August 1, 2016. DOC guidance is found at

https://www.privacyshield.gov/article?id=How-to-Join-Privacy-Shield-part-2


Page 4:

■ EU PERSPECTIVE

Privacy Shield is the answer to the Schrems case (which invalidated Safe Harbor).

Privacy Shield imposes clear and strong obligations on companies handling personal data and makes sure that these rules are followed and enforced in practice.

Privacy Shield already includes elements of the new EU General Data Protection Regulation, which officially goes into effect in the EU in May 2018.

However, the big question remains whether its safeguards are sufficient to be upheld by the European Court of Justice.

The future will tell; for now we will work on this basis.


Page 5:

■ EU PERSPECTIVE

General Data Protection Regulation – the main instrument of EU privacy law

The new GDPR (applicable from May 2018) is the main instrument to ensure that individuals are indeed effectively protected.

Fairness is the core of the system.

Accountability of data controllers: ensuring and demonstrating compliance.

NB: Privacy Shield contains principles similar to those of the GDPR.


Page 6:

■ EU PERSPECTIVE

Towards a single European space with global reach

The GDPR: one law for the European Union. Rationale of the internal market, one European legal space for companies.

Control with national authorities, but strong incentives for cooperation amongst these authorities (“one stop shop”).

Main link for applicability of EU law: the place where data are controlled by a company, not the place where data are processed.

Wide scope of the EU rules, also covering controllers not established in the EU.

The GDPR applies to non-EU companies offering services to persons in the EU (such as online testing) and to the monitoring of the behaviour of persons in the EU (such as by search engines).


Page 7:

■ EU PERSPECTIVE

Key point for the testing business

To the extent personal data of EU residents are processed, EU privacy rules apply.

Testing companies must fulfil all obligations of the GDPR (from 2018), including the new rules on Data Protection Impact Assessments and on data breaches. If testing is considered “risky processing”, a Data Protection Officer must be appointed.

When data are transferred to US, in addition, Privacy Shield applies.


Page 8:

■ US PERSPECTIVE

Under self-certification, a US company commits to provide "equivalent" protections to EU citizen data to what those data would receive if handled, processed, or stored in the EU.

US companies must also provide a free, independent recourse mechanism for complaints brought by EU individuals, with binding arbitration as a last resort. Separately, a Privacy Shield Ombudsperson, established within the US Department of State, handles complaints from EU individuals about access to their data by US national security authorities.

The new Privacy Shield will be subject to annual review, so there is the chance the initial requirements could change in the future.

Privacy Shield requires US companies to start now to mirror the new EU General Data Protection Regulation, which officially goes into effect in the EU in May 2018.

The Privacy Shield continues the enforcement of a US company’s privacy policy by the Federal Trade Commission.


Page 9:

■ US PERSPECTIVE (Cont.)

In addition to the DOC guidance (see above), a company looking to self-certify must carefully examine Annex II of the adequacy decision – it contains the 7 Principles and 16 Supplemental Principles. http://ec.europa.eu/justice/data-protection/files/annexes_eu-us_privacy_shield_en.pdf

The Privacy Principles apply immediately upon certification.

Recognizing that the Principles will impact commercial relationships with third parties, a company that certifies before September 30 shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which it certifies.

During that interim period, where a company transfers data to a third party, it shall (i) apply the Notice and Choice Principles, and (ii) where personal data are transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles. This requires a written contract stating that the data may only be processed for limited and specified purposes consistent with the consent given, and that the recipient will provide the same level of protection as the Principles.


Page 10:

■ US PERSPECTIVE (Cont.)

Steps for Self-Certification

1. Confirm that your company is eligible to participate in the Privacy Shield by verifying that it is subject to the jurisdiction of the Federal Trade Commission (FTC)

2. Develop a privacy policy that complies with the Privacy Shield before submitting your certification to the Department of Commerce

3. Identify how your company will provide the required independent recourse mechanism that is available to investigate unresolved complaints at no cost to the EU citizen. (See Supplemental Principle 11 (Dispute Resolution and Enforcement) for more information regarding dispute resolution under Privacy Shield)


Page 11:

■ US PERSPECTIVE (Cont.)

4. Ensure that your company has the required verification mechanism in place (Supplemental Principle 7). To meet this requirement, your company may use either a self-assessment or an outside/third-party assessment program

5. Designate a contact within your company who will handle questions, complaints, access requests, and any other issues arising under the Privacy Shield. This contact can be either the corporate officer that is certifying your compliance with the Framework, or another official, such as a Chief Privacy Officer. Under the Privacy Shield, you must respond to any EU citizen complaint within 45 days after receipt

6. The cost to self-certify ranges from $250 to $3,250, depending on your annual revenue


Page 12:

■ US PERSPECTIVE (Cont.)

Key Issues

• Self-certifying is voluntary. But once you commit to comply with the Privacy Shield principles, the commitment is enforceable under U.S. law through the FTC

• You must self-certify annually

• The preceding slides provide a summary of what you need to do. However, your compliance and legal staff should review carefully the complete set of Privacy Shield Principles and Supplemental Principles


Page 13:

■ EU and US PERSPECTIVES

WHAT’S NEXT?


Page 14:

REMAINING QUESTIONS?

THANK YOU FOR ATTENDING

