Upload
truste
View
7
Download
1
Tags:
Embed Size (px)
DESCRIPTION
With the recent CJEU ruling on the invalidity of Safe Harbor, companies should focus on Interoperable Privacy Frameworks to tackle cross border data transfers with a BCR (Binding Corporate Rules) platform.Watch the complete webinar on how APEC, CBPR & BCR should come together for global interoperability https://info.truste.com/On-Demand-Webinar-Reg-Page-V3.html?asset=XCPH8VUG-586
Citation preview
1 v Privacy Insight Series v
Solutions for Cross Border Data
Transfers: APEC CBPRs, BCRs
and Global Interoperability
December 9, 2015
2 v Privacy Insight Series
Today’s Speakers
Josh Harris
Director of Policy
TRUSTe
Hilary Wandall
AVP Compliance & Chief Privacy Officer
Merck & Co., Inc
Melinda Claybaugh
Counsel for International Consumer Protection,
Federal Trade Commission
3 v Privacy Insight Series
Agenda
• Welcome
• Global Interoperability and the Safe Harbor Ruling Josh Harris
• Interoperability in Practice: Utilizing CBPR Certification to
Demonstrate Requirements for BCR Approval Hilary Wandall
• Cross-Border Enforcement Co-operation Melinda Claybaugh
• Q&A
4 v Privacy Insight Series v
Josh Harris, Director of Policy, TRUSTe
Global Interoperability and the
Safe Harbor Ruling
5 v Privacy Insight Series
• US Secretary of Commerce: "A solution is within hand. We had an
agreement prior to the court case. I think with modest refinements that
are being negotiated we could have an agreement shortly.”
• EU Justice Commissioner Jourová: “… The Commission aims to
conclude negotiations in January 2016.”
• Current Negotiation Activities:
- EU Delegation to DoC in November
- December 17 Stocktake
Prospects for a Renewed Safe Harbor
6 v Privacy Insight Series
Economy-Level Updates:
• Japan
• China
• Mexico
• Singapore
• Hong Kong
• Australia
• Peru
Practical Interoperability:
• CBPR as basis for global privacy policy
• CBPR as basis for Safe Harbor?
• CBPR as basis for BCR…
APEC Update
7 v Privacy Insight Series
Creation of Joint EU-APEC Working Team:
– Recognized value of collaboration to provide industry greater clarity on how to
meet requirements of EU and APEC simultaneously
Development of “Referential”:
‒ Mapped requirements of APEC CBPR System and EU BCR System
‒ Identified common and divergent elements to help inform companies seeking
to develop policies and practices in compliance with both systems
‒ APEC Data Privacy Subgroup expression of interest to Article 29 Working
Party regarding tools recommended by joint working team in January 2015
Next Steps:
‒ Work together to develop practical tools to facilitate dual certification to
complement referential: Meetings held in most recently in Amsterdam,
discussions to continue at APEC 2016 in Peru.
Status of APEC-Art. 29 Interoperability Project
8 v Privacy Insight Series v
Interoperability in Practice: Utilizing CBPR
Certification to Demonstrate
Requirements for BCR Approval
Hilary Wandall
AVP Compliance & Chief Privacy Officer, Merck & Co., Inc.
9 v Privacy Insight Series
Benefits of Framework Approaches to Cross-Border Compliance
• competitive advantage – frameworks (e.g., CBPR, BCR, Safe Harbor)
provide a legal basis for efficiently transferring data across country
borders in compliance with the data transfer restrictions of the privacy
laws in these regions
• compliance advantage – they are based on demonstration of
organisational accountability and stewardship in how we operate rather
than complicated transactional documentation that is resource-intensive
to maintain
• reputational advantage among regulators, customers and the public
based on trust that the certified organisation responsibly protects data
across countries, regions, and ultimately globally
10 v Privacy Insight Series
Our Approach to Interoperable Privacy Frameworks
10
BCRs
http://www.msd.com/privacy/cross-border-privacy-policy/
11 v Privacy Insight Series
Framework Interoperability Gap Analysis
12 v Privacy Insight Series v
Cross-Border Enforcement Co-operation
Melinda Claybaugh, Counsel for International Consumer Protection,
Federal Trade Commission
Note: The views expressed are mine alone and not necessarily those of the Federal Trade
Commission or any individual Commissioner.
Melinda Claybaugh Counsel for International Consumer Protection,
Federal Trade Commission
14 v Privacy Insight Series
Overview of Cross-Border Enforcement Cooperation
• Authority: US SAFE WEB Act
• Mechanisms: GPEN, CPEA, MOUs
• Examples of successful cooperation
The Federal Trade Commission
16 v Privacy Insight Series
SAFE WEB Act Enhanced Enforcement Powers
• Information Sharing: FTC may share confidential
information with foreign law enforcers.
• Investigative Assistance: FTC may provide
investigative assistance to foreign law enforcers in
certain cases by, for example, issuing a Civil
Investigative Demand.
17 v Privacy Insight Series
FTC Use of SAFE WEB Tools
• Information Sharing: Provided evidence in
response to 63 information-sharing requests from 17
foreign law enforcement agencies in 9 countries (as of
mid-2012).
• Investigative Assistance: The FTC has issued 52
civil investigative demands in 21 investigations on
behalf of 9 agencies in 5 countries (as of 2012).
18 v Privacy Insight Series
Global Privacy Enforcement Network (GPEN)
• Network of public privacy enforcement authorities
• Range of Activities
• “GPEN Alert” secure information-sharing system
19 v Privacy Insight Series
APEC Cross-Border Privacy Enforcement Arrangement
• 26 members from 9 economies
• Practical mechanism allowing PEAs to cooperate in cross-
border privacy enforcement by sharing information and
providing assistance.
20 v Privacy Insight Series
Memoranda of Understanding
• MOUs with Dutch, Irish, and UK Data Protection Authorities
• Sets out the agencies’ intent regarding mutual assistance
and procedures for sharing information and providing
assistance.
21 v Privacy Insight Series
Examples of Successful Cooperation
• Many public examples in fraud cases
– In Canadian Competition Bureau case against a phone company, District Court of
MD ordered compliance with FTC civil investigative demand.
– Robocalls, spam
• GPEN Alert
• Under CPEA: Australia/Canada cooperation on data breach
investigation.
22 v Privacy Insight Series v
Questions?
23 v Privacy Insight Series v
Josh Harris [email protected]
Hilary Wandall [email protected]
Melinda Claybaugh [email protected]
Contacts
24 v Privacy Insight Series v
See http://www.truste.com/insightseries for details of our 2016 Privacy
Insight Series and past webinar recordings.
Thank You!