Cross Border Data Transfers and the Privacy Shield
3 likes574 views
The document discusses the history and implications of the EU-U.S. Data Privacy Framework, particularly focusing on the transition from the Safe Harbor agreement to the Privacy Shield. It outlines compliance requirements for U.S. entities processing EU citizens' data and highlights legal challenges, including the Schrems v. Data Protection Commission case, which raised concerns about U.S. surveillance practices undermining EU privacy rights. Finally, it provides guidance on preparing for compliance, including creating privacy policies and notices that meet specified principles.
Cross Border Data Transfers and the Privacy Shield
- 1. CROSS BORDER TRANSFERS AND THE PRIVACY SHIELD Tsutomu Johnson October 31, 2017 Salt Lake City parsonsbehle.com Cybersecurity Series from Parsons Behle & Latimer
- 2. 2 Safe Harbor History Privacy Shield Components Steps to Comply with the Privacy Shield Outline
- 3. 3 European Union Data Protection Directive (“Directive”) – Came into effect in 1995 and defined how organizations in Europe must protect personal data. – Organizations outside of Europe that processed European citizens’ personal data had to comply with the Directive’s privacy obligations. – If an organization did not comply with the Directive, that organization had to sign Standard Contractual Clauses to process information outside of Europe. – The EU also created a list of countries whose laws provided the same level of protection as the Directive; however, the US never made that list. Safe Harbor History
- 4. 4 Safe Harbor – The EU and the US created the Safe Harbor Framework which established privacy requirements for US entities who processed personal data from the EU. – If US entities certified their compliance with the Safe Harbor Framework and paid an annual fee, those entities could freely transfer information from the EU to the US. – Problematically, neither European nor US regulators checked to make sure US companies actually complied with Safe Harbor’s requirements. Safe Harbor History
- 5. 5 Schrems v. Data Protection Commission – The plaintiff, Max Schrems, sued the Data Protection Commission of Ireland because that Commission allowed Facebook Ireland to transfer his information to Facebook US. – Schrems argued Facebook US, despite Facebook US’ Safe Harbor certification, did not provide the same level of protection as the Directive. – Highlighting revelations from Edward Snowden, Schrems argued that U.S. foreign surveillance programs: 1) contravened the privacy principles in the directive; 2) contravened the fundamental right of privacy for European citizens; and 3) prevented US companies from providing an adequate level of privacy protection for EU citizens. Safe Harbor History
- 6. 6 Schrems v. Data Protection Commission – The case went all the way to the Court of Justice for the European Union (a court similar to the Supreme Court of the United States). – The CJEU agreed with Schrems and ruled that US foreign surveillance programs undermined the fundamental privacy rights of European citizens. Accordingly, it forbid all companies from transferring data from the EEA to the US. Safe Harbor History
- 7. 7 EU-U.S. Privacy Shield Framework – By the end of the first quarter in 2016, the EU and the US adopted the Privacy Shield Framework which allowed information to flow between the EU and the US once again. – Under the Privacy Shield, US entities had to comply with a new set of privacy principles, subject themselves to decisions from European Data Protection Authorities (“DPAs”), and allow the FTC and the Department of Commerce to sue certified US companies who failed to actually comply with the Privacy Shield. Safe Harbor History
- 8. 8 The European Commission has approved the EU-U.S. Privacy Shield Framework for transferring information from the EU to the US, but no one knows whether the CJEU will accept this framework. Schrems has said he will challenge the Privacy Shield in court citing the same concerns he had with Safe Harbor: US surveillance programs undermine EU citizens’ fundamental privacy rights. The Article 29 working party in Europe did not recommend adoption of the Privacy Shield Framework because of US surveillance programs. Mike Pompeo, the head of the CIA, has said he plans to expand the CIA’s bulk data collection programs to gather lifestyle and metadata information from people all over the globe. There is a good chance the CJEU invalidates the Privacy Shield Framework given the above. Caution
- 9. 9 Notice – Participants must notify an individual about how the entity processes the individuals information. Choice – Participants must, where applicable, give the individual choices about how the participant will process the individual’s information. Accountability for Onward Transfer – If the participant transfers personal data to third parties, the third party must comply with the Privacy Shield Principles. Security – Participants must take reasonable and appropriate measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Privacy Shield Principles
- 10. 10 Data Integrity and Purpose Limitation – Participants must limit the use of information so the use is relevant to the purpose of processing that information. Participants also must take reasonable steps ensuring personal data is reliable for its intended use. Access – Participants must provide an individual access to their personal information so the individual has the ability to correct, amend, or delete information that is inaccurate. Recourse, Enforcement, and Liability – Participants must include mechanisms for assuring compliance with the Principles, provide individuals recourse for non-compliance, and submit to consequences for failing to comply after certification. Privacy Shield Principles
- 11. 11 There are supplemental principles that modify or add obligations for participants. You will want to read those supplemental principles and determine which apply to your organization. An important supplemental principle relates to HR data from the EU. If your organization processes HR data from the EU, your organization cannot avail itself of the self-regulating parts of the Privacy Shield Framework. Instead, it must submit to DPAs, the Privacy Shield arbitration rules, and create an HR privacy policy. Privacy Shield Supplemental Principles
- 12. 12 Prepare a list of applications, websites, software, hardware, and third-party entities that collect any information that could be used to identify an individual. Once you have created that list, find out the reason why that information is collected. Determine where personal information from each application, website, software, hardware, and third party ultimately resides. Does it stay with the organization or does it go to a third party or affiliate. Determine whether that information crosses borders from the EU to the US. Determine who will be the point of contact for privacy questions. Create a list of European countries who send information to the US, find the contact for each DPA within those countries. Figure out how personal information is protected while it transfers from the EU to the US, and where it ultimately rests (even if the final resting point is with a third party). Determine whether your organization processes HR data from the EU. Compliance – Prep Work
- 13. 13 Gap Analysis: Compliance – Prep Work
- 14. 14 Create a Privacy Shield Policy addressing the gaps in the previous step. – Include an introduction explaining the policy’s goals, applicability, and legal/regulatory scope; – Include a list of definitions; – List the Privacy Shield Requirements; – Provide a Document Control Statement; and – Attach Schedules for additional policies or documents that flesh out your organization’s adherence to the Privacy Shield Framework. Compliance
- 15. 15 Create a Privacy Shield Policy: Sample TOC Compliance
- 16. 16 Create an Online Privacy Policy – This will serve as your organization’s privacy policy website and will state your organization’s intent to comply with the Privacy Shield Framework. – When you submit your Privacy Shield application, the Department of Commerce will review your organization’s Online Privacy Policy and Privacy Notice as the basis for certification. The Department of Commerce is looking for magic phrases in your Online Privacy Policy such as: • A statement that your organization complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce; • A statement that your organization will apply Privacy Shield principles when processing data from the EU; • Your organization’s accountability for information received from Europe; and • A “Contact Us” section with your Privacy Officer’s contact information. – Example: https://privacy.microsoft.com/en-us/microsoft-eu-us-privacy-shield Compliance
- 17. 17 Create a Privacy Notice website – That website should explain how each application, website, software, hardware, or third party processes personal information – Use the checklist of requirements from the Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse Principles and make sure your Privacy Notice meets every requirement. – If you need help, look at other companies’ Notice policies as a guide. For example, Adobe’s Notice policy is at: • http://www.adobe.com/privacy/eudatatransfers.html. Compliance
- 18. 18 Create internal policies that comply with the Principles and Supplemental Principles on: – Notice – Choice – Accountability for Onward Transfer – Security – Data Integrity and Purpose Limitation – Access – Recourse, Enforcement, and Liability Compliance
- 19. 19 Sample Self-Audit Checklist Compliance
- 20. 20 Extraneous Items – You may need to create consent forms to process information from the EU, if so, attach those consent forms to your EU-U.S. Privacy Shield Policy – Even if your organization is Privacy Shield compliant, your organization needs to sign Standard Contractual Clauses with organizations that send information from the EU to your organization in the US. – An organization can create an internal process for dealing with complaints, but if you process HR data from the EU, your organization will need to adhere to rulings from European DPAs. – Your organization can create an arbitration or mediation process and agreement for people who aren’t satisfied with your organization’s complaint resolution process, but it may be best to adopt the arbitration process from the Privacy Shield Framework. – If your organization processes HR data from Europe, you will need to create an HR Privacy Policy for employee information that comes from the EU to the US. Compliance
- 21. 21 Our next presentation is on November 7th. We will discuss the European General Data Protection Directive If you have any questions, please contact me at: Tsutomu Johnson Tjohnson@parsonsbehle.com 801.536.6903 Thank You