Damon Greer Safe Harbor Program October 15, 2007

Presentation transcript:

The U.S.-E.U. Safe Harbor Framework: Cross Border Data Flows, Data Protection, and Privacy

Good afternoon! I'm pleased to be here today at the Conference to talk about the Safe Harbor Program. First, I thought it would be useful to spend a little time providing some context on the evolution of the legal framework for privacy in the European Union. We study privacy, data protection, and collection from the 20th-21st century perspective, but these issues have been around for a long time. For example, Livy wrote in his History of Rome from its Foundation that the five-year census dating back to 518 B.C. included similar data elements, and EPIC's Privacy and Human Rights survey, released last week at the National Press Club, notes that privacy is mentioned in the Bible, the Torah, and the Koran. So, in one form or another, data protection and privacy have been around for millennia. So what was the impetus for creating an overarching framework in the EU? In the 1930s and 1940s, personal data was used to identify classes of individuals by ethnicity, religious belief, medical status, and political views. After the devastating consequences of WWII, it became apparent in Europe that there must be some way to protect individuals' right to privacy. Three important steps followed: Article 8 of the European Convention on Human Rights; the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108); and Article 8 of the EU Charter of Fundamental Rights. Then, in 1980, the Organisation for Economic Co-operation and Development (OECD) released its Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. In 1995, Directive 95/46/EC of the European Parliament and of the Council was approved; it went into effect in 1998. Member states had three years to implement the law by enacting national implementing laws that incorporated the directive, which is the foundation of what we have today.

Different Approaches to Data Privacy: Why It Matters

The European Union's Data Protection Directive creates a barrier for those countries, including the U.S., that do not meet the EU's "adequacy" requirements for data protection. The U.S. Department of Commerce and the European Commission negotiated the Safe Harbor to provide U.S. companies with a simple, streamlined means of complying with the adequacy requirement. Trans-Atlantic trade in 2006 reached $630 billion.

The European system of privacy protection is based on overarching legislation. The Directive prohibits the transfer of personal data to non-EU countries that do not provide "adequate" privacy protection. The Directive covers all industry sectors and virtually all personally identifiable information: any commercial transaction (B2B or B2C), with broad jurisdiction. The U.S.-EU Safe Harbor was negotiated over a two-year period, and in July 2000 the U.S. received an adequacy finding from the European Commission. The Safe Harbor became effective in November 2000. The adequacy finding is limited to those organizations that certify to Safe Harbor. What's at stake: more than $630 billion in trade could be affected by restrictions on data transfers without Safe Harbor, not to mention the cost efficiencies reaped by consolidating data center operations in one efficiently secured location. (Note: the only adequacy findings to date are Safe Harbor, Canada, Switzerland, Argentina, Guernsey, and the Isle of Man.)

Adequacy via the Safe Harbor

Safe Harbor registration is a voluntary representation to European business partners and European citizens that U.S. companies will comply with the Safe Harbor framework. It is administered by the DOC and enforced in the United States by the FTC and DOT. Currently nearly 1,300 U.S. organizations participate, including multinationals and SMEs.

The FTC Act permits the EU and U.S. to maintain their positions regarding personal information protection: U.S. companies make voluntary commitments, yet the EU is satisfied because the FTC Act makes those commitments legally binding. Safe Harbor benefits for U.S. firms include: predictability and continuity, since all 27 EU member states plus the European Economic Area countries (Liechtenstein, Norway, Iceland) are bound by the adequacy finding; companies participating in the Safe Harbor will be deemed adequate and data flows to those companies will continue; elimination of the need for prior approval to begin data transfers; a flexible privacy regime congenial to the U.S. approach; a positive public/privacy image; and, subject to limited exceptions, claims brought by European citizens against U.S. companies will be heard in the U.S.

7 Safe Harbor Principles (SHFIPPs)

Notice, Choice, Security, Onward Transfer, Data Integrity, Access, Enforcement.

The Safe Harbor framework includes the seven principles listed here. Notice: purpose; how to contact the organization; information transferred to any third parties. Choice: the option to opt out of third-party disclosures or of purposes other than those for which the data was originally collected; opt-in for sensitive information. Onward Transfer: to disclose information to a third party, organizations must apply the Notice and Choice principles, unless the third party is an agent and that agent either (1) complies with the Safe Harbor principles, (2) is subject to the Directive or another adequacy finding, or (3) enters into a written agreement with the organization. (Review APEC's consent and accountability principles.) Security: reasonable precautions must be taken, but Safe Harbor does not specify how. Data Integrity: has to do with the relevance of the data to the purpose of use. Access: individuals must have access except when the expense of providing access is disproportionate to the risk to the individual. Enforcement: basically, the organization must have (1) verification, (2) dispute resolution, and (3) remedies mechanisms in place before certifying to the Safe Harbor.

Where to Find Safe Harbor Information

The http://export.gov/safeharbor/ website includes: the Safe Harbor List; the Safe Harbor Workbook; a Compliance Checklist/Helpful Hints; Safe Harbor documents (including the principles, FAQs, correspondence, etc.); and historical documents (including public comments).

You should familiarize yourself with the information on our website. The Safe Harbor list is a public record of all those companies adhering to the Safe Harbor principles. You'll see a number of large multinationals, including Eli Lilly, J&J, Merck, Pfizer, and P&G, but interestingly about 55% are SMEs. The FAQs are an important resource that provide greater insight and clarification into things like sensitive data, human resources, and, for this audience, secondary liability and Pharmaceutical & Medical Products (FAQ 14). When this body of information doesn't answer a question, we consult with our legal counsel, the FTC, and the European Union on specific interpretations of the Directive.

Compliance & Enforcement

The U.S. culture of customer service is highly effective in addressing customer complaints and concerns, perhaps more so than comprehensive legislation. Independent recourse mechanisms are required to notify the DoC of a company's failure to comply with the Safe Harbor principles, and the FTC has authority to take action. Results: no referrals and no complaints filed with the EU DPAs. TRUSTe, BBB, DMA, and others report internal complaints resolved.

In general, enforcement will take place in the U.S., in accordance with U.S. law, and will rely to a great extent on private sector enforcement, which includes verification (your annual affirmation that your organization continues to comply with the Safe Harbor principles), dispute resolution (by a third party or the EU DPAs), and remedies. One reason why has to do with the corporate culture in the U.S., and the other is third-party enforcement. Martha Landesberg of TRUSTe, who is on our panel, will explain how third-party dispute resolution works under the Safe Harbor Framework. With regard to transferring HR data, everyone should understand: you are required to use the EU DPAs as your recourse mechanism, and to comply with member state law regarding the use of the information as well as any restrictions under national law on the transfer of such data (so you basically need to be aware of the national laws on use; the Safe Harbor is not enough).

Other Options for Meeting the EU Directive's Requirements

Joining Safe Harbor is not the only means of meeting the EU Directive's requirements. Other alternatives include: "unambiguous" consent; transfers necessary to perform a contract; codes of conduct; model contract clauses; and direct compliance/registration with EU authorities. See http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm.

Now, I'd like to mention some other options for meeting the EU Directive's requirements. You'll hear more about these options during tomorrow's sessions. These are the Article 26 derogations. Unambiguous consent: the Directive contains a derogation/exception that allows for the use of "unambiguous consent" from a data subject to effectuate a data transfer. Some question whether HR data allows for the freedom to provide or decline consent, which is one reason the EU DPA is the required dispute mechanism. Codes of conduct or BCRs: this is a tempting option, but it has yet to emerge as a powerful tool for compliance; there is no streamlined review process and, thus far, only the application form has been standardized for use in all 27 member states. You'll hear more about BCRs during tomorrow's sessions. Model contract clauses: again, an option to achieve adequacy, but they may be overly burdensome and there is no consistent interpretation among the member states. They are also enforced in the EU.

Since 2000, We've Built Credibility and Confidence in Safe Harbor in the E.U.

In November 2000, there were 6 Safe Harbor companies; today, we are approaching 1,300 organizations spanning industries from consumer goods to aviation, with an average of 35 new members per month. The EU views Safe Harbor as a "best practice" and gold standard for data protection.

By "we" I mean both government and the business community: without the due diligence and compliance discipline that Safe Harbor members exercise, Safe Harbor would not be held up by EU data protection authorities as a "gold standard" by which other frameworks are measured. It is recognized as a best practice in compliance and risk management. Further, both the Department and the Federal Trade Commission are serious in executing their respective roles in administering the program. I'd like to cite a testimonial from a Safe Harbor member to illustrate Safe Harbor's value from a business perspective: P&G was quoted as stating that "the SH works for us. SH supports a global business model and P&G has one global privacy policy." With 140,000 employees in 80 countries and sales to 160 countries, that's significant. Businesses are also afforded some degree of positive branding because inclusion in the Safe Harbor demonstrates publicly that they take their privacy policy seriously.

Moving Forward: The Challenge Continues

Expanded dialogue with the European Commission: Conference on International Transfers of Personal Data, Brussels, October 2006. More needs to be done by the EU to harmonize the Data Directive and educate data subjects; we raised this specific issue in Brussels in bilateral negotiations last fall. Increased emphasis by industry on harmonizing the approval process for Binding Corporate Rules.

Last October, the Department of Commerce co-sponsored the conference on international transfers of personal data in Brussels at the Commission's conference center. Although we were somewhat skeptical about how we would be received, the outcome was somewhat unexpected in that the Commission and the Article 29 Working Party on Data Protection publicly announced that Safe Harbor was a success story for international cooperation on protecting and securing personal information for commercial purposes. In Brussels, we dispelled the belief that Safe Harbor was a rubber stamp for certification, and in later E.U. data protection meetings we were cited as being "tough" on approving applications to Safe Harbor. We wanted to underscore our determination to fulfill our obligations under the agreement. Today, more than 70 nations have some form of data protection/privacy framework, and more plan to enact data protection or privacy legislation. China Daily recently reported that the country has completed a draft data protection law and may consider its implementation next year; Korea, at last report, has three versions of a law on data protection; and Mexico's efforts to pass a law, perhaps modeled on Spain's legislation, will present challenges and opportunities for all in the privacy sphere.

Safe Harbor Program Membership 2000 – Oct. 2007

Safe Harbor Program – Top 20 Industries

For Additional Information or Questions

Contact me at:
Damon C. Greer
U.S. Department of Commerce
HCHB 2003
1401 Constitution Avenue, N.W.
Washington, D.C. 20230
Telephone: (202) 482-5023; Fax: (202) 482-5522
Email: damon.greer@mail.doc.gov

Thank you and enjoy the conference!