Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy and Data Security in an Increasingly Globalized World

Published byRoland Pearson Modified over 6 years ago

Similar presentations

Presentation on theme: "Privacy and Data Security in an Increasingly Globalized World"— Presentation transcript:

1 Privacy and Data Security in an Increasingly Globalized World
Q2 Phoenix ISSA Chapter Meeting April 11, 2017

2 Today’s Objectives We will discuss the following during this session:
US Privacy Laws and Regulatory Framework High level overview of the Fluctuating Global Legal Framework of Privacy Laws and Regulations History of EU US Safe Harbor The Privacy Shield Options for Cross-Border Transfers of Data The General Data Protection Regulations

3 Overview of the Fluctuating US Legal Framework
US Sectorial Privacy Laws and/or Standards Healthcare Industry - HIPAA Education - FERPA Financial Services – SEC; NYDFS Insurance – NAIC Energy – NERC CIP Requirements Nuclear - NRC FTC Enforcement Actions

4 Where we’ve been – Safe Harbor
1995 Data Protection Directive EU’s 1995 Data Protection Directive only allows transfer of personal data to third countries providing “adequate” level of protection – U.S. not deemed adequate. Safe Harbor developed by U.S. Department of Commerce in consultation with European Commission. Received an adequacy finding from the Commission in 2000

5 Safe Harbor – what was it?
Companies would self-certify compliance with Safe Harbor principles of Notice, Choice, Onward Transfer, Access, Security, Data Integrity, and Enforcement. Publish a privacy statement that company adheres to Safe Harbor. Enforced by FTC

6 Safe Harbor – what happened?
Snowden revelations of mass surveillance by U.S. government. Austrian law student Max Schrems, sued Facebook, claiming that the mass surveillance violated the EU Charter of fundamental human right to privacy. Court of Justice of the European Union invalidated Safe Harbor October 6, 2015. EU Data Protection Authorities (Article 29 Working Party) gave deadline of January 31 for U.S. and EU to come up with solution. Deadline also a grace period for compliance.

7 Between Safe Harbor and Privacy Shield
Data kept flowing under Standard Corporate Clauses (SCCs) and Binding Corporate Rules Data transferred under Model Clauses and Binding Corporate Rules subject to same U.S. government access issues For 21 days in February and March of 2017, Max Schrems, Round 2, claims that SCCs are not adequate to protect US citizens because Facebook still subject to government surveillance Facebook lawyers relied upon Privacy Shield

8 Between Safe Harbor and Privacy Shield
Commissioner argues that Facebook was relying on provisions of the Privacy Shield which aren’t generally binding Will Privacy Shield, SCCs and Binding Corporate Rules (“BCRs) continue to be valid? Chances are unclear

9 Privacy Shield Privacy Shield announced February 2, 2016; Text //Adequacy Decision released February 29, 2016. Annually self-certify compliance with Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. Publicly declare commitment to comply with Principles Privacy Shield Privacy Policy

10 Privacy Shield Addressing deficiencies cited by EU
U.S. Government Access Judicial Redress Act/Ombudsman Annual Joint Review Enforcement Department of Commerce will: Verify self-certification requirements Expand efforts to follow up with organizations that have been removed from the Privacy Shield list Search for and address false claims of participation Increase cooperation with DPAs

11 Privacy Shield Operational Impacts for Participants
Additional information required to be provided for Notice principle (Privacy Shield privacy policy) Tightened conditions for onward transfer to third parties(contractual requirements for third party controllers) 45 days to respond to individual complaints Additional avenues to address individual complaints (take complaint to home DPA which can refer to FTC; Privacy Shield Panel)

12 Privacy Shield – what’s changed
Organizations processing HR data must cooperate with and respond directly to DPAs regarding processing of such data Liability for third party agent violation of Principles Participants that drop out must continue to comply with respect to personal data collected under Privacy Shield

13 Alternatives to Safe Harbor and Privacy Shield
Standard Corporate Clauses PROs Cheaper and faster than binding corporate rules No annual recertification High level of certainty for compliance Easy to monitor when relatively few contractual relationships are implicated

14 Alternatives to Safe Harbor and Privacy Shield
Directly enforceable by data subjects Must be changed over time to account for new data and entities Title and Content Layout Click in text box to insert text Use “Increase/Decrease List Level” to format each level of sub-bullets No limitation of liability Strict subcontracting requirements May require filing or approval depending on EU member state

15 Alternatives to Safe Harbor and Privacy Shield
Standard Contract Clauses, cont’d CONs Non-negotiable

16 Alternatives to Safe Harbor and Privacy Shield
Binding Corporate Rules – Legally enforceable privacy rules for the transfer of personal information between entities in the same corporate group PROS Provides enterprise-wide approach for cross border data transfers Can be tailored to a company’s culture and processes Encourage implementation of privacy program within corporate group

17 Alternatives to Safe Harbor and Privacy Shield
CONS Takes time and money to implement Only valid for transfers between entities in the corporate group Revisions to BCRs would require approval by DPAs, making change difficult

18 Alternatives to Safe Harbor-Consent
Consent – agreement of data subject to transfer of their data. PROS Less burdensome than execution of multiple model clauses or implementation of BCRs CONS Interpreted restrictively Precise requirements to obtain voluntary, informed, unambiguous consent must be met (including affirmative action under new GDPR)

19 Alternatives to Safe Harbor-Consent
CON’s Continued Consent can be withdrawn at any time Need to keep good records of consent Data subjects may not consent Freely given consent difficult to establish in employment context May be effective solution for B2C websites requiring consent for specific transactions

20 GDPR: some headline points
“Privacy by design and default” Accountability - Record keeping requirements Privacy Impact assessments Data Mapping and Data Classification Data protection officers Breach notification Fines and penalties

21 Appointing a processor
Definitions of Controller and Processor won’t change Processor = anyone who processes personal data on behalf of the Controller Can your processor guarantee data security? Processors are now directly responsible for compliance Some companies will be acting as both depending on the circumstances

22 Territoriality and General Concepts
Widening the net – offering goods/services to Europeans The “one stop shop” and the controller’s “main establishment” Penalties and Enforcement Increased Fines 20 million EURO 4% of global turnover

23 GDPR – what will change (1)
Now Notification No longer needed What is “personal data” Some changes – needs client review to assess impact on them (particularly direct marketing) Consent to processing Expanded requirement requires greater clarity

24 GDPR – what will change (1)
Now Subject information Broad requirements to tell data subject what is going on – one to watch out for, since it is currently ignored Data accuracy No change – keep it accurate

25 GDPR – what will change (2)
NOW 2018 Data security No change – keep it safe Standards evolve over time Data retention No change – keep it only for so long as possible. NB enhanced rights of data subject to enforce this, and also “right to be forgotten” Export outside No substantial change EEA

26 GDPR – what will change (2)
Use of third party More of the same. “processors” This will need contracts to (e.g payroll) be updated Subject Access Requests Clients need to become familiar with the new text – potentially broader requirements and shorter time to respond Data portability right New

27 GDPR – what will change (2)
Now Intra-group transfers No substantial change

28 GDPRs and the US Perspective-Where do we go from here?
Breach notification – 72 Hours (New) Contracts with transfers of personal data to the United States GDPR implementation

29 Attendee Questions & Insights

Download ppt "Privacy and Data Security in an Increasingly Globalized World"

Similar presentations

EU Privacy Directive. What is a directive? A piece of European legislation, passed by bureaucrats, addressed to member states Member states must ensure.

EU Privacy Directive. What is a directive? A piece of European legislation, passed by bureaucrats, addressed to member states Member states must ensure.
The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.

The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.
Sarah Branam Mehmet MunurDino Tsibouris

Sarah Branam Mehmet MunurDino Tsibouris
Per Anders Eriksson

Per Anders Eriksson
The U.S.-E.U. Safe Harbor Framework The U.S.-E.U. Safe Harbor Framework New Developments in Data Flows, Standards, & Compliance Damon Greer U.S. Department.

The U.S.-E.U. Safe Harbor Framework The U.S.-E.U. Safe Harbor Framework New Developments in Data Flows, Standards, & Compliance Damon Greer U.S. Department.
Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.

Anomalous Aspects of Transfer of Personal Data from the E.U. to the U.S. Stephen R. Bell Willkie Farr & Gallagher ABA Section of International Law New.
THE CHOICES WE MAKE THAT MATTER – International Data Privacy/Protection JILL L. UREY, ASSISTANT GENERAL COUNSEL MID-ATLANTIC CIO FORUM NOVEMBER 20, 2014.

THE CHOICES WE MAKE THAT MATTER – International Data Privacy/Protection JILL L. UREY, ASSISTANT GENERAL COUNSEL MID-ATLANTIC CIO FORUM NOVEMBER 20, 2014.
Draft EU Privacy Regulation Corporate Privacy Forum January 26, 2012.

Draft EU Privacy Regulation Corporate Privacy Forum January 26, 2012.
Privacy Codes of Conduct as a self- regulatory approach to cope with restrictions on transborder data flow Dr. Anja Miedbrodt Exemplified with the help.

Privacy Codes of Conduct as a self- regulatory approach to cope with restrictions on transborder data flow Dr. Anja Miedbrodt Exemplified with the help.
1 SAFE HARBOR FRAMEWORK Barbara S. Wellbery Morrison & Foerster LLP 2000 Pennsylvania Avenue Washington, DC 20006 202/887-1549

1 SAFE HARBOR FRAMEWORK Barbara S. Wellbery Morrison & Foerster LLP 2000 Pennsylvania Avenue Washington, DC /
IBT - Electronic Commerce Privacy Concerns Victor H. Bouganim WCL, American University.

IBT - Electronic Commerce Privacy Concerns Victor H. Bouganim WCL, American University.
European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 European Privacy and Data Protection Policy.

European Data Protection Supervisor Pharmaceutical Regulatory & Compliance Congress, Brussels, 7 June 2007 European Privacy and Data Protection Policy.
1 Copyright © 1999-2008 International Security, Trust & Privacy Alliance -All Rights Reserved Making Privacy Operational International Security, Trust.

1 Copyright © International Security, Trust & Privacy Alliance -All Rights Reserved Making Privacy Operational International Security, Trust.
DR ANDREA MULLIGAN BARRISTER-AT-LAW LLB, LLM(HARV.), PH.D Safe Harbor and Schrems v DPC.

DR ANDREA MULLIGAN BARRISTER-AT-LAW LLB, LLM(HARV.), PH.D Safe Harbor and Schrems v DPC.
1 Agencia Española de Protección de Datos The Use of Contracts and BCRs to Transfer Personal Data The European Union – United States Safe Harbor framework:

1 Agencia Española de Protección de Datos The Use of Contracts and BCRs to Transfer Personal Data The European Union – United States Safe Harbor framework:
1 TAIEX JHA 52182 - Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014.

1 TAIEX JHA Workshop on data protection and cloud computing Data transfers to third countries and standard contractual clauses Skopje, 29 May 2014.
The EU General Data Protection Regulation Frank Rankin.

The EU General Data Protection Regulation Frank Rankin.
Data protection—training materials [Name and details of speaker]

Data protection—training materials [Name and details of speaker]
Key Points for a Privacy Programme for Multinationals Steve Coope.

Key Points for a Privacy Programme for Multinationals Steve Coope.
General Data Protection Regulation (EU 2016/679)

General Data Protection Regulation (EU 2016/679)

Similar presentations

Ads by Google