
EU-U.S. Privacy Shield: Practical Considerations for Business

August 24, 2016

Follow us: @AlstonPrivacy www.AlstonPrivacy.com 2

Speakers

Peter Swire, Senior Counsel, Atlanta, Alston & Bird

Jan Dhont, Partner, Brussels, Alston & Bird

David Keating, Partner, Atlanta, Alston & Bird


Overview

Some Facts

Scope

What’s New?

DPA Views on the Privacy Shield

Certification Benefits and Risks

Alignment with other Transfer Mechanisms

Privacy Shield and the GDPR

Implementation: Customer Relationships, Vendor Management and Governance

Self-certification: Additional Considerations

Q&A


Some Facts and Observations

Facts

Commission Adequacy Decision of July 12, 2016

Privacy Shield entered into effect on August 1

Nine-month grace period to bring existing third-party contracts into line with the onward-transfer requirements for companies that self-certify within the first two months (until September 30)

63 companies signed up

DOC website: www.privacyshield.gov

Citizens’ guide to the EU-U.S. Privacy Shield: http://ec.europa.eu/justice/newsroom/data-protection/news/160801_en.htm

Observations

Privacy Shield as possible basis for business certainty

Role of the ECJ

Role of the Irish Schrems case

Schrems/FB round 2

If the holding on contracts (model clauses) is broad, effects on the Shield


Scope

Geographical scope: data exporters in the EEA (subject to approval by the EEA Joint Committee) and importers in the U.S.

Switzerland?

UK and Brexit?

Material scope: personal information within the scope of the Directive; key-coded data is considered not to be personal information

Intracompany / extra-company transfers

Personal scope: U.S.-based entities subject to FTC/DOT jurisdiction

Controllers and processors

Mere-conduit providers (ISPs) are not liable when merely transmitting, routing, switching or caching information (Supplemental Principle 3)


What’s New?

More granular notice requirements

Restrictions on onward transfers

Stricter purpose limitation and data retention

More information security

Enhanced right of access

New redress mechanisms

Restrictions when departing Shield


Notice

Safe Harbor:

- Purposes for collection and use of data
- Contact information
- Types of third parties to which data is disclosed
- Choices and means for individuals to limit use and disclosure

Privacy Shield (in addition to Safe Harbor):

- Participation in the Privacy Shield and the relevant web information (link to the Privacy Shield List)
- Personal data types
- Covered entities
- Commitment to subject all personal data received from the EU in reliance on the Privacy Shield to the Principles
- Relevant EU establishment (if any) to answer inquiries and complaints
- Types or identity of third parties and purposes of disclosures
- Individuals’ access right
- Relevant dispute resolution body and option for individuals to invoke binding arbitration
- Relevant U.S. investigatory body (FTC, DOT, or other)
- Disclosure obligations to public authorities
- Liability in cases of onward transfers to third parties

GDPR (in addition to Safe Harbor):

- Identity of data controller/representative
- DPO contact details (if applicable)
- Legal basis of processing
- Legitimate interests of processing
- Data transfers to third countries and references to the applicable safeguards
- Data retention policy/criteria
- Existence of individuals’ rectification/erasure/restriction of processing/objection/portability rights
- Right to withdraw consent
- Right to lodge complaints with a supervisory authority (SA)
- Whether provision of personal information is a contractual/statutory obligation
- Use of automated decision-making/profiling, explanation of the logic and consequences


Accountability for Onward Transfers

To a data controller: notice and choice

Contract with recipient to respect purpose limitation and “provide the same level of protection as the Principles”

To a data processor: ascertain that the processor provides the same level of data protection as under the Principles

Contract with processor setting forth specific requirements (purpose limitation, information security, notification if the standard cannot be respected, effective remediation measures, possibility to provide a copy/summary to the DOC)

Note that:

- Privacy Shield companies are liable for processors’ violations of the Principles
- Transfers within a controlled group of corporations/entities do not require a contract if the recipient provides adequate protection (Supplemental Principle 10 (b))
- Onward transfers to controllers for occasional employment-related operational needs do not require a contract (Supplemental Principle 9 (e)(i))


DPA views on Privacy Shield

Article 29 Working Party/CNIL concerned about:

- Lack of specific rules on automated decisions and a general right to object
- How the Principles apply to processors
- The independence and powers of the Ombudsman, and public-sector access

ICO remains neutral but recognizes the risk that Privacy Shield may be challenged in court

German DPAs are divided but some are critical (e.g., Hamburg v. Bavaria)

Austria, Slovenia and Croatia seem skeptical about Shield

DPAs are gradually starting to publish guidance (e.g., Italy)

DPAs should update registration forms


Certification Benefits and Risks

Benefits:

- Practicality: multitude of data exporters in the EU; transfers initiated by individual consumers (not under the GDPR)
- Similarity to Safe Harbor
- No data transfer permits needed for data exporters
- Relatively secure
- Quick launch time; benefit of quick registration

Risks:

- Legal uncertainty: potential challenge in court; annual review of the framework
- FTC/DOT jurisdiction: effective enforcement expected (often DPA-triggered)
- Growing consumer awareness
- New, higher standard requires careful gap assessment and cost analysis
- Expected focus on onward transfers


Alignment with other Transfer Mechanisms

Transfers to processor in U.S. require an additional data protection agreement

Combination with other transfer mechanisms: “Belt and suspender” approach ?

Flexibility for extragroup data imports

EU clients may insist on model clauses

BCRs v. Model clauses v. Privacy Shield

Fates of Model clauses and Privacy Shield are linked

BCRs arguably more resistant to invalidation (approved by DPAs/no Commission Decision)

DPAs likely to require “contract should follow data approach”

[Diagram: data flow from EU Data Exporter to U.S. Data Importer (Shield certified) to U.S. Data Processor; the open questions marked on the diagram are “C-P Model Contract?” and “Onward Transfer Agreement?”]


Privacy Shield and the GDPR

Adequacy under the GDPR (Article 45 (9) GDPR)

DPA notifications replaced by internal processing records/accountability

Generally no added value for U.S. companies selling to EU consumers => GDPR will apply directly

Privacy Shield contains elements of the GDPR but is lighter: Examples (notices/automated decision making/DPIAs/legal basis for processing/accountability)

Privacy Shield can nonetheless serve as “common denominator” for global privacy program with regional variations


Implementation: Customer Relationships, Vendor Management and Governance


Customer Relationships

The Privacy Shield as a market differentiator?

Streamlining of the customer contracting process


Customer Relationships

Standardize a Customer-Facing Data Processing Agreement

Allocation of Cost

Compliance with instructions

Exercise of data subject rights

Changes required by law

Clawback / destruction of personal data


Customer Relationships

Allocation of Risk

Violation of law

Security incidents

Customer assurances concerning rights in data and approvals

Liability for agents – unique issue


Customer Relationships

Onward Transfers

Structure back-end agreements

Audit and Oversight Rights

Customer assurance program

Supervisory Authority audits

The Independent Recourse Mechanism

Governmental Disclosures


Customer Relationships

Standardize Processes

Access, Rectification, Blocking and Deletion Requests

Incentive to automate

Document decisions on exclusions (trade secrets, etc.)

Consider periodic disclosures

Choice Settings

Customer Assurance Program / Audit Program

Data Return and Destruction

Transparency Reports


Vendor Management

“[O]rganizations must:

Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles.

Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.”

EU-U.S. Privacy Shield Principles, Sec. II.3.b.


Vendor Management

Vendor Due Diligence Process

Screening

Questionnaires

Third Party Assessments and Audits

Vendor passes the commercial and technical review; fails the privacy and security assessment


Vendor Management

Data Processing Agreements

Compliance with Instructions

Access, Rectification, Blocking and Deletion

Data Aggregation / Monetization Rights

Cooperation with Your Independent Recourse Mechanism

Vendor Audit Program


Governance Considerations for Privacy Shield Participants

Verification Mechanism

Enhanced Choice – Technical and Procedural Challenges

Data Subject Access Policy and Procedure

Retention Limits


Governance Considerations for Privacy Shield Participants

Human Resources Data

Employee Privacy Statement

Enhanced Substantive Requirements

Data Protection Authority Oversight


Self-Certification: Additional Considerations

Eligibility

Budget the Mandatory Costs

Initial and Annual Certifications Required

Internal Processes and Controls

Verification Mechanism

Implement the Independent Recourse Mechanism

Downstream Contracts


New York Webcast Participation

If you are requesting CLE credit in New York, please enter the following code on the Attorney Affirmation sheet. Refer to your webcast confirmation for a link to the sheet

[AB102278]


About Alston & Bird’s Privacy and Data Security Practice:

Follow us: @AlstonPrivacy

www.AlstonPrivacy.com

Cybersecurity Preparedness & Response Team

Alston & Bird’s Cybersecurity Preparedness & Response Team specializes in assisting clients in both preventing and responding to security incidents and data breaches, including all varieties of network intrusion and data loss events.

www.alstonsecurity.com

Privacy & Data Security Team

Our team helps clients at every step of the information life cycle, from developing and implementing corporate policies and procedures to representation on transactional matters, public policy and legislative issues, and litigation.

www.alston.com/privacy

Questions