Follow us: @AlstonPrivacy www.AlstonPrivacy.com 2
Speakers
Peter Swire, Senior Counsel, Atlanta, Alston & Bird
Jan Dhont, Partner, Brussels, Alston & Bird
David Keating, Partner, Atlanta, Alston & Bird
Overview
Some Facts
Scope
What’s New?
DPA Views on the Privacy Shield
Certification Benefits and Risks
Alignment with other Transfer Mechanisms
Privacy Shield and the GDPR
Implementation: Customer Relationships, Vendor Management and Governance
Self-certification: Additional Considerations
Q&A
Some Facts and Observations

Facts:
- Commission Adequacy Decision of July 12, 2016
- Privacy Shield entered into effect on August 1, 2016
- Nine-month grace period to bring existing third-party contracts into line with the onward transfer requirements, available to companies that self-certify within the first two months (until September 30, 2016)
- 63 companies signed up (at the time of the webcast)
- DOC website: www.privacyshield.gov
- Citizens’ guide to the EU-U.S. Privacy Shield: http://ec.europa.eu/justice/newsroom/data-protection/news/160801_en.htm

Observations:
- Privacy Shield as a possible basis for business certainty
- Role of the ECJ
- Role of the Irish Schrems case: Schrems/Facebook round 2, now aimed at the model clauses
- If the court issues a broad holding on contracts, effects on the Shield
Scope
- Geographical scope: data exporters in the EEA (extension beyond the EU subject to approval by the EEA Joint Committee) and data importers in the U.S.
  - Switzerland?
  - UK and Brexit?
- Material scope: personal information within the scope of the Directive; key-coded research data is not considered personal information (Supplemental Principle 14(g), pharmaceutical and medical products)
  - Intra-company / extra-company transfers
- Personal scope: U.S.-based entities subject to FTC or DOT jurisdiction
  - Controllers and processors
  - Mere conduit providers (ISPs) are not liable when merely transmitting, routing, switching or caching information (Supplemental Principle 3, secondary liability)
What’s New?
More granular notice requirements
Restrictions on onward transfers
Stricter purpose limitation and data retention
More information security
Enhanced right of access
New redress mechanisms
Restrictions when departing Shield
Notice

Safe Harbor:
- Purposes for collection and use of data
- Contact information
- Types of third parties to which data is disclosed
- Choices and means for individuals to limit use and disclosure

Privacy Shield (in addition to Safe Harbor):
- Participation in the Privacy Shield and a link to the Privacy Shield List on the DOC website
- Types of personal data collected
- Covered entities (U.S. entities or subsidiaries adhering to the Principles)
- Commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield
- Relevant EU establishment (if any) to answer inquiries and complaints
- Types or identity of third parties and purposes of disclosures
- Individuals’ right of access
- Relevant independent dispute resolution body and the option for individuals to invoke binding arbitration
- Relevant U.S. investigatory body (FTC, DOT, or other)
- Obligation to disclose personal information in response to lawful requests by public authorities
- Liability in cases of onward transfers to third parties

GDPR (in addition to Safe Harbor):
- Identity of the data controller / representative
- DPO contact details (if applicable)
- Legal basis of processing
- Legitimate interests pursued (where that is the legal basis)
- Transfers to third countries and references to the applicable safeguards
- Data retention period or the criteria used to determine it
- Existence of individuals’ rights to rectification, erasure, restriction of processing, objection and portability
- Right to withdraw consent
- Right to lodge a complaint with a supervisory authority
- Whether provision of personal information is a contractual or statutory obligation
- Use of automated decision-making/profiling, with an explanation of the logic and consequences
Accountability for Onward Transfers

To a data controller:
- Notice and choice
- Contract with the recipient to respect purpose limitation and “provide the same level of protection as the Principles”

To a data processor (agent):
- Ascertain that the processor provides the same level of data protection as under the Principles
- Contract with the processor setting forth specific requirements (purpose limitation, information security, notification if the standard can no longer be met and effective remediation measures, possibility to provide a copy/summary to the DOC)

Note that:
- Privacy Shield companies remain liable for their processors’ violations of the Principles, unless the company proves it is not responsible for the event giving rise to the damage
- Transfers within a controlled group of corporations/entities do not require a contract if the recipient provides adequate protection (Supplemental Principle 10(b))
- Onward transfers to controllers for occasional employment-related operational needs do not require a contract (Supplemental Principle 9(e)(i))
DPA views on Privacy Shield
- Article 29 Working Party/CNIL concerned about:
  - Lack of specific rules on automated decisions and of a general right to object
  - How the Principles apply to processors
  - The independence and powers of the Ombudsperson, and public-sector access to data
- ICO remains neutral but recognizes the risk that the Privacy Shield may be challenged in court
- German DPAs are divided, but some are critical (e.g., Hamburg v. Bavaria)
- Austria, Slovenia and Croatia seem skeptical about the Shield
- DPAs are gradually starting to publish guidance (e.g., Italy)
- DPAs should update their registration forms to list the Privacy Shield as a transfer basis
Certification Benefits and Risks

Benefits:
- Practicality: a multitude of data exporters in the EU; transfers initiated by individual consumers (not under the GDPR)
- Similarity to Safe Harbor
- No data transfer permits needed by data exporters
- Relatively secure
- Quick launch time; benefit of quick registration

Risks:
- Legal uncertainty: potential challenge in court; annual review of the framework
- FTC/DOT jurisdiction: effective enforcement expected (often DPA-triggered)
- Growing consumer awareness
- New, higher standard requires careful gap assessment and cost analysis
- Expected enforcement focus on onward transfers
Alignment with other Transfer Mechanisms
- Transfers to a processor in the U.S. require an additional data protection agreement (the certification does not replace the processor contract required by EU law)
- Combination with other transfer mechanisms: a “belt and suspenders” approach?
- Flexibility for extra-group data imports
- EU clients may insist on model clauses
- BCRs v. model clauses v. Privacy Shield:
  - The fates of the model clauses and the Privacy Shield are linked (both rest on Commission decisions)
  - BCRs are arguably more resistant to invalidation (approved by DPAs, not by a Commission Decision)
  - DPAs are likely to require a “contract should follow the data” approach
[Diagram: data flow from the EU Data Exporter to the U.S. Data Importer (Shield certified) and on to a U.S. Data Processor; open questions marked on the diagram: Onward Transfer Agreement? Controller-to-Processor Model Contract?]
Privacy Shield and the GDPR
- Adequacy decisions adopted under the Directive remain in force under the GDPR (Article 45(9) GDPR)
- DPA notifications replaced by internal processing records/accountability
- Generally little added value for U.S. companies selling directly to EU consumers: the GDPR will apply to them directly (Article 3(2) GDPR)
- Privacy Shield contains elements of the GDPR but is lighter; examples: notices, automated decision-making, DPIAs, legal basis for processing, accountability
- Privacy Shield can nonetheless serve as a “common denominator” for a global privacy program with regional variations
Implementation: Customer Relationships, Vendor Management and Governance
Customer Relationships
The Privacy Shield as a market differentiator?
Streamlining of the customer contracting process
Customer Relationships
Standardize a Customer-Facing Data Processing Agreement
Allocation of Cost
Compliance with instructions
Exercise of data subject rights
Changes required by law
Clawback / destruction of personal data
Customer Relationships
Allocation of Risk
Violation of law
Security incidents
Customer assurances concerning rights in data and approvals
Liability for agents – unique issue
Customer Relationships
Onward Transfers
Structure back-end agreements
Audit and Oversight Rights
Customer assurance program
Supervisory Authority audits
The Independent Recourse Mechanism
Governmental Disclosures
Customer Relationships
Standardize Processes
Access, Rectification, Blocking and Deletion Requests
Incentive to automate
Document decisions on exclusions (trade secrets, etc.)
Consider periodic disclosures
Choice Settings
Customer Assurance Program / Audit Program
Data Return and Destruction
Transparency Reports
Vendor Management
“[O]rganizations must:
Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles.
Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.”
EU-U.S. Privacy Shield Principles, Sec. II.3.b.
Vendor Management
Vendor Due Diligence Process
Screening
Questionnaires
Third Party Assessments and Audits
Vendor passes the commercial and technical review; fails the privacy and security assessment
Vendor Management
Data Processing Agreements
Compliance with Instructions
Access, Rectification, Blocking and Deletion
Data Aggregation / Monetization Rights
Cooperation with Your Independent Recourse Mechanism
Vendor Audit Program
Governance Considerations for Privacy Shield Participants
Verification Mechanism
Enhanced Choice – Technical and Procedural Challenges
Data Subject Access Policy and Procedure
Retention Limits
Governance Considerations for Privacy Shield Participants
Human Resources Data
Employee Privacy Statement
Enhanced Substantive Requirements
Data Protection Authority Oversight
Self-Certification: Additional Considerations
Eligibility
Budget the Mandatory Costs
Initial and Annual Certifications Required
Internal Processes and Controls
Verification Mechanism
Implement the Independent Recourse Mechanism
Downstream Contracts
New York Webcast Participation
If you are requesting CLE credit in New York, please enter the following code on the Attorney Affirmation sheet. Refer to your webcast confirmation for a link to the sheet
[AB102278]
About Alston & Bird’s Privacy and Data Security Practice:
Follow us: @AlstonPrivacy
www.AlstonPrivacy.com
Cybersecurity Preparedness & Response Team
Alston & Bird’s Cybersecurity Preparedness & Response Team specializes in assisting clients in
both preventing and responding to security incidents and data breaches, including all
varieties of network intrusion and data loss events.
www.alstonsecurity.com
Privacy & Data Security Team
Our team helps clients at every step of the information life cycle, from developing and
implementing corporate policies and procedures to representation on transactional
matters, public policy and legislative issues, and litigation.
www.alston.com/privacy
Questions