By Kate Barecchia, Infor Associate General Counsel and Global Data Privacy Officer
In the modern economy, personal data is the currency that enables business to function. Personal data flies around the world at the speed of light with little physical restriction. Given how far and fast personal data can travel, it is important that people can trust the companies that are holding their personal data. Companies have an obligation to keep personal data private, safe, and secure. Frequently, we hear our customers voicing concerns about what might be happening to their personal data when they license our solutions.
We often say that respect for individuals’ privacy rights is a fundamental value at Infor. While the tone from the top is critically important, we also realize that words matter less than actions. Knowing that, Infor sought independent certification and verification that its privacy practices are meeting the highest global standards.
We are delighted to announce that TrustArc, a leader in data privacy compliance, has assessed Infor’s data privacy practices. After their in-depth review of Infor’s handling of personal data on behalf of its business partners and employees, TrustArc determined that Infor meets TrustArc certification and compliance verification program criteria in the following three areas:
- APEC Cross Border Privacy Rules System (CBPRs)
- GDPR Program Validation
- EU-US Privacy Shield and Swiss-US Privacy Shield Verification
APEC CBPR Certification
The Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules System (CBPRs) is the first framework to provide standards for the transfer of personal data between all 21 APEC member countries. Companies participating in the CBPR program do so by choice, after establishing that they provide meaningful protection for the privacy and security of personal data.
Not every company can achieve APEC CBPR Certification. Infor’s achievement of that milestone evidences our commitment to transferring personal data efficiently, securely, and safely, while respecting data privacy.
GDPR Program Validation
Although the EU General Data Protection Regulation (GDPR) was adopted in 2016, the European Commission and other EU regulators have not yet specified the criteria required to achieve GDPR certification under Articles 42 and 43. The purpose of that GDPR certification is to provide stakeholders with independent assurances that an organization is complying with the requirements of GDPR.
Until a formal certification process is established by the EU, companies must rely upon third-party assessments of their GDPR compliance. TrustArc’s GDPR Program Validation assessed 40 specific objective validation requirements, including whether Infor has established a governance strategy for our privacy program, whether we have appointed a privacy leader, how we vet our vendors, our security program, our ability to produce required records of processing, Infor’s preparedness for a data incident, as well as how we manage the rights of individuals.
After their review, TrustArc determined that Infor, as an organization, meets the TrustArc Program Validation requirements. This Validation is an important distinguisher between Infor and its competitors in the marketplace. Learn more about Infor’s GDPR Program Validation here: https://www.infor.com/about/gdpr-validation.
EU-US Privacy Shield and Swiss-US Privacy Shield Verification
The EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks require that companies comply with a set of privacy principles to transfer data from the EU and Switzerland. After a comprehensive review of Infor’s practices, TrustArc has authorized Infor’s use of the TRUSTe Verified Privacy Seal, which provides real-time verification of Infor’s commitment to data privacy.
Sometimes, it can be easy to take data privacy for granted. In today’s world, with nearly daily reports of personal data being taken and used for unanticipated purposes, we can see the heavy price that lack of appreciation can cause.
At Infor, data privacy is always front of mind. From the early days of our product design to our day-to-day operations, privacy is at the forefront of everything we do. Our customers trust us with their most important assets—their personal data—and Infor’s successful achievement of these three assessments proves how seriously we take our commitment to data privacy.
Read the original post here.
As previously described on the TrustArc Blog (“Privacy Shield Approaching Its 3 Year Anniversary”), the European Union (EU)-U.S. Privacy Shield Framework has received two successive annual approvals from the European Commission (EC) since its July 2016 adoption, and currently serves as an EU-to-U.S. personal data transfer mechanism for more than 4,700 U.S. organizations.
Separately, pre-approved standard contractual clauses (SCCs), the most recent version of which was issued in 2010, are also recognized by the EC as valid transfer mechanisms to non-European Economic Area “third countries.” On June 13th, the European Commissioner for Justice and Consumers confirmed in a speech that SCCs are in the process of being updated for the post-GDPR world: “We are already working to modernise standard contractual clauses. This will make it easier for companies to share data when they contract processing services, within the EU or abroad.”
This update to SCCs is occurring concurrently with a legal action challenging the validity of SCCs as a transfer mechanism to the United States, in a case brought against Facebook Ireland by Austrian privacy advocate Maximilian Schrems. The case, dubbed Schrems II—following the 2015 decision of the European Court of Justice (ECJ) that resulted in the invalidation of the EU-U.S. Safe Harbor Agreement on grounds that it did not provide EU citizens with protections “essentially equivalent” to that of the EU due to U.S. intelligence agencies’ surveillance practices, and thus that any EU-to-U.S. personal data transfers made on that basis were not legal—proceeds to oral arguments before the ECJ on July 9th. In this case, the Irish High Court has referred eleven questions to the ECJ relating to whether entering into SCCs, by itself, provides an adequate level of data protection for EU personal data transferred to the U.S. The Irish Supreme Court recently dismissed Facebook’s appeal of the Irish High Court’s decision to refer these items to the ECJ.
Meanwhile, the EU-U.S. Privacy Shield Framework is similarly undergoing a legal challenge on grounds that the United States does not adequately protect EU citizens’ personal data by virtue of U.S. intelligence agencies’ activities. The case, brought by three French non-governmental organizations, seeks to revoke Privacy Shield as a valid EU-to-U.S. personal data transfer mechanism as occurred with Safe Harbor in Schrems I. On July 1-2, the NGOs will argue before the General Court of the EU that Privacy Shield is not “essentially equivalent” to EU data protection law, even if it is more protective than Safe Harbor was. The losing party in this matter could then appeal to the ECJ for a final determination.
Decisions in both matters are expected within a year or less. It is unclear what effect, if any, the entry into force of new European Commission-approved SCCs would have on the ripeness of the case if introduced prior to the ECJ’s Schrems II ruling. Moreover, in the event the ECJ were to eventually invalidate both SCCs and Privacy Shield—the latter of which was specifically drafted by EU and U.S. officials to withstand judicial scrutiny—it is uncertain what course of action most organizations—small and medium-sized enterprises in particular—would undertake to effectuate their data transfers. With binding corporate rules (BCRs) and reliance on derogations such as explicit consent for cross-border data transfers being expensive, time-consuming or disfavored options for many businesses, it remains to be seen what effect on digital commerce such legal actions would have in practice (including with respect to data transfers to the U.K., in the event of an eventual “Brexit”). TrustArc will continue to follow developments closely and will provide regular updates.
This update was provided by the TrustArc Privacy Intelligence News and Insights Service, part of the TrustArc Platform.
The U.S. Department of Commerce recently issued a communication highlighting the growing industry interest in participating in both EU-U.S. and Swiss-U.S. Privacy Shield certification programs. There are currently over 3,300 organizations in the program and over 1,000 more that have submitted their first-time certification applications in recent months – which will likely bring the number of participants to over 4,000.
Dave Deasy, SVP Marketing at TrustArc, commented “we are continuing to see high interest in Privacy Shield from companies of all sizes to ensure they can demonstrate a high commitment to privacy for international data transfers. This is consistent with the high demand we continue to see for companies looking for help to address the GDPR regulation. The good news is not only does Privacy Shield provide an approved mechanism to legally transfer data from the EU to the U.S., but it also addresses a number of GDPR requirements streamlining the work needed to reach and maintain GDPR compliance.”
This message was highlighted in a recent communication issued by the International Trade Administration's Privacy Shield Team shown below:
TrustArc offers solutions to help companies verify their privacy program and practices meet Privacy Shield requirements. In addition to providing third party verification, TrustArc offers an independent dispute resolution mechanism helping companies meet Privacy Shield requirements for handling questions and concerns regarding a company’s compliance with Privacy Shield. For more information on TrustArc’s breadth and years of experience in providing Privacy Shield verifications and independent privacy dispute resolution, visit TrustArc Privacy Shield.
The EU-U.S. Privacy Shield international data transfer framework had its first annual review; highlights are included below.
Andrus Ansip, Commission Vice-President for the Digital Single Market, said:
“The Commission stands strongly behind the Privacy Shield arrangement with the U.S. Making international data transfers sound, safe and secure benefits certified companies and European consumers and businesses, including EU SMEs. This first annual review demonstrates our commitment to create a strong certification scheme with dynamic oversight work.”
Overall, the report shows that the European Commission (EC) feels that the Privacy Shield continues to ensure an adequate level of protection for the personal data transferred from the EU to participating companies in the U.S. Over 2,400 companies have now been certified by the U.S. Department of Commerce.
In addition to reaffirming their support of Privacy Shield, the EC made several recommendations to further improve the functioning of the Privacy Shield, which include:
- more proactive and regular monitoring of companies’ compliance with their Privacy Shield obligations by the U.S. Department of Commerce, including regular searches by the U.S. Department of Commerce for companies making false claims about their participation in the Privacy Shield;
- increased awareness-raising for EU individuals about how to exercise their rights under the Privacy Shield, notably on how to lodge complaints;
- closer cooperation between privacy enforcers, i.e., the U.S. Department of Commerce, the Federal Trade Commission, and the EU Data Protection Authorities (DPAs);
- enshrining the protection for non-Americans offered by Presidential Policy Directive 28 (PPD-28), as part of the ongoing debate in the U.S. on the reauthorisation and reform of Section 702 of the Foreign Intelligence Surveillance Act (FISA); and
- the appointment of a permanent Privacy Shield Ombudsperson, as well as filling empty posts on the Privacy and Civil Liberties Oversight Board (PCLOB).
Read the press release here.
Our Solutions for EU-U.S. Privacy Shield
We offer three separate packages to support companies in preparing for compliance with the EU-U.S. Privacy Shield Principles ahead of self-certification with the U.S. Department of Commerce. We offer Assessment and Verification Packages to help companies assess their policies and practices against the Privacy Shield Principles. These two packages include assessing practices related to non-HR data, HR/employee data or both.
In addition, we provide a Dispute Resolution Package, which helps companies meet the requirements under Privacy Shield for having an independent dispute resolution mechanism in place to efficiently manage privacy inquiries from customers or relating to non-HR data.
The TRUSTe assessment and verification packages for Privacy Shield are delivered and managed by a team of privacy professionals using our proprietary assessment methodology that is powered by TrustArc Assessment Manager. TrustArc’s award-winning SaaS-based privacy technology platform provides interactive compliance reviews, centralized on-demand reporting and searchable audit trails.
EBSCO Industries, Inc. and its subsidiaries (EBSCO) have completed their certification for EU-US Privacy Shield, which is the international data transfer framework requiring that companies meet rigorous obligations to protect the personal data of Europeans. The framework is monitored and enforced by the US Department of Commerce (DOC) and the Federal Trade Commission (FTC). View EBSCO’s Privacy Shield certification here.
EBSCO’s certification demonstrates their commitment to consumer privacy and ensures that they transfer data in a safe way, in compliance with the Privacy Shield framework.
TRUSTe reviewed and verified that they comply with the EU-US Privacy Shield Framework; TRUSTe will also provide independent dispute resolution services to address privacy-related questions around customer data from users and ongoing access to privacy guidance.
“By working with TRUSTe, EBSCO is showing its commitment to protecting the privacy of its customers,” said Josh Torres, EBSCO’s Associate Counsel and Compliance Director. “This is one of many privacy and compliance initiatives at EBSCO, all being performed in an effort to ensure that our products and services directly and continually align with our core company values.”
Congratulations to EBSCO on its Privacy Shield Certification!