By Hilary Wandall, TrustArc General Counsel & Chief Data Governance Officer
I provided some highlights of the first day at the 39th ICDPPC conference in Hong Kong. Now I will share some additional insights.
It was a remarkable week in Hong Kong with current and former IAPP Board members and other privacy friends and colleagues, most of whom I’ve known for decades, but also a few I had the pleasure of meeting for the first time as we explored global issues and local culture together.
Over 750 delegates representing more than 65 data protection authorities, the United Nations, industry privacy leaders, think tanks, universities and civil society joined together to discuss the connections between western and eastern approaches to privacy and impact on policy and regulation across the globe. Conference host, Hong Kong Privacy Commissioner Stephen Wong, summarized the experience well with a thoughtful keynote and a special tutorial for current and former members of the IAPP board on the different approaches to writing “privacy” in Chinese at the closing data protection authority luncheon hosted by the IAPP on Friday afternoon.
The growing significance of regulatory interoperability to drive cooperation, simplicity – and by extension – prioritization, including a broad range of approaches from CBPRs and Privacy Shield to GDPR certification, BCRs and adequacy, dominated panel discussions from the main stage to side events such as the Centre for Information Policy Roundtable on CBPRs and GDPR. In addition to our own Josh Harris, TrustArc Director of International Regulatory Affairs, who spoke at multiple sessions on CBPRs, CBPR participating companies, such as Apple and Cisco, discussed the importance of CBPRs to global accountability at both the Roundtable and on the main stage.
GDPR preparedness also permeated discussions, including those at the IAPP KnowledgeNet on Wednesday, where we heard the perspectives of local and regional colleagues in Hong Kong and Asia Pacific, respectively, on coordinating with their privacy teams in Europe and the U.S. for effective implementation. It was a special honor to join IAPP Board Member and Promontory Managing Director, Simon McDougall, to discuss the operational impact of GDPR. Most expect that the impact of GDPR on both regulators and organizations will only have begun to be understood over the next year, and that May 25, 2018 will be only the beginning of GDPR compliance.
I am looking forward to the timely opportunity of next year’s 40th ICDPPC, which will take place in Brussels, to get a comprehensive read-out on global progress on both GDPR implementation and regulatory interoperability, and to explore how our work on comprehensive DPIAs will tie into next year’s theme of digital ethics.
Until then, learn more about GDPR compliance and how TrustArc can help your organization here: TrustArc GDPR Privacy Solutions.
By Hilary Wandall, TrustArc General Counsel & Chief Data Governance Officer
This week I am attending the International Conference of Data Protection and Privacy Commissioners from September 25 – 29 in Hong Kong. This conference has convened since 1979 and serves to provide leadership on privacy and data protection at the international level.
I will be sharing some of the highlights on the evolution of privacy and its importance for all organizations.
Privacy Shield Declared a Success!
The U.S. Department of Commerce, the Federal Trade Commission and the European Commission kicked off the conference with a session reporting out on last week’s Joint Annual Review of the Privacy Shield. They highlighted key presentations and discussions that contributed to demonstrating the effective functioning of the Privacy Shield, including the Independent Recourse Mechanism and Verification presentation we provided on behalf of TrustArc. While the European Commission’s official report is not expected until the second half of October, Bruno Gencarelli declared that “from the perspective of the European Commission, Privacy Shield is a success!”
Privacy Regulation Expanding
As we kick off the 39th Annual ICDPPC here in Hong Kong today, I am surrounded by many familiar faces as the East and West connect here on privacy. We’ve marveled at how much the privacy and data protection landscape continues to evolve, not only in terms of substantive challenges related to transparency and fairness in artificial intelligence and machine learning or data transfers among countries in the West and East, but also in the 110 regulatory authorities that now comprise the ICDPPC. In fact, since the 32nd ICDPPC in Jerusalem, where I moderated a session on the then-novel topic of personalized medicine, 26 new regulatory authorities have been accredited as members of the ICDPPC.
Next Generation Technologies Necessitate Comprehensive DPIAs
Our policy partners, the Information Accountability Foundation (IAF) and the Future of Privacy Forum (FPF), co-hosted a session on Sustainable Innovation with Effective Data Protection. Researchers identified some of the privacy challenges in artificial intelligence and machine learning, and policy leaders, including Singapore Deputy Data Protection Commissioner, Yeung Zee Kin, proposed solutions such as procedural safeguards, principles and the type of comprehensive DPIA that we have been partnering with IAF to develop.
Tomorrow I will share additional highlights from the conference.
Adding Swiss-US Privacy Shield self-certification.
As part of the TRUSTe Privacy Insight Webinar Series, Nasreen Djouini, Michelle Sylvester-Jose of the U.S. International Trade Administration, and Josh Harris of TRUSTe discussed the rollout of Swiss-US Privacy Shield.
Some examples of where the Swiss-US Privacy Shield framework and the EU-US Privacy Shield framework vary are:
- When covering HR data received from Switzerland, an organization must commit to cooperating with the Swiss Federal Data Protection and Information Commissioner (FDPIC) as the independent recourse mechanism. For non-HR data, however, an organization can elect to use the FDPIC or another Independent Dispute Resolution (IDR) provider.
- The Choice Principle has been modified. The definition of “Sensitive Data” has been expanded upon.
- For the EU-US Privacy Shield, there was a grace period; however, there is no grace period for the Swiss-US Privacy Shield.
- The binding arbitration option will be put in place at the first annual review of the Swiss-US Privacy Shield.
Although there are a few places where these frameworks vary, the Swiss-US Privacy Shield and EU-US Privacy Shield frameworks touch back to the same core principles. Companies should be able to use the work done to become compliant with one framework toward compliance with the other.
While we highlighted one of the webinar topics in this blog post, the webinar covered several additional topics:
- How the Swiss-U.S. Privacy Shield was developed
- What you should do to prepare to self-certify to Privacy Shield for the first time, or to add the Swiss-U.S. Privacy Shield to your EU-U.S. Privacy Shield certification
- How to navigate the self-certification process on privacyshield.gov
- How to re-certify on an annual basis
To view, listen to all topics covered, and share the webinar recording, please find a shareable link here.
By Emily S. Yu, Privacy Solutions Manager, TRUSTe
These requirements are addressed in the supplemental principles of Privacy Shield and can be found here on the Department of Commerce’s website.
Collection and Processing Before Onward Transfer
Pursuant to Privacy Shield Supplemental Principles III, Section 14.a, which discusses “Pharmaceutical and Medical Products”, EU Member State laws apply to the collection of personal data and to any processing that takes place for pharmaceutical research and other scientific or medical purposes prior to the data’s transfer to the United States. Anonymization of that data is also required where appropriate and if the Member State requires it. Companies will need to determine whether personal data needs to be transferred in an identifiable form or whether the data should instead be pseudonymized or anonymized prior to transfer. Appropriate situations for anonymization may include any circumstance that does not require personal information, such as using the information for historical or scientific research purposes. For more information on anonymization techniques, please see the Article 29 Working Party’s Opinion 05/2014 on Anonymisation Techniques.
Additional Notice Requirements
There are several disclosures that a company will need to provide to patients prior to the collection of their personal data for scientific research purposes.
Notice should be provided to a patient prior to personal data collection if a company will use that personal data in new and future research studies. This will give the company permission to use an individual’s personal data without additional permissions if the collection of the data is consistent with its original purposes.
In general, the notice must include information regarding any future specific uses of the data, such as periodic follow-up, related studies, or marketing.
The notice provided must also explain that personal data may be used for future research that may be unanticipated but is consistent with the original research study’s purposes.
If, however, there are new research purposes that are not consistent with why the patient’s personal data were originally collected, companies would need to obtain consent for those new purposes.
It is also recommended that companies disclose to the patient that the company may still use the data even if the patient decides, or is asked, to withdraw from a clinical trial. This disclosure should also take place prior to any personal information collection; it ensures that the company retains the right to process, for its research, any personal data collected prior to the patient’s withdrawal.
Access and Notice Requirements for “Blinded” Studies
The nature of blinded studies doesn’t always permit companies to provide individuals access to their personal data. Providing information about medication or other test factors to a patient may jeopardize the results of these studies.
In order to ensure that companies that participate in Privacy Shield can also meet access requirements under these conditions, notice must be provided to the patients that disclosure of this information may jeopardize the integrity of the research effort. At the conclusion of the trial and the analysis of the study’s results, participants should have the right to request access to their data. Usually, this access would be provided through their physician or treatment facility.
Transfers for Regulatory and Supervision Purposes
Pharmaceutical and medical device companies are allowed to provide personal data from clinical trials in the EU to regulators in the US. This transfer must specifically be for regulatory or supervision purposes. Similar transfers for the same purposes are also permitted to other parties, such as other company locations or other researchers, but they must be consistent with the Privacy Shield Principles, in particular Notice and Choice.
Under Certain Circumstances, Privacy Shield Principles Not Required for Product Safety and Efficacy Monitoring
Under some circumstances, a pharmaceutical company may be required to file adverse event or other safety reports. Pharmaceutical companies may hold information that identifies an individual (such as gender, medical condition, age, etc.), but under these circumstances they have no direct means of obtaining consent from that individual.
Fortunately, a pharmaceutical or medical device company does not have to comply with the Privacy Shield Principles if the data is used for product safety or efficacy monitoring activities and the Principles (Notice, Choice, Accountability for Onward Transfer and/or Access) would interfere with the company’s compliance with regulatory requirements. This exception covers reports from healthcare providers to pharmaceutical and medical device companies, as well as reports by pharmaceutical and medical device companies to government agencies, such as the US Food and Drug Administration.
Key-Coded Data is Not Personal Data
Key-coded data is not considered personal data if:
- The research data was uniquely key-coded by the principal investigator;
- The key-coded data does not reveal the identity of any individuals;
- The sponsor pharmaceutical company does not receive the key; and
- The unique key is held only by the researcher so that she can identify research subjects under special circumstances only.
If all of these elements are met, then the key-coded data is not subject to the Privacy Shield Principles.
TRUSTe offers a comprehensive Privacy Shield Assessment and Verification program. To schedule a consultation and learn how Privacy Shield can help your organization, contact us.
Soon, companies that self-certified with the Department of Commerce (DOC) last fall, before the September 30, 2016 deadline, will see their 9-month “grace period” come to a close. The grace period was given to these companies so that they could ensure that all of their third-party vendors met the Accountability for Onward Transfer principle. The grace period ends soon, meaning that the deadline is fast approaching.
The Privacy Shield Accountability for Onward Transfer principle, Section II, 3.b., states:
To transfer personal data to a third party acting as an agent, organizations must: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles; (iv) require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.
In sum, maintaining your Privacy Shield certification by adhering to the Accountability for Onward Transfer principle requires a lot of due diligence. When your company has a relationship with a third-party vendor that involves transferring personal information to that vendor, your company has to ensure that the vendor will process personal information in a manner consistent with your company’s obligations under the Principle. Your company’s contract with the vendor also has to state that the data your company transfers to it can only be used for limited and specified purposes. What’s more, vendors acting as agents have to cease, and take steps to remediate, unauthorized processing.
For most companies, this is a lot of work that is quite time-consuming; the initial grace period concession was given in light of the time it may take a company to comply with this principle. For example, a few of the hundred or so vendors that a typical mid-sized business uses are a marketing automation system, a customer relationship management system, an administrative services system, and a payroll system. Larger organizations may use thousands of vendors.
How will companies adhere to this principle? One option is to compile a large spreadsheet and call, email, or meet with internal business or process owners. Though this option is cost-effective in terms of dollars, it is not cost-effective in terms of time, productivity, and data integrity. Technology solutions that automate the process and provide an easily accessible digital repository may have up-front costs. However, the long-term savings in time, productivity, and data integrity will far outweigh those initial costs.
If you have any questions about the requirements of this Principle, contact us.