Ten Reasons to Implement the EU-U.S. Privacy Shield

Privacy and Data Protection in Latin America

Hilary Wandall, General Counsel & Chief Data Governance Officer at TRUSTe summarizes the top 10 reasons to implement the new EU-U.S. Privacy Shield even if you’ve implemented or have been working on implementing Model Contractual Clauses (MCCs).

At TRUSTe, we have nearly 20 years of experience working with thousands of companies to assess their privacy practices, and with many others to verify their compliance with regulatory frameworks like APEC CBPR system and the former U.S.-EU Safe Harbor. This work has taught us that there are a number of legal, compliance and business benefits to implementing comprehensive privacy programs to manage international data transfers versus a transactional approach to transfers using MCCs. Below is a list of the top 10 reasons for organizations to self-certify their adherence to the EU-U.S. Privacy Shield:

  1. Speed – Unlike transfers on the basis of MCCs, transfers on the basis of Privacy Shield do not require prior authorization from or notification to 65% of EU data protection authorities, which can delay a project that relies on MCCs for data transfers by weeks to months.
  2. Less paperwork – While organizations must stand ready to demonstrate compliance with both Privacy Shield and MCCs, transfers on the basis of Privacy Shield do not require updates to and new signatures on contractual clauses each time a business process or data flow changes.
  3. Better recourse options – Instead of limiting individuals to bringing legal claims for breach of the MCCs, Privacy Shield provides individuals with opportunities to raise concerns directly with the certified organization, with independent dispute resolution providers, like TRUSTe, as well as new options, such as the independent arbitration panel and ombudsperson.
  4. Executive Support – Like its predecessor, Privacy Shield drives corporate sponsorship of privacy programs by requiring a corporate officer of the certifying organization to:
    1. annually sign a statement verifying the company’s self-assessment of compliance, if compliance verification is done in house; and
    2. sign a self-certification submission annually, subject to criminal enforcement under the U.S. False Statements Act for compliance misrepresentations, including a persistent failure to comply.
  5. Sustainability – Since it requires annual compliance verification and self-certification, Privacy Shield drives ongoing organizational engagement to demonstrate compliance better than MCCs that may be sitting in organizational filing cabinets once signed.
  6. Risk of existing MCC invalidation – Since the ECJ’s Schrems decision of 2015, the EU adequacy decisions regarding certain MCCs have been called into question. At the end of May 2016, the Irish Office of the Data Protection Commissioner applied to the Irish High Court for a referral to the ECJ to determine the legal status of data transfers under the MCCs. Privacy Shield certification mitigates the risk of data transfers based on existing MCCs being invalidated overnight like the U.S.-EU Safe Harbor.
  7. APEC CBPR Readiness – the governance and privacy principles necessary to comply with Privacy Shield are similar to the requirements for APEC CBPR certification. Organizations that operate in APEC member economies can leverage their Privacy Shield compliance to demonstrate readiness for APEC CBPR certification.
  8. EU BCR Readiness – the principles necessary to comply with Privacy Shield are similar to the data protection safeguards necessary for organizations seeking EU BCR approval. Organizations interested in EU BCR approval can leverage their Privacy Shield compliance as a starting point for their binding corporate rules, which will also require establishment of additional accountability, program governance and enforceability mechanisms.
  9. EU GDPR Readiness – the principles necessary to comply with Privacy Shield are similar to many of the data protection safeguards necessary for GDPR compliance. Organizations that operate or do business in the EU can leverage their Privacy Shield compliance as a starting point for the additional obligations they will have under GDPR, such as additional accountability and program governance, broader individual rights, privacy by design and default, PIAs and breach notification.
  10. Adequacy Readiness – in our policy and regulatory affairs work around the globe, we often hear “adequacy” referred to as the gold standard for privacy and data protection compliance. Since Privacy Shield is the first of the next generation adequacy frameworks determined to provide adequacy post-Schrems, we believe it provides organizations with the best readiness assessment currently available for future data transfer adequacy requirements, such as transparency regarding government access, accountability for onward transfers and broad mechanisms for individual recourse.

For more information about TRUSTe’s Privacy Shield solutions see here or call 1-888-878-7830.

TRUSTe Announces Comprehensive Set of Privacy Shield Solutions


Following formal adoption today of the EU-U.S. Privacy Shield, TRUSTe has announced a full set of solutions for companies to address the assessment, verification and dispute resolution requirements in the new framework. TRUSTe will help companies to review compliance with the new Privacy Shield principles for transfers of customer and HR data out of the EU, prior to self-certification with the Department of Commerce. Companies choosing to use TRUSTe technology for handling customer disputes will be entitled to display a new “Powered by TRUSTe – Privacy Feedback Button”.

The EU-U.S. Privacy Shield is the new international data transfer framework published in February to replace Safe Harbor. The new framework requires that companies meet stronger obligations to protect the personal data of Europeans and introduces stronger monitoring and enforcement by the US Department of Commerce (DOC) and the Federal Trade Commission (FTC). TRUSTe will amend its certification standards to reflect the changes. The Department of Commerce is expected to start accepting submissions to the program from August 1.

TRUSTe Solutions for EU-U.S. Privacy Shield

TRUSTe is offering three separate packages to support companies in assessing and verifying that their data protection practices are compliant with the Privacy Shield principles ahead of self-certification with the U.S. Department of Commerce. The Assessment Package and Verification Package can include customer data, HR/employee data or both.

In addition, TRUSTe provides a Dispute Resolution Package, which helps companies to efficiently manage privacy inquiries from customers, and addresses the dispute handling requirements of the EU-U.S. Privacy Shield Framework.

Companies that use TRUSTe technology and tools to manage privacy related questions or concerns will be entitled to display the new “Powered by TRUSTe Privacy Feedback Button” on their digital Privacy Policy page and links to a mechanism for consumers to submit questions or feedback.


The TRUSTe assessment and verification solutions for EU-U.S. Privacy Shield are managed by a team of privacy professionals using our proprietary assessment methodology and powered by TRUSTe Assessment Manager. This award-winning SaaS-based privacy technology platform provides interactive compliance reviews, centralized on-demand reporting and searchable audit trails.

For more information on TRUSTe’s EU-U.S. Privacy Shield solutions visit www.truste.com/privacy-shield or call on 1-888-878-7830.
Privacy Shield Close to Adoption following Endorsement from EU Member States


Today the EU-U.S. Privacy Shield cleared one of the final hurdles on the path to regulatory approval as representatives from EU Member States voted to support the new EU data transfer framework. The “Article 31” Committee is made up of representatives from the EU Member States and their endorsement is binding. The vote today was overwhelmingly positive with just Austria, Croatia, Slovenia, and Bulgaria abstaining.

This is the vital last step before formal adoption of the new international data transfer framework published in February to replace Safe Harbor. The EU-U.S. Privacy Shield framework is the product of two years of intensive negotiations and represents the commitment of the EU and the U.S. Government to securing the vital transatlantic data flows which are such an integral part of the information economy.

In a press statement this morning Vice-President Ansip and Commissioner Jourová from the European Commission said:

“Today Member States have given their strong support to the EU-U.S. Privacy Shield, the renewed safe framework for transatlantic data flows. Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice.”

Path to EU Regulatory Approval

Before Privacy Shield could be up and running a draft adequacy decision from the European Commission had to be approved by a European “comitology” procedure, which involved (i) insight from the Article 29 Working Party (formed of EU regulators), (ii) a binding opinion from the EU Member State representatives, and (iii) formal adoption of the adequacy decision by the EU College of Commissioners.

In April the Article 29 Working Party asked for clarification in a number of areas to address their ongoing concerns. Now according to Commission officials the revised draft includes a number of additional clarifications and improvements on U.S. mass surveillance powers, the role of the “ombudsperson” who will adjudicate complaints from EU citizens about their data, and the onward transfer of EU citizens’ data to other companies. The final text places the obligation on the third party to tell the company on the Privacy Shield register when they cannot offer sufficient protection to EU citizens’ data.

Formal Adoption expected by July 12

After today’s positive vote the final stage in the EU Regulatory approval process is formal adoption by the EU Commissioners which is expected to take place on Monday July 11 with an official announcement and copy of the final text on Tuesday, July 12. The Department of Commerce is expected to start accepting submissions to the program in August.

How can TRUSTe help?

Once the EU-U.S. Privacy Shield is formally adopted TRUSTe will amend its certification standards to reflect the new framework and support companies in assessing and verifying that their data protection practices are compliant with the Privacy Shield principles and ready for self-certification with the U.S. Department of Commerce.

TRUSTe has a range of solutions to address both customer and HR / employee data transfer components of the EU-U.S. Privacy Shield. For more information on TRUSTe’s EU Data Transfer solutions visit www.truste.com/privacy-shield or call on 1-888-878-7830.

EU and US Agree on New Transatlantic Privacy Shield to Replace Safe Harbor


After months of intensive negotiations, today (February 2) the European Commission and the United States announced agreement on a new framework for transatlantic data flows: the EU-US Privacy Shield.

This new framework will protect the rights of Europeans where their data is transferred to the United States and provide a path to legal certainty for the thousands of businesses that had previously relied on Safe Harbor for their international data transfers. The framework should be in place within three months.

Addressing the ECJ concerns

The EU-US Privacy Shield addresses the requirements set out by the European Court of Justice in its ruling last October 6 which declared the old Safe Harbor framework invalid. The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities. There will also be the creation of a new Ombudsperson to address complaints about possible access by national intelligence agencies.

Vice-President Ansip, European Commission said: “We have agreed on a new strong framework on data flows with the US. Today’s decision…further strengthens our close partnership with the US. We will work now to put it in place as soon as possible.”

While further details of the new framework are still to be released it’s clear that the EU-U.S. Privacy Shield will be robustly monitored with an annual review by the European Commission and the U.S. Department of Commerce. This review will also involve the U.S. national intelligence experts from the U.S. and European Data Protection Authorities.

What happens next?

The European Commission will now draft an “adequacy decision” which would be reviewed by the Article 29 Working Party and then adopted by the Commission after consulting a committee composed of representatives of the Member States. In the meantime, the U.S. Department of Commerce together with the European Commission will continue preparations to put in place the new framework, monitoring mechanisms and new Ombudsman. If agreed before the final adoption of the European General Data Protection Regulation then this adequacy decision would ensure that the Privacy Shield could be a valid method of international data transfers through 2018 and beyond.

There should be further details following tomorrow’s Article 29 Working Party meeting and in subsequent briefings by the Department of Commerce on what requirements will be necessary for companies to stay compliant until the Privacy Shield is in place. The TRUSTe EU Data Privacy Transfer Assessment package will ensure you’re compliant with each of these requirements once they’re made available.

Majority of companies still holding out for Safe Harbor 2.0

As the EU compliance grace period ends this month, new research amongst companies who previously relied on the Safe Harbor framework shows that three-quarters (78%) are holding out for a new Safe Harbor 2.0, but many are hedging their bets and looking to a combination of solutions to ensure EU data transfer compliance in 2016. With limited time and budget and increased regulatory scrutiny as major concerns, TRUSTe announced today a new EU Data Transfer Privacy Assessment solution that provides a flexible approach to the changing compliance requirements ahead.


TRUSTe conducted research between December 15-29 2015 with 248 US companies that had used Safe Harbor prior to the European Court of Justice (CJEU) ruling on October 6. Three-quarters (78%) of companies are continuing with Safe Harbor and preparing for the announcement of Safe Harbor 2.0. Half (53%) of these companies are also now using or preparing to use Model Contract Clauses. A quarter (24%) are now considering localized data centers in the EU and 4% are looking to scale back their EU investment. Limited time and resources (72%), limited budget (56%) and an unclear or unwieldy assessment process (57%) are the major concerns around managing EU data transfers. Compliance is a high priority with 87% thinking there will be increased regulatory scrutiny should a new Safe Harbor 2.0 framework be introduced.

The new TRUSTe EU Data Transfer Privacy Assessment privacy solution uses both TRUSTe’s team of privacy experts and the SaaS-based TRUSTe Assessment Manager to help companies quickly and efficiently assess compliance versus any combination of Safe Harbor and Model Contract Clauses they select. Assessment Manager helps automate the review process providing an easy path across the different standards, enabling companies to move from Safe Harbor 1.0 to Model Contract Clauses and / or Safe Harbor 2.0 and produce a compliance report to support their work.

For further details see EU Data Transfer Privacy Assessment Solution and for pricing call 1-888-878-7830.