In order to manage the privacy and operational challenges of implementing Model Contract Clauses (MCC) to maintain compliance with EU data protection laws, TRUSTe has introduced a new Model Contract Clause privacy assessment and partnered with PactSafe and a number of leading law firms.
This solution comes after the Oct. 6th ruling by the European Court of Justice, which invalidated the U.S.-EU Safe Harbor framework.
“The Safe Harbor Ruling has left many companies rudderless without a clear way to stay compliant with EU rules,” said Chris Babel, CEO of TRUSTe. “While the prospect of a new Safe Harbor 2.0 agreement appears promising, our new assessment and these partnerships we’re announcing today, will help companies act now to streamline their Model Contract Clause compliance and meet the January 31st deadline.”
TRUSTe has partnered with a number of leading international law firms who can advise companies with the legal aspects of Model Contract Clause compliance. Once the appropriate Model Contract Clauses are identified, PactSafe and TRUSTe work together to streamline the process of contract agreement with clients and partners, and provide risk assurance that the privacy components are being honored throughout the business.
PactSafe handles contract distribution with its automated contract management tools. TRUSTe provides a full privacy assessment against the requirements under the EU Data Protection Directive 95/46/EC using its automated Assessment Manager platform.
Further details about this new Model Contract Clause / Standard Contract Clause privacy assessment are available here and read the press release here.
There are indications that the U.S. and EU are close to a decision on Safe Harbor according to this Nov. 30 article in Politico, “EU hopes for new ‘safe harbor’ deal with US by January.”
The article states:
- “The United States and European Union will take stock December 17 on negotiations over data transfers across the Atlantic.”
- EU Justice Commissioner Vera Jourová is quoted as saying:
- “… replacement legislation to the safe harbor pact will be reviewed. The Commission aims to conclude negotiations in January 2016.”
- “the Commission is looking to involve European privacy watchdogs more closely.”
- “both European data protection authorities and the Federal Trade Commission of the United States will implement the requirements and deal with the complaints of citizens.”
There have also been several articles regarding Jourová’s speech at the Brookings Institution on Nov. 13 showing confidence that the U.S. and EU are on track to reach an agreement on a new Safe Harbor before the Jan. 31 deadline. Click the links below to read what Jourová is saying about the status of the new Safe Harbor:
- E.U.: New Safe Harbor Deal will be done by deadline via FedScoop
- Speech by Commissioner Jourová: The future of U.S.-EU data transfer arrangements at the Brookings Institution via Europa.eu
- Jourová: New Safe Harbor Deal Will Meet January Deadline via IAPP Daily Dashboard
With the Commerce Department committing to stronger oversight and with greater cooperation between European DPAs and the FTC, having accountability-on-demand against the new requirements will be crucial.
Do you have questions about U.S.-EU Safe Harbor? Contact TRUSTe at 1-888-878-7830.
This week, the Court of Justice of the EU (CJEU) ruled that the current U.S.-EU Safe Harbor Program is no longer a valid method for ensuring adequacy under EU Data Protection Directive 95/46/EC for international data transfers. U.S.-EU Safe Harbor had been in place since 2000 and more than 4,000 U.S. companies relied on the framework.
Until the Department of Commerce and the European Commission can finalize a new Safe Harbor framework, many businesses are left wondering what to do.
We invited attendees to send in their questions in advance and were flooded with responses. Today’s webinar tackled these questions as Chris Babel, and Andrea Glorioso and Aymeric Dupont from the European Union Delegation to the USA discussed what other options companies have without Safe Harbor.
The speakers provided a lot of insight and answered a number of viewer questions. Read excerpts from a few responses below:
Q: What is the anticipated timeline for enforcement?
A: “The ruling of the court is effective immediately. The general principles — that the court highlighted and therefore they became part of European Union law — they’re effective today.” – Andrea Glorioso
Q: From the point of view of small companies, would you advise letting the Googles, Amazons and Facebooks lead the way here?
A: “This is an issue for everyone and while different resources can be expended against it based on your size and scope, that also typically represents the size and scope of the data that you might be transferring and the efforts it might take to think through these things, but it’s a dramatic enough change it has broad reaching implications such that hoping it goes away and hoping that big people that have higher risk profiles with higher data being moved to get in trouble first…The ostrich plan is not a good one.” – Chris Babel
Q: Do you think version 2.0 is around the corner? If not, in what timeframe do you think that will be released?
A: “We have been discussing with America about a revised Safe Harbor but whatever we come up with now, it will have to be compatible, it will have to respect the parameters that the European Court of Justice has given us with this ruling. We cannot give you timing for that except to say that we certainly have a common interest to find a new mechanism that is as efficient as Safe Harbor but at the same time respects European Union citizens’ rights in the way which the European Court of Justice told us.” – Andrea Glorioso
Today, Oct. 6th, the Court of Justice of the EU (CJEU) ruled that the current U.S.-EU Safe Harbor Program is no longer a valid method for ensuring adequacy under EU Data Protection Directive 95/46/EC for international data transfers.
This significant change in data protection law removes an established data transfer compliance mechanism that has been in place since 2000 and relied on by more than 4,000 U.S. companies.
This ruling causes a period of uncertainty for businesses until the Department of Commerce and the European Commission can agree and put a new U.S.-EU Safe Harbor framework in place. This morning the Department of Commerce commented, “The court’s decision necessitates release of the updated Safe Harbor Framework as soon as possible,” and the UK ICO also added, “Concerns about the Safe Harbor are not new…We understand that these negotiations are well advanced.”
To ensure compliance in the interim, it’s essential to assess and prioritize current data transfers to evaluate the options for your organization. Main considerations include the nature and frequency of the data transfers that have relied on Safe Harbor for the legitimacy. Once a data transfer baseline has been determined, the alternative options include:
- Relying on consent as a justification for your data transfers.
- Introducing Model Clauses for data transfers into your contracts.
- Starting the process to apply for Binding Corporate Rules (BCRs)
- Waiting for a new U.S.-EU Safe Harbor 2.0 to be introduced.
On Friday, TRUSTe will be facilitating a webinar with the Delegation of the European Union to the U.S. This webinar will provide listeners with an opportunity to ask questions on next steps for U.S. companies previously in the Safe Harbor Program.
TRUSTe will continue to monitor the situation closely and provide updates on our blog and email.
At the end of each month we’ll compile a list featuring some of the most informative and interesting privacy blog posts to let you know what topics are driving the privacy agenda this month.
This month on the blog we covered data breaches, ‘Right to be Forgotten,’ and the new IoT Trust Framework, among other topics. This was the second month of our new series featuring the leading players in the Privacy Ecosystem. Check out the list below for some of the most popular blog posts this month:
New IoT Trust Framework Addresses Privacy Risks & Guidelines
On Aug. 11, the Online Trust Alliance released its Internet of Things Trust Framework to address IoT privacy and security risks. The Framework provides guidelines for IoT manufacturers, developers and retailers to follow when designing, creating, adapting and marketing connected devices in two key categories: home automation, and consumer health and fitness wearables.
Popular Webinar Tackles How Privacy Practices Can Help Prepare for a Data Breach
In this blog post, we introduce our first webinar teaser video. You’ll be seeing more of these short clips in future blog posts. The idea is to let visitors to the blog watch a minute of blog content before downloading the full version.
13 Companies Settle with FTC for False US-EU & US-Swiss Safe Harbor Claims
On Aug. 17, 13 companies settled with the Federal Trade Commission (FTC) for falsely claiming they were certified and in compliance with the US-EU or US-Swiss Safe Harbor Framework. Compliance with the Framework means companies must follow established requirements for meeting adequacy standards to transfer customer or employee data from the EU or Switzerland to the U.S. Then, companies must self-certify with the Department of Commerce. The self-certification needs to be renewed annually.
Survey Compares American and British Opinions on the ‘Right to be Forgotten’
This blog post coincided with the release of a new survey about the ‘Right to be Forgotten.’ Both American and British adults were asked their thoughts about this ruling and the results were interesting. While more British online adults (44%), than American online adults (29%), think that the ‘Right to be Forgotten’ ruling allows for censorship, both American and British adults’ responses were similar when it came to what type of data they would request removed from company databases.
This month in the Privacy Ecosystem series:
Meet the Leading Players in the Privacy Ecosystem: Craig Spiezle, Executive Director & President, Online Trust Alliance
Meet the Leading Players in the Privacy Ecosystem: Daniel J. Solove, Founder, TeachPrivacy
Meet the Leading Players in the Privacy Ecosystem: Gabe Totino, President & CTO, AssertID
What else would you like to read about on the TRUSTe blog?