
Page 1: TRUSTe Privacy Insight Seriesinfo.truste.com/rs/truste/images/TRUSTe-Webinar... · Reviews every company’s annual certification to ensure all of the elements required by the Framework

Privacy Insight Series
March 26, 2015
TRUSTe Privacy Insight Series: Cross Border Data Transfer Strategies

Page 2

Today’s Speakers
• Anick Cousens, Corporate Privacy, IBM
• Josh Harris, Director of Policy, TRUSTe
• Caitlin Fennessy, Policy Advisor, Data Flows and Privacy Team, U.S. International Trade Administration (ITA)
• Myriam Gufflet, Head of BCR Unit, CNIL

Page 3

Today’s Agenda
• Welcome & Introductions
  – Josh Harris, Director of Policy, TRUSTe
• The U.S.-EU Safe Harbor Framework
  – Caitlin Fennessy, Policy Advisor, Data Flows and Privacy Team, U.S. International Trade Administration (ITA)
• European Binding Corporate Rules (BCR)
  – Myriam Gufflet, Head of BCR Unit, CNIL
• APEC Cross-Border Privacy Rules (CBPR) System & EU-APEC Interoperability
  – Josh Harris, TRUSTe; Caitlin Fennessy, U.S. International Trade Administration
• Dual Certification – A Business Perspective
  – Anick Cousens, Corporate Privacy, IBM
• Next Steps
• Q&A

Page 4

The U.S.-EU Safe Harbor Framework & EU-APEC Interoperability
Caitlin Fennessy
Office of Digital Services Industries
International Trade Administration
U.S. Department of Commerce

Page 5

U.S.-EU Safe Harbor Framework
How did we get here?
• 1995: European Commission (EC) Data Protection Directive 95/46/EC
  – Prohibits transfer of personal data to countries that do not meet the EU standard for “adequate” data protection
• 1998-2000: U.S.-EU Safe Harbor Framework Negotiated
  – The U.S. Department of Commerce and European Commission negotiate the Safe Harbor Framework to bridge the differences between the U.S. and EU systems of data protection
• 2000: U.S.-EU Safe Harbor Framework Finalized
  – Safe Harbor receives an adequacy determination from the European Commission
• Today: Over 4,000 organizations are currently participating in Safe Harbor
  – Over 60 percent of companies are SMEs and half cover HR data

Page 6

U.S.-EU Safe Harbor Framework
How does a company join Safe Harbor?
1. Develop Internal Policies that Comply with Safe Harbor
   Seven principles and 15 FAQs, including annual verification mechanism and contact point
2. Establish an Independent Recourse Mechanism
   Identify which dispute resolution provider the organization will use and establish a relationship, where required, in advance of self-certification
3. Self-certify using the Safe Harbor website
   Provide contact information and compliant privacy policy, describe covered and relevant processing (whether it includes HR data), identify a dispute resolution provider, indicate method of annual verification, etc.
4. Publicly declare commitment to Safe Harbor
   Include an affirmative commitment to Safe Harbor in the public privacy policy
5. Reaffirm self-certification annually
   A company’s certification status can be verified at export.gov/safeharbor
   No recertification = no longer assured Safe Harbor benefits; upon exiting the program, the affirmative commitment must be removed from privacy policies

Page 7

U.S.-EU Safe Harbor Framework
What is the role of the U.S. Department of Commerce?
1. Oversight and Administration
   – Reviews every company’s annual certification to ensure all of the elements required by the Framework are included (contact information, description of activities, covered information, dispute resolution provider, website privacy policy with Safe Harbor commitment, verification method . . .)
   – Finalizes certification only once the required elements are provided; otherwise the company is not on the public list or is marked “not current”
   – Coordinates with the FTC on jurisdictional questions, DPA and consumer concerns, and outreach to participants regarding FTC enforcement
2. Outreach
   – Participates in privacy conferences around the world to discuss Safe Harbor’s operation and role in regulatory cooperation and trade facilitation
   – Engages in bilateral and multilateral outreach to share information about the program’s operation and address common misperceptions
3. Education
   – Conducts Safe Harbor seminars around the United States for current and future participants, focusing on compliance and best practices
   – Makes staff available to provide one-on-one guidance to companies daily

Page 8

U.S.-EU Safe Harbor Framework
What is the role of EU DPAs?
• Where HR data is covered (approximately 50%)
  – Companies must agree to cooperate with DPAs and comply with DPA guidance.
  – DPAs can be selected as the individual dispute resolution provider for HR data only or for all covered data.
• Where HR data is not covered
  – Companies can choose EU DPAs as their dispute resolution provider. Disputes are heard by the EU Data Protection Panel.
• Referrals to the FTC
  – EU DPAs can refer cases of suspected non-compliance to the FTC
  – The FTC has committed to review DPA referrals on a priority basis
• Cooperation on investigations
  – The FTC has worked to develop cooperative relationships with DPAs to facilitate information sharing during investigations

Page 9

U.S.-EU Safe Harbor Framework
Has there been enforcement (what are lessons learned)?
• Three-layer approach to dispute resolution/enforcement
  – Resolution with the company
  – Referral to a dispute resolution provider
  – FTC Enforcement (http://www.business.ftc.gov/us-eu-safe-harbor-framework)
• FTC false claims cases (2014): Apperian, Atlanta Falcons Football Club, Baker Tilly Virchow Krause, BitTorrent, Charles River Laboratories International, DataMotion, DDC Laboratories, Level 3 Communications, PDB Sports, Reynolds Consumer Products, Receivable Management Service Corporation, Tennessee Football, Fantage, American Apparel
  – Violations of consent orders may result in a civil penalty of up to $16,000 per violation (same for the cases below)
• Major FTC cases (2011-2012): Myspace, Facebook, Google
  – Consent orders requiring 20 years of third-party privacy audits
  – Comprehensive privacy program defined and mandated by the FTC
• FTC cases on Safe Harbor misrepresentation (2009): Progressive Gaitways, Directors Desk, Onyx Graphics, ExpatEdge Partners, World Innovators, Balls of Kryptonite, and Collectify

Page 10

U.S.-EU Safe Harbor Framework
Are there any new developments?
• European Commission 2013 Report on Safe Harbor
  – Presented 13 recommendations covering transparency, redress, enforcement, and government access to data
  – Consultations between Commerce and the European Commission ongoing
• Proposed EU Data Protection Regulation
  – Commission’s proposal grandfathered Safe Harbor; Parliament’s version included a 5-year sunset of all adequacy decisions, including Safe Harbor; Council still drafting its proposal
• Department of Commerce Administration of Safe Harbor
  – Additional staff; enhanced focus on identifying and referring false claims
  – Successfully worked with existing dispute resolution providers to eliminate fees for consumers
• European Court of Justice Safe Harbor Case
  – Oral arguments March 24, 2015
  – Decision anticipated in approximately six months

Page 11

EU Binding Corporate Rules (BCR)
TRUSTe Privacy Insight Series – Cross Border Data Transfer Strategies, 26 March 2015
Myriam Gufflet, Head of BCR Unit, Directorate for Compliance

Page 12

What are the EU Rules on Transfers of Data?
Principle: Data transfers outside the EEA (EU + Iceland, Norway, Liechtenstein) are forbidden (Art. 25 Directive 95/46/EC).
Derogation: If the recipient country or organization ensures an adequate level of protection:
• Countries recognized by the EC as offering an adequate level of protection; or
• US organization Safe Harbor certified; or
• Transfer framed by Standard Contractual Clauses; or
• Transfer framed by Binding Corporate Rules (BCR); or
• Transfer covered by an exemption from Art. 26 Directive 95/46/EC.

EU BCR

Page 13

What are BCR?
• Internal rules defining the global policy of a multinational group of companies with respect to transfers of personal data outside of the EEA
• Adapted to multinational organizations which operate mass and repeated transfers of data
• Compliance tool
• BCR-controller vs. BCR-processor: BCR-C cover intra-group transfers when the group acts as a controller, while BCR-P frame intra-group transfers when the group acts as a processor on behalf of and under the instructions of a controller

Page 14

[Diagram: BCR-P. A customer (controller) signs a service agreement, with the BCR-P annexed, with a service provider (processor); the service provider passes the data on to several data centres (sub-processing).]

Page 15

Why implement BCR?
• Comply with EU legal requirements by ensuring an adequate level of protection for data transferred outside of the EEA;
• Avoid the conclusion of a contract for each transfer;
• Standardize the group practices relating to personal data protection;
• Prevent risks relating to transfers of personal data to third countries;
• Communicate on the group’s policy in terms of personal data protection;
• Provide internal guidance for personal data management;
• Anticipate the EU draft regulation to be adopted by end of 2015.

Page 16

What Elements and Principles shall be Found in BCR?
[Diagram: Binding Corporate Rules, built from these elements: Description of processing & data flows; Mechanisms for reporting & recording changes; Binding nature; Effectiveness; Cooperation duty; Data protection safeguards.]

Page 17

What is the Approval Procedure of BCR?
1. The lead DPA reviews the draft BCR and provides comments.
2. Once finalized with the lead DPA, the draft BCR is sent to 2 other DPAs (“co-reviewers”). They have 1 month to review the BCR and provide comments.
3. When the co-reviewers are satisfied with the BCR, the draft is sent to the DPAs that are part of the mutual recognition procedure (they acknowledge safe receipt).
3bis. At the same time, it is sent to the DPAs which are not part of the MR procedure. They have 1 month to review the BCR and provide comments.
4. The cooperation procedure is closed and the final BCR version is sent to all the DPAs concerned by the transfers.
Controllers may have to apply before their competent DPAs for authorisations of transfers based on their BCR-C or their processor’s BCR-P.

Page 18

APEC Cross Border Privacy Rules (CBPR) System
Josh Harris, Director of Policy, TRUSTe

Page 19

Structure of the APEC Cross-border Privacy Rules (CBPR) System
[Diagram: the actors are the APEC Electronic Commerce Steering Group Chair, the Data Privacy Subgroup Chair, the CPEA Administrators, the Joint Oversight Panel (JOP), the APEC Member Economies and, within “Economy A”, its Designated APEC Government Delegate, a Privacy Enforcement Authority and an Accountability Agent. The three application paths shown are:]
• Notification of Intent to Participate in the CPEA (Privacy Enforcement Authority): Confirm that the agency meets the definition of a PEA. Letter from an appropriate government official verifying the agency’s authority status. Supply a contact point. Provide a statement of practices, policies, and activities.
• Letter of Intent to Participate in the CBPR System (Economy): Confirm participation in the CPEA. Confirm intent to use at least one APEC-recognized Accountability Agent. Describe laws and regulations that apply to CBPR activities of an Accountability Agent. Complete the APEC CBPR System Program Requirements Enforcement Map.
• Application for Accountability Agent through Nomination or Notification: Information about location in a CBPR participating Economy, or being subject to jurisdiction otherwise. Description of how the Accountability Agent Recognition Criteria have been met. Demonstration of how intake and review processes meet the CBPR Program Requirements Map (if not using the APEC intake document and program requirements).

Page 20

Interoperability
Is EU-APEC interoperability foreseeable?
• 2012: Creation of Joint EU-APEC Working Team
  – Recognized value of collaboration to provide industry greater clarity on how to meet requirements of the EU and APEC simultaneously
• Development of “Referential”
  – Mapped requirements of the APEC CBPR System and EU BCR System
  – Identified common and divergent elements to help inform companies seeking to develop policies and practices in compliance with both systems
  – Endorsed in 2014
• Next Steps
  – Work together to develop practical tools to facilitate dual certification to complement the referential
  – APEC Data Privacy Subgroup expression of interest to the Article 29 Working Party regarding tools recommended by the joint working team in January 2015

Page 21

Resources
• Safe Harbor: www.export.gov/safeharbor
  For further information on Safe Harbor, please contact the Safe Harbor team at [email protected]
• EU-APEC interoperability: View the “referential” at www.cbprs.org/Business/BusinessDetails.aspx
  For further information on EU-APEC interoperability work, please contact Caitlin Fennessy at [email protected]
• For further information on BCR, please contact Myriam Gufflet at [email protected]

Page 22

© 2015 IBM Corporation
APEC CBPRs & EU BCRs – A Company’s Point of View
Anick Fortin-Cousens, J.D., LL.L., CIPP/C
Privacy Officer, Canada, Latin America, Middle East & Africa
Program Director, Corporate Privacy Office, IBM Corporation
TRUSTe Privacy Insight Series – Cross Border Data Transfer Strategies

Page 23

IBM at a glance
400,000+ employees, 170+ countries
Cloud, Analytics, Mobile, Cognitive Computing, Security, Social

Page 24

International transfer mechanisms
[Diagram with the items: Model Clauses; Data Protection Authority]

Page 25

Certified accountability as a basis for cross border data transfers
Issue
• Data flow is critical to trade, growth and innovation
• Individuals need assurance that their personal information will receive the same level of protection regardless of where it flows
• Compliance with various rules on cross border data flows can be difficult, and such rules do not necessarily guarantee adequate treatment
Solution: certified accountability
• Focuses on the adequacy of an organization’s policies and practices to protect data regardless of where it flows
• Requires organizations to be answerable to regulators for the effectiveness of those policies and practices
• Makes use of third party assessments and regulatory enforcement to provide credible evidence of trustworthiness

Page 26

Certified accountability as a basis for interoperability
1. Baseline level of privacy protection
2. Expressed through internal rules and policies
3. Enforceable via redress mechanisms
4. Demonstrated via initial and ongoing methods
Interoperability
• Regional “interoperability” (the ability of diverse systems to work together) through certified accountability is already in effect in the EU and is underway in APEC
• Interoperability between countries and regions is desirable and achievable
• We must look for these building blocks

Page 27

Certified accountability – other benefits
Business
• Increased trust from stakeholders
• More robust privacy programs and practices
• Improved compliance with local standards
• Ability to demonstrate good faith efforts in case of enforcement
Individuals
• Enhanced privacy protection
• User-friendly and streamlined complaint handling
• Coordinated government enforcement
• Ability to continue to embrace innovative products and services that benefit them
Government
• Facilitates two important policy objectives: trade and privacy
• Facilitates cross-border cooperation
• Provides for greater economic rewards

Page 28

Privacy management framework enables privacy on a global scale
https://www.priv.gc.ca/information/guide/2012/gl_acc_201204_e.asp#m
[Diagram of the privacy management framework:]
• Organizational commitment: Buy-in from the top; Privacy Officer; Reporting
• Program controls: Personal information inventory; Policies; Assessment; Training, education & external communications; Breach management response; Service provider management
• Ongoing assessment and revision

Page 29

Anick Fortin-Cousens
[email protected]
1.613.836.4751

Page 30

Next Steps
Josh Harris, Director of Policy, TRUSTe

Page 31

Practical Steps to Streamline Your Cross-Border Data Transfer Strategies
• Determine Your Eligibility for CBPR Certification
• Review APEC CBPR Certification Standards
• Review Possible Integration with other Global Frameworks:
  1. Safe Harbor Program
  2. APEC-Article 29 Working Party Common Referential: If you already have an approved set of BCRs, these rules can be used to demonstrate compliance with the CBPR system. Your CBPR certification can also be used as the basis for a BCR approval, although additional requirements under the EU Directive will apply.

Page 32

Don’t miss the next webinar in the Series – Preparing for the EU Data Protection Regulation on April 9th
See http://www.truste.com/insightseries
TRUSTe Privacy Insight Series
Thank You!