
EU-US Privacy Shield: Understanding the New Framework


February 10, 2016

Privacy Insight Series



Today's Speakers
Josh Harris
Director of Policy
TRUSTe

Shannon Coe
Team Lead, Data Flows and Privacy
U.S. Department of Commerce

John Bowman
Senior Principal
Promontory


Agenda
Introduction and Overview
Josh Harris, Director of Policy, TRUSTe
EU-U.S. Privacy Shield Framework
Shannon Coe, Team Lead Data Flows & Privacy, U.S. Department of Commerce
Next Steps and EU Approval Process
John Bowman, Senior Principal, Promontory
Audience Q&A
Demo of TRUSTe EU Data Privacy Transfer Assessment

Introduction & Overview
Josh Harris, Director of Policy, TRUSTe


June 2013: Snowden revelations published by the Guardian

Timeline of Safe Harbor Negotiations
July 2013: EU Parliament calls for EC review of Safe Harbor
July 2013: EU VP Reding announces EC review to commence
November 2013: EC announces results of review
January 2014: Safe Harbor consultations begin

Timeline of Schrems Case
June 2013: Schrems lodges complaint with the Irish Privacy Commissioner
July 2013: Irish DPC declines complaint
October 2013: Irish High Court agrees to Judicial Review
June 2014: Irish High Court refers case to the Court of Justice of the European Union (CJEU)
September 2015: Advocate General Opinion announced

October 2015: Safe Harbor Invalidated



13 EC Recommendations

Transparency
Companies should publicly disclose their privacy policies.
Privacy policies should include a link to the Department of Commerce (DoC) Safe Harbor website.
Companies should publish privacy conditions of any contracts they conclude with subcontractors.
DoC should flag all companies which are not current members.

Redress
Companies should include a link to ADR provider in privacy policy.
ADR should be readily available and affordable.
DoC should monitor ADR providers regarding the transparency and accessibility of information they provide concerning the procedure they use and the follow-up they give to complaints.

13 EC Recommendations

Enforcement
A certain percentage of companies should be subject to ex officio investigations of compliance of their privacy policies (going beyond control of compliance with formal requirements).
Whenever there has been a finding of non-compliance, following a complaint or an investigation, the company should be subject to follow-up specific investigation after 1 year.
In case of doubts about a company's compliance, DoC should inform the competent EU data protection authority.
False claims of Safe Harbor adherence should continue to be investigated.

Access by US authorities
Privacy policies should include information on the extent to which US law allows public authorities to collect and process data, and companies should be encouraged to describe the policies in place to comply.
The national security exception should be used only when strictly necessary or proportionate.


EU-U.S. Privacy Shield
Shannon Coe, Team Lead Data Flows and Privacy, U.S. Department of Commerce


Overview of EU-U.S. Privacy Shield (1/3)
The EU-U.S. Privacy Shield significantly improves commercial oversight
and enhances privacy protections
The Privacy Shield strengthens cooperation between the Federal Trade
Commission and EU Data Protection Authorities, providing independent,
vigorous enforcement of the data protection requirements set forth in the
Privacy Shield.
EU individuals will have access to multiple avenues to resolve concerns,
including through alternative dispute resolution, now at no cost to the
individual.
The Department of Commerce will step in directly and use best efforts to
resolve referred complaints, including by dedicating a special team with
significant new resources to supervise compliance with the Privacy Shield.

The Privacy Shield adds an important new avenue to supplement the others.
Companies now will commit to participate in arbitration as a matter of last
resort to ensure that EU individuals who still have concerns will have the
opportunity to seek legal remedies.

Overview of EU-U.S. Privacy Shield (2/3)
The Privacy Shield embodies a renewed commitment to privacy by the U.S.
and the EU, and to ensure it remains a living framework subject to active
supervision, the Department of Commerce, the FTC, and EU DPAs will hold
annual review meetings to discuss the functioning of and compliance with the
Privacy Shield.
The Privacy Shield includes significant improvements that increase transparency
regarding personal data use, strengthen the protections participants provide,
and inform EU individuals more comprehensively about their rights under the
program.
The Privacy Shield includes new contractual privacy protections and oversight
for data transferred by participating companies to third parties or processed by
those companies' agents, to improve accountability and ensure continuity of
protection.


Overview of EU-U.S. Privacy Shield (3/3)
The EU-U.S. Privacy Shield demonstrates the U.S. commitments to
limitations and safeguards on national security.
Since 2013, President Obama, including through Presidential Policy Directive 28, has
directed several measures to enhance privacy protections for U.S. signals intelligence
activities, including protections that apply regardless of nationality; enhanced executive
oversight of intelligence activities; and implementation of new legislation that enhances
judicial review of certain intelligence collection activities, increases transparency, and further
ensures that collection of information for intelligence purposes is precisely focused and
targeted.

In connection with finalization of the new EU-U.S. Privacy Shield, the U.S. Intelligence
Community has described in writing for the European Commission the multiple layers of
constitutional, statutory, and policy safeguards that apply to its operations, with active
oversight provided by all three branches of the U.S. Government.

The Privacy Shield provides, for the first time, a specific channel for EU individuals to raise
questions regarding signals intelligence activities relating to the Privacy Shield. As a part of
this process, the United States is making the commitment to respond to appropriate requests
regarding these matters, consistent with our national security obligations.

Next Steps and EU Approval Process
John Bowman, Senior Principal, Promontory


European Commission Adequacy Decisions
The Council (the 28 EU member states) and the European Parliament have given the European
Commission the power to determine, on the basis of Article 25(6) of Directive 95/46/EC, whether
a third country ensures an adequate level of protection by reason of its domestic law or of the
international commitments it has entered into.

European Commission Adequacy Decisions as at February 2016:
AD - Andorra
AR - Argentina
CA - Canada
CH - Switzerland
FO - Faeroe Islands
GG - Guernsey

IL - State of Israel
IM - Isle of Man
JE - Jersey
NZ - New Zealand
US - United States - Safe Harbour
UY - Eastern Republic of Uruguay

The effect of these adequacy decisions is that personal data can flow from the 28 EU countries
and three EEA member countries (Norway, Liechtenstein and Iceland) to that third country
without any further safeguard being necessary.


Procedure for adopting the Privacy Shield
In order for the EU-US Privacy Shield to become law, a Commission Decision needs to be
adopted on the basis of Article 26(6) of Directive 95/46/EC. This process involves:
The proposal from the European Commission (the draft text of the new adequacy decision)
An opinion of the member states' supervisory authorities and the European Data Protection
Supervisor (EDPS) in the framework of the Article 29 Working Party (WP29)
An approval from the Article 31 Committee (member states) under the comitology
examination procedure
The adoption of the decision by the College of Commissioners

Article 31 of Directive 95/46/EC sets out that the (Article 31) committee shall deliver its opinion
on the draft by a qualified majority vote of member states. However, if these measures are not
in accordance with the opinion of the committee, they shall be communicated by the
Commission to the Council forthwith. In that event:
the Commission shall defer application of the measures which it has decided for a period of
three months from the date of communication;
the Council, acting by a qualified majority, may take a different decision within a specified
time limit.


The path to approval in the EU
WP29 calls on the Commission to communicate all documents pertaining to the new
arrangement by the end of February.
WP29 will conduct an assessment of the draft decision in light of the European
jurisprudence on fundamental rights, which sets four essential guarantees for intelligence
activities:
Processing should be based on clear, precise and accessible rules
Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
An independent oversight mechanism should exist, that is both effective and impartial
Effective remedies need to be available to the individual

WP29 will then complete its assessment for all personal data transfers to the US before
holding an extraordinary plenary session where consideration will be given as to whether
other transfer mechanisms (e.g. Binding Corporate Rules and Standard Contractual
Clauses) can be used for personal data transfers to the US
The Commission and the Article 31 Committee will then consider the report of WP29 and
act on the recommendations accordingly
The European Parliament may in the meantime issue a letter, opinion or request that the
Commission attend the Parliament


Questions?


Contacts
Josh Harris, jharris@truste.com
John Bowman, jmbowman@promontory.com

Thank You!
Stay on the call for a LIVE DEMO of TRUSTe EU Data Privacy Transfer Assessment.
See http://www.truste.com/insightseries for details of our 2016 Privacy Insight Series and past webinar recordings.

Today's LIVE DEMO Presenter
Joanne Furtsch, Director of Product Policy, TRUSTe


TRUSTe Has You Covered
Whether you meet your EU Data Transfer compliance requirements through
the new Privacy Shield Framework, Model Contract Clauses, or a combination
of the two, TRUSTe has you covered.
To find out more about TRUSTe Assessment Manager, and how TRUSTe can
help you with your EU compliance program,
visit www.truste.com/business-products/eu-privacy/ or contact your TRUSTe
Rep at 888-878-7830.
We have the resources and tools to help you quickly address the forthcoming
compliance deadlines.


Thank You!
Don't miss the next webinar in the Series, "Investment in Privacy Brings
Security Results", with Chris Babel, TRUSTe and Sam Pfeifle, IAPP on
March 10th.
See http://www.truste.com/insightseries for details of our 2016 Privacy
Insight Series and past webinar recordings.