EU Safe Harbor: What Next? October 9, 2015
Privacy Insight Series
Today’s Speakers
• Mr Andrea Glorioso, Counselor, Digital Economy / Cyber, Delegation of the European Union to the USA
• Aymeric Dupont, Counselor, Justice and Home Affairs, Delegation of the European Union to the USA
• Chris Babel, CEO, TRUSTe
Today’s Agenda
• Recap of CJEU Ruling
• Clarification of the Status & Scope of the Ruling
• Steps Companies Can Take Now
• Risk of Enforcement
• Likelihood of Safe Harbor 2.0
• Additional Q&A
Recap of CJEU Ruling
• On October 6th the Court of Justice of the EU (CJEU) ruled that:
  • the current U.S.-EU Safe Harbor Framework is no longer a valid method for ensuring adequacy under the EU Data Protection Directive 95/46/EC for international data transfers
  • European DPAs and courts can independently determine whether cross-border transfer mechanisms comply with EU requirements, regardless of a finding by the European Commission
• This means that companies relying on Safe Harbor to legitimize data transfers now need to consider alternative compliance mechanisms
Clarification of the Scope of the Ruling
Questions Clarifying the Status & Scope of the Ruling
• “Is this ruling effective immediately?”
• “If we are transferring business data, with no consumer data, can we safely ignore the Safe Harbor decision, because the data transfer requirements only relate to consumer data?”
• “What are the implications for single sign-on systems that read from a corporate directory, like MSFT Active Directory or an LDAP server that's located in Europe?”
• “What are the implications for repositories of data in Europe that are routinely accessed by users outside of the EU?”
Steps Companies Can Take Now
Questions on Steps Companies Can Take Now
• “What steps can customers and technology providers take now? What should we be doing? What should we NOT be doing?”
• “My organization is evaluating the process of becoming Safe Harbour certified. Given this new ruling, would you recommend we proceed with this plan – knowing we might be asked to do more later? … or would you recommend we wait until any new processes / procedures are in place?”
• “Do companies need to immediately suspend all transfers made under Safe Harbor until they put an alternative mechanism in place?”
• “Are model clauses and Binding Corporate Rules really safe following this ruling?”
Risk of Enforcement
Questions Around Enforcement Risk
• “What is the anticipated timeline for enforcement?”
• “How long will the EU allow companies that relied on Safe Harbor to continue to transfer data until they find another program before violations or penalties kick in?”
• “According to Safe Harbor the only authority that can take direct enforcement action against a US company is the FTC. So for US companies which have no presence in the EU, is the risk for enforcement action actually very small since the FTC does not support this ruling?”
• “From the point of view of small companies, would you advise letting the Googles, Amazons and Facebooks lead the way here?”
Likelihood of Safe Harbor 2.0
Questions on Likelihood of Safe Harbor 2.0
• “Is a diplomatic solution possible to an ECJ decision?”
• “Do you think version 2 is around the corner? If not, in what timeframe do you think that will be released? In the meanwhile, how much of what we've done can we leverage to show compliance as data controllers?”
• “Would a new Safe Harbor be valid under the proposed GDPR?”
• “Would a TRUSTe seal of approval still carry value?”
Questions?
Contacts
• Andrea Glorioso: andrea.glorioso@eeas.europa.eu
• Aymeric Dupont: aymeric.dupont@eeas.europa.eu
• Chris Babel: cbabel@truste.com
Thank You!
Don’t miss the next webinar in the Series – “Five Things to CISO Needs to Know About Privacy” on October 15th.
See http://www.truste.com/insightseries for details of future webinars and recordings.