Swiss-US Privacy Shield Rollout: What to Expect April 13, 2017
Privacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2017
Today’s Speakers
• Michelle Sylvester-Jose, Policy Advisor, International Trade Administration
• Nasreen Djouini, Policy Advisor, International Trade Administration
• Josh Harris, Director, International Regulatory Affairs, TRUSTe
Today’s Agenda
• Welcome & Introductions
• How the Swiss-U.S. Privacy Shield was developed and the differences between the Swiss and EU Privacy Shield Frameworks
• What you should do to prepare to self-certify to Privacy Shield for the first time, or to add the Swiss-U.S. Privacy Shield to your EU-U.S. Privacy Shield certification
• How to navigate the self-certification process on privacyshield.gov
• How to re-certify on an annual basis
• Q&A
Swiss-U.S. Privacy Shield – what’s different
Nasreen Djouini, Policy Advisor, International Trade Administration
Developing the Swiss-U.S. Privacy Shield
• The Swiss-U.S. Privacy Shield reflects our shared objectives of enhancing privacy protections for individuals and providing certainty for businesses.
• Switzerland recognized the adequacy of protection provided by the Privacy Shield Principles as meeting the requirement of Article 6 of the Swiss Federal Act on Data Protection.
• The Swiss-U.S. Privacy Shield includes the Privacy Shield Principles, along with letters describing oversight and enforcement by the U.S. Government and the broader U.S. privacy framework.
Differences between the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks
• Swiss Data Protection and Information Commissioner authority
• Modification to the Choice Principle
• Immediate applicability of the Onward Transfer Principle
• Binding arbitration option to be put in place at the first annual review
Preparing to self-certify to Privacy Shield for the first time, or to add the Swiss-U.S. Privacy Shield
• Removing references to the U.S.-Swiss Safe Harbor
• Adding a commitment to the Swiss-U.S. Privacy Shield
• Adding a reference to the Swiss FDPIC (if applicable)
• Sample language to be used in a privacy notice
• Self-certifying to one or both Frameworks
What to Expect When Applying
Michelle Sylvester-Jose, Policy Advisor, International Trade Administration
Payment Structures (fees by annual revenue)

Annual Revenue                      Single Framework   Add a Framework   Both Frameworks
$0 to $5 million                    $250               $125              $375
Over $5 million to $25 million      $650               $325              $975
Over $25 million to $500 million    $1,000             $500              $1,500
Over $500 million to $5 billion     $2,500             $1,250            $3,750
Over $5 billion                     $3,250             $1,625            $4,875
Application Process
• Organization Information
  – First Time? Select Your Framework(s)
  – Display Name vs. Legal Name
  – Organization Contact vs. Corporate Officer
  – Covered Entities
Covered Data and Dispute Resolution
• Must opt in for the data you cover, and select a Recourse Mechanism
• HR data for EU and DPA compliance
Adding Swiss
Last Steps and Finalizing your Self-Certification
• Last Steps:
  – Must include policies for all data covered (HR and non-HR)
  – Payment Notification
• Processing Self-Certifications
  – Review Time
  – Case Comments
• Viewing your record on the Privacy Shield List
FAQs
• FAQs on privacy policies, new requirements, etc. are available on the Privacy Shield website
  – https://www.privacyshield.gov/Program-Overview
Third Party Verification & Dispute Resolution Providers
Josh Harris, Director of International Regulatory Affairs, TRUSTe
Privacy Practices Verification
• Companies must take steps to verify that assertions made around Swiss Privacy Shield compliance are true
• Third party compliance reviews can be used to satisfy this requirement
• Third party reviews must:
  – Verify privacy policies are being complied with
  – Verify consumers are informed of how they can file a complaint
• Companies must be able to demonstrate an external review has been successfully completed annually
  – This can be provided by the external compliance review provider
• Companies must retain records of their implementation of the Privacy Shield Principles and privacy policies
  – Records must be provided upon request in the context of a Privacy Shield related investigation
Dispute Resolution
• Companies must respond to an initial complaint within 45 days
• An alternative mechanism must be in place to address Swiss Privacy Shield related complaints
  – An Independent Dispute Resolution Provider (IDR) can be used for consumer data
  – The Swiss DPA must be used for employee data
• Must be provided free of charge to individuals
• Companies must provide information regarding their IDR Provider in their privacy notice
  – Name of the designated provider and how to contact them
  – Whether the provider is the Swiss Federal Data Protection and Information Commissioner (FDPIC) or U.S. based
  – That it is available free of charge
• Binding arbitration is available after other mechanisms have been exhausted
Requirements for IDR Providers Under Swiss Privacy Shield
• Make information available to consumers about Privacy Shield and the IDR Provider’s role under Privacy Shield
  – Needs to be accessible from the IDR Provider’s website
  – Link to the DOC’s Swiss Privacy Shield site
  – Explanation of how to file a complaint, the dispute resolution process and timeframes, and potential remedies
• Report annually to the DOC regarding the number, types, and outcomes of complaints received, and the length of time to resolve them
  – Reporting in the aggregate
• IDR Providers must notify the DOC of companies that fail to resolve Privacy Shield related complaints
Levels of Third Party Assistance (✔ = included in that level)

Service                                                Verification   Assessment   Dispute Resolution
Dispute Resolution mechanism (non HR)                  ✔              ✔            ✔
Dispute Resolution Seal/Button (non HR)                ✔              ✔            ✔
Comprehensive Assessment – Customer and / or HR Data   ✔              ✔
Online Asset Review and Scanning                       ✔              ✔
Findings Report                                        ✔              ✔
Searchable Audit Trail                                 ✔              ✔
DOC Registration Assistance                            ✔              ✔
Ongoing Guidance                                       ✔              ✔
Remediation Assistance                                 ✔
Verification Seal                                      ✔
Verification Letter of Attestation                     ✔
Verification Listing for DOC                           ✔
Questions?
Contacts
• Josh Harris, email: jharris@truste.com
• Michelle Sylvester-Jose, email: michelle.sylvester-jose@trade.gov
• Nasreen Djouini, email: nasreen.djouini@trade.gov
Thank You!
Register now for the next webinar in our 2017 Winter/Spring Webinar Series on April 27, 2017: “ROI of Privacy: Building a Case for Investment”
• https://info.truste.com/roi-of-privacy-webinar.html
See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.