With the Court of Justice of the EU (CJEU) disavowing the US-EU Safe Harbor Framework, TRUSTe outlines the alternatives for complying with the EU Data Protection Directive for international data transfers and what to expect in US-EU Safe Harbor Framework 2.0.
Access the complete webinar to anticipate the updated US-EU Safe Harbor Framework: https://info.truste.com/lp/truste/On-Demand-109-Webinar-Reg-Page.html?asset=JEUYE80N-572
EU Safe Harbor: What Next?
October 9, 2015
Privacy Insight Series
Today’s Speakers
• Mr Andrea Glorioso, Counselor, Digital Economy / Cyber, Delegation of the European Union to the USA
• Aymeric Dupont, Counselor, Justice and Home Affairs, Delegation of the European Union to the USA
• Chris Babel, CEO, TRUSTe
Today’s Agenda
• Recap of CJEU Ruling
• Clarification of the Status & Scope of the Ruling
• Steps Companies Can Take Now
• Risk of Enforcement
• Likelihood of Safe Harbor 2.0
• Additional Q&A
Recap of CJEU Ruling
On October 6th the Court of Justice of the EU (CJEU) ruled that:
• the current U.S.-EU Safe Harbor Framework is no longer a valid method for ensuring adequacy under the EU Data Protection Directive 95/46/EC for international data transfers
• European DPAs and courts can independently determine whether cross-border transfer mechanisms comply with EU requirements, regardless of a finding by the European Commission
This means that companies relying on Safe Harbor to legitimize data transfers now need to consider alternative compliance mechanisms.
Clarification of the Scope of the Ruling
Questions Clarifying the Status & Scope of the Ruling
• “Is this ruling effective immediately?”
• “If we are transferring business data, with no consumer data, can we safely ignore the Safe Harbor decision, because the data transfer requirements only relate to consumer data?”
• “What are the implications for single sign-on systems that read from a corporate directory, like MSFT Active Directory or an LDAP server that's located in Europe?”
• “What are the implications for repositories of data in Europe that are routinely accessed by users outside of the EU?”
Steps Companies Can Take Now
Questions on Steps Companies Can Take Now
• “What steps can customers and technology providers take now? What should we be doing? What should we NOT be doing?”
• “My organization is evaluating the process of becoming Safe Harbour certified. Given this new ruling, would you recommend we proceed with this plan – knowing we might be asked to do more later? ... or would you recommend we wait until any new processes / procedures are in place?”
• “Do companies need to immediately suspend all transfers made under Safe Harbor until they put an alternative mechanism in place?”
• “Are model clauses and Binding Corporate Rules really safe following this ruling?”
Risk of Enforcement
Questions Around Enforcement Risk
• “What is the anticipated timeline for enforcement?”
• “How long will the EU allow companies that relied on Safe Harbor to continue to transfer data until they find another program before violations or penalties kick in?”
• “According to Safe Harbor the only authority that can take direct enforcement action against a US company is the FTC. So for US companies which have no presence in the EU, is the risk for enforcement action actually very small since the FTC does not support this ruling?”
• “From the point of view of small companies, would you advise letting the Googles, Amazons and Facebooks lead the way here?”
Likelihood of Safe Harbor 2.0
Questions on Likelihood of Safe Harbor 2.0
• “Is a diplomatic solution possible to an ECJ decision?”
• “Do you think version 2 is around the corner? If not, in what timeframe do you think that will be released? In the meanwhile, how much of what we've done can we leverage to show compliance as data controllers?”
• “Would a new Safe Harbor be valid under the proposed GDPR?”
• “Would a TRUSTe seal of approval still carry value?”
Questions?
Contacts
• Andrea Glorioso: andrea.glorioso@eeas.europa.eu
• Aymeric Dupont: aymeric.dupont@eeas.europa.eu
• Chris Babel: cbabel@truste.com
Thank You!
Don’t miss the next webinar in the Series – “Five Things to CISO Needs to Know About Privacy” on October 15th.
See http://www.truste.com/insightseries for details of future webinars and recordings.