Per Anders Eriksson

Safe Harbour: A U.S. Framework for adhering to the European Commission’s Directive on Data Protection

Safe Harbor Overview
The European Commission’s Directive on Data Protection went into effect in October. It prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection. The United States has taken a different approach to privacy from that taken by the European Union.

Safe Harbor Overview
The United States uses a sectoral approach that relies on a mix of legislation, regulation, and self-regulation. The European Union relies on comprehensive legislation that, for example, requires creation of government data protection agencies, registration of databases with those agencies, and in some instances prior approval before personal data processing may begin. As a result, the Directive could have significantly hampered the ability of U.S. companies to engage in many trans-Atlantic transactions.

Safe Harbor Overview
In order to bridge these different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive, the U.S. Department of Commerce, in consultation with the European Commission, developed a "safe harbor" framework. Certifying to the safe harbor assures EU organizations that the U.S. company provides "adequate" privacy protection, as defined by the Directive.

Safe Harbor benefits
The safe harbor provides a number of important benefits to U.S. and EU firms. Benefits for U.S. organizations participating in the safe harbor will include:
– All 15 Member States of the European Union will be bound by the European Commission’s finding of adequacy;
– Companies participating in the safe harbor will be deemed adequate and data flows to those companies will continue;
– Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted; and
– Claims brought by European citizens against U.S. companies will be heard in the U.S., subject to limited exceptions.

Safe Harbor benefits
An EU organization can ensure that it is sending information to a U.S. organization participating in the safe harbor by viewing the public list of safe harbor organizations posted on the Department of Commerce’s website ( safeharbor). It will contain the names of all U.S. companies that have self-certified to the safe harbor framework. This list will be regularly updated, so that it is clear who is assured of safe harbor benefits.

How does an organization join?
The decision by U.S. organizations to enter the safe harbor is entirely voluntary. Organizations that decide to participate in the safe harbor must comply with the safe harbor's requirements and publicly declare that they do so.

How does an organization join?
To be assured of safe harbor benefits, an organization needs to self-certify annually to the Department of Commerce in writing that it agrees to adhere to the safe harbor's requirements, which include elements such as notice, choice, access, and enforcement. It must also state in its published privacy policy statement that it adheres to the safe harbor.

How does an organization join?
The Department of Commerce will maintain a list of all organizations that file self-certification letters and make both the list and the self-certification letters publicly available. To qualify for the safe harbor, an organization can:
– (1) join a self-regulatory privacy program that adheres to the safe harbor's requirements; or
– (2) develop its own self-regulatory privacy policy that conforms to the safe harbor.

What do the Safe Harbor principles require?
Organizations must comply with the seven safe harbor principles. The principles require the following:
Notice:
– Organizations must notify individuals about the purposes for which they collect and use information about them.
– They must provide information about how individuals can contact the organization with any inquiries or complaints, the types of third parties to which it discloses the information, and the choices and means the organization offers for limiting its use and disclosure.

What do the Safe Harbor principles require?
Choice:
– Organizations must give individuals the opportunity to choose (opt out) whether their personal information will be disclosed to a third party or used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual.
– For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.

What do the Safe Harbor principles require?
Onward Transfer (Transfers to Third Parties):
– To disclose information to a third party, organizations must apply the notice and choice principles. Where an organization wishes to transfer information to a third party that is acting as an agent(1), it may do so if it makes sure that the third party subscribes to the safe harbor principles or is subject to the Directive or another adequacy finding.
– As an alternative, the organization can enter into a written agreement with such third party requiring that the third party provide at least the same level of privacy protection as is required by the relevant principles.

What do the Safe Harbor principles require?
Access:
– Individuals must have access to personal information about them that an organization holds and be able to correct, amend, or delete that information where it is inaccurate, except where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy in the case in question, or where the rights of persons other than the individual would be violated.

What do the Safe Harbor principles require?
Security:
– Organizations must take reasonable precautions to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Data integrity:
– Personal information must be relevant for the purposes for which it is to be used. An organization should take reasonable steps to ensure that data is reliable for its intended use, accurate, complete, and current.

What do the Safe Harbor principles require?
Enforcement:
– In order to ensure compliance with the safe harbor principles, there must be (a) readily available and affordable independent recourse mechanisms so that each individual's complaints and disputes can be investigated and resolved and damages awarded where the applicable law or private sector initiatives so provide; (b) procedures for verifying that the commitments companies make to adhere to the safe harbor principles have been implemented; and (c) obligations to remedy problems arising out of a failure to comply with the principles.

What do the Safe Harbor principles require?
Enforcement (cont.):
– Sanctions must be sufficiently rigorous to ensure compliance by the organization.
– Organizations that fail to provide annual self-certification letters will no longer appear in the list of participants, and safe harbor benefits will no longer be assured.

How and where will the Safe Harbor be enforced?
In general, enforcement of the safe harbor will take place in the United States in accordance with U.S. law and will be carried out primarily by the private sector. Private sector self-regulation and enforcement will be backed up as needed by government enforcement of the federal and state unfair and deceptive statutes. The effect of these statutes is to give an organization's safe harbor commitments the force of law vis-à-vis that organization.

How and where will the Safe Harbor be enforced?
The Department of Commerce will indicate, on the public list it maintains of organizations self-certifying adherence to the safe harbor requirements, any notification it receives of persistent failure to comply, and will make clear which organizations are assured and which organizations are no longer assured of safe harbor benefits. An organization applying to participate in a self-regulatory body for the purposes of re-qualifying for the safe harbor must provide that body with full information about its prior participation in the safe harbor.