#TDPARTNERS16 GEORGIA WORLD CONGRESS CENTER
The Privacy Shield
Jay Irwin, JD, Director, Teradata Center for Enterprise Security
Nelson Mangaali, MS CISSP, Sr. Security Architect, Teradata Center for Enterprise Security
Schrems v. Irish Data Protection Commissioner
• Max Schrems
• Austrian citizen & Facebook user
• Post-Snowden privacy concerns over his personal data
• Complaint rejected by Irish DPC
• Requested a judicial review from Irish High Court
• Case adjourned pending EU Court of Justice referral
Schrems v. Irish Data Protection Commissioner
• Aug. 6, 2015 – Safe Harbor invalidated by EU Court of Justice (CJEU)
• Insufficient legal remediation channels
• Inadequate restrictions on government interference
• Interferes with national authorities' ability to exercise data enforcement duties
“The Privacy Shield”
• Safe Harbor self-certification replacement
• Intended framework for transatlantic data flows
• Aims to regulate handling of EU citizen data transferred to &/or stored by US firms
• Self-certification begins 08/2016
EU – U.S. Privacy Shield Provisions
• Accountability concerns addressed
• Codifies a more robust violation resolution process
• Clarifies legal rights & obligations for businesses relying on transatlantic data transfers
• Creates Privacy Shield Ombudsman
EU – U.S. Privacy Shield Provisions
• The Privacy Shield includes:
• Provisions designed to ensure EU citizens consent to data processing and sharing
• Ensures that third parties are validated before data can be shared with them
• Makes mandated avenues available for dispute resolution
• Adds strict breach notification requirements
EU – U.S. Privacy Shield Critics
• Privacy International criticizes the weakness of controls against unlawful surveillance
• Max Schrems & EU Parliament member Jan Philipp Albrecht criticize the agreement
• Allows data sharing for broad and generic purposes, undermining a crucial privacy protection
EU – U.S. Privacy Shield Proponents
• The US Department of Commerce & State Department strongly support Privacy Shield
• Private-sector US tech firms support the agreement to root out regulatory uncertainty
• The law aims to restore trust in transatlantic data flows between EU & US
Directive 95/46/EC
• Directive 95/46/EC, aka DPD or The Data Protection Directive
• Created in 1995 to regulate personal data processing within the EU
• Implemented in 1998
• DPD was a model for EU Member State local data protection legislation
Directive 95/46/EC
• Member States implemented their own local regulations per DPD
• Member State local legislation differed significantly
• The deltas between Member State laws frustrated multinational firms subject to regulation in multiple jurisdictions
General Data Protection Regulation
• GDPR draft first published by the EU Commission in 2012
• Intended to replace the Data Protection Directive of 1995
• DPD implementations differed greatly among EU Member States
• GDPR, as a regulation, intends to eliminate interstate discrepancies between local EU Member State laws
General Data Protection Regulation
• December 2015: GDPR agreement achieved
• May 2016: GDPR officially adopted
• May 2018: GDPR compliance deadline
General Data Protection Regulation
• Explicit individual consent is needed for data processing & collection
• Privacy-by-design
• Data protection must be designed into a large variety of services
• Opponents see this as overly broad
• Art. 37 requires Data Protection Officers be appointed
• For organizations operating in EU Member States
• For public authorities in EU Member States
• EU citizens have the right to get bad or incorrect data corrected or removed from databases
Art. 32 – Security of Processing
GDPR suggests security actions that may be “appropriate to risk”:
• Pseudonymization & encryption of personal data.
• Ability to ensure ongoing confidentiality, integrity, availability & resilience of processing systems & services.
• Ability to restore availability of & access to personal data in a timely manner in the event of a physical or technical incident.
• A process to regularly test, assess & evaluate the effectiveness of technical & organizational measures for ensuring data processing security.
• Controllers & processors adhering to an approved code of conduct or certification mechanism listed in Articles 40 & 42 may use them to demonstrate compliance.
General Data Protection Regulation
• Art. 33: Supervisory Authority Notification Requirements for Personal Data Breaches
• Data Controllers must notify the Supervisory Data Authority “without undue delay” (where feasible, within 72 hours)
• Notifications made after 72 hours must be accompanied by an explanation for the delay
• Notification not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons
• Data Processors must notify Data Controllers without undue delay
• Data Controllers must document any personal data breaches, noting relevant facts
• Likely breach effects
• Remedial action(s) taken
General Data Protection Regulation
• Art. 34: Data Subject Notification Requirements for Personal Data Breaches
• Data Controllers must notify Data Subjects when a breach is likely to result in a high risk to the rights and freedoms of natural persons
• Data Subject Notification must include a clear and plain-language explanation
• Name and contact information for the DPO
• Describe likely consequences
• Describe measures taken or proposed to address the breach
• Data Controllers must document any personal data breaches with relevant facts, including effects of the breach & any remedial action taken
General Data Protection Regulation
• When is Data Subject Notification not required under Article 34?
• Data Subject Notification is not required under certain specific scenarios:
• Data Controller has implemented protection measures on personal data that render the personal data unintelligible
• Data Controller has taken measures to ensure that no high risk to the rights and freedoms of data subjects exists
• Data Subject Notification would require disproportionate effort
• Public notification is required for this exemption
General Data Protection Regulation
• Penalties
• GDPR violators may face severe fines
• Fines for severe violations can be the greater of 4% annual global turnover or €20 million
• Less severe violators are subject to fines up to 2% annual global turnover or €10 million
• Compensation to aggrieved parties
• Data subjects can claim compensation for damages suffered
• Data subjects can sue data controllers or processors
General Data Protection Regulation
• Achieving GDPR compliance
• Know where personal data is stored & accessed in your environment
• Plan for & execute regular risk assessments
• Interrogate all third parties receiving personal data from your organization to ensure they have competent data protection practices
Thank You
Questions/Comments? Email: [email protected]
Follow Me: Twitter @TheCyberHunters
Rate This Session #0797 with the PARTNERS Mobile App