GDPR Watchdog: US Privacy Shield does NOT comply with GDPR; the consequences are fines and a blacklist!
PRIVACY is not an easy “Self-Certify” check-out option from “Google’s App Store”
GDPR is a risk mitigation process with a strict focus on personal DATA, including the special categories (health, biometric, genetic, political, religious and similar data) that the regulation treats as sensitive; data about companies as such is outside its scope. The company has to look at each single piece of old and new data and decide what to do with it. The longer it decides to keep data, the bigger the privacy risk. Don’t forget that GDPR also applies to any print, photocopy or document in your filing cabinets, as long as it is part of a structured filing system. US Privacy Shield is a smokescreen that tries to circumvent EU data protection law, looking for an easy solution to the very complex matter of giving control of personal data back to its owner! While you are using personal data you must “PROTECT IT”, and you must subsequently “DELETE IT” when it no longer serves its original purpose, or when the “data subject” (the consumer) so requires!
DATA is the new gold. DATA has taken a form of its own, and BIG DATA is what runs everything sales and health related. GDPR is the gold standard for privacy and protection of personal data belonging to the “data subject”. That’s why DATA must be accounted for!
GDPR therefore is not just another task for the IT department (they will be happy for you just to increase their budget). This time it starts at Board Level and requires different processes and management oversight in each company. There is NO standard software program for GDPR, no matter what you see advertised. Processes have to be analysed and established to track personal and sensitive data, and only when the company has decided how to do it is the task passed on to the IT department. To be in compliance with GDPR you must be able to DEMONSTRATE how personal data is used or deleted (the accountability principle of Article 5(2)), you must apply “Privacy by Design” (Article 25), and you should use pseudonymisation, encryption or a similar system that separates the data from the “data subject” (the consumer), so that a leak of one store does not by itself identify anyone.
Under GDPR, EU data subjects have the right to ask how their data is used (Article 15). Remember that under the General Data Protection Regulation the personal data is no longer YOURS to do with as you please: the rights over it belong to the consumer, and it has to be accounted for. The “data subject” (consumer or patient) must give THEIR explicit consent for his/her private data to be collected and used, unless another lawful basis applies (a contract, a legal obligation or a documented legitimate interest, for example). And YOU have an obligation to demonstrate how it is used, which means you must keep records of processing (Article 30) and an audit trail of what was done with the data; an append-only, tamper-evident log is sufficient, and a blockchain is not required. You MUST also, upon request, delete the personal data and be able to demonstrate that it is deleted!
Under the EU General Data Protection Regulation, many organisations must appoint a DPO, a Data Protection Officer, to oversee how personal data is handled by the company. Article 37 makes the DPO mandatory for public authorities and for companies whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data; everyone else may appoint one voluntarily. The DPO must be independent: reporting to the highest management level, receiving no instructions on how to do the job, and not sitting inside the IT department. The DPO informs the board of any irregularities and advises on data breaches, which the company must report to the DPA (Data Protection Authority) within 72 hours of becoming aware of them (Article 33). The DPO works closely with your IT department and with the DPA in case of breaches to make sure the processes get back on track. You can consider the DPO your internal ombudsman. We all expect breaches to happen, but with the right processes in place you will be able to minimise risk and therefore avoid the potential high fines. The fines are currently set at up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher.
As DATA has now taken its own form and has become MONEY, like any other asset in your company you should be able to answer two simple questions: How much do I have? And where is it? That leads us to the final step of GDPR compliance: an ANNUAL AUDIT, just like the rest of your company’s bookkeeping. Through an ANNUAL AUDIT you demonstrate exactly how much you have, where it is and whether there were any breaches. If you can do that you can be certified (certification under Article 42 is voluntary, but it is a recognised way to demonstrate compliance) and get a GOLD TRUST SEAL, which means consumers will be able to trust you, driving more business your way. So GDPR is good for everyone!
“US Privacy Shield Certified” guarantees nothing to EU consumers. Currently this certification is NOT in compliance with GDPR and EU “data subjects’” rights!
So if you are one of the 2,400+ companies that signed up under the US Privacy Shield, you need to rethink that, or big fines are coming your way. GDPR Watchdog is empowering EU consumers: after May 25th 2018 we will start to help them get the requested information about how their personal data is handled by US companies, or by any other company worldwide. And if the above can’t be demonstrated, we will add YOUR company to our BLACKLIST! Every month we send a general list of BLACKLISTED companies to the DPA in Brussels for potential fines.
Civil society letter: Without reforms in US surveillance laws, the Privacy Shield must be suspended!
EU data protection groups: Fix Privacy Shield or face lawsuit: ‘Significant concerns’ over transatlantic data flow deal
European data protection agencies have told authorities to address their “significant concerns” about Privacy Shield, or risk having the deal tested in court.
The Privacy Shield agreement governs transatlantic data flows and is the product of a lengthy wrangle after the Safe Harbor agreement was ruled invalid in October 2015.
Like its predecessor, Privacy Shield has come under fire from privacy campaigners and the Article 29 Working Party (WP29) – the name the merry band of European Union data protection agencies take when working together.
In a bid to garner trust and demonstrate there is more oversight this time around, the European Commission and the US government pledged to review the new deal on an annual basis.
The first such review reported in October 2017, concluding that the deal provided an “adequate” level of protection for personal data. It saw the Commission praise even small achievements, while giving a much longer list of areas that needed improvement.
The WP29 has now released its own review of Privacy Shield, which isn’t quite so diplomatic: although the deal is better than Safe Harbor, the group says, there are still “significant concerns” to be addressed.
The group called on authorities to “restart discussions” and “immediately” develop an action plan to address the concerns, or it would be happy to ask national courts to refer it to the Court of Justice of the European Union, which struck Safe Harbor down.
Two of its top priorities are similar to those raised in the official review: filling the vacant posts on the Privacy and Civil Liberties Oversight Board and appointing a permanent ombudsman.
The EU data protection agencies also called for further explanation of the rules of procedure that support the operation of Privacy Shield, including by declassifying information.
This includes details of the exact powers of the ombudsperson mechanism, onward transfers of data and evidence that collection of data for national security purposes isn’t indiscriminate.
While the justice commissioner Věra Jourová has declined to set any deadlines, the WP29 says these concerns need to be resolved by May 25 2018 (for those who haven’t got that date burned into their brains, that’s when the General Data Protection Regulation starts to apply).
Further concerns must be addressed “at the latest at the second joint review”, which would be in September.
“In case no remedy is brought to the concerns of the WP29 in the given time frames,” the group continued, “the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.”
The group’s concerns fall into two main areas: the commercial aspects of the deal and the national security implications for EU citizens.
On the commercial side, the WP29 called for more guidance for companies, details on the handling of HR data and automated decision-making and clarity on available recourse for data subjects.
On the national security side, the group said that, although there is more transparency, there’s still room for improvement.
For instance, it said that it “regrets” that the report on Presidential Policy Directive 28 – which says surveillance activities need to safeguard personal information regardless of where the person resides – is still subject to Presidential privilege.
The group also suggested some improvements for US government to take into account as it battles to re-authorise the Foreign Intelligence Surveillance Act, which will expire at the end of the year.
“Instead of authorizing surveillance programs, section 702 [which allows US spies to search communications data] should provide for precise targeting, along with the use of the criteria such as that of “reasonable suspicion”, to determine whether an individual or a group should be a target of surveillance, subject to stricter scrutiny of individual targets by an independent authority ex-ante,” the EU data protection bods opined.
Below are some articles to help you understand the deeper problem between the US Privacy Shield and the GDPR, the EU’s General Data Protection Regulation!
The lack of consensus between regimes makes compliance tricky to navigate
For years, citizens and consumers across the world have cheerfully handed over vast amounts of personal information to business and state organisations. The flow, exchange and monetisation of data underpin much of the digital economy and have made tech companies some of the most valuable and powerful global businesses. But regulators are cracking down on how organisations store, process and share personal data, in an effort to hand back at least some control to ordinary people — and, in some cases, ensure the authorities can keep a close eye on citizens.
The challenge for multinationals is to navigate competing and often divergent regulatory regimes without incurring huge costs, whether in the form of compliance measures, or financial penalties if they are deemed to have broken the rules, or in reputational damage from a public rebuke by a state watchdog. “Some [businesses] have the perception they can be compliant with all the data privacy regulations around the world,” says David Zetoony, head of consumer protection at law firm Bryan Cave. “But full compliance is more myth than reality. The real question is what level of compliance you want to achieve.”
High on the business agenda is the General Data Protection Regulation, a new EU-wide regime that will introduce tougher rules on processing and storing personal data, as well as on obtaining customer consent. Crucially, GDPR, which applies from next May, will affect not just companies operating in the EU but any business outside it offering products and services to EU customers or monitoring their behaviour, including employers of EU workers. As such, the regulation has global reach. With fines of up to 4 per cent of global annual turnover for the most serious breaches (processing without a lawful basis, ignoring data subjects’ rights, unlawful transfers) and up to 2 per cent for failures such as inadequate security against hackers, penalties could pose a serious threat to a company’s ability to operate.
The advent of the new regulation has caught out many businesses, especially small and medium-sized enterprises not used to worrying about data protection even if they do business across borders. It has also highlighted how organisations of any size might struggle if they are faced with a patchwork of regulatory environments. Businesses could spend vast sums on trying to keep on the right side of every existing data protection regime, says Mr Zetoony, turning them into “compliance companies” rather than real businesses. “There is a spectrum and, like any other business decision, you have to weigh the pros and cons and make a decision based on risk.”
Because there is so much trade between the EU and the US, the two sides have implemented a system called Privacy Shield. More than 2,400 US companies, including Microsoft and Google, have signed up to this data-sharing agreement — by which they agree to adhere to EU data protection standards — allowing them to transfer anything from pictures to payslips across the Atlantic without breaching EU laws on personal privacy. Yet Privacy Shield is far from perfect. The deal was done in a hurry after the European Court of Justice struck down its predecessor, Safe Harbour, in 2015 following the Edward Snowden revelations about mass surveillance by the US National Security Agency. Those concerns have not gone away. Brussels has voiced concerns that the Trump administration has yet to appoint an independent ombudsman to deal directly with data complaints from EU citizens, amid fears that the US president will prioritise national security and American commercial interests over data privacy.
Privacy Shield already faces two legal challenges, from France and Ireland, where campaigners claim the pact does not adequately protect EU citizens from snoopers. The EU-US tensions stem partly from procedural differences. While GDPR bolsters already broad laws on personal data covering almost every sector, such overarching legislation does not exist in the US. “We do not have a comprehensive data protection law in the US — we have a common law tradition of enforcing privacy in different contexts, and a robust Federal Trade Commission that enforces company obligations,” says Kendall Burman, Washington DC-based cyber security and data privacy counsel at law firm Mayer Brown, and a former deputy general counsel in the US department of commerce.
“Different sectors have different data protection laws, and states have their own laws on collection and use of data.” EU and US regulators also focus on different issues. In the EU, much of the emphasis post-Snowden is on surveillance and how personal information is transferred beyond the bloc’s borders; in the US, cyber attacks and data leaks are the bigger concern. Ensuring that you satisfy regulators on both sides of the Atlantic is “not inexpensive”, says Mr Zetoony. The more regulators there are with their own regimes, the harder — and costlier — full compliance becomes.
In June, China introduced its first cyber security law, ostensibly another post-Snowden effort to protect its people from prying American eyes. For instance, it requires data relating to Chinese citizens or national security to be held on Chinese servers. Russia has a similar law stipulating that the personal data of Russians must be stored within the country. The autocratic nature of those two governments means the suspicion is that the regulations are in place to assist monitoring of citizens, rather than enshrine their data privacy.
Either way, such a hodgepodge of rules presents multinationals with a dilemma: to apply a one-size-fits-all policy to data protection and keep out of jurisdictions where this does not work, or take a segmented approach and keep data from specific regions in localised hubs, with all the infrastructure and expertise costs that this entails. “It is not ideal compared with having a universal approach, but because there isn’t an international consensus on [data protection], it’s a problem businesses are going to have to continue to address,” says Ms Burman.
GDPR Watchdog comment: “Privacy by Design” and separating the data from the “data subject” with encryption or pseudonymisation is a whole new way of thinking. Most lawyers and corporate cultures still don’t understand that personal data can no longer simply be used for profit: the rights over the data belong to the “data subjects”.
GDPR is the new international gold standard. It is a human right and in no way an impossible task; it just takes some time to prepare and adjust. GDPR was adopted two years ago (April 2016) with a compliance date of May 25th 2018. Companies had time; they are probably just not caring about the privacy of the consumers to whom they like to sell their products or services. Worse, large social media platforms like FACEBOOK (a potential massive lawsuit against Facebook is building here), which basically live from mining free BIG DATA and selling it to advertisers, need a wake-up call. It looks like everyone is just hoping consumers will not enforce their data protection rights. But that’s why GDPR Watchdog is here. Article 22 of the GDPR provides that “the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her”, and Article 17 gives the right to be FORGOTTEN!
EU Court Ruling May Signal Problems for Data Privacy Shield
A recent EU court opinion finding fault with a draft EU-Canada airline passenger data-sharing pact may cloud the future of the EU-U.S. Privacy Shield data transfer framework relied on by thousands of U.S. companies, privacy attorneys told Bloomberg BNA.
The Court of Justice of the European Union (CJEU) opinion on the draft passenger name record (PNR) agreement doesn’t directly apply to the Privacy Shield, which covers commercial data transfers. But it represents the first time the court has discussed conditions under which the EU may allow cross-border data transfers through treaties.
The July opinion may be a sign that the critical EU-U.S. cross-border data flow agreement used by Alphabet Inc.’s Google, Facebook Inc., Microsoft Corp., and thousands of other companies will have to be re-drafted, some attorneys said.
The Privacy Shield is used by nearly 2,400 U.S. companies that certify their compliance with EU-approved privacy principles to the U.S. Commerce Department in order to transfer personal data out of the EU more easily. Tens of thousands of EU companies rely on those certifications to send data to U.S. companies.
PNR data collected from airline passengers booking and checking in for flights is shared across borders with national security and law enforcement officials. The EU top court’s opinion advised the European Parliament to amend the draft pact with Canada so that it protected fundamental privacy rights better. The court said the draft pact didn’t provide sufficient protections for sensitive data, and gave insufficient notice to individuals about further data transfers beyond the initial recipient.
The PNR ruling follows the court’s invalidation of the U.S.-EU Safe Harbor data transfer agreement that the Privacy Shield replaced. The Privacy Shield is likely to face the same direct scrutiny, Robin Campbell, co-leader of the data privacy and cybersecurity group at Squire Patton Boggs LLP in Washington, told Bloomberg BNA.
Jorg Hladjk, European data protection of counsel at Jones Day LLP in Brussels, told Bloomberg BNA that although the rulings on the PNR pact and the Safe Harbor are “different animals” because of the national security and commercial differences in how the data are used, they both provide insight into how the court may analyze the Privacy Shield. The CJEU focused in both cases on overarching privacy principles of necessity, proportionality, and retention, he said.
Privacy regulations in the United States have nothing on those in the European Union (EU).
In fact, the newly minted General Data Protection Regulation (GDPR), which will take effect May 25, 2018, sets forth some of the most stringent privacy requirements in existence. The regulation unifies data protection within the EU and bolsters the rights of individuals.
Yet despite the focus being on consolidating the disparate data protection and privacy regulations of EU countries, the GDPR poses serious implications for US-based companies. The regulation imposes wide-reaching protection of the personal data of EU residents, which applies to the export of such data outside of the EU.
GDPR: The Genesis
Even before GDPR came into being, the European Parliament and Council had adopted, in 1995, the Data Protection Directive (95/46/EC), which created more uniform privacy rules among member states. Member states had until October 1998 to implement it; it set out protections for individuals regarding the use and processing of personal data, and rules on the free movement of that data.
However, a directive is not directly applicable law. Member states were charged with transposing the directive into their own national law, and as each country adopted its own version, the result was a patchwork of regulation that made it difficult to do business and meet every country’s data protection compliance requirements.
In 2009, EU groups renewed the discussion of data protection in a global economy, with countries once again considering how to protect data and privacy given the rise of information technology and cloud computing. At issue was the need for a consolidated, uniform framework addressing data and privacy, one that would close the loopholes that companies had exploited in order to circumvent the data privacy regulations.
One of the more notable changes that GDPR brings to data protection and privacy in the EU is Article 17: the right to erasure. Also known as the ‘right to be forgotten’, it places control of personal data with the individual. Individuals have the right to request that companies or entities holding their personal data delete all instances of that data. The law requires that companies comply with such requests “without undue delay” and have a process in place by which such requests can be fulfilled.
Importantly for US companies, GDPR defines personal data as any information relating to an identified or identifiable living individual. This may include personal health information, IP addresses, racial or ethnic origin, political opinions and religious beliefs, genetic and biometric data, photographs, even transaction histories.
While breach notification is required in all but two states, US businesses are ill-equipped for compliance with such a stringent regulation. The issues are myriad, and the fines for noncompliance are high: up to 4% of the global parent’s annual turnover or 20 million euros, whichever is higher.
What are the challenges for businesses?
- IT exposures: erasing every instance of an individual’s data can be difficult. Handwritten forms and records filed as ID numbers and not as names can make personal data harder to trace and remove.
- Resident status: GDPR protects the data of any person residing in the EU, even Americans living in an EU country. Regardless of where the data is being viewed or processed, GDPR applies. Companies selling products and services to EU-based customers must comply with GDPR.
- Purpose limitation: GDPR allows companies to use data only for the purposes for which it was collected (or for compatible purposes). This means companies will be required to conduct ongoing reviews of records and make determinations about what to do with each data set. In many instances, US companies may never have disclosed what the data would be used for, so notifying data subjects about how their data is being used will be a new process.
- Data transfer: Under the previous regime, transfer restrictions were enforced unevenly, and some businesses simply moved personal data to a country that doesn’t regulate it. GDPR closes that loophole: personal data stays protected when it is transferred outside the EU for whatever reason, and the transfer itself needs an adequacy decision, appropriate safeguards or a specific derogation.
- Data use/viewing: GDPR applies to data that is being viewed or used in an EU country, even if the country of origin is outside the EU. Such use is considered data transfer under the GDPR, and would fall under the purview of the regulation.
- Data Protection Officer (DPO): Many companies will be required to hire or name a DPO to oversee their GDPR compliance program and respond to related requests and complaints.
- Risk assessment: For processing likely to result in a high risk to individuals, businesses will be required to carry out a data protection impact assessment (Article 35). If the residual risk is still high, they must consult the supervisory authority before processing, and the authority may prohibit it.
While the regulation is clearly written to further protect individual data privacy, companies are not without some rights under GDPR; there are exceptions. The GDPR allows companies to maintain records and even refuse requests from individuals if processing the data is necessary to comply with certain legal obligations, if archiving the information is in the public interest, or if deleting the information would impede the right of freedom of expression and information.
Is Cyber Insurance Good Enough?
For those instances that are not exempt under GDPR, risk mitigation is a must. Currently, many cyber insurance policies offer some type of coverage for regulatory investigations and the penalties that follow them.
While most current cyber policies provide coverage for costs to comply with regulatory investigations as well as any associated fines and penalties, coverage may need to be clarified to confirm that the policy extends to investigations launched by any entity that has the authority to enforce GDPR compliance. Further, the definition of Personally Identifiable Information may need to be modified to affirm coverage for information concerning an individual that would be considered “personal data” or “sensitive personal data” within the meaning of GDPR.
The first step to remaining compliant is to understand what’s required under GDPR. The regulation requires a company outside the EU that offers goods or services to, or monitors, people in the EU to designate a representative in the EU (Article 27, with exemptions for occasional, low-risk processing). The company and its representative should also know which supervisory authority is competent in each country where the company does business.
Companies should also be building GDPR requirements into their incident response and business continuity plans. Any companies that haven’t started preparing for the GDPR may need to seek outside help to achieve compliance in order to meet the deadline.
One of the key changes companies can make to improve their compliance efforts is to change how data is handled. Simplify how personally identifiable information is housed: best practice is to keep personal data in as few places as possible, and to keep the direct identifiers separate from the rest, which makes it easier to comply with erasure requests and data security requirements, among others.
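The two ideas that keep recurring on this page, separating the data from the “data subject” and being able to demonstrate what was done with it, can be shown in a small model. The Python below is an added example written for this page; it is not GDPR Watchdog’s code nor that of any product or law firm mentioned here. The store layout, the field names, the purpose tags and the sample subject are constructed assumptions. Direct identifiers live only in a vault keyed by a random token; the attribute rows carry the token and a purpose tag; erasure removes the vault entry and every row whose purpose is not under a legal hold; and an append-only hash chain records each ingest, access and erasure so the sequence of events can be verified later.

```python
"""Pseudonymised store with an identity vault, purpose tags, erasure with a
legal-hold exception and a hash-chained audit log. Added example, not code
from the page's authors; layout, names and sample data are assumptions."""
import hashlib
import json
import secrets
from dataclasses import dataclass, field
from typing import Optional

GENESIS = "0" * 64


def _digest(payload: dict) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    raw = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


@dataclass
class PseudonymisedStore:
    vault: dict = field(default_factory=dict)    # token -> direct identifiers (only place)
    index: dict = field(default_factory=dict)    # e-mail -> token, to serve requests
    records: dict = field(default_factory=dict)  # token -> [{"purpose", "attrs"}], no identifiers
    ledger: list = field(default_factory=list)   # append-only hash chain of events

    def _log(self, event: str, token: str) -> None:
        prev = self.ledger[-1]["hash"] if self.ledger else GENESIS
        entry = {"seq": len(self.ledger), "event": event, "token": token, "prev": prev}
        entry["hash"] = _digest(entry)
        self.ledger.append(entry)

    def ingest(self, identity: dict, attrs: dict, purpose: str) -> str:
        """Identifiers go to the vault, attributes to records, tagged with a purpose."""
        email = identity["email"].lower()
        token = self.index.get(email)
        if token is None:
            # Random rather than derived from the identity: once the vault entry
            # is gone, nobody can recompute the token and re-link the rows.
            token = secrets.token_hex(16)
            self.vault[token] = dict(identity)
            self.index[email] = token
        self.records.setdefault(token, []).append({"purpose": purpose, "attrs": dict(attrs)})
        self._log("ingest:" + purpose, token)
        return token

    def subject_access(self, email: str) -> Optional[dict]:
        """Article 15-style export of everything currently linked to the person."""
        token = self.index.get(email.lower())
        if token is None:
            return None
        self._log("access", token)
        return {"identity": self.vault[token], "records": list(self.records.get(token, []))}

    def erase(self, email: str, legal_hold: frozenset = frozenset()) -> bool:
        """Article 17: drop the identity link and delete rows, except rows whose
        purpose is under a legal hold (e.g. invoices kept for tax law)."""
        token = self.index.pop(email.lower(), None)
        if token is None:
            return False
        del self.vault[token]
        self.records[token] = [r for r in self.records.get(token, []) if r["purpose"] in legal_hold]
        self._log("erase", token)
        return True

    def is_attributable(self, token: str) -> bool:
        return token in self.vault

    def verify_ledger(self) -> bool:
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = GENESIS
        for seq, entry in enumerate(self.ledger):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body.get("seq") != seq or body.get("prev") != prev or _digest(body) != entry.get("hash"):
                return False
            prev = entry["hash"]
        return True


def demo() -> dict:
    """Walk one constructed subject through ingest, access and erasure."""
    store = PseudonymisedStore()
    tok = store.ingest({"email": "Ada@example.org", "name": "Ada Example"},
                       {"plan": "pro", "country": "DE"}, purpose="billing")
    store.ingest({"email": "ada@example.org", "name": "Ada Example"},
                 {"last_login": "2018-05-01"}, purpose="security")
    before = store.subject_access("ada@example.org")
    erased = store.erase("ada@example.org", legal_hold=frozenset({"billing"}))
    return {
        "store": store,
        "token": tok,
        "records_before": len(before["records"]),
        "erased": erased,
        "after": store.subject_access("ada@example.org"),
        "attributable": store.is_attributable(tok),
        "kept_rows": len(store.records[tok]),
        "ledger_ok": store.verify_ledger(),
        "ledger_len": len(store.ledger),
    }


if __name__ == "__main__":
    print({k: v for k, v in demo().items() if k != "store"})
```

Two caveats a practitioner should keep in mind. Rows that survive erasure are only out of scope if their attributes cannot single the person out on their own; a rare combination of country, plan and timestamps can still be personal data, in which case those rows must go too. And the hash chain only proves that the log was not altered after the fact, which is what “demonstrate that it is deleted” needs; it says nothing about copies in backups or downstream processors, which need their own deletion path.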
As GDPR is enacted in 2018, US companies doing business within the EU will be facing challenging compliance requirements. In order to be reliably compliant with GDPR requirements, companies will need to make a significant shift in culture and awareness. Knowing what information is protected and devising storage and handling solutions that address all stored data can help prevent regulatory violations. With a comprehensive approach to compliance, US companies can continue to conduct business within the EU successfully.
This article is sponsored by:
Show your customers that you care about their privacy! European Center for GDPR Certification is the “Consumer Trust Body” of the General Data Protection Regulation. Visit GDPRcertified.org to read about how to add the “GDPR TRUST SEAL”™ to your website in order to gain more business and distance yourself from the not so serious businesses. It pays off!