The Privacy Shield

Page 1: The Privacy Shield

#TDPARTNERS16 GEORGIA WORLD CONGRESS CENTER

Jay Irwin, JD, Director, Teradata Center for Enterprise Security

Nelson Mangaali, MS CISSP, Sr. Security Architect, Teradata Center for Enterprise Security

Page 2: Schrems v. Irish Data Protection Commissioner

• Max Schrems
  • Austrian citizen & Facebook user
  • Post-Snowden privacy concerns over his personal data
• Complaint rejected by Irish DPC
• Requested a Judicial Review from Irish High Court
• Case adjourned pending EU Court of Justice referral

Page 3: Schrems v. Irish Data Protection Commissioner

• Aug. 6, 2015 – Safe Harbor invalidated by EU Court of Justice (CJEU)
  • Insufficient legal remediation channels
  • Inadequate restrictions on government interference
  • Interferes with national authorities' ability to exercise data enforcement duties

Page 4: “The Privacy Shield”

• Safe Harbor self-certification replacement
• Intended framework for transatlantic data flows
• Aims to regulate handling of EU citizen data transferred to and/or stored by US firms
• Self-certification begins 08/2016

Page 5: EU – U.S. Privacy Shield Provisions

• Accountability concerns addressed
  • Codifies a more robust violation resolution process
  • Clarifies legal rights & obligations for businesses relying on transatlantic data transfers
• Creates Privacy Shield Ombudsman

Page 6: EU – U.S. Privacy Shield Provisions

• The Privacy Shield includes:
  • Provisions designed to ensure EU citizens consent to data processing and sharing
  • Ensures that third parties are validated before data can be shared with them
  • Makes mandated avenues available for dispute resolution
  • Adds strict breach notification requirements

Page 7: EU – U.S. Privacy Shield Critics

• Privacy International criticizes the weakness of controls against unlawful surveillance
• Max Schrems & EU Parliament member Jan Philipp Albrecht criticize the agreement
• Allows data sharing for broad and generic purposes, undermining a crucial privacy protection

Page 8: EU – U.S. Privacy Shield Proponents

• The US Department of Commerce & State Department strongly support Privacy Shield
• Private sector US tech firms support the agreement to root out regulatory uncertainty
• The law aims to restore trust in transatlantic data flows between EU & US

Page 9: Directive 95/46/EC

• Directive 95/46/EC, aka DPD or The Data Protection Directive
• Created in 1995 to regulate personal data processing within the EU
• Implemented in 1998
• DPD was a model for EU Member State local data protection legislation

Page 10: Directive 95/46/EC

• Member States implemented their own local regulations per DPD
• Member State local legislation differed significantly
• The deltas between Member State laws frustrated multinational firms subject to regulation in multiple jurisdictions

Page 11: General Data Protection Regulation

• GDPR draft first published by the EU Commission in 2012
• Intended to replace the Data Protection Directive of 1995
• DPD implementations differed greatly among EU Member States
• GDPR, as a regulation, intends to eliminate interstate discrepancies between local EU Member State laws

Page 12: General Data Protection Regulation

• December 2015: GDPR agreement achieved
• May 2016: GDPR officially adopted
• May 2018: GDPR compliance deadline

Page 13: General Data Protection Regulation

• Explicit individual consent is needed for data processing & collection
• Privacy-by-design
  • Data protection must be designed into a large variety of services
  • Opponents see this as overly broad
• Art. 37 requires Data Protection Officers be appointed
  • For organizations operating in EU Member States
  • For public authorities in EU Member States
• EU citizens have the right to get bad or incorrect data corrected or removed from databases

Page 14: Art. 32 – Security of Processing

GDPR suggests security actions that may be “appropriate to risk”:

• Pseudonymization & encryption of personal data.
• Ability to ensure ongoing confidentiality, integrity, availability & resilience of processing systems & services.
• Ability to restore availability & access to personal data in a timely manner in the event of a physical or technical incident.
• A process to regularly test, assess & evaluate the effectiveness of technical & organizational measures for ensuring data processing security.
• Controllers & processors adhering to an approved code of conduct or certification mechanism listed in Articles 40 & 42 may use them to demonstrate compliance.

Page 15: General Data Protection Regulation

• Art. 33: Supervisory Authority Notification Requirements for Personal Data Breaches
  • Data Controllers must notify the Supervisory Data Authority “without undue delay” (where feasible, within 72 hours)
  • Notifications made later than 72 hours must be accompanied by an explanation for the delay
  • Notification is not required if the breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • Data Processors must notify Data Controllers without undue delay
  • Data Controllers must document any personal data breaches, noting relevant facts
    • Likely breach effects
    • Remedial action(s) taken

Page 16: General Data Protection Regulation

• Art. 34: Data Subject Notification Requirements for Personal Data Breaches
  • Data Controllers must notify Data Subjects when a breach is likely to result in a high risk to the rights and freedoms of natural persons
  • Data Subject Notification must include a clear and plain-language explanation
    • Name and contact information for the DPO
    • Description of likely consequences
    • Description of measures taken, or proposed to be taken, to address the breach
  • Data Controllers must document any personal data breaches with relevant facts, including effects of the breach & any remedial action taken

Page 17: General Data Protection Regulation

• When is Data Subject Notification not required under Article 34?
• Data Subject Notification is not required in certain specific scenarios:
  • Data Controller has implemented protection measures on personal data that render the personal data unintelligible
  • Data Controller has taken measures to ensure that no high risk to the rights and freedoms of data subjects exists
  • Data Subject Notification would require disproportionate effort
    • Public notification is required for this exemption

Page 18: General Data Protection Regulation

• Penalties
  • GDPR violators may face severe fines
  • Fines for severe violations can be the greater of 4% of annual global turnover or €20 million
  • Less severe violators are subject to fines up to 2% of annual global turnover or €10 million
• Compensation to aggrieved parties
  • Data subjects can claim compensation for damages suffered
  • Data subjects can sue data controllers or processors

Page 19: General Data Protection Regulation

• Achieving GDPR Compliance
  • Know where personal data is stored & accessed in your environment
  • Plan for & execute regular risk assessments
  • Interrogate all third parties receiving personal data from your organization to ensure they have competent data protection practices

Page 20: Thank You

Questions/Comments: Email: [email protected]@teradata.com

Follow Me: Twitter @TheCyberHunters

Rate This Session # with the PARTNERS Mobile App

Remember To Share Your Virtual Passes

0797