RadarFirst Blog

Layering Compliance: Where GDPR, Privacy Shield, and NISD Meet

Thoughts from last week’s Privacy. Security. Risk. event presented by IAPP Privacy Academy and CSA Congress.

This past week I had the privilege of joining colleagues in the privacy field at the Privacy. Security. Risk. (PSR) conference in San Jose. To anyone looking for an opportunity to learn from the best in our field, connect with fellow privacy professionals, and engage in the top privacy issues of today, I recommend attending this annual conference.

IAPP PSR 2016 Trends

Some common themes presented themselves at the conference, emerging from conversations with fellow conference-goers and in discussions spurred by the session topics. The most popular session topics by far were related to: 

  • General Data Protection Regulation (GDPR)
  • EU-US Privacy Shield Framework
  • Network and Information Security Directive (NISD)

All three have far-reaching implications for domestic U.S. businesses with customers abroad, U.S.-headquartered multinationals, and E.U. companies that export data from the Eurozone. Below are some thoughts around three recent developments in privacy law, informed by my time attending sessions at PSR.

Definitions

General Data Protection Regulation (GDPR): A regulation from the European Commission intended to strengthen and unify data protection for individuals within the EU and to address the export of personal data outside of the EU. The GDPR was approved April 2016 and will take effect May 2018.

EU-US Privacy Shield: A framework for transatlantic exchanges of personal data for commercial purposes between the EU and the United States. This framework is intended to make it easier for US companies to receive personal data from member states of the EU under EU privacy laws.

Network and Information Security Directive (NISD): A directive adopted by the European Parliament in July 2016; it will require Member States to pass data protection laws by May 2018.

GDPR: Old News or Increasingly Relevant?

In a session featuring well-informed speakers from Bloomberg Law, Baker & McKenzie, Perkins Coie and Fieldfisher entitled “Tips for US Companies in the Age of the GDPR and Privacy Shield,” members of the panel opined that the enactment of GDPR will not impose a uniform regime, but that local variations will persist based upon individual member state data protection laws. The exact manner in which the GDPR will preempt or supplement local data protection laws remains to be seen, particularly in light of the NISD.

The GDPR has been an important driver of widespread changes in privacy compliance practices in the US as well. The GDPR will impose penalties for noncompliance at a scale large enough to cause even the largest companies to take notice. Because GDPR applies to all personal data from the EU, there is board-level concern at many enterprises that do not even view themselves as “international.”

This interest drove high attendance at all GDPR-themed sessions, as well as sessions about Privacy Shield, which is one of few compliance paths for companies lacking the time or resources to go through the massive pre-approval of internal corporate rules known as Binding Corporate Rules.

The session also asked the question “what about Brexit?” This question was highlighted by a humorous animation of a cat (thank you, Phil Lee, CIPM, CIPP/E, Partner, Fieldfisher) pawing at the door, changing his mind, coming back inside, walking back out, etc.

There is no crystal ball that can tell us the political and legislative moves that the UK or EU will make, but there was widespread belief that the UK will either find a way to implement the GDPR anyway, or enact substantially similar obligations the EU would consider adequate. Phil Lee is one of my favorite sources for information and counsel regarding developments in EU privacy law. His firm, Fieldfisher, essentially wrote the book for CIPP/E certification.

Perhaps the largest driver behind developments in EU law is the revelation by Edward Snowden of surveillance by US law enforcement agencies of EU-US data transfers. This in turn influenced Max Schrems of Austria to challenge the adequacy of the former EU-US Safe Harbor framework and now, standard contractual clauses. Don Aplin, Managing Editor for Privacy and Data Security News at Bloomberg Law, added his perspective as well, from the standpoint of a worldwide legal news and information organization.

Regarding international cooperation, one member of the panel, Todd Hinnen, Partner, Privacy and Security at Perkins Coie, pointed out that despite the EU’s claims that it should be able to examine the US’s specific domestic surveillance practices, the EU federal government actually does not have the right to examine the internal surveillance practices of its own Member States. 

Compliance strategies were discussed, as in many sessions, and the consensus from both EU privacy attorneys and administrators of the Privacy Shield program is that privacy compliance needs to become part of a company’s ‘DNA’. Unlike many sets of laws, the principles of the law as it relates to privacy are set forth in the enacting legislation. The GDPR, the current EU Data Privacy Directive, and Privacy Shield all set forth very similar principles. These principles (i.e., Choice, Notice, Accountability, etc.) are not specific guidance, but they provide enforcement agencies with a way of dealing with noncompliant parties who attempt to hide behind the letter of the law, who exploit ambiguity, or who are noncompliant in internal practice.

If privacy is part of your company’s DNA now, you will be better equipped to comply with the GDPR, Privacy Shield, and NISD.

Integrated privacy principles are a good way to guard against the aforementioned risks, and include such practices as “privacy by design” and “privacy by default.”

For instance, when developing software at RADAR, we ask every developer and employee to put themselves in the shoes of the individual people we serve and to ask constantly whether we are being appropriately cognizant of their rights in the design of our products and in our practices and policies.

In another session entitled “Cybersecurity Law and the GDPR Together: A Perfect Regulatory Storm,” attendees were cautioned to resist the appeal of procrastination. Consider the timeline suggested by the panel:

  • 2016 - 2017 should be spent in establishing your privacy and compliance teams, processes, and buttoning up risk. Define responsibilities, outline your strategy, secure budget and implement the technologies/services/training you’ve identified as needed.
  • 2018, or really the few months leading up to GDPR’s enactment, is not the time to begin assessing your incident response process. To be ahead of the curve, you should consider this time best spent on deployment and rigorous testing of the carefully thought-out process you’ve already put in place.

Privacy Shield: Certifications and Remaining Questions

The prevalence of certification with the EU-US Privacy Shield framework does not mean that all aspects have been revealed. Nuances within the framework and how it will be upheld remain a topic of interest.

For instance, in a session titled “All You Need to Know About the EU-US Privacy Shield Agreement,” with FTC Commissioner Maureen Ohlhausen and WilmerHale Partner D. Reed Freeman, the importance of intent with the data and transparency in how the data will be used was discussed, indicating that the FTC has a higher standard of review for unexpected secondary uses of data. This guidance dovetails with the FTC’s existing mandate to regulate unfair and deceptive trade practices, and the idea that the letter of the law or agreement should not defeat the principle for which the law or agreement was written. Ms. Ohlhausen also reiterated that privacy practices should become part of the ‘DNA’ of companies.

Given that the certification process with the Privacy Shield recently opened and early adopters are now certifying with the framework, this topic was big at the conference. In a session with members of the US Department of Commerce entitled “So We Have Privacy Shield: Now What?” it was shared that, as of last week, 200 companies have officially certified under Privacy Shield, 300 are under review now and 400 have begun the process of submitting information for consideration.

NISD: Another Layer to Consider When it Comes to Data Transfer in the EU

The Network and Information Security Directive was an emerging topic as attendees at the conference were unpacking the work ahead in preparation for the GDPR’s effective date, and I imagine questions around this topic will continue in the months and years to come.

First, for those concerned about the deadline attached to NISD in relation to GDPR, here’s a bit of good news: as a directive, not a regulation, NISD requires member states to introduce legislation by May 2018, but that legislation will not be expected to be in effect by that date.

This directive is designed to work in conjunction with data protection regulations such as GDPR, and given how close its timing is to the GDPR effective date, many at the conference were beginning to question how these two elements may impact one another. Each member state will be required to pass new data protection laws, and each member state could have unique variations under the overall directive of GDPR, creating potential complexity in multi-jurisdictional data breach incidents.

Privacy, Security, and Technology - Working Together Toward Compliance

Overall, this conference (and the opening keynote speaker Gerhard Eschelbeck, Privacy and Security Officer of Google) reinforced for me the idea that security and privacy concerns are becoming more common and integrated – for all industries, and across borders.

Looking around the conference sessions, this was especially evident when taking note of the camera covers, screen blockers and microphone covers in the room – we are a very secure, privacy-conscious group, and I hope we all spread the word of caution and compliance in our respective organizations as PSR attendees return to work and begin to implement the new knowledge gathered.

In that vein, I find myself excited about continuing to explore how technology – when thoughtfully put to use – might help alleviate security and privacy concerns, help individuals in these roles, and help companies meaningfully comply while continuing to innovate and operate efficiently.

Already looking forward to next year’s event.
