As of February 1, 2020, the United Kingdom is no longer part of the European Union. However, under the terms of the final withdrawal agreement, EU law will remain in effect for the UK through the end of the calendar year. No change to your existing Privacy Shield statement will be required until this transition period ends. As the U.S. Department of Commerce guidance states, “the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action on the part of a participant required.”
On October 10, 2019 the California Attorney General released the long-awaited draft regulations under the California Consumer Protection Act (CCPA). CCPA goes into effect on January 1, 2020. The draft regulations interpret and clarify the CCPA. Among these clarifications are detailed descriptions of the requirements of the privacy notices that should be provided to California consumers.
Dozens of senior U.S. and EU government officials gathered at the National Press Club in Washington last week for the Privacy Shield annual review. They were joined by officials from data protection authorities in Austria, Bulgaria, France, Germany and Hungary to discuss whether the three-year-old framework is functioning as intended.
Compliance activities and casework conducted by BBB NP's EU Privacy Shield Program from August 1, 2018 through July 31, 2019.
Today, more than ever, companies large and small are conducting business all over the world, so it begs the question: what happens when businesses transfer personal data across borders? Here to help us understand how US companies safeguard their EU customers’ data is Frances Henderson, Director of Privacy Initiatives and Bryant Fry, Deputy Director of BBB EU Privacy Shield. Join us to hear more about this essential topic in-depth.
You may have heard that the United Kingdom is expected to exit the European Union soon in a process that many are calling “Brexit.” (For background, this article offers a no-frills Brexit explainer.) The Brexit process continues to be politically contentious, and, though the U.K. is scheduled to leave the EU on March 29, 2019, it is not yet certain whether or not this will happen by that date, either partially or fully.
Re-certification is the process by which you annually re-affirm to DOC your Privacy Shield self-certification. Your annual Privacy Shield re-certification is essentially a process of re-approval, much the same as the initial process of becoming approved under Privacy Shield. The required steps are almost identical to those you went through to secure initial approval of your Privacy Shield self-certification, including verifying that DOC has copies of your most up-to-date disclosures and policies. After submission, your account receives a thorough review by a Privacy Shield team member.
Data Privacy Day is an international effort to empower individuals to take ownership of their online presence and inspire businesses to respect privacy. To celebrate, we’re sharing tips companies and small businesses can use to help ensure that a website or online service complies with COPPA.
The report is a result of the Annual Review that was conducted by the United States government, the European Commission, and the EU data protection authorities in Brussels on October 18 and 19, 2018. The primary objectives of the joint review were to monitor the current U.S. administration’s work on, and industry’s compliance with, the Privacy Shield, and to influence the privacy discussion in the United States. The report’s findings were also influenced by surveys that the Commission sent to U.S. trade associations and advocacy groups.
by Cobun Keegan
The U.S. Federal Trade Commission has always taken very seriously any company’s statement about certification, membership, or participation in recognized privacy and security programs. For example, the Commission has cracked down on numerous companies over the years for making incorrect statements about their participation in APEC-CBPR and the Safe Harbor Frameworks. Privacy Shield is no different. Whether you have yet to complete the full self-certification process, are awaiting renewal after a lapse, or have withdrawn from Shield, you must be careful not to make false statements about your participation in the Frameworks. This week, four more companies found this out to their detriment.
Most data protection professionals would agree that the GDPR sets the global “gold-standard” for data protection and has forced companies across the globe to significantly update their data practices and ramp up their compliance programs. Many would likely dispute whether the CaCPA deserves to be placed at the same level, Honestly, it may be too early to tell. As the first U.S. attempt at a comprehensive data protection law, the CaCPA has the potential to become as consequential as the GDPR. After all, California is the fifth largest economy in the world, the home of many technology titans, and traditionally a trend-setting state for data protection and privacy in the U.S.
by Cobun Keegan
Processing of personal data takes many forms. At times, the entire point of the service that a business provides requires the business to process its customers’ personal data. If someone orders a pair of shoes online, the business must receive and process the person’s physical address in order to complete the delivery. Thus, for the purpose of order fulfillment, the collection and processing (and perhaps even sharing with shipping providers) of the person’s physical address is necessary. Perhaps in a soft sense of “consent,” such a transaction involves the consent of the consumer.
Companies that updated their privacy policies to give U.S. consumers some protections under the European Union’s new regime may have to deal with data security regulators on both sides of the Atlantic.
by Cobun Keegan
As of May 25, 2018, the EU’s General Data Protection Regulation (GDPR) is in full force. Over the past few months, we have seen companies around the world ramping up their data privacy efforts to meet the requirements of this important regulation. In the United States these efforts are often coupled with curiosity about how GDPR relates to the EU-US Privacy Shield agreement. From companies that already participate in Privacy Shield to those that are looking to add participation as part of their compliance efforts, many have questions about how Privacy Shield relates to their GDPR compliance obligations.
Check out this informative interview with Isabelle Roccia, Commercial Specialist at the U.S. Mission to the European Union located in Belgium, who recently was a panelist on our webinar "Countdown to EU Compliance: Tips to Navigate the GDPR"
by Bryant Fry
The first full year of the new Privacy Shield Frameworks was a success for the BBB EU Privacy Shield (BBB EUPS) program, its participants, and EU consumers alike. Reflecting on the progress we have made, and looking forward to the future, we have collected some of the significant developments and accomplishments in this year-in-review blog post.
From the Hunton & Williams Blog - U.S. Department of Commerce Posts Update of Actions to Support the Privacy Shield Frameworks
On March 26, 2018, the U.S. Department of Commerce posted an update on the actions it has taken between January 2017 and March 2018 to support the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”). The update details measures taken in support of commercial and national security issues relating to the Privacy Shield.
Small business owners know they are at risk for cyberattacks, but they are somewhat at a loss as to what to do. That’s one of the findings of a new report from the Better Business Bureau, The State of Small Business Cybersecurity in North America. One of the more troubling findings is that half of small businesses reported they could remain profitable for only one month if they lost essential data.
“Profitability is the ultimate test of risk,” said Bill Fanelli, CISSP, chief security officer for the Council of Better Business Bureaus and one of the authors of the report. “It’s alarming to think that half of small businesses could be at that much risk just a short time after a cybersecurity incident.”
On March 26, 2018, the Centre for Information Policy Leadership at Hunton & Williams LLP and AvePoint released its second Global GDPR Readiness Report (the “Report”), detailing the results of a joint global survey launched in July 2017 concerning organizational preparedness for implementing the EU General Data Protection Regulation (“GDPR”). The Report tracks the GDPR implementation efforts of over 235 multinational organizations, and builds on the findings of the first Global GDPR Readiness Report by providing insights on key changes in readiness levels from 2016 to 2017.
by Bryant Fry
On September 18, 2017, the European Commission (“Commission”) and U.S. Department of Commerce (“Department”) kicked off their first annual joint review of the EU-U.S. Privacy Shield Framework (“Privacy Shield”) about one year after its launch in July 2016. To aid in the review, the Department invited representatives of two independent recourse mechanisms, including CBBB Vice President and BBB EU Privacy Shield Director Frances J. Henderson, to speak about their experiences and those of their participating companies during the first year of the Privacy Shield.
Determining an organization’s applicability under the General Data Protection Regulation is a complex topic, and many are left a bit confused while researching applicability under the monumental regulation. Oftentimes, there’s conflicting information as to whether it applies to a specific organization. The expansive coverage of the GDPR by itself can intimidating, but, by breaking down the fundamentals into smaller, more manageable sections, we can start making better decisions on its applicability and craft a compliance framework based on a solid foundation.
The new General Data Protection Regulation (GDPR), put forth by the European Commission in 2012 and finally generally agreed upon by the European Parliament and Council in December 2016, is set to replace the Data Protection Directive 95/46/ec. Although many companies have already adopted privacy processes and procedures consistent with the Directive, the GDPR contains a number of new protections for EU data subjects and threatens significant fines and penalties for non-compliant data controllers and processors once it comes into force in the spring of 2018. In this 10-part series, the IAPP Westin Research Center outlines specific provisions of the regulation.