Department of Commerce

As noted in our post yesterday, the text of the EU-U.S. Privacy Shield, the upcoming trans-Atlantic data-transfer framework between the EU and U.S. to replace the invalidated U.S.-EU Safe Harbor, has been released by the U.S. Department of Commerce.  Commerce’s release coincided with the release of a draft adequacy decision by the European Commission.

A number of the Privacy Shield principles, notably in enforcement, onward transfer, and regular review, are significantly more stringent than the Safe Harbor.  In light of these new obligations, among others, privacy professionals should carefully consider whether this data-transfer framework is right for their companies.

  1. Tougher and Binding Remedies and Enforcement

In addition to FTC enforcement under Section 5, the Principles encourage individuals to bring their complaints directly to the organization at issue, to which the signatory must respond within 45 days.  If the complaint is not resolved, the consumer may bring his or her complaint before an independent dispute resolution body.  The Principles allow signatories to utilize U.S.- or EU-based dispute resolution bodies, or a panel of EU member state data protection authorities (DPAs).

Today, the European Commission published the text of the new EU-U.S. Privacy Shield (see the Commission’s press release here), which consists of:

  • a draft adequacy decision;
  • the EU-U.S. Privacy Shield Framework Principles issued by the U.S. Department of Commerce; and
  • the official representations and commitments contained in separate letters from:
    • Secretary of Commerce Penny Pritzker (Annex I);
    • Secretary of State John Kerry (Annex III);
    • Federal Trade Commission Chairwoman Edith Ramirez (Annex IV);
    • Secretary of Transportation Anthony Foxx (Annex V);
    • General Counsel Robert Litt, Office of the Director of National Intelligence (Annex VI); and
    • Deputy Assistant Attorney General Bruce Swartz, U.S. Department of Justice (Annex VII).

In addition, the European Commission issued a Q&A, a Fact sheet, and a Communication titled “Transatlantic Data Flows: Restoring Trust through Strong Safeguards,” which presents the developments and the Commission’s findings since its critical 2013 Communication on the Functioning of the Safe Harbor.

On October 23, the Trans-Atlantic Business Dialogue held a briefing session on the EU-U.S. Safe Harbor Agreement.  Ted Dean, Deputy Assistant Secretary at the U.S. Department of Commerce, gave an update on the negotiations with the European Commission.  Following the Snowden revelations and a resolution of the European Parliament, the European Commission on November 17,

Executive Order 13,636 on Improving Critical Infrastructure Cybersecurity directs the National Institute of Standards and Technology (“NIST”) to develop a Cybersecurity Framework  of standards, methodologies, and processes for addressing cybersecurity risk.  It also charges the Department of Homeland Security with developing a Critical Infrastructure Cybersecurity Program to promote adoption of the Cybersecurity Framework by critical

As noted in our coverage of the inaugural Privacy Multistakeholder Meeting, NTIA promised to release meeting notes and the results of informal polls taken during the meeting.  This information is now available on NTIA’s website, and includes notes in document format and images of the flipcharts used during the meeting.

Additionally, NTIA has

Yesterday marked the inaugural Privacy Multistakeholder Meeting at the Department of Commerce, hosted by the National Telecommunications and Information Administration (“NTIA”).  The meeting brought together representatives of technology companies, advertisers, consumer groups, and other stakeholders for a discussion of mobile application transparency and the process for future discussions and meetings.  While the meeting did not bring consensus on either process or goals, it did engender considerable discussion between a large number of participants, both in person and through the online meeting tool.

Representatives from NTIA worked with an outside facilitator to solicit stakeholder views on 1) potential key elements of a mobile transparency policy and 2) methods that the group might employ to move the conversation forward in the future. The use of the facilitation process itself generated a considerable amount of debate, and substantive discussions were often interrupted by questions about or objections to the process.

By the end of the day, the participants had generated a substantial list of items to consider during future meetings and had informally “voted” to express whether they felt the item needed to be addressed early in the process.  John Verdi, Director of Privacy Initiatives, stated that the list of ideas and the results of the informal poll would be released next week.  Verdi also announced that NTIA would schedule an additional meeting in August, though no specific date was announced.

The Office of Information and Regulatory Affairs (OIRA) recently released a model Privacy Impact Assessment (PIA) that federal agencies must use before they employ third-party websites and applications to communicate with the public.  The new rules issued by OIRA, an arm of the White House’s Office of Management and Budget (OMB), build on rules the agency issued in June 2010.

In a speech this week at the U.S. Chamber of Commerce, White House Deputy Chief Technology Officer for Internet Policy Daniel Weitzner announced that the Administration will soon roll out a “privacy bill of rights,” which he described as a “broad, high-level statement of principles” that could be enforced by the FTC.  Weitzner emphasized