Aug 15 2016

Ten Reasons to Implement the EU-U.S. Privacy Shield

Privacy and Data Protection in Latin America

Hilary Wandall, General Counsel & Chief Data Governance Officer at TRUSTe summarizes the top 10 reasons to implement the new EU-U.S. Privacy Shield even if you’ve implemented or have been working on implementing Model Contractual Clauses (MCCs).

At TRUSTe, we have nearly 20 years of experience working with thousands of companies to assess their privacy practices, and with many others to verify their compliance with regulatory frameworks like APEC CBPR system and the former U.S.-EU Safe Harbor. This work has taught us that there are a number of legal, compliance and business benefits to implementing comprehensive privacy programs to manage international data transfers versus a transactional approach to transfers using MCCs. Below is a list of the top 10 reasons for organizations to self-certify their adherence to the EU-U.S. Privacy Shield:

  1. Speed – Unlike transfers on the basis of MCCs, transfers on the basis of Privacy Shield do not require prior authorization from or notification to 65% of EU data protection authorities, which can delay a project that relies on MCCs for data transfers by weeks to months.
  2. Less paperwork – While organizations must stand ready to demonstrate compliance with both Privacy Shield and MCCs, transfers on the basis of Privacy Shield do not require updates to and new signatures on contractual clauses each time a business process or data flow changes.
  3. Better recourse options – Instead of limiting individuals to bringing legal claims for breach of the MCCs, Privacy Shield provides individuals with opportunities to raise concerns directly with the certified organization, with independent dispute resolution providers, like TRUSTe, as well as new options, such as the independent arbitration panel and ombudsperson.
  4. Executive Support – Like its predecessor, Privacy Shield drives corporate sponsorship of privacy programs by requiring a corporate officer of the certifying organization to:
    1. annually sign a statement verifying the company’s self-assessment of compliance, if compliance verification is done in house; and
    2. sign a self-certification submission annually, subject to criminal enforcement under the U.S. False Statements Act for compliance misrepresentations, including a persistent failure to comply.
  5. Sustainability – Since it requires annual compliance verification and self-certification, Privacy Shield drives ongoing organizational engagement to demonstrate compliance better than MCCs that may be sitting in organizational filing cabinets once signed.
  6. Risk of existing MCC invalidation – Since the ECJ’s Schrems decision of 2015, the EU adequacy decisions regarding certain MCCs have been called into question. At the end of May 2016, the Irish Office of the Data Protection Commissioner applied to the Irish High Court for a referral to the ECJ to determine the legal status of data transfers under the MCCs. Privacy Shield certification mitigates the risk of data transfers based on existing MCCs being invalidated overnight like the U.S.-EU Safe Harbor.
  7. APEC CBPR Readiness – the governance and privacy principles necessary to comply with Privacy Shield are similar to the requirements for APEC CBPR certification. Organizations that operate in APEC member economies can leverage their Privacy Shield compliance to demonstrate readiness for APEC CBPR certification.
  8. EU BCR Readiness – the principles necessary to comply with Privacy Shield are similar to the data protection safeguards necessary for organizations seeking EU BCR approval. Organizations interested in EU BCR approval can leverage their Privacy Shield compliance as a starting point for their binding corporate rules, which will also require establishment of additional accountability, program governance and enforceability mechanisms.
  9. EU GDPR Readiness – the principles necessary to comply with Privacy Shield are similar to many of the data protection safeguards necessary for GDPR compliance. Organizations that operate or do business in the EU can leverage their Privacy Shield compliance as a starting point for the additional obligations they will have under GDPR, such as additional accountability and program governance, broader individual rights, privacy by design and default, PIAs and breach notification.
  10. Adequacy Readiness – in our policy and regulatory affairs work around the globe, we often hear “adequacy” referred to as the gold standard for privacy and data protection compliance. Since Privacy Shield is the first of the next generation adequacy frameworks determined to provide adequacy post-Schrems, we believe it provides organizations with the best readiness assessment currently available for future data transfer adequacy requirements, such as transparency regarding government access, accountability for onward transfers and broad mechanisms for individual recourse.

For more information about TRUSTe’s Privacy Shield solutions see here or call 1-888-878-7830.

Aug 03 2016

Benefit of Early Privacy Shield Adoption

On August 1, 2016 the U.S. Department of Commerce (DOC) started accepting self-certifications for compliance with the Privacy Shield Principles. A number of companies have already started the process to self-certify with the DOC to take advantage of the grace period offered to early adopters of the Principles to get contracts with third parties updated.

The grace period works like this – if a company self-certifies to Privacy Shield within the first two months of the DOC accepting certifications (August 1 – September 30), those companies will be given an additional nine (9) months to get their contracts with third parties updated to meet Privacy Shield requirements. So if a company certifies to Privacy Shield on September 1st, they have nine (9) months from that date to get their third party contracts updated. During that time, the Notice and Choice Principles apply to transfers to third parties. The grace period only applies to the Accountability for Onward Transfer Principle. The company needs to be in full compliance with the remaining Principles to self-certify.

Companies self-certifying Privacy Shield compliance with the DOC after September 30th will need to be in full compliance with all the Principles, including Accountability for Onward Transfer, and must be able to provide a copy of the privacy provisions in their contracts to the DOC upon request. This means a company must have all their ducks in a row (including updating contracts) before they self-certify.

For more information on TRUSTe’s Privacy Shield Solutions visit EU-U.S. Privacy Shield Solutions or call on 1-888-878-7830.

Aug 01 2016

Leading Chief Privacy Officer Hilary Wandall Joins TRUSTe


TRUSTe’s thrilled to announce that Hilary Wandall, Associate Vice President, Compliance and Chief Privacy Officer at the global pharmaceutical company, Merck & Co. Inc., has joined TRUSTe as General Counsel and Chief Data Governance Officer. In this role, Hilary will use her extensive global privacy knowledge and operational experience to help TRUSTe further expand their market leading privacy technology and service offerings. She will be a member of the TRUSTe Executive Team and also direct strategic legal, regulatory and privacy related initiatives to help TRUSTe scale its internal business operations.

In 22 years at Merck, Hilary served as Chief Privacy Officer for the past 12 years. During that time, she led the development and continuous improvement of a world-class privacy program supporting Merck’s ongoing global business development, including a worldwide corporate merger, while concurrently holding complementary roles as a corporate attorney and then as a compliance officer. She led Merck’s initiative to become the first health care company and second multinational to achieve APEC Cross Border Privacy Rules (CBPR) certification and the first company to achieve CBPR certification of its entire privacy program. Earlier this year, she completed a follow-on project for Merck to become the first company to demonstrate EU-APEC privacy interoperability in practice by obtaining EU Binding Corporate Rules (BCR) approval based on an existing APEC CBPR-certified program.

As Associate Vice President, Compliance and Chief Privacy Officer Hilary also developed and implemented a quantitative privacy risk management program integrated with a global automated privacy impact assessment and designed and led the global implementation of a novel comprehensive compliance program for the worldwide animal health business. Since 2014, Hilary has served on the Executive Committee of the Board of Directors of the International Association of Privacy Professionals, and in 2016 was elected Board Chairman.

Trevor Hughes, President and CEO of the International Association of Privacy Professionals (IAPP) recognized Hilary’s privacy experience, saying: “There are few people in the world who share such depth and breadth in the field of privacy. Hilary Wandall has brought innovation and leadership to the profession, and will undoubtedly continue her record of success going forward.”

Jules Polonetsky, CEO, Future of Privacy Forum said “Hilary is one of the most respected figures in the privacy community, as a leader in corporate compliance as well as a trusted advisor for policymakers and regulators. TRUSTe has really pulled off a coup in bringing her into a leadership role at the organization.”

Commenting on her new appointment, Hilary Wandall said:

“TRUSTe has been an exceptional partner in developing innovative solutions for bridging technology and policy to manage privacy effectively on a global scale. I am delighted to join the TRUSTe team at this pivotal time to help develop innovative solutions to address the increasingly complex legal, regulatory and data risk management challenges that privacy and data protection stakeholders are facing around the world.”

Hilary holds a Juris Doctor and a Master of Business Administration from Temple University, a Master of Bioethics from the University of Pennsylvania and a Bachelor of Science in Biology from Moravian College.


Jul 29 2016

APEC Cross Border Privacy Rules Advancing in Asia

Over the last three weeks, privacy-focused events in China, South Korea and Singapore have highlighted the growing momentum of APEC’s Cross Border Privacy Rules (CBPR) system in the region.

  • On June 29, China’s Ministry of Commerce, Foreign Ministry, General Administration of Customs and the China International Electronic Commerce Centre (CIECC) hosted the 6th APEC E-Commerce Business Alliance (ECBA) Forum in Jinjiang, Fujian province, China. The U.S. representatives to the ECBA are TRUSTe’s Director of Policy, Josh Harris, Markus Heyder, Vice-President of the Centre for Information Policy Leadership and Manuel Maisog, partner at Hunton & Williams, Beijing. In his keynote address, APEC Secretariat Executive Director Alan Bollard emphasized the regional economic benefits to the free flow of data and encouraged government officials in attendance to join the CBPR system. At the closing of the forum, the ECBA released the Jinjiang Proposal, as drafted by ECBA members, which encouraged all APEC economies to participate in the CBPR system.
  • On July 13, the Korea Internet and Security Agency (KISA) hosted the 5th International Conference on Information Security in Seoul, South Korea where TRUSTe Policy Director Josh Harris and Professor Choi Kyoung Jin of Gachon University discussed the potential implementation of the CBPR system in South Korea.
  • On July 18, the Centre for Information Policy Leadership along with the Asia Pacific Economic Cooperation hosted a joint workshop, “Enabling Legal Compliance and Cross-Border Data Transfers with the APEC Cross-Border Privacy Rules (CBPR)” in Singapore. CBPR-certified companies, including Apple, Cisco, HP and Merck along with TRUSTe joined Singapore’s Assistant Privacy Commissioner Zee Kin Yeong in discussing the advancement of the regional system.
  • Finally, on July 19, the International Association of Privacy Professionals hosted the IAPP Asia Privacy Forum 2016 in Singapore. Panel discussions included “Preparing for and Executing CBPRs”, moderated by Ken Chia, Principal, Baker & McKenzie. Panelists included Grace Guinto, Digital Trust Manager at PwC, Australia, Professor Hiroshi Miyashita, Chuo University and New Zealand Assistant Privacy Commissioner Blair Stewart.

The increased focus on CBPRs in Asia comes as Japan recently put forward JIPDEC as the country’s first ‘Accountability Agent’ under the CBPR system. Japan’s Ministry of Economy Trade and Industry has confirmed that CBPR-certification will serve as a basis for transfer of personal data out of Japan under the implementing guidelines for Japan’s recently-reformed privacy law. TRUSTe has been an APEC-endorsed Accountability Agent since 2013. More information on CBPRs can be found at


Jul 12 2016

TRUSTe Announces Comprehensive Set of Privacy Shield Solutions


Following formal adoption today of the EU-U.S. Privacy Shield, TRUSTe has announced a full set of solutions for companies to address the assessment, verification and dispute resolution requirements in the new framework. TRUSTe will help companies to review compliance with the new Privacy Shield principles for transfers of customer and HR data out of the EU, prior to self-certification with the Department of Commerce. Companies choosing to use TRUSTe technology for handling customer disputes will be entitled to display a new “Powered by TRUSTe – Privacy Feedback Button”.

The EU-U.S. Privacy Shield is the new international data transfer framework published in February to replace Safe Harbor. The new framework requires that companies meet stronger obligations to protect the personal data of Europeans and introduces stronger monitoring and enforcement by the US Department of Commerce (DOC) and the Federal Trade Commission (FTC). TRUSTe will amend its certification standards to reflect the changes. The Department of Commerce is expected to start accepting submissions to the program from August 1.

TRUSTe Solutions for EU-U.S. Privacy Shield

TRUSTe is offering three separate packages to support companies in assessing and verifying that their data protection practices are compliant with the Privacy Shield principles ahead of self-certification with the U.S. Department of Commerce. The Assessment Package and Verification Package can include customer data, HR/employee data or both.

In addition, TRUSTe provides a Dispute Resolution Package, which helps companies to efficiently manage privacy inquiries from customers, and addresses the dispute handling requirements of the EU-U.S. Privacy Shield Framework.

Companies that use TRUSTe technology and tools to manage privacy related questions or concerns will be entitled to display the new “Powered by TRUSTe Privacy Feedback Button” on their digital Privacy Policy page and links to a mechanism for consumers to submit questions or feedback.


The TRUSTe assessment and verification solutions for EU-U.S. Privacy Shield are managed by a team of privacy professionals using our proprietary assessment methodology and powered by TRUSTe Assessment Manager. This award-winning SaaS-based privacy technology platform provides interactive compliance reviews, centralized on-demand reporting and searchable audit trails.

For more information on TRUSTe’s EU-U.S. Privacy Shield solutions visit or call on 1-888-878-7830.



Jul 08 2016

Privacy Shield Close to Adoption following Endorsement from EU Member States


Today the EU-U.S. Privacy Shield cleared one of the final hurdles on the path to regulatory approval as representatives from EU Member States voted to support the new EU data transfer framework. The “Article 31” Committee is made up of representatives from the EU Member States and their endorsement is binding. The vote today was overwhelmingly positive with just Austria, Croatia, Slovenia, and Bulgaria abstaining.

This is the vital last step before formal adoption of the new international data transfer framework published in February to replace Safe Harbor. The EU-U.S. Privacy Shield framework is the product of two years of intensive negotiations and represents the commitment of the EU and the U.S. Government to securing the vital transatlantic data flows which are such an integral part of the information economy.

In a press statement this morning Vice-President Ansip and Commissioner Jourová from the European Commission said:

“Today Member States have given their strong support to the EU-U.S. Privacy Shield, the renewed safe framework for transatlantic data flows. Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice.”

Path to EU Regulatory Approval

Before Privacy Shield could be up and running a draft adequacy decision from the European Commission had to be approved by a European “comitology” procedure, which involved (i) insight from the Article 29 Working Party (formed of EU regulators), (ii) a binding opinion from the EU Member State representatives, and (iii) formal adoption of the adequacy decision by the EU College of Commissioners.

In April the Article 29 Working Party asked for clarification in a number of areas to address their ongoing concerns. Now according to Commission officials the revised draft includes a number of additional clarifications and improvements on U.S. mass surveillance powers, the role of the “ombudsperson” who will adjudicate complaints from EU citizens about their data, and the onward transfer of EU citizens’ data to other companies. The final text places the obligation on the third party to tell the company on the Privacy Shield register when they cannot offer sufficient protection to EU citizens’ data.

Formal Adoption expected by July 12

After today’s positive vote the final stage in the EU Regulatory approval process is formal adoption by the EU Commissioners which is expected to take place on Monday July 11 with an official announcement and copy of the final text on Tuesday, July 12. The Department of Commerce is expected to start accepting submissions to the program in August.

How TRUSTe can help

Once the EU-U.S. Privacy Shield is formally adopted TRUSTe will amend its certification standards to reflect the new framework and support companies in assessing and verifying that their data protection practices are compliant with the Privacy Shield principles and ready for self-certification with the U.S. Department of Commerce.

TRUSTe has a range of solutions to address both customer and HR / employee data transfer components of the EU-U.S. Privacy Shield. For more information on TRUSTe’s EU Data Transfer solutions visit or call on 1-888-878-7830.


Jun 29 2016

NEW! Summer/Fall Privacy Insight Webinar Series

As the privacy landscape gets increasingly complicated, you need constant access to key insights to stay on top.

The Summer / Fall schedule for the Privacy Insight Series is a set of six live webinars featuring renowned speakers, and cutting edge research, tips, and tools. This program will continue to provide the perfect opportunity to gain insights from leading privacy practitioners on the key trends impacting data privacy management in 2016 and beyond.

Each event is free to attend and will feature informative discussions, case studies and practical solutions to today’s tough privacy challenges.

Check out the Summer / Fall schedule below:

July 21

Validating Vendor Assessments: Preparing for Privacy Shield

With many global companies working with thousands of vendors to process HR and customer data, this webinar will tackle important questions such as:

  • How can they take a prioritized approach to risk management?
  • What are current best practices?
  • How can they ensure compliance with Privacy Shield within the projected timelines?

Register today >>


August 18

Brazil & Beyond: Privacy Trends in Latin America

Latin America is comprised of a multiplicity of languages, cultures and privacy laws. Given the absence of any omnibus regional law or EU-like set of directives, companies must assess their business models and data monetization strategies in the context of each country’s framework. Join this webinar to get:

  • A comprehensive overview of the evolution and general principles of the different LATAM privacy regulations for both customer and employee data
  • A focus on consent, duty of information, habeas data and the right to be forgotten as applied in the region

Register today >>


September 22

Changing Role of the CPO in Today’s Privacy Ecosystem

The Chief Privacy Officer is now center stage with responsibility for driving an important strategic agenda within the enterprise. Recent IAPP research claimed there would need to be 28,000 more Data Protection Officers in Europe to meet the new GDPR requirements. Join this webinar to get insight into the changing role of the CPO by examining questions such as:

  • What will this new role look like?
  • How will these new requirements impact the qualities, experience and responsibilities of the CPO within the enterprise?
  • What do you need to do to make sure you’re ready to be a CPO in the new privacy landscape?


October 20

Building a Privacy Governance Program

The proliferation of networked devices is bringing tremendous opportunity to business and consumers alike. Many organizations are struggling with where to start with securing their enterprise — so some don’t, or worse yet, take expensive action that has little impact. Join this webinar to learn how to:

  • Put security and privacy into the context of your operations – despite their natural tensions
  • Integrate them into an effective data protection program focused on trust, transparency and accountability
  • Examine case studies from two companies from very diverse sectors


November 17

DPIAs, PIAs, Understanding new EU Guidance on ‘Risky Processing’

Whether you call them Data Protection Impact Assessments or just PIAs, they are an indispensable way to gauge the potential impact of projects, systems, programs, products or services on the data an organization holds. Having a good understanding of what DPIA/PIAs are, how to implement them and who needs to be involved can be the key to embedding privacy in the heart of your organization. And of course they are now a requirement for certain types of processing under the GDPR. Join this webinar to:

  • Review PIA best practices
  • Review latest compliance guidance from the EU regulators
  • Provide a range of tips and tools to help streamline and embed the process in your organization


December 8

Metrics for Success: Quantifying the Value of the Privacy Function

As we look towards 2017 and the future of the privacy profession, being able to better quantify risk, level of effort and value to the organization will be essential to privacy’s ongoing upward trajectory. Join this webinar to:

  • Review current best practices
  • Provide takeaways and New Year’s resolutions for when you’re back at your desk


Jun 28 2016

Going for Olympic Gold: Data Practices in Latin America


Latin America is in the summer spotlight with the hosting of the International Olympic Games in Brazil and the 100th anniversary of the Copa América futbol tournament, making this a timely moment to take stock of where data privacy regimes stand in Latin America.

Powered by new education initiatives and increased investment in telecom network infrastructure, Internet usage in Latin America is burgeoning. Public-private partnerships, evolving finance laws, and an explosion in mobile broadband adoption have led to an environment in which, since 2008, Internet usage has more than doubled. Observers estimate that sixty percent of Latin Americans will have Internet access in 2016.

However, before an organization seeks to establish its presence in Latin America, it would do well to recognize that the vast region is not a monolith. On the contrary, the region is comprised of a multiplicity of languages, cultures and privacy laws. Given the absence of any omnibus regional law or EU-like set of directives, companies must assess their business models and data monetization strategies in the context of each country’s framework.


The July TRUSTe Client Advisory Note was prepared by Darren Abernethy J.D., CIPP/US, CIPM, Privacy Solutions Manager at TRUSTe, and provides an overview of some of the key privacy themes and differences across the region for enterprises considering their involvement in these developing markets.

Key themes and requirements covered in the Advisory include:

  • Data Protection Authority (DPA) registration requirements
  • Adequacy and cross-border data transfers
  • Recent DPA enforcement actions
  • Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules
  • Data security & data breach notification requirements
  • Appointment of a Data Protection Officer (DPO)
  • The “Right To Be Forgotten” (RTBF)

The Advisory also includes a list of key takeaways for companies seeking to comply with Latin American privacy requirements.

If you would like a copy of this latest Client Advisory Note then look out for your copy via e-mail today or contact TRUSTe at 1-888-878-7830.

