Jan 23 2017

Doing Business with Argentina Just got Easier


Latin America Privacy Regimes: Nations at a Glance

Last summer TRUSTe hosted its Privacy Risk Summit, which included a session on doing business in Latin America, and also issued a client advisory on the data protection laws of Latin America, available here. The note included information on the privacy frameworks of several different countries, including Argentina.

As a review, Argentina employs a hybrid approach to its data protection framework, meaning that it combines constitutional protection with expansive data protection regulations. Its data protection law, which was passed in 2000, provides general protection for personal data stored in public or private databases and other processing platforms, just as Chapter VII of the Federal Constitution recognizes individuals’ habeas data rights to access and correct information stored about them. These protections and others contributed to Argentina being deemed by the EU to provide a level of protection “essentially equivalent” to the EU.

At the end of 2016, the Argentina Data Protection Agency (DPA) released a new regulation governing international personal data transfers: DIRECCIÓN NACIONAL DE PROTECCIÓN DE DATOS PERSONALES Disposición 60 – E/2016. This new regulation includes model forms for international data transfers to data controllers and/or data processors. While model forms fashioned after EU standard contractual clauses were provided, controllers may still use other forms if submitted to the DPA for approval.

The Regulation also lists the following “adequate” countries (those that have an adequate level of data protection) for cross-border data transfers:

Article 3 Translation:

“Member States of the EUROPEAN UNION and members of the European Economic Area (EEA), SWISS CONFEDERATION, GUERNSEY, JERSEY, ISLE OF MAN, FAROE ISLANDS, CANADA only for its private sector, PRINCIPAL OF ANDORRA, NEW ZEALAND, URUGUAY and STATE OF ISRAEL only with respect to data that is received by automated means. This list will be periodically reviewed by this National Directorate, publishing the list and its updates on their official website.” Whereas countries such as the United States and Mexico do not appear this list, they may petition for adequacy.

This new Regulation should make doing business with Argentina easier for global corporations. It aligns with EU regulations, making it familiar to businesses already meeting EU requirements. Moreover, if organizations use the models provided by the Regulation, they can more efficiently operate within the data privacy confines of Argentine law.

If you have any questions about conducting cross-border data transfers in Latin America, including Argentina, please contact us.

Jan 19 2017

Korea Next to Join Cross Border Privacy Rule (CBPR) System



The CBPR system continues to build momentum in the Asia Pacific region, with S. Korea becoming the latest APEC economy to submit their Intent to Participate. This follows on the heels of Taiwan’s announcement to follow suit later this year.

Korea offers significant market opportunity for American exporters. Korea’s participation in the APEC CBPR System will promote digital trade, benefit companies in the United States and around the region, and drive uptake of higher privacy standards for consumers in the Asia-Pacific, said Acting Assistant Secretary for Industry and Analysis, Ted Dean in response to this week’s announcement.

On Monday, an APEC-sponsored readiness survey, showed that more than 57% of APEC members planned to join or are considering joining the system, including The Philippines, Australia, Hong Kong, China, Russia, Singapore and Viet Nam.

In addition to the submission by S. Korea and the announcement from Taiwan, current members include the United States, Mexico, Canada and Japan. The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. Participating in the APEC system offers benefits to companies because it allows transfer of personal data across borders, while mitigating risk by raising privacy standards. TRUSTe was named the first Accountability Agent for the system in June 2013. Learn more about obtaining a TRUSTe CBPR certification here.


Jan 18 2017

ePrivacy (EU Cookie) Directive Update

Screen Shot 2017-01-17 at 10.13.58 AM

On January 10, 2017, the European Commission released a proposed Regulation on Privacy and Electronic Communications (the “ePrivacy Regulation”) to replace the ePrivacy Directive (the “EU Cookie Directive”) to better align with the newly adopted EU General Data Protection Regulation and its Digital Single Market Strategy.

Over the past 18 months, the European Commision reviewed the ePrivacy Directive by conducting evaluations, consultations, and an impact assessment. The results informed the proposed Regulation.

TRUSTe has followed enforcement of the ePrivacy Directive (“EU Cookie Directive”) in both rounds of compliance inspections. As noted in this advisory, one of the big changes in the proposed Regulation will be more severe non-compliance fines and penalties than seen in the past. TRUSTe will continue to provide updates as this proposed Regulation goes through the EU legislative process.

The January 2017 TRUSTe Client Advisory Note was prepared by Josh Harris, Director International Regulatory Affairs, TRUSTe; and, by Joanne Furtsch, CIPP/US, Director of Policy & Data Governance, TRUSTe. It provides an overview of the proposed ePrivacy Regulation including: key changes between the existing Directive and the proposed Regulation; practical implications of the proposed Regulation, and timing. The Advisory also includes a list of key takeaways to help your company decide its next steps.

If you would like a copy of this latest Client Advisory Note then look out for your copy via e-mail today or contact TRUSTe at 1-888-878-7830.



Jan 17 2017

#ChatSTC Twitter Chat: Being #PrivacyAware is Good for Business


Data Privacy Day aims to educate and empower individuals and businesses to respect privacy, safeguard data, and enable trust. TED-style talks and interviews will highlight the latest privacy issues for consumers and businesses. This year TRUSTe will be participating in a Twitter chat about how to boost business by respecting consumer data privacy. Join us on Wednesday, Jan. 25, 3 p.m. EST/noon PST.

Topic: Consumers are paying closer attention to the value of their personal information and how to manage their privacy. To build trust, businesses must address customers’ preferences, needs and concerns about privacy by being transparent about their collection, use and protection of consumer data and providing easy-to-use privacy and security tools. This #ChatSTC Twitter chat will help you understand how privacy is good for business and the steps your organization can take to respect privacy, safeguard data and enable trust.



Better Business Bureau Enterprise (@BBB_Enterprise)

ConnectSafely (@ConnectSafely)

CyberWise (@BeCyberwise)

Federal Trade Commission (@FTC)

Future of Privacy Forum (@futureofprivacy)

Get Cyber Safe (@GetCyberSafe)

Higher Education Information Security Council (@HEISCouncil)

iKeepSafe (@iKeepSafe)

Level 3 Now (@Level3Now)

PCI Security Standards Council (@PCISSC)

Privacy Rights Clearinghouse (@PrivacyToday)

Securing the Human (@SecureTheHuman)


Women in Security and Privacy (@wisporg)

Data Privacy Day (@DataPrivacyDay)

National Cyber Security Alliance (@StaySafeOnline)

Additional guests TBD

How to Attend: If you have a Twitter account, sign in. If not, create one here. Enter #ChatSTC in the search box to find the chat.

Jan 13 2017

Meet the Leading Players in the Privacy Ecosystem: Sabina Jausovec-Salinas, Rackspace US

Over a hundred organizations are responsible for shaping the future of data privacy. In this continued series we’ll profile some of the organizations that are helping to shape the massive privacy ecosystem through the eyes of the professionals that work there and learn more about their perspectives on privacy.



What is your organization’s role in the privacy ecosystem?

Rackspace helps businesses tap the power of hosting and cloud computing without the complexity and cost of managing it on their own. As a cloud computing and service company, Rackspace values the trust our customers place in our services.

Our role in the privacy ecosystem is to provide our customers with multi-cloud deployment options (public, private and hybrid cloud, and dedicated hosting) and to offer various security solutions and services to allow our customers to configure and deploy controls that can address their security and privacy compliance challenges.

Rackspace services are provided in a manner that gives our customers flexibility over how they configure, secure and deploy their hosted solution based on their unique requirements.

What key goals/issues is your organization focused on tackling?

Everything we have built at Rackspace has had service as its bedrock, so our primary goal is providing support and services that help our customers achieve their business goals. We serve customers in more than 120 countries and are committed to helping our customers protect the security and privacy of information stored or transferred when using our services.

In addition to providing multi-cloud deployment options, we also offer Rackspace Managed Security services for improved cyber security. Rackspace Managed Security services have been crafted to address the core challenges businesses face in keeping their cloud environments secure and compliant. These services enable our customers to proactively address threats to information security and implement monitoring and security controls to protect their data.

How have your organization’s goals/focus changed over the years to address evolving technologies or challenges?

Dangerous and sophisticated attacks are a daily challenge for security and privacy teams everywhere. This is the new normal. Rackspace is continuously improving its product and service portfolio to serve its customers’ workloads where they fit best and to address the new realities of evolving technologies and challenges that come with it, such as security threats and cyber-attacks.

Rackspace engineers deliver specialized expertise, easy-to-use tools, and Fanatical Support® for leading technologies including AWS, VMware, Microsoft, OpenStack and others, be it in Rackspace, customers’ or third-party data centers.

Rackspace provides solutions and services that help our customers in their own privacy compliance efforts. Rackspace Managed Security services include Cyber Security Operations Center services to help our customer effectively manage business risk by detecting and responding to security threats. This service adopts a proactive approach to detecting anomalous activity on customers’ networks and allowing our customers to respond quickly and effectively to malicious activity when it is detected.

How do you think the Privacy Ecosystem will/needs to evolve over the next 3-5 years to be fit for purpose?

In today’s digital economy, connectivity and the flow of information are becoming global. With the rapid development of information technology, modern ideas about privacy have changed. Digital technologies, like cloud computing and the Internet of Things, now have a direct impact on how we collect, access, use and protect information. Additionally, cross-border data flows are critical to the success of companies, as well as individual consumers who benefit from services that are delivered globally.

This globalization of business and social connectivity has caused the privacy landscape to grow in scope and complexity, and it’s brought about new challenges for regulators, companies and privacy professionals. Companies must understand and continuously adapt to new technologies and individual country-specific privacy laws. Companies, regulators and privacy professionals will therefore need to work closer together to establish interoperable privacy frameworks to enable businesses to grow on a global level, while ensuring privacy rights of individuals are protected.

Tell us about your role at Rackspace.

As an in-house advertising and privacy counsel, I launched the Rackspace privacy program and manage multiple facets of the program. This includes, developing and implementing privacy policies, procedures and practices, providing subject matter expertise to other members of the legal team, training employees on privacy related matters, supporting Rackspace’s customer and supplier contract negotiations to address privacy implications, managing Safe Harbor/Privacy Shield and APEC CBPRs assessments and certifications, and providing guidance to the business on other privacy and data protection related matters.

How did you start working in the privacy field and why do you enjoy it?

I started working in the privacy field when I first joined Rackspace in the UK in 2008. Privacy issues can be fascinating and multifaceted. For companies with a global presence, managing privacy compliance has become increasingly complex and challenging. And this is the reason why I enjoy working in the privacy field. The way we think about privacy today is not only important for us as individuals. It is also important for businesses that collect and use personal information. Privacy professionals in today’s world have a huge responsibility and an opportunity to influence the way personal data is handled and the way privacy rights are respected. We can help drive product and service development with privacy in mind.

What do you wish more [people, business, etc.] knew about privacy?

There is a notion that storing personal data in the cloud will diminish its privacy. This myth is mainly due to a lack of understanding of the cloud. How you utilize the cloud matters when it comes to privacy and security of your data. When it comes to the use of cloud services, one size does not fit all. The best solution is often a multi-cloud approach – different clouds for different applications, workloads, and data. Adequate assessment and planning can help businesses make smart cloud decisions and select a reputable cloud provider and the right cloud deployment model. This can enable better data privacy, security and control in the cloud.

Privacy Ecosystem Map small

To learn about other unique privacy insights from privacy leaders, check out the profiles listed at the end of this blog post: Privacy Ecosystem Series.

Jan 12 2017

Just Released: TRUSTe & EDAA Research Report

TRUSTe & EDAA Research Report: European industry self-regulatory programme delivers favourable impression and increased trust.

Recently conducted research shows an icon (edaa) aimed at providing greater transparency and control over online behavioural advertising (OBA), commonly referred to as interest-based advertising, is improving consumer attitudes towards OBA and growing in awareness.

edaa shorter image

View entire image.

The research shows the importance and effectiveness of the industry-led program that empowers consumers to exercise meaningful choice with respect to online behavioural advertising. This consumer-friendly alternative to ad-blockers is helping companies demonstrate their commitment to privacy and supporting the growth of the digital advertising market.

Highlights from the report include:

  • In 14 of the 15 European countries, at least 1 in 4 surveyed said they have clicked on it.
  • Awareness of the Icon with Admarker text increased from last year, on average 6 percentage points to 27%.
  • 44% say they are more favourable towards the concept of OBA when presented with information provided by clicking on the icon and having the opportunity to manage their privacy preferences.
  • More than 1 in 5 in every country surveyed said this makes them trust the brand being advertised more.

The European Advertising Consumer Research Report 2016 delivers a broad view of attitudes and awareness of the European Self-Regulatory Programme for Online Behavioural Advertising across 15 European countries surveyed. The study was conducted by Ipsos MORI, on behalf of TRUSTe and the EDAA from 04 – 20 November 2016 with more than 15,000 participants.


Jan 10 2017

January Event Spotlight: Data Inventory & Meeting GDPR Compliance; Data Privacy Day


Best Practices to Create a Data Inventory and Meet GDPR Compliance

January 24 @ 9:00 am – 10:00 am PST

Online Webinar

Where’s your data? Understanding the data flows and data policies and procedures across the Company is the foundation of any privacy and data governance program and essential for GDPR compliance. This new regulatory requirement is forcing many companies to finally tackle this exercise head-on. Not sure where to start?

Our webinar speakers will:

  • Share their experiences in creating data inventories for a range of enterprises
  • Provide tips and templates to help set you up for success
  • Review how the data inventory can be used by different teams including privacy, infosec, IT and risk and compliance.
  • Show the creation of simple data flow maps that can be easily maintained across the organization

Join this webinar to help you understand the tools, resources and methodology companies are using to establish a baseline of data assets and obligations and get on the fast track to GDPR compliance. Speakers include: Ray Everett, Principal Consultant (US), TRUSTe, Veronika Tonry, President, Privacy KnowHow, former Global Privacy Manager at Chevon and Applied Materials and Guy Sereff, Corporate Counsel, Level 3 Communications.

> Register here


#ChatSTC Twitter Chat: Being #PrivacyAware is Good for Business

January 25 @ 12:00 pm – 1:00 pm PST

Online Twitter Chat

Consumers are paying closer attention to the value of their personal information and how to manage their privacy. To build trust, businesses must address customers’ preferences, needs and concerns about privacy by being transparent about their collection, use and protection of consumer data and providing easy to use privacy and security tools. This #ChatSTC Twitter chat will help you understand how privacy is good for business and the steps your organization can take to respect privacy, safeguard data and enable trust.


Guests: Better Business Bureau Enterprise (@BBB_Enterprise), ConnectSafely (@ConnectSafely), CyberWise (@BeCyberwise), Federal Trade Commission (@FTC), Future of Privacy Forum (@futureofprivacy), Get Cyber Safe (@GetCyberSafe), Higher Education Information Security Council (@HEISCouncil), iKeepSafe (@iKeepSafe), Level 3 Now (@Level3Now), PCI Security Standards Council (@PCISSC), Privacy Rights Clearinghouse (@PrivacyToday), Securing the Human (@SecureTheHuman), TRUSTe (@TRUSTe), Women in Security and Privacy (@wisporg), Data Privacy Day (@DataPrivacyDay), National Cyber Security Alliance (@StaySafeOnline), additional guests TBD

> Use #ChatSTC to join


Data Privacy Day

January 28 (other events scheduled)

Respecting Privacy, Safeguarding Data and Enabling Trust is the theme for Data Privacy Day (DPD), an international effort held annually on January 28 to create awareness about the importance of privacy and protecting personal information. Use #PrivacyAware to join the fun.

Live from Twitter HQ: Data Privacy Day Event 2017 will take place on January 26th at Twitter HQ. Join the National Cyber Security Alliance to watch exciting TED-style talks, segments and interviews focusing on the latest privacy issues for consumers and business. The event will be available online for the world to watch on Livestream, Periscope and Facebook Live.

> Register to watch live here


Jan 05 2017

EU General Data Protection Regulation (GDPR) Series; Implement – Data Mapping Analysis


For organizations that operate globally, complying with the EU GDPR will likely require significant investment in personnel, process change, and new tools.  In order to meet the compliance deadline, companies are actively preparing now. TRUSTe has developed a four phase process to help guide you on the path to compliance.  During November, December, and January we will provide you with a series of tips to use along your path to compliance.

See Tip No. 4: Build Consensus for GDPR Compliance by executing an awareness campaign 

TIP NO. 5: Uncover Risk by Conducting a Comprehensive Data Mapping Analysis 

To ensure you have uncovered all of the risks and appropriately prioritized your plan, you must have a solid understanding of your organization’s complete data lifecycle.

The process to document this lifecycle is referred to as a data flow analysis or data mapping.

Data mapping will require that you talk to your teammates who know where data is at each of these stages across the enterprise and with third parties:

  • collection
  • storage
  • usage
  • transfer
  • processing
  • disposal

The IAPP / TRUSTe benchmarking study “Preparing for the GDPR: DPOs, PIAs, and Data Mapping” found that many organizations face similar barriers to completing a data inventory and mapping project for privacy purposes:

  • lack of internal resources / staff: 58%
  • it’s a low priority for the organization: 48%
  • too busy; focused on other projects: 32%
  • these projects are done by others: 30%
  • lack of budget for external consultants or suppliers: 30%
  • it cannot be maintained so no reason to start: 12%
  • don’t know: 10%

Don’t let these reasons stop your organization from uncovering risk. If you need help with conducting comprehensive data mapping, TRUSTe offers Data Inventory and Mapping solutions. Contact us for more information.

Older posts «