On August 1, 2016, the United States Department of Commerce launched the EU-U.S. Privacy Shield self-certification process on its Privacy Shield Website. More than 115 U.S. companies have already self-certified. The Privacy Shield was designed to provide U.S. and European companies with a mechanism to comply with EU data protection requirements for cross-border transfers of personal data in the wake of the invalidation of the previously-used U.S.-EU Safe Harbor Framework.
As with the prior Safe Harbor Framework, U.S. companies that self-certify under the Privacy Shield are identified on Department of Commerce’s website as “active” participants in the program. To avail itself to the benefits of the Privacy Shield, a company must self-certify annually that it agrees to adhere to additional new Privacy Shield requirements, which expand the protection previously provided by Safe Harbor with respect to long-standing EU data protection principles of notice, choice, accountability for onward transfers, security, data integrity and purpose limitation, access, recourse, enforcement and liability. Organizations that self-certify under the new Privacy Shield will need to revise their policies and practices to ensure compliance with the new framework.
The Department of Commerce instructs organizations wishing to self-certify under the Privacy Shield to focus on completing the following five steps:
- Confirm your organization’s eligibility to participate in the Privacy Shield. Any U.S. organization regulated by the Federal Trade Commission (FTC) or the Department of Transportation (DOT) may participate in the Privacy Shield.
- Identify your organization’s independent recourse mechanism. This mechanism should be in place to investigate unresolved complaints at no cost to the individual. Under the Privacy Shield, organizations must respond to individuals within 45 days of receiving a complaint.
- Ensure that your organization’s verification mechanism is in place. To meet this requirement, an organization may either conduct self-assessment or use a third-party assessment program.
- Designate a contact within your organization regarding Privacy Shield. This contact must be available to handle complaints, questions, and access requests. This contact can be either the corporate officer who is certifying the organization’s compliance with the Privacy Shield or another corporate official, such as a Chief Privacy Office/
The Department of Commerce’s full guidance on how to join Privacy Shield can be found here.