Overview of the EU – U.S. Privacy Shield Framework

Privacy Shield Framework

The EU – U.S. Privacy Shield Framework was designed in conjunction with the U.S. Department of Commerce and the European Commission to give European and U.S. companies engaged in transatlantic commerce a mechanism for complying with EU data protection requirements when transferring personal data from the European Union to the U.S.

U.S.-based organizations interested in joining the Privacy Shield Framework will be required to self-certify to the Department of Commerce; applications open for eligible organizations on August 1st.

Self-Certification Process

An organization must confirm participation in Privacy Shield on an annual basis. Any organization under the jurisdiction of the U.S. Federal Trade Commission (FTC) or Department of Transportation (DOT) may participate. In order to self-certify, organizations must do the following:

  1. Develop a Privacy Shield Privacy Policy Statement: This policy statement must conform to the Privacy Shield Principles, which include 7 primary and 16 supplemental principles. The Privacy Shield Policy itself must also state explicitly that the organization complies with Privacy Shield.
  2. Provide an accurate, publicly available location for its Privacy Policy at the time of certification: The organization must include the location of its Privacy Policy, either as a hyperlink to the Privacy Shield website or as a physical address where it can be reviewed by the public.
  3. Identify the organization’s independent recourse mechanism available to investigate unresolved complaints: The recourse mechanism must be registered where required and must be in place prior to self-certification. A private sector dispute program can be used as the independent recourse mechanism. It must be available at no cost to the individual.
    1. Organizations can instead choose to cooperate with the EU data protection authorities (DPAs), but then the DPAs must be adhered to with respect to all data.
    2. If the organization’s self-certification will cover human resource data (for example, personal information about current and former employees), then the organization must comply with the EU DPAs with respect to such data.
  4. Ensure the organization’s verification process is in place: The organization can use a self-certification program or a third-party assessment program.
  5. Designate an individual within the organization who is responsible for addressing questions, complaints, access requests, and other issues that may arise: This individual can be a corporate officer or another official within the organization, and they must respond to all requests within 45 days of receiving a complaint.

As a whole, Privacy Shield imposes more obligations with regard to data protection and privacy than the Safe Harbor framework did. Because of these heightened standards, organizations that intend to certify should review their existing policies and procedures, specifically those regarding notice, choice, access, onward transfers, and recourse, to ensure that they fit within the Framework.

Does your organization need assistance aligning your policies and procedures with the Privacy Shield Framework, or assistance assessing your compliance with it? Contact the professionals at A-LIGN for immediate assistance at [email protected] or 1-888-702-5446.