Designed by the U.S. Department of Commerce, the European Commission and the Swiss Administration, the Privacy Shield certification program provides for compliance with data protection laws for the transfer of data from the EU and/or Switzerland to the United States. Organizations can choose to join either or both of the U.S.-EU or U.S.-Switzerland Privacy Shield programs.
Benefits of Privacy Shield Certification
Privacy Shield certification saves time and resources in complying with key privacy laws governing the transfer of data across the Atlantic. Although the Privacy Shield is not a GDPR compliance mechanism, organizations with Privacy Shield certification are, based on the European Commission’s and the Swiss government’s findings, deemed to provide the “adequate” privacy protection required for personal data transfers outside the EU and Switzerland.[1] This finding of “adequacy” binds all EU Member States. Therefore, when an organization is Privacy Shield-certified, any EU Member State’s requirement for prior approval of data transfers is waived or is automatically granted.[2] Additionally, data-receiving parties (such as vendors) with Privacy Shield certification are deemed to have adequate security. Significantly, a data-transferring party will thereby avoid the need to put in place burdensome security and processing agreements with a Privacy Shield-certified data-receiving party.
Steps to Obtain Privacy Shield Certification
Organizations must agree to the twenty-three Privacy Shield Principles (the Principles, full list here) and self-certify (self-certification application here) by taking the following steps:[3]
(a) The organization must be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), the Department of Transportation or another statutory body that will effectively ensure compliance with the Principles. The organization will be required to submit a self-certification application to the Department of Commerce and have a U.S. mailing address.
(b) The organization must publicly declare its commitment to comply with the Principles.
(c) The organization must develop privacy policies in line with the Principles before it submits its self-certification to the Department of Commerce. The policies must (i) be clear, concise and easy to understand; (ii) make specific references to the organization’s compliance with the Privacy Shield (except where an organization is self-certifying for the first time); (iii) identify the organization’s independent recourse mechanism to investigate complaints regarding the organization’s compliance with the Privacy Shield; and (iv) be publicly available.
(d) The organization must pay the required fee to the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) for the Privacy Shield (Annex I) binding arbitration mechanism.
(e) The organization must use a self-assessment or a third-party assessment program and set up a procedure for verifying compliance with the Privacy Shield framework.
(f) The organization must designate a contact for handling any questions, complaints and requests regarding the Privacy Shield.
(g) The organization should thoroughly review all information required to self-certify (accessible here).
(h) The organization must submit its self-certification to the Department of Commerce.
In addition to the ICDR-AAA fee, there is an annual fee based upon an organization’s annual revenue and on whether the organization joined one or both of the Privacy Shield frameworks (EU-U.S. or Swiss-U.S.).
Steps to Re-certify Under the Privacy Shield
Every year, organizations must affirm to the Department of Commerce their commitment to comply with the Principles as part of a re-certification process. This process can be completed via the same Privacy Shield framework website used for the initial self-certification (re-certification information is accessible here). So long as the organization retains EU data subjects’ information, the organization must continue to comply with the Principles.[4] If the organization no longer wants to comply with the Principles, it must return or delete the information or provide adequate protection for the information by another authorized means.[5]
Consequences of the Failure to Comply With the Privacy Shield Requirements
While joining the Privacy Shield program is voluntary, organizations that choose to participate are subject to compliance enforcement actions from the FTC or the U.S. Department of Transportation.[6] The FTC actively monitors and regulates U.S. companies that falsely represent Privacy Shield certification or allow their certifications to lapse. Just this past March, the FTC settled with Ortho-Clinical Diagnostics, Inc. — a medical diagnostics device maker; and T&M Protection Resources, LLC — a security and background check service; both held themselves out as certified, but had let their Privacy Shield certifications lapse. Each company was barred from making further Privacy Shield representations and from handling covered data until it updated its certification.[7] The FTC has the authority to levy up to $40,000 per Privacy Shield violation against companies that violate administrative orders arising from the FTC’s Privacy Shield enforcement actions.[8]
If you believe that your organization may need assistance in determining whether it would benefit from a Privacy Shield certification, please contact Harry Rubin, Kevin Moss, Samantha Ettari, Katherine Jeffery or Karolina Ebel.
[1] GDPR Art. 46.
[2] See https://www.privacyshield.gov/article?id=Benefits-of-Participation.
[3] See https://www.privacyshield.gov/article?id=OVERVIEW; https://www.privacyshield.gov/article?id=How-to-Join-Privacy-Shield-part-1; and https://www.privacyshield.gov/article?id=How-to-Join-Privacy-Shield-part-2.
[4] See https://www.privacyshield.gov/article?id=How-to-Re-certify-to-Privacy-Shield.
[5] See https://www.privacyshield.gov/article?id=OVERVIEW.
[6] See https://www.privacyshield.gov/article?id=How-to-Join-Privacy-Shield-part-1.
[7] Federal Trade Commission, Press Release, Medical Diagnostics Device Maker Settles Allegations that it Misled Consumers about its Participation in the EU-U.S. Privacy Shield, Mar. 30, 2020, www.ftc.gov; Federal Trade Commission, Press Release, FTC Gives Final Approval to Settlement with Background Services Provider over Allegations Related to Privacy Shield.
[8] See https://www.privacyshield.gov/article?id=Enforcement-of-Privacy-Shield.