Privacy Shield Approved, Self-Certifications to Begin Privacy Shield Approved, Self-Certifications to Begin

Privacy Shield Approved, Self-Certifications to Begin

This week, the European Commission formally approved the EU-U.S. Privacy Shield data transfer agreement. Privacy Shield will replace the Safe Harbor agreement, which provided a self-certification framework for EU-U.S. data transfers for more than a decade before it was invalidated by Europe’s highest court in October 2015 in the landmark Schrems decision. While there remain alternative legal mechanisms for data transfers, such as Model Contract Clauses or Binding Corporate Rules, the approval of Privacy Shield provides companies and organizations with a new and robust legal basis to legitimize data transfers from the EU to the U.S.

Also this week, the U.S. Department of Commerce announced that it will begin accepting Privacy Shield self-certification applications on August 1. Companies and organizations seeking self-certification may take immediate steps to prepare for this process, as discussed in further detail below.

Key Aspects of the New Privacy Shield

The self-certification process will require companies and organizations to commit to adherence to the Privacy Shield principles. This commitment requires companies and organizations to implement robust protections for personal data transferred from the EU, including, among other things:

  • Notice and Access. Provide notice to individuals regarding the types of data collected, the purposes for which data is collected, and their right to access their own data and limit its disclosure or use;
  • Opt-out Mechanism. Provide a mechanism for individuals to opt out if an organization plans to disclose personal data to a third party or use personal data for a purpose other than that for which it was collected;
  • Accountability for TransfersFor onward data transfers to third parties, develop policies to ensure that transferred personal data may only be processed in a manner consistent with the data subject’s consent and the Privacy Shield principles;
  • Privacy Policy. Disclose in the company’s privacy policy the organization’s commitment to comply with the Privacy Shield Principles; and
  • Data Security. Implement data security measures to protect against the loss or misuse of personal data.
The new Privacy Shield Framework also provides expanded redress mechanisms for individuals with complaints under the Privacy Shield framework, including:

  • Company-Provided Dispute Resolution. Companies will be required to respond to individual complaints within 45 days and make available at no cost to the individual an independent dispute resolution process;
  • DPA Investigations. Individuals may also submit complaints to EU data protection authorities (DPAs), and under certain circumstances, companies may be required to submit to the jurisdiction of the relevant DPA; and
  •  FTC Enforcement. Individual complaints may also be submitted or referred to the FTC for investigation and resolution, and enhanced FTC enforcement activity is expected under Privacy Shield.
What Your Company Can Do Now?

With the final approval of Privacy Shield, companies can evaluate the requirements of the new framework to determine how, and whether, to self-certify. Companies that elect to seek self-certification should take a number of steps, as outlined in a guide published this week by the U.S. Department of Commerce:

  • Confirm Eligibility. Generally, organizations that are subject to the jurisdiction of the FTC or the Department of Transportation are eligible for self-certification. 
  • Privacy Policy Compliance. A company’s privacy policy must be updated to comply with Privacy Shield principles, including reflecting information about your company’s information handling practices and the choices available to individuals with respect to the use and disclosure of their information.
  •  Independent Dispute Resolution Mechanism. Self-certifying companies must provide an independent dispute resolution mechanism for unresolved complaints at no cost to the relevant individual. This mechanism must be in place prior to self-certification and must be referenced in the company’s privacy policy.
  • Verification and Designated Contact. Self-certifying organizations must have procedures in place for verifying compliance with the Privacy Shield principles and must designate an organizational contact for handling complaints and other issues that arise under Privacy Shield. 
Ice Miller’s Data Security and Privacy practice can assist your company or organization with each step in this process.

Stay up-to-date on the latest developments of transatlantic data transfers with us. Ice Miller's Data Security and Privacy practice advises clients on international data transfers and international data protection compliance. Nick Merker, a former systems, network, and security engineer, is a co-chair of Ice Miller’s Data Security and Privacy Practice and speaks frequently on international data transfers in the United States and abroad. Merker can be reached at nicholas.merker@icemiller.com or (312) 726-2504. Eric McKeown, a former software developer, is a member of Ice Miller's Data Security and Privacy Practice. McKeown can be reached at eric.mckeown@icemiller.com or (317) 236-2124.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
View Full Site View Mobile Optimized