Privacy Shield Overview

EU-U.S. Privacy Shield Program Overview

The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. On July 12, the European Commission deemed the Privacy Shield Framework adequate to enable data transfers under EU law (see the adequacy determination).

The Privacy Shield program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organizations to join the Privacy Shield Framework in order to benefit from the adequacy determination. To join the Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield Framework is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All organizations interested in joining the Privacy Shield Framework should review its requirements in their entirety. To assist in that effort, Commerce’s Privacy Shield Team has compiled resources and addressed frequently asked questions below.

Resources
Key New Requirements for Participating Organizations

How to Join the Privacy Shield

Privacy Policy FAQs

    Frequently Asked Questions

    Q. Why should an organization that previously participated in the Safe Harbor program self-certify to the Privacy Shield?

    • The Privacy Shield provides a number of important benefits to U.S.-based organizations, as well as their partners in the EU. These include:
    • The Privacy Shield Framework was deemed adequate by the European Commission, meaning it is a recognized mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
    • Participating organizations are deemed to provide “adequate” privacy protection, a requirement for the transfer of personal data outside of the European Union under the EU Data Protection Directive.
    • Compliance requirements of the Privacy Shield Framework are clearly laid out and can be implemented by small and medium-sized enterprises.
    • The U.S.-EU Safe Harbor Framework is no longer legally recognized as adequate under EU law for transferring personal data from the European Union to the United States. 

    Q. How will an organization’s participation in the U.S.-EU Safe Harbor Framework be affected by it joining the EU-U.S. Privacy Shield Framework? 

    • An organization that joins the EU-U.S. Privacy Shield Framework will be automatically withdrawn from the U.S.-EU Safe Harbor Framework.
    • Upon finalizing an organization's certification to the Privacy Shield, the Privacy Shield team will also adjust the organization's Safe Harbor record so that the "certified through" date displayed in the record reflects the date of certification to the Privacy Shield.
    • In anticipation of automatic withdrawal from Safe Harbor, an organization certifying to the Privacy Shield should remove the affirmative commitment to the U.S.-EU Safe Harbor Framework from its privacy policy.
    • Please note that an organization's participation in the U.S.-Swiss Safe Harbor Framework will not be affected by joining the EU-U.S. Privacy Shield Framework. Such organizations should maintain an affirmative commitment to the U.S.-Swiss Safe Harbor Framework in relevant privacy policies unless they choose to withdraw from the U.S.-Swiss Safe Harbor Framework and notify the Department of Commerce of their withdrawal.

    Q. What information will an organization be required to provide to the Department of Commerce in the online self-certification process?

    • The information that an organization must provide during the self-certification process is outlined here.
    • Organizations interested in self-certifying are encouraged to review and compile this information prior to initiating the online certification process.

    Q. What URL must be included in an organization’s privacy policy to meet the Framework requirement to link to the Privacy Shield website?

    Q. What are the certification and notice requirements for entities or subsidiaries of the organization also adhering to the Privacy Shield Principles?

    • Each organization will be asked during the self-certification process to identify all U.S. entities or subsidiaries of the organization also adhering to the Privacy Shield Principles and covered under the organization’s self-certification.
    • The organization can either 1) list the entities and subsidiaries by name or, 2) if an individual could readily understand the subsidiaries’ connection to the organization due to the use of a shared brand name as part of the entities’ names, the organization may indicate “all U.S. subsidiaries using brand name [X],” excluding particular entities if applicable.
    • Per the Notice Principle, organizations must also inform individuals about the entities or subsidiaries also adhering to the Principles.

    Q. How will acceptance of certifications be rolled out?

    • The Department of Commerce recognizes that it is critical to enable certifications as soon as possible to address the uncertainty that organizations on both sides of the Atlantic have faced. Given that need, acceptance of certifications will be available immediately August 1 to any eligible company.
    • Certification processing times will vary depending on the completeness of the original self-certification and the number of self-certifications received in particular during the initial roll-out.  The Privacy Shield team will provide updates on expected processing times periodically to assist companies in their planning. 

    Q. What is the initial timeframe for bringing existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle?

    • The Privacy Principles apply immediately upon certification.  Recognizing that the Principles will impact commercial relationships with third parties, the Framework allows organizations that submit their self-certification to the Department of Commerce within the first two months (between August 1 and September 30, 2016) up to nine months from the date upon which they certify to bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle.
    • During that interim period, where organizations transfer data to a third party, they must (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles.

    Q. How much will it cost to self-certify to the Privacy Shield?

    • ITA is implementing a cost recovery program fee to support the operation of the EU-U.S. Privacy Shield Framework, which will require that U.S. organizations pay an annual fee to ITA in order to participate in the Privacy Shield. 
    • The cost recovery program will support the administration and supervision of the Privacy Shield program and support the provision of Privacy Shield-related services, including education and outreach.
    • The fee will be tiered based on the organization’s annual revenue. 

    Fee Schedule:
    EU-U.S. Privacy Shield Framework Cost Recovery Program

    Organization’s Annual Revenue          Annual Fee
    $0 to $5 million                        $250
    Over $5 million to $25 million          $650
    Over $25 million to $500 million        $1,000
    Over $500 million to $5 billion         $2,500
    Over $5 billion                         $3,250

    Furthermore, the Framework requires that the Department of Commerce facilitate the establishment of a fund, into which Privacy Shield organizations will be required to pay an annual contribution, which will cover arbitral costs as described in Annex I to the Principles. Organizations will have additional direct costs associated with participating in the Privacy Shield. For example, Privacy Shield organizations must provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual. Providers of such services set their own fees.

    • As indicated in the Framework, within 6 months from the adoption of the adequacy decision, the Department of Commerce and the European Commission will agree to adopt an existing, well-established set of U.S. arbitral procedures.
    • The contribution that Privacy Shield organizations are required to pay to cover arbitral costs will be based in part on the size of the organization and will be set within this period.
    • All participants in the Privacy Shield will be notified of the fee, which each participant will be required to pay to remain in the Privacy Shield program.
    • While the fee has not yet been established, we expect it to be no more than the fee that organizations pay to ITA to participate in the Privacy Shield program.