The Privacy Shield provides a means to transfer EU personal data in accordance with certain EU data privacy principles.
As of August 1, 2016, US companies may self-certify as a means of complying with EU data protection laws when transferring EU personal data from the EU to the US. (For background information on the EU-US Privacy Shield, see the March 2016 Blog Article.)
Companies should consider self-certifying to the Privacy Shield if they want to minimize their exposure to liability on many fronts, e.g., regulatory compliance with the EU Data Protection Directive and with federal and state laws, and the risk of data breach and regulatory compliance litigation. Additionally, by operating in accordance with these data privacy principles, companies build goodwill with their consumers and business partners.
Prior to self-certifying, companies need to engage in a self-assessment/audit to determine whether their current business practices meet the minimum standards set forth in the Privacy Shield framework. There will likely be some work involved for most companies to self-certify to the Privacy Shield, but it is certainly manageable when proper resources are allocated to address the self-certification requirements.
Although the following is not a complete list of every pre-certification logistical requirement, each of these steps is required to self-certify to the Privacy Shield.
First, companies will need to assess their external and internal privacy policies, and their EU personal data collection, processing, storage and transfer procedures. Each policy and procedure will need to be compliant with the 7 Privacy Shield Principles and, as applicable, the 16 Supplemental Privacy Shield Principles. A summary of these principles can be found at the US Department of Commerce.
Second, once this assessment/audit is complete, companies will likely need to update all of their privacy policies and procedures, as well as their contracts with their business partners. If companies self-certify to the Privacy Shield by September 30, 2016, they will be provided with a 9-month grace period to update their contracts with their business partners.
Third, the Privacy Shield requires companies to implement specific complaint and dispute policies and procedures, which include replying promptly to all complaints, identifying a point of contact person/officer for complaints, and providing an independent recourse resolution mechanism to EU consumers.
Fourth, companies are required to notify the public that they are self-certifying to the Privacy Shield. This includes publishing the Privacy Shield logo and the required self-certification language on their websites, and appointing a person who is responsible for compliance.
Self-Certifying to the Privacy Shield
Once companies complete their pre-certification assessment/audit, then they will be ready to certify to the Privacy Shield.
Self-certification to the Privacy Shield requires companies to submit a written application/certification to the US Department of Commerce. There is also a required fee to self-certify to the Privacy Shield; see the Federal Register notice of July 22, 2016, "Cost Recovery Fee Schedule for the EU-U.S. Privacy Shield Framework."
Additionally, companies must self-certify each year with the US Department of Commerce, which means self-certifying to the Privacy Shield is an ongoing process rather than a one-time event.
For guidance through the legal and regulatory compliance landmines of self-certifying, do not hesitate to contact Mark Ishman, a member of Gordon Rees' Privacy & Data Security Practice Group.