Privacy Shield was officially adopted by the European Commission in its adequacy decision of July 12, 2016. Privacy Shield provides a framework to which American companies may self-certify in order to receive personal data transferred from the European Union to the United States without relying on an additional transfer mechanism. Privacy Shield replaces the Safe Harbor Framework, which was invalidated by the Court of Justice of the European Union on October 6, 2015.
The Department of Commerce will start accepting self-certifications under Privacy Shield on August 1, 2016. To that end, the Department of Commerce has published a guide on how to prepare for self-certification. Essentially, the guide boils down to the following five steps:
Step 1: Jurisdiction
Verify that your organization is subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT); only organizations subject to one of these two authorities are eligible to self-certify.
· Contact the Privacy Shield Team at the Department of Commerce if you are unsure whether your organization falls under the jurisdiction of the FTC or the DOT.
Step 2: Recourse Mechanism
Choose your organization's independent recourse mechanism.
· Registration with the chosen mechanism is required before you apply for self-certification;
· You may choose between:
o an independent recourse mechanism in the private sector, such as BBB, TRUSTe, AAA, JAMS or DMA; or
o a commitment to cooperate and comply with the EU data protection authorities, for which an annual fee is required. This option is mandatory if human resources data will be transferred under Privacy Shield.
Step 3: Contact Person
Designate a contact person within your organization for privacy-related questions. The contact person is the first stop for an individual's complaint, before the individual turns to the independent recourse mechanism, and must respond to complaints from individuals within 45 days of receipt.
Step 4: Privacy Policy
Update (or draft) your privacy policy in accordance with the Privacy Shield Principles. Your privacy policy must (inter alia) include:
· A statement that you adhere to the Privacy Shield Principles, including a hyperlink to the Privacy Shield website: www.privacyshield.gov;
· A statement identifying your independent recourse mechanism, including a hyperlink to the (complaint submission form on the) website of that mechanism if the privacy policy is available online, together with the relevant contact details (see step 2);
· The contact details of your contact person (see step 3); and
· A clear, concise and easy-to-understand description of your organization's personal data handling practices and the choices your organization offers individuals with respect to the use and disclosure of their personal data.
Step 5: Verification mechanism
Update or implement a verification mechanism for verifying your organization's compliance with the Privacy Shield Principles. The verification may be performed by self-assessment or by a third-party (outside) compliance review; in either case the organization must be able to produce the verification statement on request.
The full guide as published by the Department of Commerce is available here.