May 28, 2023

Volume XIII, Number 148



U.S. Companies and EU-U.S. Privacy Shield Certification Process

Eligible U.S.-based companies of all sizes with access to personal information of European Union (EU) citizens can now certify under the EU-U.S. Privacy Shield. Certification is voluntary and provides some significant efficiencies and protections. However, even companies that opt not to certify will remain subject to the EU’s data protection regulations and should consider adopting the Privacy Shield’s principles and guidelines as best practices.

What is the Privacy Shield?

As we reported earlier this year, the Privacy Shield Data-Transfer Pact is a framework governing data transfers between the EU and U.S., and replaces the U.S.-EU Safe Harbor. It embodies seven core principles: notice; data integrity and purpose limitation; choice; security; access; recourse, enforcement and liability; and accountability of onward transfers. While the Privacy Shield has similarities to the Safe Harbor, it differs in key ways, including:

  • Stronger remedies and enforcement provisions

  • A more well-defined certification process through the U.S. Department of Commerce

  • Restrictions on U.S. government access to EU citizens’ data

  • Changes to notice and choice obligations

The Privacy Shield also contains specific onward transfer restrictions related to EU citizens’ data, which is relevant to many companies that do not directly conduct business with EU citizens but that partner with companies that do.

Deciding whether or not to certify under the Privacy Shield is a significant choice for any company and requires weighing the benefits against the disadvantages.

What is involved in certifying?

After determining your eligibility and deciding whether your company should opt to certify, the process of certification under the Privacy Shield requires several steps of varying complexity:

  • Update your company’s privacy policy statement. Bringing your statement into compliance with the Privacy Shield is more complicated than it sounds, as it requires a review of current internal practices to ensure that the representations made in the privacy policy match actual practices.

  • Identify your company’s independent recourse mechanism. Each company certifying under the Privacy Shield must provide a cost-free mechanism for investigating and resolving individuals’ complaints, which must be in place prior to certification.

  • Put in place a protocol for verifying compliance with the Privacy Shield, and designate a contact for any inquiries regarding your company’s privacy policy statement and the Privacy Shield.

  • Submit your certification to the U.S. Department of Commerce.

©2023 MICHAEL BEST & FRIEDRICH LLP

National Law Review, Volume VI, Number 223

About this Author

Derek Stettner, Michael Best Law Firm, Intellectual Property Attorney

Derek brings more than 20 years of experience to his work in patent prosecution, portfolio management, intellectual property due diligence, and technology transfer and licensing matters. His strong track record of successful outcomes, coupled with his technical training as an electrical engineer, gives Derek a unique perspective on the challenges facing in-house legal departments and technological innovators in a broad range of industries.

Clients turn to Derek for tactical guidance in the following areas: