U.S. Companies and EU-U.S. Privacy Shield Certification Process
Eligible U.S.-based companies of all sizes with access to personal information of European Union (EU) citizens can now certify under the EU-U.S. Privacy Shield. Certification is voluntary and provides some significant efficiencies and protections. However, even companies that opt not to certify will remain subject to the EU’s data protection regulations and should consider adopting the Privacy Shield’s principles and guidelines as best practices.
What is the Privacy Shield?
As we reported earlier this year, the Privacy Shield Data-Transfer Pact is a framework governing data transfers between the EU and U.S., and replaces the U.S.-EU Safe Harbor. It embodies seven core principles: notice; data integrity and purpose limitation; choice; security; access; recourse, enforcement and liability; and accountability of onward transfers. While the Privacy Shield has similarities to the Safe Harbor, it differs in key ways, including:
Stronger remedies and enforcement provisions
A more well-defined certification process through the U.S. Department of Commerce
Restrictions on U.S. government access to EU citizens’ data
Changes to notice and choice obligations
The Privacy Shield also contains specific onward transfer restrictions related to EU citizens’ data, which is relevant to many companies that do not directly conduct business with EU citizens but that partner with companies that do.
Deciding whether or not to certify under the Privacy Shield is a significant choice for any company and requires discussing the benefits and disadvantages.
What is involved in certifying?
Once you have determined your eligibility and decided whether your company should opt to certify, certification under the Privacy Shield requires several steps of varying complexity:
Identify your company’s independent recourse mechanism. Each company certifying under the Privacy Shield must provide a cost-free mechanism for investigating and resolving individuals’ complaints, which must be in place prior to certification.
Submit your certification to the U.S. Department of Commerce.