February 19, 2020


US Secretary of Commerce Announces Privacy Shield Framework Certification Process

On August 1, the US Secretary of Commerce announced the launch of the self-certification process for organizations to participate in the EU-US Privacy Shield Framework (Privacy Shield), a new voluntary framework for the transfer of EU personal data to the United States and the successor to the invalidated EU Safe Harbor program.

By self-certifying with the Privacy Shield, US organizations will be able to receive personal data from EU-based organizations without specific consent or special agreements in place with the EU data exporters. We discussed this in a recent post.

The Privacy Shield is administered by the International Trade Commission within the US Department of Commerce through an online self-certification process. The decision to join the Privacy Shield program is voluntary, but once an organization publicly commits to comply with Privacy Shield principles through self-certification, that commitment is enforceable under US law. As discussed in our recent post, other options exist to transfer personal data to the United States, including express consent and the use of Binding Corporate Rules or EU-approved model clause agreements, though the use of model clauses is currently under legal challenge in the EU.

In order to self-certify under the Privacy Shield, an organization must be subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) and must meet the following requirements as part of its submission, which are described in greater detail on the Privacy Shield program website:

  • Develop a Privacy Shield-Compliant Privacy Policy Statement. Self-certifying organizations must adopt a Privacy Shield-compliant privacy policy before joining the program, which must conform to the requirements described in the framework, including adherence to the Privacy Shield Principles.

  • Identify the Organization’s Independent Recourse Mechanism. Self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the complaining individual or, in the alternative, organizations may choose to cooperate and comply with the EU data protection authorities (DPAs) with respect to all types of data.

  • Ensure that the Organization’s Verification Mechanism Is in Place. Self-certifying organizations must have procedures in place for verifying compliance with the Privacy Shield. To meet this requirement, organizations may use either a self-assessment or third-party assessment program.

  • Designate a Contact within the Organization Regarding the Privacy Shield. Self-certifying organizations must provide a contact for the handling of questions, complaints, and other issues arising under the Privacy Shield. Organizations must respond within 45 days of receiving a complaint.

As we noted in a recent post, the Privacy Shield may also have Brexit implications, including that the United Kingdom may decide to adopt a similar model for data transfers from the United Kingdom to the United States. Our Brexit Resource Centre will continue to provide guidance on the legal and business implications of the United Kingdom’s decision to leave the European Union.

Copyright © 2020 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author

Barbara Melby, Morgan Lewis, data privacy and cybersecurity lawyer

Barbara Melby has been active in the outsourcing and technology transaction legal market for the last 25 years. As leader of the firm’s technology, outsourcing & commercial transactions practice, she represents clients in such complex transactions as outsourcing, strategic alliances, technology and data-related agreements, and other services transactions. She also advises businesses on privacy and security issues that arise in transactions involving sensitive data and technologies.

Glen Rectenwald, Morgan Lewis, Technology Attorney

Glen W. Rectenwald focuses his practice on technology, outsourcing, and commercial transactions. He regularly assists a broad range of clients with development, licensing, and distribution agreements; strategic alliances and joint ventures; manufacturing and supply agreements; complex outsourcing and strategic commercial transactions; and general commercial matters. Glen’s experience also includes mergers and acquisitions, private equity, venture capital, and general corporate matters.