The EU-U.S. “Privacy Shield” Opens for Business

By M. James Daley, CIPP/US & Natalya Northrip, CIPP/US, CIPP/E on September 7, 2016

On August 1, 2016, the United States Department of Commerce launched the EU-U.S. Privacy Shield self-certification process on its Privacy Shield Website. More than 115 U.S. companies have already self-certified. The Privacy Shield was designed to provide U.S. and European companies with a mechanism to comply with EU data protection requirements for cross-border transfers of personal data in the wake of the invalidation of the previously-used U.S.-EU Safe Harbor Framework.

As with the prior Safe Harbor Framework, U.S. companies that self-certify under the Privacy Shield are identified on the Department of Commerce’s website as “active” participants in the program. To avail itself of the benefits of the Privacy Shield, a company must self-certify annually that it agrees to adhere to additional new Privacy Shield requirements, which expand the protection previously provided by Safe Harbor with respect to the long-standing EU data protection principles of notice, choice, accountability for onward transfers, security, data integrity and purpose limitation, access, recourse, enforcement and liability. Organizations that self-certify under the new Privacy Shield will need to revise their policies and practices to ensure compliance with the new framework.

The Department of Commerce instructs organizations wishing to self-certify under the Privacy Shield to focus on completing the following five steps:

  1. Confirm your organization’s eligibility to participate in the Privacy Shield. Any U.S. organization regulated by the Federal Trade Commission (FTC) or the Department of Transportation (DOT) may participate in the Privacy Shield.
  2. Develop a Privacy Shield-Compliant Privacy Policy Statement. This policy must conform to the Privacy Shield Principles.
  3. Identify your organization’s independent recourse mechanism. This mechanism should be in place to investigate unresolved complaints at no cost to the individual. Under the Privacy Shield, organizations must respond to individuals within 45 days of receiving a complaint.
  4. Ensure that your organization’s verification mechanism is in place. To meet this requirement, an organization may either conduct self-assessment or use a third-party assessment program.
  5. Designate a contact within your organization regarding Privacy Shield. This contact must be available to handle complaints, questions, and access requests. This contact can be either the corporate officer who is certifying the organization’s compliance with the Privacy Shield or another corporate official, such as a Chief Privacy Officer.

The Department of Commerce’s full guidance on how to join Privacy Shield can be found here.

  • Posted in:
    E-Discovery, Privacy & Data Security
  • Blog:
    Carpe Datum Law
  • Organization:
    Seyfarth Shaw LLP