
The EU-U.S. “Privacy Shield” Opens for Business

By Natalya Northrip, CIPP/US, CIPP/E & M. James Daley, CIPP/US on September 7, 2016

On August 1, 2016, the United States Department of Commerce launched the EU-U.S. Privacy Shield self-certification process on its Privacy Shield Website. More than 115 U.S. companies have already self-certified. The Privacy Shield was designed to provide U.S. and European companies with a mechanism to comply with EU data protection requirements for cross-border transfers of personal data in the wake of the invalidation of the previously-used U.S.-EU Safe Harbor Framework.

As with the prior Safe Harbor Framework, U.S. companies that self-certify under the Privacy Shield are identified on the Department of Commerce’s website as “active” participants in the program. To avail itself of the benefits of the Privacy Shield, a company must self-certify annually that it agrees to adhere to additional new Privacy Shield requirements, which expand the protection previously provided by Safe Harbor with respect to the long-standing EU data protection principles of notice, choice, accountability for onward transfers, security, data integrity and purpose limitation, access, and recourse, enforcement and liability. Organizations that self-certify under the new Privacy Shield will need to revise their policies and practices to ensure compliance with the new framework.

The Department of Commerce instructs organizations wishing to self-certify under the Privacy Shield to focus on completing the following five steps:

  1. Confirm your organization’s eligibility to participate in the Privacy Shield. Any U.S. organization regulated by the Federal Trade Commission (FTC) or the Department of Transportation (DOT) may participate in the Privacy Shield.
  2. Develop a Privacy Shield-Compliant Privacy Policy Statement. This policy must conform to the Privacy Shield Principles.
  3. Identify your organization’s independent recourse mechanism. This mechanism should be in place to investigate unresolved complaints at no cost to the individual. Under the Privacy Shield, organizations must respond to individuals within 45 days of receiving a complaint.
  4. Ensure that your organization’s verification mechanism is in place. To meet this requirement, an organization may either conduct self-assessment or use a third-party assessment program.
  5. Designate a contact within your organization regarding Privacy Shield. This contact must be available to handle complaints, questions, and access requests. This contact can be either the corporate officer who is certifying the organization’s compliance with the Privacy Shield or another corporate official, such as a Chief Privacy Officer.

The Department of Commerce’s full guidance on how to join Privacy Shield can be found here.

  • Posted in:
    Privacy and Cybersecurity
  • Blog:
    Carpe Datum Law
  • Organization:
    Seyfarth Shaw LLP
