How do we become certified under the EU-U.S. Privacy Shield?

The EU-U.S. Privacy Shield framework may be an interesting tool to permit international transfers of personal data without any other permissions or contracts.
UPDATE: The Privacy Shield framework remains in place and we can still apply to be certified, but on 16 July 2020, the EU Court of Justice decided that it could no longer be used to authorise transfers of personal data from the EU/EEA/UK to the USA, and other mechanisms need to be used.

How do we become certified under the EU-U.S. Privacy Shield?

1. What is Privacy Shield and why is it interesting?

The process of applying for Privacy Shield certification is not very complex – but it requires a commitment to comply with data protection principles, and that commitment is enforceable by U.S. authorities. Certification needs to be renewed annually. Certification can be for HR data (present or past EU employees) and/or for any other data imported from the EU/EEA/UK/Switzerland. There are two frameworks, one for transfers from EU/EEA only (including UK), and one for from Switzerland.

The basic rule under the GDPR (as under the old data protection directive) is that international transfers of personal data from the EU/EEA to places not approved by the European Commission as having “adequate” privacy laws are prohibited. The Privacy Shield framework was approved by the European Commission as creating an adequate environment to allow transfers of personal data to certified U.S. organisations. And so the framework automatically permits international transfers without any other permissions or contracts. The program is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce who publishes a public Privacy Shield List of certified organisations. Privacy Shield was created when the previous Safe Harbour system was found to be illegal by the European Court in 2016.

2. What are the requirements for certification?

In order to become certified under the Privacy Shield we need to follow the process set out below and, more importantly, ensure that our organisation complies with the Privacy Shield Principles. There are 23 Privacy Shield Principles as set out here, many of which mirror principles under EU data protection laws. For the moment we just list them at the end of this article. The Principles and Supplemental Principles are equally binding and enforceable.

3. How do we become certified?

1) Check we are eligible to certify

Privacy Shield is open to most U.S. organisations (exclusions include banks, telecommunications carriers, non-profits and other organisations not under the jurisdiction of the Federal Trade Commission or the Department of Transport).

2) Update our privacy policy

We need to have a privacy policy that complies with the Privacy Shield Principles. The policy must state that we adhere to those Principles, and indicate the Independent Recourse Mechanism we are using (see next point)). Of course, by definition, we are processing data of data subjects located in the EU, so it’s highly likely that our privacy policy will also need to comply with the transparency requirements of the GDPR.

3) Sign up to an Independent Recourse Mechanism

Under the Privacy Shield, we must enable individuals’ unresolved complaints regarding compliance with the Principles to be an independent mechanism (at no cost to the individuals). This can be a private sector organisation (examples include the Council of Better Business Bureaus, TRUSTe, the American Arbitration Association, JAMS, and the DMA) or we can choose to comply directly with decisions of the EU Supervisory Authorities. (Where our certification is for HR data, then working with the Supervisory Authorities is the only option.)

4) Sign up to binding arbitration

Privacy Shield also gives individuals a right to binding arbitration by the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA), so we need in addition to pay a fee to the arbitration fund administered by ICDR-AAA.

5) Provide verification of compliance

This can be provided by internal self-assessment, or via an external review by a third party.

6) Appoint a Privacy Shield compliance contact

This may be our Data Protection Officer if we have one, or another compliance manager.

7) Register online

See below the list of information required.

8) Pay registration fee

There is an annual fee for certification of between US$250 and US$3,250 for one framework or US$375 and US$4,875 for both frameworks, based on our annual revenues.

4. Information required for online registration

Registration is online so we should work through the above steps and have all the required information to hand before we are ready to register:

a) Organization Information (name address)
b) Organization Contact: for the handling of complaints, access requests etc.
c) Organization Corporate Officer: who is certifying compliance with the Privacy Shield Framework.
d) Description of activities with respect to all personal data received from the EU and/or Switzerland in reliance on the Privacy Shield.
• Indicate whether HR data and/or other personal data
• Purposes of processing
• Types of personal data
• Types of third parties to which data is disclosed
• Any other US entities in our group that will also be covered under the certification.
e) Independent recourse mechanism(s) available to investigate unresolved complaints
f) Description of privacy policy (effective date, web address) (or where the certification covers HR data, attach the privacy policy that is available to employees
g) Which statutory body has jurisdiction to investigate privacy claims? (for most applicants, the Federal Trade Commission)
h) List any privacy program in which our organization is a member.
i) What is our organization’s verification method (self-assessment, external)
j) Indicate our organization’s annual revenue
k) Indicate the industry sector(s) applicable to our organization
l) Indicate the number of employees in our organization

5. Final notes

Certification with the Privacy Shield frameworks may be a very useful compliance tool for organisations with regular data imports from the EU/EEA/UK/Switzerland, and certainly sends a powerful signal of our organisation’s commitment to respecting privacy principles. Appearing on the Privacy Shield List is also a useful public indication for our business partners. However, Eden Legal has come across some EU business partners that reject Privacy Shield as a mechanism for international data transfers and insist on signing the EU standard contractual model clauses (or on there being another justification for international data transfers) in all cases. And there are ongoing EU Court of Justice cases challenging the legality of Privacy Shield (although the standard contractual clauses are also being challenged, particularly in relation to transfers of personal data to the US). Becoming certified will mean that contracts for onward transfer of data imported from the EU/EEA/UK/Switzerland (e.g. to sub-processors in the U.S.) may need to be amended to offer the same level of protection as under the Privacy Shield. Finally, where we are transferring personal data to the U.S. from the UK, Privacy Shield will continue to be valid after Brexit, but only if we specify clearly that transfers from the UK are intended to be covered.

Annex: The Privacy Shield Principles

1. Notice
2. Choice
3. Accountability for Onward Transfer
4. Security
5. Data Integrity and Purpose Limitation
6. Access
7. Recourse, Enforcement and Liability

Supplemental Principles
1. Sensitive Data
2. Journalistic Exceptions
3. Secondary Liability
4. Performing Due Diligence and Conducting Audits
5. The Role of the Data Protection Authorities
6. Self-Certification
7. Verification
8. Access
9. Human Resources Data
10. Obligatory Contracts for Onward Transfers
11. Dispute Resolution and Enforcement
12. Choice – Timing of Opt Out
13. Travel Information
14. Pharmaceutical and Medical Products
15. Public Record and Publicly Available Information
16. Access Requests by Public Authorities