The full text of the EU-U.S. Privacy Shield (“Privacy Shield”) framework is now available. Privacy Shield was “designed by the U.S. Department of Commerce and European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.” (See Fact Sheet)

Below is a non-exhaustive list of “quick facts” about Privacy Shield:

  • It remains a voluntary self-certification program, similar to the now-defunct Safe Harbor program.
  • Applications for certification are not currently being accepted. The Department of Commerce will begin accepting applications for certification pending the European Commission’s adequacy determination. This approval process is underway. No word yet on the cost of self-certification.
  • The Privacy Shield Principles are anchored on the following concepts: notice; choice; accountability for onward transfer; security, data integrity and purpose limitation; access; recourse, enforcement and liability. In addition, there is a section entitled “Supplemental Principles” which covers topics such as sensitive data and human resources data.
  • Individuals may bring a complaint directly to a Privacy Shield participant and the participant must respond to the individual within 45 days.
  • Privacy Shield participants must also commit to binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms.
  • Expect greater involvement of the Department of Commerce as well as the Federal Trade Commission with respect to oversight, supervision and enforcement.
  • Privacy Shield participants must include certain information on their websites related to the program (e.g., access and correction rights, whether personal information is disclosed to public authorities, and information about the independent recourse mechanism).

For more information, read the AGG Alert by my colleagues Kevin Coy and Gene Burd.