

Tech & Sourcing @ Morgan Lewis


On August 1, the US Secretary of Commerce announced the launch of the self-certification process for organizations to participate in the EU-US Privacy Shield Framework (Privacy Shield), a new voluntary framework for the transfer of EU personal data to the United States and the successor to the invalidated EU Safe Harbor program.

By self-certifying with the Privacy Shield, US organizations will be able to receive personal data from EU-based organizations without specific consent or special agreements in place with the EU data exporters. Morgan Lewis partners Pulina Whitaker, Gregory Parks, Reece Hirsch, and Mark Krotoski examined the implications of this new option for transatlantic data transfers in their recent LawFlash.

The Privacy Shield is administered by the International Trade Commission within the US Department of Commerce through an online self-certification process. The decision to join the Privacy Shield program is voluntary, but once an organization publicly commits to comply with Privacy Shield principles through self-certification, that commitment is enforceable under US law. As discussed in our recent LawFlash, other options exist to transfer personal data to the United States, including express consent and the use of Binding Corporate Rules or EU-approved model clause agreements, though the use of model clauses is currently under legal challenge in the EU.

In order to self-certify under the Privacy Shield, an organization must be subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) and must meet the following requirements as part of its submission, which are described in greater detail on the Privacy Shield program website:


  • Develop a Privacy Shield-Compliant Privacy Policy Statement. Self-certifying organizations must adopt a Privacy Shield-compliant privacy policy before joining the program, which must conform to the requirements described in the framework, including adherence to the Privacy Shield Principles.
  • Identify the Organization's Independent Recourse Mechanism. Self-certifying organizations must provide an independent recourse mechanism that is available to investigate unresolved complaints at no cost to the complaining individual. Alternatively, organizations may choose to cooperate and comply with the EU data protection authorities (DPAs) with respect to all types of data.
  • Ensure that the Organization's Verification Mechanism Is in Place. Self-certifying organizations must have procedures in place for verifying compliance with the Privacy Shield. To meet this requirement, organizations may use either a self-assessment or third-party assessment program.
  • Designate a Contact within the Organization Regarding the Privacy Shield. Self-certifying organizations must provide a contact for the handling of questions, complaints, and other issues arising under the Privacy Shield. Organizations must respond within 45 days of receiving a complaint.

As we noted in a recent post, the Privacy Shield may also have Brexit implications, including that the United Kingdom may decide to adopt a similar model for data transfers from the United Kingdom to the United States. Our Brexit Resource Centre will continue to provide guidance on the legal and business implications of the United Kingdom’s decision to leave the European Union. To view alerts and gain immediate access to our most recent guidance on Brexit, please visit the Morgan Lewis Brexit Resource Centre.

If you have specific questions regarding the Privacy Shield self-certification process, feel free to consult Morgan Lewis partner Ronald Del Sesto or Dr. Axel Spies in our Washington, DC office. Our team in Washington has experience counseling clients on cybersecurity, international data protection, and navigating the US Department of Commerce.