Privacy Shield Program Overview
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law (see the adequacy determination). On January 12, 2017, the Swiss Government announced the approval of the Swiss-U.S. Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States. See the statements from the Swiss Federal Council and Swiss Federal Data Protection and Information Commissioner.
The Privacy Shield program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organizations to join one or both of the Privacy Shield Frameworks in order to benefit from the adequacy determinations. To join either Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via this website) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All organizations interested in self-certifying to the EU-U.S. Privacy Shield Framework or Swiss-U.S. Privacy Shield Framework should review the requirements in their entirety. To assist in that effort, Commerce’s Privacy Shield Team has compiled resources and addressed frequently asked questions below.
General Frequently Asked Questions
Q. Why should an organization that previously participated in the Safe Harbor program self-certify to the Privacy Shield?
- The Privacy Shield provides a number of important benefits to U.S.-based organizations, as well as their partners in Europe. These include:
- The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were deemed adequate by the European Commission and Swiss Government respectively, meaning they are recognized mechanisms to comply with EU and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
- Participating organizations are deemed to provide “adequate” privacy protection, a requirement for the transfer of personal data outside of the European Union under the EU Data Protection Directive and outside of Switzerland under the Swiss Federal Act on Data Protection.
- Compliance requirements of the Privacy Shield Framework are clearly laid out and can be implemented by small and medium-sized enterprises.
- The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks are no longer legally recognized as adequate under EU and Swiss law for transferring personal data from the European Union and Switzerland to the United States.
Q. How will an organization’s participation in Safe Harbor be affected by it joining the Privacy Shield?
- An organization that joins the EU-U.S. or Swiss-U.S. Privacy Shield Framework will be automatically withdrawn from the relevant Safe Harbor Framework.
- Upon finalizing an organization's certification to the Privacy Shield, the Privacy Shield team will also adjust the organization's Safe Harbor record so that the "certified through" date displayed in the record reflects the date of certification to the Privacy Shield.
Q. What information will an organization be required to provide to the Department of Commerce in the online self-certification process?
- The information that an organization must provide during the self-certification process is outlined here.
- Organizations interested in self-certifying are encouraged to review and compile this information prior to initiating the online certification process.
- Each organization will be asked during the self-certification process to identify all U.S. entities or subsidiaries of the organization also adhering to the Privacy Shield Principles and covered under the organization’s self-certification.
- The organization can either 1) list the entities and subsidiaries by name or, 2) if an individual could readily understand the subsidiaries’ connection to the organization due to the use of a shared brand name as part of the entities’ names, the organization may indicate “all U.S. subsidiaries using brand name [X],” excluding particular entities if applicable.
- Per the Notice Principle, organizations must also inform individuals about the entities or subsidiaries also adhering to the Principles.
Q. What is the initial timeframe for bringing existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle under the EU-U.S. Privacy Shield?
- The Privacy Principles apply immediately upon certification. Recognizing that the Principles will impact commercial relationships with third parties, the Framework allows organizations that submit their self-certification to the Department of Commerce within the first two months (between August 1 and September 30, 2016) up to nine months from the date upon which they certify to bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle.
- During that interim period, where organizations transfer data to a third party, they must (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles.
Q. Can organizations adjust their recertification date?
- In order to allow organizations to set their own annual schedules, organizations that participate in one or both Frameworks may adjust their annual recertification date by re-certifying early to one or both Frameworks.
- For example, organizations that already have joined the EU Framework and wish to join the Swiss Framework as well will have three options for timing the synchronized recertification. Such organizations may (a) self-certify to the Swiss Framework before the EU renewal comes due and re-certify early to the EU Framework at the same time; (b) wait until their certification to the EU Framework is up for renewal and self-certify to the Swiss Framework at the same time as they renew their certification to the EU Framework; or (c) self-certify to the Swiss Framework separately (without waiting for their recertification to the EU Framework to come due), and then re-certify to both Frameworks when their recertification to the EU Framework comes due.
Q. How much will it cost to self-certify to the Privacy Shield?
- ITA is implementing a cost recovery program fee to support the operation of the Privacy Shield, which will require that U.S. organizations pay an annual fee to ITA in order to participate in the Privacy Shield.
- The cost recovery program will support the administration and supervision of the Privacy Shield program and support the provision of Privacy Shield-related services, including education and outreach.
- The fee will be tiered based on the organization’s annual revenue.
Annual Fee Schedule for the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks*:
|Organization’s Annual Revenue:|Single Framework/Both Frameworks:|
|$0 to $5 million||
|Over $5 million to $25 million||
|Over $25 million to $500 million||
|Over $500 million to $5 billion||
|Over $5 billion||
Annual fee when an organization retains data after withdrawal (annual reaffirmation required): $200
Organizations will have additional direct costs associated with participating in the Privacy Shield. For example, Privacy Shield organizations must provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual. Providers of such services set their own fees. Furthermore, the Frameworks require that the Department of Commerce facilitate the establishment of a fund, into which Privacy Shield organizations will be required to pay an annual contribution, which will cover arbitral costs as described in Annex I to the Principles.
* The Federal Register Notice specifying the fee structure is the governing document.