a.    Privacy Shield benefits are assured from the date on which the Department has placed the organization’s self-certification submission on the Privacy Shield List after having determined that the submission is complete.

b.    To self-certify for the Privacy Shield, an organization must provide to the Department a self-certification submission, signed by a corporate officer on behalf of the organization that is joining the Privacy Shield, that contains at least the following information:
  i.    name of organization, mailing address, e-mail address, telephone, and fax numbers;
  ii.    description of the activities of the organization with respect to personal information received from the EU; and
  iii.    description of the organization’s privacy policy for such personal information, including:
      1.    if the organization has a public website, the relevant web address where the privacy policy is available, or if the organization does not have a public website, where the privacy policy is available for viewing by the public;
      2.    its effective date of implementation;
      3.    a contact office for the handling of complaints, access requests, and any other issues arising under the Privacy Shield;
      4.    the specific statutory body that has jurisdiction to hear any claims against the organization regarding possible unfair or deceptive practices and violations of laws or regulations governing privacy (and that is listed in the Principles or a future annex to the Principles);
      5.    name of any privacy program in which the organization is a member;
      6.    method of verification (e.g., in-house, third party) (see Supplemental Principle on Verification); and
      7.    the independent recourse mechanism that is available to investigate unresolved complaints.

c.    Where the organization wishes its Privacy Shield benefits to cover human resources information transferred from the EU for use in the context of the employment relationship, it may do so where a statutory body listed in the Principles or a future annex to the Principles has jurisdiction to hear claims against the organization arising out of the processing of human resources information.  In addition, the organization must indicate this in its self-certification submission and declare its commitment to cooperate with the EU authority or authorities concerned in conformity with the Supplemental Principles on Human Resources Data and the Role of the Data Protection Authorities as applicable and that it will comply with the advice given by such authorities.  The organization must also provide the Department with a copy of its human resources privacy policy and provide information where the privacy policy is available for viewing by its affected employees.

d.    The Department will maintain the Privacy Shield List of organizations that file completed self-certification submissions, thereby assuring the availability of Privacy Shield benefits, and will update such list on the basis of annual self-recertification submissions and notifications received pursuant to the Supplemental Principle on Dispute Resolution and Enforcement.  Such self-certification submissions must be provided not less than annually; otherwise the organization will be removed from the Privacy Shield List and Privacy Shield benefits will no longer be assured.  Both the Privacy Shield List and the self-certification submissions by the organizations will be made publicly available.  All organizations that are placed on the Privacy Shield List by the Department must also state in their relevant published privacy policy statements that they adhere to the Privacy Shield Principles.  If available online, an organization’s privacy policy must include a hyperlink to the Department’s Privacy Shield website and a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints.  

e.    The Privacy Principles apply immediately upon certification.  Recognizing that the Principles will impact commercial relationships with third parties, organizations that certify to the Privacy Shield Framework in the first two months following the Framework’s effective date shall bring existing commercial relationships with third parties into conformity with the Accountability for Onward Transfer Principle as soon as possible, and in any event no later than nine months from the date upon which they certify to the Privacy Shield.  During that interim period, where organizations transfer data to a third party, they shall (i) apply the Notice and Choice Principles, and (ii) where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles.

f.    An organization must subject to the Privacy Shield Principles all personal data received from the EU in reliance upon the Privacy Shield.  The undertaking to adhere to the Privacy Shield Principles is not time-limited in respect of personal data received during the period in which the organization enjoys the benefits of the Privacy Shield.  Its undertaking means that it will continue to apply the Principles to such data for as long as the organization stores, uses or discloses them, even if it subsequently leaves the Privacy Shield for any reason.  An organization that withdraws from the Privacy Shield but wants to retain such data must affirm to the Department on an annual basis its commitment to continue to apply the Principles or provide “adequate” protection for the information by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission); otherwise, the organization must return or delete the information.  An organization that withdraws from the Privacy Shield must remove from any relevant privacy policy any references to the Privacy Shield that imply that the organization continues to actively participate in the Privacy Shield and is entitled to its benefits.   

g.    An organization that will cease to exist as a separate legal entity as a result of a merger or a takeover must notify the Department of this in advance.  The notification should also indicate whether the acquiring entity or the entity resulting from the merger will (i) continue to be bound by the Privacy Shield Principles by the operation of law governing the takeover or merger or (ii) elect to self-certify its adherence to the Privacy Shield Principles or put in place other safeguards, such as a written agreement that will ensure adherence to the Privacy Shield Principles.  Where neither (i) nor (ii) applies, any personal data that has been acquired under the Privacy Shield must be promptly deleted.

h.    When an organization leaves the Privacy Shield for any reason, it must remove all statements implying that the organization continues to participate in the Privacy Shield or is entitled to the benefits of the Privacy Shield.  The EU-U.S. Privacy Shield certification mark, if used, must also be removed.  Any misrepresentation to the general public concerning an organization’s adherence to the Privacy Shield Principles may be actionable by the FTC or other relevant government body.  Misrepresentations to the Department may be actionable under the False Statements Act (18 U.S.C. § 1001).