Administration of Privacy Shield
The Privacy Shield program is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce. Interested organizations should review the following information to gain an understanding of ITA’s role in (1) the maintenance of the Privacy Shield List, (2) the self-certification process, (3) ex-officio compliance reviews, and (4) the resolution of complaints referred by EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner.
Specifically, ITA’s Privacy Shield Team:
1. Maintains the Privacy Shield List
- Maintains and makes available to the public the authoritative list of U.S. organizations that have self-certified to the Department and declared their commitment to adhere to the Privacy Shield Principles (see Privacy Shield List).
- Keeps the Privacy Shield List up to date by removing organizations when they voluntarily withdraw, fail to complete the annual re-certification in accordance with the Department’s procedures, or are found to persistently fail to comply.
- Maintains and makes available to the public the authoritative record of U.S. organizations that have been removed from the Privacy Shield List and identifies the reason each organization was removed.
- Includes a prominently placed explanation clarifying that all organizations removed from the Privacy Shield List are no longer assured of the benefits of the Privacy Shield, but must nevertheless continue to apply the Privacy Shield Principles to the personal information that they received while they participated in the Privacy Shield for as long as they retain such information.
- Provides a link to the list of Privacy Shield-related FTC cases maintained on the FTC website.
2. Verifies Self-Certification Requirements
Prior to finalizing an organization’s self-certification (or annual re-certification) and placing the organization on the Privacy Shield List, verifies that the organization has:
- provided all information required in the self-certification form;
- included in its privacy policy a statement that it adheres to the Privacy Shield Principles and, if the privacy policy is available online, a hyperlink to the Department’s Privacy Shield website;
- identified in its privacy policy the independent recourse mechanism that is available to investigate and resolve complaints;
- included in its privacy policy, if the policy is available online, a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints;
- if the organization has indicated that it intends to receive human resources information transferred from the EU or Switzerland collected in the context of the employment relationship, declared its commitment to cooperate with EU DPAs or the Swiss Federal Data Protection and Information Commissioner respectively to resolve complaints concerning its activities with regard to such data and comply with the advice given by such authorities, provided a copy of its human resources privacy policy to the Department, and indicated where the human resources privacy policy is available for viewing by its affected employees; and
- registered with the identified independent recourse mechanism indicated in its self-certification submission, where such registration is required.
3. Conducts Periodic ex officio Compliance Reviews
- On an ongoing basis, monitors effective compliance, including by sending detailed questionnaires to participating organizations, to identify issues that may warrant further follow-up action.
- In particular, conducts compliance reviews when: (a) the Department has received specific non-frivolous complaints about an organization’s compliance with the Privacy Shield Principles; (b) an organization does not respond satisfactorily to inquiries by the Department for information relating to the Privacy Shield; or (c) there is credible evidence that an organization does not comply with its commitments under the Privacy Shield. The Department will, when appropriate, consult with the competent data protection authorities about such compliance reviews.
- Sends questionnaires to organizations when they fail to re-certify or elect to withdraw, and on an annual basis after withdrawal if they indicated that they will retain data. The Privacy Shield Team also uses a compliance review questionnaire in conducting the compliance reviews described above.
4. Facilitates Resolution of Complaints Referred by EU DPAs or the Swiss Federal Data Protection and Information Commissioner
- Receives referrals from EU DPAs or the Swiss Commissioner in instances where a DPA or the Commissioner believes that an organization is not complying with the Privacy Shield Principles, including following a complaint from an EU or Swiss individual.
- Undertakes best efforts to facilitate resolution of the complaint with the Privacy Shield organization. Within 90 days after receipt of the complaint, the Department will provide an update to the DPA or Commissioner.
- Assists DPAs or the Commissioner when seeking information related to a specific organization’s self-certification or previous participation in the program.