Administration of Privacy ShieldAdministration of Privacy Shield
The Privacy Shield program is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce. Interested organizations should review the following information to gain an understanding of ITA’s role in (1) the maintenance of the Privacy Shield List, (2) the self-certification process, (3) ex-officio compliance reviews, and (4) the resolution of complaints referred by EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner.
Specifically, ITA’s Privacy Shield Team:
1. Maintains the Privacy Shield List
- Maintains and makes available to the public the authoritative list of U.S. organizations that have self-certified to the Department and declared their commitment to adhere to the Privacy Shield Principles (see Privacy Shield List).
- Keeps the Privacy Shield List up to date by removing organizations when they voluntarily withdraw, fail to complete the annual re-certification in accordance with the Department’s procedures, or are found to persistently fail to comply.
- Maintains and makes available to the public the authoritative record of U.S. organizations that have been removed from the Privacy Shield List and identifies the reason each organization was removed.
- Includes a prominently placed explanation clarifying that all organizations removed from the Privacy Shield List are no longer assured of the benefits of the Privacy Shield, but must nevertheless continue to apply the Privacy Shield Principles to the personal information that they received while they participated in the Privacy Shield for as long as they retain such information.
- Provides a link to the list of Privacy Shield-related FTC cases maintained on the FTC website.
2. Verifies Self-Certification Requirements
Prior to finalizing an organization’s self-certification (or annual re-certification) and placing the organization on the Privacy Shield List, verifies that the organization has:
- provided all information required in the self-certification form;
- registered with the identified independent recourse mechanism indicated in its self-certification submission, where such registration is required.
3. Conducts Periodic ex officio Compliance Reviews
- On an ongoing basis, monitors effective compliance, including through sending detailed questionnaires to participating organizations, to identify issues that may warrant further follow-up action. In particular, the Privacy Shield Team will conduct compliance reviews when: (a) the Department has received specific non-frivolous complaints about an organization’s compliance with the Privacy Shield Principles, (b) an organization does not respond satisfactorily to inquiries by the Department for information relating to the Privacy Shield, or (c) there is credible evidence that an organization does not comply with its commitments under the Privacy Shield. The Department will, when appropriate, consult with the competent data protection authorities about such compliance reviews.
4. Facilitates Resolution of Complaints Referred by EU DPAs or the Swiss Federal Data Protection and Information Commissioner
- Receives referrals from EU DPAs or the Swiss Commissioner in instances where a DPA or the Commissioner believes that an organization is not complying with the Privacy Shield Principles, including following a complaint from an EU or Swiss individual.
- Undertakes best efforts to facilitate resolution of the complaint with the Privacy Shield organization. Within 90 days after receipt of the complaint, the Department will provide an update to the DPA or Commissioner.
- Assists DPAs or the Commissioner when seeking information related to a specific organization’s self-certification or previous participation in the program.