Q. Will the Privacy Shield continue to serve as a data transfer mechanism under the EU General Data Protection Regulation (GDPR)?

  • Yes. Article 45 of the GDPR provides for the continuity of adequacy determinations made under the EU’s 1995 Data Protection Directive, one of which was the adequacy decision on the EU-U.S. Privacy Shield.
  • The Privacy Shield was also designed with an eye to the GDPR, addressing both substantive and procedural elements.
  • For instance, the Privacy Shield includes an annual review, which was designed to address the GDPR’s requirement for a mechanism for a periodic review, at least once every four years, of relevant developments.
  • It is important to note that Privacy Shield is not a GDPR compliance mechanism, but rather is a mechanism that enables participating companies to meet the EU requirements for transferring personal data to third countries, discussed in Chapter V of the GDPR.

Q. Does the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) affect the Privacy Shield Framework?

  • The CLOUD Act involves data transfers for law enforcement purposes. It does not conflict with the Privacy Shield Framework, which provides a legal basis under EU law for transfers of personal data from the EU to participating US organizations. The Privacy Shield Framework is unrelated to, and unaffected by, the CLOUD Act.

Q. Why should an organization that previously participated in the Safe Harbor program self-certify to the Privacy Shield and how should references to Safe Harbor be adjusted when self-certifying?

  • The Privacy Shield provides a number of important benefits to U.S.-based organizations, as well as their partners in Europe. These include:
      • The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were deemed adequate by the European Commission and Swiss Government respectively, meaning they are recognized mechanisms to comply with EU and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
      • Participating organizations are deemed to provide “adequate” privacy protection, a requirement for the transfer of personal data outside of the European Union under the EU Data Protection Directive and outside of Switzerland under the Swiss Federal Act on Data Protection.
      • Compliance requirements of the Privacy Shield Framework are clearly laid out and can be implemented by small and medium-sized enterprises.
  • The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks are no longer legally recognized as adequate under EU and Swiss law for transferring personal data from the European Union and Switzerland to the United States.
  • Prior to submitting its self-certification, an organization joining the Privacy Shield must remove the affirmative commitment to Safe Harbor from its privacy policy.

Q. What information will an organization be required to provide to the Department of Commerce in the online self-certification process?

  • The information that an organization must provide during the self-certification process is outlined here.
  • Organizations interested in self-certifying are encouraged to review and compile this information prior to initiating the online certification process.

Q. What URL must be included in an organization’s privacy policy to meet the Framework requirement to link to the Privacy Shield website?

Q. What are the certification and notice requirements for entities or subsidiaries of the organization also adhering to the Privacy Shield Principles?

  • Each organization will be asked during the self-certification process to identify all U.S. entities or U.S. subsidiaries of the organization also adhering to the Privacy Shield Principles and covered under the organization’s self-certification.
  • The organization can either (1) list the entities and subsidiaries by name or (2), if an individual could readily understand the subsidiaries’ connection to the organization due to the use of a shared brand name as part of the entities’ names, indicate “all U.S. subsidiaries using brand name [X],” excluding particular entities if applicable.
  • Per the Notice Principle, organizations must also inform individuals about the U.S. entities or U.S. subsidiaries also adhering to the Principles.

Q. Can organizations adjust their recertification date?

  • In order to allow organizations to set their own annual schedules, organizations that participate in one or both Frameworks may adjust their annual recertification date by re-certifying early to one or both Frameworks.
  • For example, organizations that already have joined the EU Framework and wish to join the Swiss Framework as well will have three options for timing the synchronized recertification. Such organizations may (a) self-certify to the Swiss Framework before the EU renewal comes due and re-certify early to the EU Framework at the same time; (b) wait until their certification to the EU Framework is up for renewal and self-certify to the Swiss Framework at the same time as they renew their certification to the EU Framework; or (c) self-certify to the Swiss Framework separately (without waiting for their recertification to the EU Framework to come due), and then re-certify to both Frameworks when their recertification to the EU Framework comes due.

Q. How much will it cost to self-certify to the Privacy Shield?

  • ITA has implemented a cost recovery program fee to support the operation of the Privacy Shield, which requires that U.S. organizations pay an annual fee to ITA in order to participate in the Privacy Shield.
  • The cost recovery program supports the administration and supervision of the Privacy Shield program and supports the provision of Privacy Shield-related services, including education and outreach.
  • The fee is tiered based on the organization’s annual revenue.

Annual Fee Schedule for the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks*:

Organization’s Annual Revenue          Single Framework   Both Frameworks
$0 to $5 million                       $250               $375
Over $5 million to $25 million         $650               $975
Over $25 million to $500 million       $1,000             $1,500
Over $500 million to $5 billion        $2,500             $3,750
Over $5 billion                        $3,250             $4,875


Annual fee for organizations that retain data after withdrawal (annual reaffirmation required): $200

Organizations have additional direct costs associated with participating in the Privacy Shield. For example, Privacy Shield organizations must provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual. Providers of such services set their own fees. Furthermore, the Privacy Shield provides the option for an EU individual to invoke binding arbitration to determine whether a Privacy Shield organization has violated its obligations under the Principles as to that individual and whether any such violation remains fully or partially unremedied. The Department of Commerce facilitated the establishment of a fund into which Privacy Shield organizations are required to make contributions to cover the arbitral costs as described in Annex I to the Principles. The International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) was selected to administer these arbitrations and manage this fund. Information on required contributions is available at http://go.adr.org/privacyshieldfund.html.

* The Federal Register Notice specifying the fee structure is the governing document.