How to Join Privacy Shield (part 1)
Guide to Self-Certification
The decision by a U.S.-based organization to join the Privacy Shield program is entirely voluntary. However, once an eligible organization publicly commits to comply with the Privacy Shield Principles through self-certification, that commitment is enforceable under U.S. law by the relevant enforcement authority, either the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT).
To be assured of Privacy Shield benefits, an organization must self-certify annually to the Department of Commerce (via this website) that it agrees to adhere to the Privacy Shield Principles, a detailed set of requirements based on privacy principles such as notice, choice, access, and accountability for onward transfer. A brief guide to the self-certification process, including steps that the organization must take prior to self-certification, is provided below.
Please note that, because the substantive requirements of the EU-U.S. and Swiss-U.S. Privacy Shield are the same, links within descriptive text throughout this website point to the relevant Principle(s) in the EU-U.S. Privacy Shield Framework. Where references are made to the EU or EU DPAs, organizations should understand that the Swiss Framework instead references Switzerland and the Swiss Data Protection and Information Commissioner. The full text of the Swiss-U.S. Privacy Shield Framework is available here.
This guide should be read in conjunction with the complete set of Privacy Shield Principles, which includes 16 Supplemental Principles. Following these steps will help to ensure that your organization is meeting the requirements for self-certification, as set forth in Supplemental Principle 6 (Self-Certification).
1. Confirm Your Organization's Eligibility to Participate in the Privacy Shield: Only U.S. legal entities subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) are eligible to participate in Privacy Shield. To self-certify for Privacy Shield, an eligible U.S. organization must provide to the Department of Commerce a self-certification submission containing the organization’s mailing address, which should be a valid U.S. mailing address. The FTC and DOT have both committed (See FTC letter or DOT letter for reference) that they will enforce the Privacy Shield Framework.
- Generally, the FTC's jurisdiction covers acts or practices in or affecting commerce by any "person, partnership, or corporation." The FTC does not have jurisdiction over most depository institutions (banks, federal credit unions, and savings & loan institutions), telecommunications and interstate transportation common carrier activities, air carriers, labor associations, most non-profit organizations, and most packer and stockyard activities. In addition, the FTC's jurisdiction with regard to insurance activities is limited to certain circumstances. Note that to be transferred in reliance on the Privacy Shield, personal data must be processed in connection with an activity that is subject to the jurisdiction of at least one appropriate statutory body listed in the Framework. The DOT has exclusive jurisdiction over U.S. and foreign air carriers. The DOT and the FTC share jurisdiction over ticket agents that market air transportation. If you are uncertain as to whether your organization falls under the jurisdiction of either the FTC or DOT, then please be sure to contact the Privacy Shield Team at the Department of Commerce for more information.