Q1: At the time of initial self-certification, when should an organization’s privacy policy be updated to refer to the Privacy Shield certification?

  • An organization must provide the Department with a draft privacy policy at the time that it submits its initial self-certification. The draft privacy policy, which the organization would upload with its self-certification submission, must be consistent with the Privacy Shield Framework(s).
  • Once the Department has determined that the organization’s submission is otherwise complete, the Privacy Shield team will notify the organization that it should publish its Privacy Shield-consistent privacy policy including a statement that it adheres to the Privacy Shield Principles. The organization should promptly notify the Privacy Shield team as soon as the relevant privacy policy is published, at which time the Department will place the organization’s self-certification on the Privacy Shield List. Privacy Shield benefits are assured from the date the Department places the organization on the Privacy Shield List.
  • Organizations must respond promptly to inquiries from the Department related to their self-certification. Failure to respond or to complete the self-certification within the timeframes designated by the Department will lead to the application being considered abandoned. If this occurs, the organization must immediately remove all references to the Privacy Shield from its privacy policies unless and until it submits a new application.

Q2: My organization participated in Safe Harbor.  Do I need to update my organization’s privacy policy before I self-certify to Privacy Shield?

  • Yes. The Privacy Shield is a new Framework with distinct requirements, including those pertaining to the notice that organizations must provide to individuals.
  • In addition to updating your organization’s privacy policy to align with Privacy Shield requirements, prior to self-certifying, your organization must remove any references to the Safe Harbor Framework.

Q3: What information must my organization include in its privacy policy to comply with Privacy Shield?

  • Your organization’s privacy policy must align with the Privacy Shield Principles, while also reflecting your organization’s own business operations.
  • The Notice Principle requires that “[a]n organization inform individuals about:

i. its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List,

ii. the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles,

iii. its commitment to subject to the Principles all personal data received from the EU and/or Switzerland in reliance on the Privacy Shield,

iv. the purposes for which it collects and uses personal information about them,

v. how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU and/or Switzerland that can respond to such inquiries or complaints,

vi. the type or identity of third parties to which it discloses personal information, and the purposes for which it does so,

vii. the right of individuals to access their personal data,

viii. the choices and means the organization offers individuals for limiting the use and disclosure of their personal data,

ix. [under the EU-U.S. Privacy Shield] the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States,

ix. [under the Swiss-U.S. Privacy Shield] the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the Commissioner, (2) an alternative dispute resolution provider based in Switzerland, or (3) an alternative dispute resolution provider based in the United States,

x. being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body [currently, there is no other U.S. authorized statutory body recognized by the EU or Switzerland],

xi. the possibility, under certain conditions, for the individual to invoke binding arbitration,

xii. the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and

xiii. its liability in cases of onward transfers to third parties.”

Q4: Can my organization meet the requirements of the Notice Principle by providing the required information only as part of my organization’s Privacy Shield certification?

  • No.  All Privacy Shield participants must inform individuals about each element listed in the Notice Principle through the relevant privacy policy or policies, irrespective of whether the particular element will apply in every situation.
  • The Privacy Shield requires that “notice be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.”

Q5: Does the Department of Commerce have sample language that can be used in my organization’s privacy policy to refer to its participation in the Privacy Shield?

  • Yes. The following language is acceptable for this purpose:

(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework and/or the Swiss-U.S. Privacy Shield Framework(s), as applicable) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and/or Switzerland, as applicable) to the United States. (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

See Privacy Policy FAQs 6-10