1. At the time of initial self-certification, when should an organization’s privacy policy be updated to refer to the Privacy Shield certification?

  • In order for the Department to verify the self-certification requirements, organizations’ privacy policies must be in compliance with the Privacy Shield Principles at the time they submit their self-certification.
  • During this verification period, the organization’s privacy policy will need to refer to its Privacy Shield certification even though the organization will not yet have been placed by the Department on the Privacy Shield List.
  • During this period, organizations must respond promptly to inquiries from the Department related to their self-certification.
  • Failure to respond within the timeframes designated by the Department, or other failure to complete the certification, will lead to a Department notice that the application has been abandoned, in which case the organization must immediately remove all references to the Privacy Shield from its privacy policies unless and until it submits a new application.


2. My organization participated in Safe Harbor.  Do I need to update my organization’s privacy policy before I self-certify to Privacy Shield?

  • Yes. The Privacy Shield is a new Framework with distinct requirements, including those pertaining to the notice that organizations must provide to individuals.
  • In addition to updating your organization’s privacy policy to align with Privacy Shield requirements, prior to self-certifying, your organization must remove any references to the Safe Harbor Framework.
  • An organization that joins the EU-U.S. and/or Swiss-U.S. Privacy Shield Framework(s) will be withdrawn from the relevant Safe Harbor Framework by default.  Upon finalizing an organization's certification to the Privacy Shield, the Privacy Shield team will also adjust the organization's relevant Safe Harbor record so that the "certified through" date displayed in the record reflects the date of certification to the Privacy Shield.  In anticipation of automatic withdrawal from Safe Harbor, an organization certifying to the Privacy Shield should remove references to the Safe Harbor Framework(s) from its privacy policy.


3. What information must my organization include in its privacy policy to comply with Privacy Shield?

  • Your organization’s privacy policy must align with the Privacy Shield Principles, while also reflecting your organization’s own business operations.
  • The Notice Principle requires that “[a]n organization inform individuals about:

i. its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield List,
ii. the types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles,
iii. its commitment to subject to the Principles all personal data received from the EU and/or Switzerland in reliance on the Privacy Shield,
iv. the purposes for which it collects and uses personal information about them,
v. how to contact the organization with any inquiries or complaints, including any relevant establishment in the EU and/or Switzerland that can respond to such inquiries or complaints,
vi. the type or identity of third parties to which it discloses personal information, and the purposes for which it does so,
vii. the right of individuals to access their personal data,
viii. the choices and means the organization offers individuals for limiting the use and disclosure of their personal data,
ix. [under the EU-U.S. Privacy Shield] the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the United States,
ix. [under the Swiss-U.S. Privacy Shield] the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to the individual, and whether it is: (1) the Commissioner, (2) an alternative dispute resolution provider based in Switzerland, or (3) an alternative dispute resolution provider based in the United States,
x. being subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body [currently, there is no other U.S. authorized statutory body recognized by the EU or Switzerland],
xi. the possibility, under certain conditions, for the individual to invoke binding arbitration,
xii. the requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, and
xiii. its liability in cases of onward transfers to third parties.”


4. Can my organization meet the requirements of the Notice Principle by providing the required information only as part of my organization’s Privacy Shield certification?

  • No.  All Privacy Shield participants must inform individuals about each element listed in the Notice Principle through the relevant privacy policy or policies, irrespective of whether the particular element will apply in every situation.
  • The Privacy Shield requires that “notice be provided in clear and conspicuous language when individuals are first asked to provide personal information to the organization or as soon thereafter as is practicable, but in any event before the organization uses such information for a purpose other than that for which it was originally collected or processed by the transferring organization or discloses it for the first time to a third party.”


5. Does the Department of Commerce have sample language that can be used in my organization’s privacy policy to refer to its participation in the Privacy Shield?

  • Yes. The following language is acceptable for this purpose:

(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework and/or the Swiss-U.S. Privacy Shield Framework(s), as applicable) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and/or Switzerland, as applicable) to the United States.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.