11. The Privacy Shield requires my organization to inform individuals about the possibility, under certain conditions, for the individual to invoke binding arbitration. Does this requirement apply to my organization and how do I address it in my organization’s privacy policy?
  • All Privacy Shield participants must inform individuals about each element listed in the Notice Principle. Section C of Annex I to the Privacy Shield Principles (included below for reference) explains in detail when an individual can invoke binding arbitration. Rather than include this level of detail in a privacy policy, organizations may provide notice that an individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms and then link to Annex I for additional information: https://www.privacyshield.gov/article?id=ANNEX-I-introduction

Annex I: Section C
An individual who decides to invoke this arbitration option must take the following steps prior to initiating an arbitration claim: (1) raise the claimed violation directly with the organization and afford the organization an opportunity to resolve the issue within the timeframe set forth in Section III.11(d)(i) of the Principles; (2) make use of the independent recourse mechanism under the Principles, which is at no cost to the individual; and (3) raise the issue through their Data Protection Authority to the Department of Commerce and afford the Department of Commerce an opportunity to use best efforts to resolve the issue within the timeframes set forth in the Letter from the International Trade Administration of the Department of Commerce, at no cost to the individual. This arbitration option may not be invoked if the individual’s same claimed violation of the Principles (1) has previously been subject to binding arbitration; (2) was the subject of a final judgment entered in a court action to which the individual was a party; or (3) was previously settled by the parties.

In addition, this option may not be invoked if [an EU Data Protection Authority or the Commissioner] (1) has authority under Sections III.5 or III.9 of the Principles; or (2) has the authority to resolve the claimed violation directly with the organization. [A DPA’s/the Commissioner's] authority to resolve the same claim against [an EU or a Swiss] data controller does not alone preclude invocation of this arbitration option against a different legal entity not bound by the [DPA/Commissioner's] authority.

12. The Privacy Shield requires my organization to inform individuals about its liability in cases of onward transfers to third parties. How do I address this issue in my organization’s privacy policy, including if my organization does not plan to transfer personal data to third parties?
  • All Privacy Shield participants must inform individuals about each element listed in the Notice Principle.
  • The Privacy Shield requires that, “In the context of an onward transfer, a Privacy Shield organization has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield organization shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.”
  • If your organization does not plan to transfer personal information to third parties, you should note that in your organization’s privacy policy. Additionally, you can indicate that the provision regarding liability for the actions of agent processors does not apply because your organization will not transfer personal information to third parties.

13. What are the certification and notice requirements for entities or subsidiaries of the organization also adhering to the Privacy Shield Principles?
  • Each organization will be asked during the self-certification process to identify all U.S. entities or subsidiaries of the organization also adhering to the Privacy Shield Principles and covered under the organization’s self-certification.
  • The organization can either (1) list the entities and subsidiaries by name or (2), if an individual could readily understand the subsidiaries’ connection to the organization because a shared brand name forms part of the entities’ names, indicate “all U.S. subsidiaries using brand name [X],” excluding particular entities if applicable.
  • Per the Notice Principle, organizations must also inform individuals about the entities or subsidiaries also adhering to the Principles.