It’s August 1st! What U.S. businesses need to do re: the Privacy Shield


1 August 2016 – In the U.S., the Privacy Shield program will be administered by the Department of Commerce, which was also responsible for the Safe Harbor. Organizations will have to self-certify to the Privacy Shield Principles. This requires completing an online registration with the Department, which began accepting registrations today, 1 August 2016.

Privacy Shield applicants must provide full contact details, including the name of their Organization Corporate Officer (i.e. the individual certifying the organization's compliance with the Privacy Shield Framework).

Organizations also need to provide a description of their activities with respect to all personal data received from the European Union (EU) in reliance on the Privacy Shield. That includes:

  • Other covered entities (i.e. a list of all U.S. entities or subsidiaries of the organization that also adhere to the Privacy Shield Principles and are covered under the organization's self-certification).
  • Types of personal data covered by the organization's Privacy Shield commitments (i.e. "personal data other than human resources data" and/or "human resources data").
  • Purpose(s) for which the organization processes personal data in reliance on the Privacy Shield, including the types of personal data processed (e.g. organization, customer, client, visitor, and clinical trial data) and, if applicable, the types of third parties to which it discloses such personal information.

Organizations must name on their website an independent private-sector recourse mechanism available to investigate unresolved complaints, or choose to cooperate with the EU Data Protection Authorities (DPAs). In the latter case the national EU DPAs will handle complaints from individuals, and then work together with the U.S. Department of Commerce and the U.S. Federal Trade Commission. In addition, organizations must state the location and effective date(s) of their relevant privacy policy statement(s). Slightly different rules apply to companies that only handle HR data.

In addition, organizations must disclose their annual revenue for the purpose of determining the fee the organization must pay to self-certify to the Privacy Shield Framework. This information will not be publicly disclosed on the Privacy Shield website.

Any subcontractor, including those in Asia, will need to provide the same level of protection as is required of Shield participants. This will be a challenge in countries with no or only elementary data protection laws, or with extensive national surveillance programmes. However, the subcontractors themselves do not need to self-certify.

The US Department of Commerce advises: “Privacy Shield participants must enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.”

For existing commercial relationships, organizations are given nine months to bring their contracts into conformity with the Accountability for Onward Transfer Principle. But to rely on this concession, organizations need to self-certify with the Department of Commerce within two months of the Shield taking effect.

During this interim period, where organizations transfer data to a third party, they must:

  1. apply the Notice and Choice Principles, and
  2. where personal data is transferred to a third party acting as an agent, ascertain that the agent is obligated to provide at least the same level of protection as is required by the Principles.

Although self-certification has been open since 1 August, the Department of Commerce says that processing times will vary depending on the completeness of the original self-certification and on the number of self-certifications received, particularly during the initial roll-out. The Privacy Shield team will provide periodic updates on expected processing times to assist companies in their planning, it says.
