- First Things First: Can You Participate in the Shield? While the Commerce Department administers and oversees participants’ compliance with the Privacy Shield, the Federal Trade Commission (FTC) and the U.S. Department of Transportation (DOT) enforce the Privacy Shield’s requirements. Therefore, only organizations that are subject to either the FTC’s or the DOT’s authority can participate.
- Review, Revise, and Implement. Once your company determines its ability to participate in the Privacy Shield, it will need to take steps to comply with the Privacy Shield Principles. Though many parts of the Privacy Shield are similar to the Safe Harbor Framework, companies that previously participated in Safe Harbor should not treat the new arrangement as essentially Safe Harbor 2.0.
Instead, if your company participated in Safe Harbor, we strongly encourage you to thoroughly review the Privacy Shield Principles and the obligations under the new framework, and revise all internal policies and procedures to ensure that they adhere to the Privacy Shield.
- Select an Independent Dispute Resolution Mechanism. Participating companies must choose an independent dispute resolution program to handle complaints and to investigate and resolve disputes free of charge to the individual, as required under the Privacy Shield’s Recourse, Enforcement, and Liability Principle. Your company must participate in a dispute resolution program when its self-certification is filed.
Participating companies may either use private-sector vendors that offer Privacy Shield dispute resolution services, or voluntarily commit themselves to cooperate with EU Data Protection Authorities (DPAs) in resolving individuals’ complaints. Companies should note that cooperation with DPAs is mandatory where a company processes human resource data transferred from the EU in the employment relationship context.
- Implement “Reasonable and Appropriate” Data Security Measures. Privacy Shield participants must take measures to protect personal data from loss, misuse, and unauthorized access, disclosure, alteration and destruction. Third party data security vendors can help assess your company’s data security posture and implement measures to address any security gaps.
- Implement Contracts for Onward Transfers to Third Parties. Privacy Shield participants are accountable for onward transfers of personal data to third parties, and face different requirements if the third party acts as a controller or service provider/agent. All transfers to third parties must contractually restrict data processing to the purposes consistent with the individual’s consent, and require the third party to give the same level of protection under the Privacy Shield’s Principles. Participants that self-certify within two months of the Privacy Shield’s effective date will have nine months after certification to bring contracts with existing third party relationships into compliance.
- Implement Verification Procedures. Privacy Shield participants are required to have follow-up procedures in place to verify that their statements about their privacy practices are true, and have been implemented as represented and according to the Privacy Shield’s Principles. Your company can perform this verification either through a self-assessment or by using a third-party self-assessment program.
- File Self-Certification Form. If your company already meets all of the above, it likely can submit its self-certification to the Commerce Department on August 1. Note that your company will have to annually re-certify its Privacy Shield compliance with the Commerce Department. The Commerce Department will also assess a certification processing fee every year based on your company’s annual revenue: businesses with annual revenues up to $5 million will be assessed a fee of $250, while companies that earn more per year will be charged higher fees at varying amounts (the maximum possible fee is $3,250 for companies that earn more than $5 billion annually).
- Prepare to Respond. One of the Privacy Shield’s major provisions is that participants must respond to inquiries and complaints raised by individuals, U.S. authorities, and EU DPAs. Participants must respond to non-compliance complaints made by EU residents within 45 days. As part of any response, you will need to address the complaint’s merits and, if applicable, how you will address the underlying issue. Responses to inquiries by U.S. authorities must be made “promptly,” while responses to complaints referred by DPAs must be made “expeditiously.”