August 10, 2016 Client Alert

U.S. Companies and the EU-U.S. Privacy Shield Certification Process

Eligible U.S.-based companies of all sizes with access to personal information of European Union (EU) citizens can now certify under the EU-U.S. Privacy Shield. Certification is voluntary and provides some significant efficiencies and protections. However, even companies that opt not to certify will remain subject to the EU’s data protection regulations and should consider adopting the Privacy Shield’s principles and guidelines as best practices.

What is the Privacy Shield?

As we reported earlier this year, the Privacy Shield Data-Transfer Pact is a framework governing data transfers between the EU and U.S., and replaces the U.S.-EU Safe Harbor. It embodies seven core principles: notice; data integrity and purpose limitation; choice; security; access; recourse, enforcement and liability; and accountability of onward transfers. While the Privacy Shield has similarities to the Safe Harbor, it differs in key ways, including:

  • Stronger remedies and enforcement provisions
  • A better-defined certification process through the U.S. Department of Commerce
  • Restrictions on U.S. government access to EU citizens’ data
  • Changes to notice and choice obligations

The Privacy Shield also contains specific onward transfer restrictions related to EU citizens’ data, which are relevant to many companies that do not directly conduct business with EU citizens but that partner with companies that do.

Deciding whether or not to certify under the Privacy Shield is a significant choice for any company and requires discussing the benefits and disadvantages.

What is involved in certifying?

After determining your eligibility and deciding whether your company should opt to certify, the process of certification under the Privacy Shield requires several steps of varying complexity:

  • Update your company’s privacy policy statement. Bringing your statement into Privacy Shield compliance is more complicated than it sounds, as it requires a review of current internal practices to ensure that the representations made in the privacy policy match actual practices.
  • Identify your company’s independent recourse mechanism. Each company certifying under the Privacy Shield must provide a cost-free mechanism for investigating and resolving individuals’ complaints, which must be in place prior to certification.
  • Put in place a protocol for verifying compliance with the Privacy Shield, and designate a contact for any inquiries regarding your company’s privacy policy statement and the Privacy Shield.
  • Submit your certification to the U.S. Department of Commerce.

While some of the steps outlined border on administrative, many have significant legal and regulatory implications. Michael Best is prepared to guide you through each step of the certification process. 
