Answers to Privacy Shield FAQs across five main categories have finally been published by the Privacy Shield Program. But what exactly is the Privacy Shield and how can this guidance help?

The Privacy Shield is a mechanism that enables compliance with data protection requirements when personal data is transferred from the European Union to the USA in support of transatlantic commerce.

The general guidance deals with topics such as:

  • the continued status of the Privacy Shield as a data transfer mechanism under the GDPR

  • the Privacy Shield’s relationship to the Clarifying Lawful Overseas Use of Data Act (CLOUD Act)

  • the requirement to include the main website URL in an organization’s privacy policy, and;

  • additional information regarding Privacy Shield certification.

In addition, the guidance includes FAQs specific to the Swiss-U.S. Privacy Shield, privacy policies, the Accountability for Onward Transfer Principle, and processors.

Answers to Privacy Shield FAQs provides guidance

Answers to Privacy Shield FAQs across five main categories have finally been published. But what exactly is the Privacy Shield?

The Privacy Shield is a mechanism that enables compliance with data protection requirements when personal data is transferred from the European Union to the USA in support of transatlantic commerce.

The general guidance deals with topics such as:

  • the continued status of the Privacy Shield as a data transfer mechanism under the GDPR

  • the Privacy Shield’s relationship to the Clarifying Lawful Overseas Use of Data Act (CLOUD Act)

  • the requirement to include the main website URL in an organization’s privacy policy, and;

  • additional information regarding Privacy Shield certification.

In addition, the guidance includes FAQs specific to the Swiss-U.S. Privacy Shield, privacy policies, the Accountability for Onward Transfer Principle, and processors.

Privacy Shield FAQs – General

Privacy Shield FAQs #1:
Will the Privacy Shield continue to serve as a data transfer mechanism under the EU General Data Protection Regulation (GDPR)?
  • Yes. Article 45 of the GDPR provides for the continuity of adequacy determinations made under the EU’s 1995 Data Protection Directive, one of which was the adequacy decision on the EU-U.S. Privacy Shield.

  • The Privacy Shield was also designed with an eye to the GDPR, addressing both substantive and procedural elements.

  • For instance, the Privacy Shield includes an annual review, which was designed to address the GDPR’s requirement for a mechanism for a periodic review, at least once every four years, of relevant developments.

  • It is important to note that Privacy Shield is not a GDPR compliance mechanism, but rather is a mechanism that enables participating companies to meet the EU requirements for transferring personal data to third countries, discussed in Chapter V of the GDPR.

Privacy Shield FAQs #2: 
Does the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) affect the Privacy Shield Framework?
  • The CLOUD Act involves data transfers for law enforcement purposes. It does not conflict with the Privacy Shield Framework, which provides a legal basis under EU law for transfers of personal data from the EU to participating US organizations. The Privacy Shield Framework is unrelated to, and unaffected by, the CLOUD Act.

Privacy Shield FAQs #3:
Why should an organization that previously participated in the Safe Harbor program self-certify to the Privacy Shield and how should references to Safe Harbor be adjusted when self-certifying?
  • The Privacy Shield provides a number of important benefits to U.S.-based organizations, as well as their partners in Europe. These include:

  • The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were deemed adequate by the European Commission and Swiss Government respectively, meaning they are recognized mechanisms to comply with EU and Swiss data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

  • Participating organizations are deemed to provide “adequate” privacy protection, a requirement for the transfer of personal data outside of the European Union under the EU Data Protection Directive and outside of Switzerland under the Swiss Federal Act on Data Protection.

  • Compliance requirements of the Privacy Shield Framework are clearly laid out and can be implemented by small and medium-sized enterprises.

  • The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks are no longer legally recognized as adequate under EU and Swiss law for transferring personal data from the European Union and Switzerland to the United States.

  • Prior to submitting its self-certification, an organization joining the Privacy Shield must remove the affirmative commitment to Safe Harbor from its privacy policy.

Privacy Shield FAQs #4:
What information will an organization be required to provide to the Department of Commerce in the online self-certification process?
  • The information that an organization must provide during the self-certification process is outlined here.

  • Organizations interested in self-certifying are encouraged to review and compile this information prior to initiating the online certification process.

Privacy Shield FAQs #5:
What URL must be included in an organization’s privacy policy to meet the Framework requirement to link to the Privacy Shield website?
Privacy Shield FAQs #6:
What are the certification and notice requirements for entities or subsidiaries of the organization also adhering to the Privacy Shield Principles?
  • Each organization will be asked during the self-certification process to identify all U.S. entities or U.S. subsidiaries of the organization also adhering to the Privacy Shield Principles and covered under the organization’s self-certification.

  • The organization can either 1) list the entities and subsidiaries by name or, 2) if an individual could readily understand the subsidiaries’ connection to the organization due to the use of a shared brand name as part of the entities’ names, the organization may indicate “all U.S. subsidiaries using brand name [X],” excluding particular entities if applicable.

  • Per the Notice Principle, organizations must also inform individuals about the U.S. entities or U.S. subsidiaries also adhering to the Principles.

Privacy Shield FAQs #7:
Can organizations adjust their recertification date?
  • In order to allow organizations to set their own annual schedules, organizations that participate in one or both Frameworks may adjust their annual recertification date by re-certifying early to one or both Frameworks.

  • For example, organizations that already have joined the EU Framework and wish to join the Swiss Framework as well will have three options for timing the synchronized recertification. Such organizations may (a) self-certify to the Swiss Framework before the EU renewal comes due and re-certify early to the EU Framework at the same time; (b) wait until their certification to the EU Framework is up for renewal and self-certify to the Swiss Framework at the same time as they renew their certification to the EU Framework; or (c) self-certify to the Swiss Framework separately (without waiting for their recertification to the EU Framework to come due), and then re-certify to both Frameworks when their recertification to the EU Framework comes due.

Privacy Shield FAQs #8:
H
ow much will it cost to self-certify to the Privacy Shield?
  • ITA has implemented a cost recovery program fee to support the operation of the Privacy Shield, which requires that U.S. organizations pay an annual fee to ITA in order to participate in the Privacy Shield.

  • The cost recovery program supports the administration and supervision of the Privacy Shield program and supports the provision of Privacy Shield-related services, including education and outreach.

  • The fee is tiered based on the organization’s annual revenue.

Annual Fee Schedule for the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks*:

Organization’s Annual Revenue Single Framework Both Frameworks
$0 to $5 million $250 $375
Over $5 million to $25 million $650 $975
Over $25 million to $500 million $1,000 $1,500
Over $500 million to $5 billion $2,500 $3,750
Over $5 billion $3,250 $4,875

Annual Fee when Retain Data after Withdrawal (annual reaffirmation required): $200

Organizations have additional direct costs associated with participating in the Privacy Shield. For example, Privacy Shield organizations must provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual. Providers of such services set their own fees.  Furthermore, the Privacy Shield provides the option for an EU individual to invoke binding arbitration to determine whether a Privacy Shield organization has violated its obligations under the Principles as to that individual and whether any such violation remains fully or partially unremedied. The Department of Commerce facilitated the establishment of a fund into which Privacy Shield organizations are required to make contributions to cover the arbitral costs as described in Annex I to the Principles.  The International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) was selected to administer these arbitrations and manage this fund. Information on required contributions.

* The Federal Register Notice specifying the fee structure is the governing document.

Answers to Privacy Shield FAQs are also available on the following topics:

  • Swiss-U.S. Privacy Shield FAQs

  • Privacy Policy FAQs

  • Accountability for Onward Transfer Principle FAQs

  • Processor FAQs

Source : Privacy Shield Framework for more Privacy Shield FAQs

 

Read more articles on the Privacy Shield

Leave a Reply