Under the negotiated framework, organizations can self-certify their compliance with the Privacy Shield Framework in order to transfer personal data from the EU to the US.
- Prior to self-certifying, companies will need to perform a self-assessment audit to determine if their current business practices meet the minimum standards set forth in the Privacy Shield Framework.
- Self-certification requires companies to apply annually to the US Department of Commerce and pay a fee. See How to Join Privacy Shield – Guide to Self-Certification and Fact Sheet: Overview of the EU-U.S. Privacy Shield Framework.
- In summary, to enter the Privacy Shield, an organization must (a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the Department of Transportation; (b) publicly declare its commitment to comply with the Principles through self-certification to the Department of Commerce (DOC); (c) publicly disclose its privacy policies in line with the Principles; and (d) fully implement them.
Privacy Shield Principles
- Clear and Conspicuous Notice
- Individual Opt Out Choice
- Accountability for Onward Transfer / Vendor Agreements
- Provide Adequate Security Protection
- Maintain Data Integrity and Purpose Limitation
- Individual Access