The EU-US Privacy Shield Framework – Guide to Self-Certification

Under the negotiated framework, organizations that transfer personal data from the EU to the US can self-certify their compliance with the Privacy Shield Framework.

  1. Prior to self-certifying, a company must perform a self-assessment audit to determine whether its current business practices meet the minimum standards set out in the Privacy Shield Framework.
  2. Self-certification requires the company to apply to the US Department of Commerce (DOC), pay a fee, and re-certify annually. See How to Join Privacy Shield – Guide to Self-Certification and Fact Sheet: Overview of the EU-U.S. Privacy Shield Framework.
  3. In summary, to enter the Privacy Shield an organization must (a) be subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the Department of Transportation; (b) publicly declare its commitment to comply with the Principles through self-certification to the DOC; (c) publicly disclose privacy policies that are in line with the Principles; and (d) fully implement those Principles.

Privacy Shield Principles

  1. Clear and Conspicuous Notice
  2. Individual Opt-Out Choice
  3. Accountability for Onward Transfer / Vendor Agreements
  4. Adequate Security Protection
  5. Data Integrity and Purpose Limitation
  6. Individual Access