Self-Certifying Under the EU-U.S. Privacy Shield

November 30, 2016

The European Union formally adopted the EU-U.S. Privacy Shield in July 2016, and by late September about 275 companies had active Privacy Shield certifications. The question for other companies is whether they should self-certify too. The answer is not clear, considering the problems some companies had after the invalidation of the EU/U.S. Safe Harbor (the Privacy Shield’s predecessor) and the threats by some in the EU to challenge the Privacy Shield’s validity.

The Privacy Shield is a voluntary self-certification program with the U.S. Department of Commerce. Certain entities (such as financial institutions) that are not subject to the enforcement powers of the FTC, DOT or “another statutory body that will effectively ensure compliance with the Principles” are not covered. Companies that want to self-certify must agree to comply with the Privacy Shield principles and then bring their policies in line with them.

There are numerous considerations in deciding whether certifying under the Privacy Shield is the right step for an organization. Important factors include the volume, frequency and importance of the data at issue for the company, and whether the data falls within any special categories. Once the UK exits the EU and is no longer a party to the Privacy Shield, the Shield will no longer cover transfers of data from the UK to the United States.

Companies that certify under the Privacy Shield will be subject to increased enforcement and oversight mechanisms, and harsh penalties for non-compliance.
