What is Privacy Shield Certification?
The Privacy Shield program is a data protection framework for US organizations who seek to become compliant with current European and/or Swiss privacy regulations regarding the transfer of EU residents' personal data to the US.
In particular, Privacy Shield aligns itself with the EU's new GDPR (General Data Protection Regulation) regulation, and takes over the role previously provided by the US-EU Safe Harbor agreement, which was invalidated in 2015.
As of 2017, there are two separate self-certification frameworks for EU-US and Swiss-US transfers, both of which are practically identical in scope. All organizations whose activities fall under the jurisdiction of the FTC or Department of Transportation are eligible for Privacy Shield registration. Organizations that wish to certify themselves may do so at the Privacy Shield website maintained by the International Trade Administration of the US Department of Commerce.
Privacy Shield Certification Obligations
The EU-US and Swiss-US Privacy Shield frameworks outline the obligations that a US organization must adhere to in order to satisfy the "adequacy" principle, which is a minimum viable set of protections needed to legally transfer personal data outside of the European Union. Important obligations include the following:
- Notice: Individuals must be informed as to what data is collected and how it is to be processed when handled by third-parties.
- Choice: Individuals must have the option to opt out of the collection and onward transfer of their data to third-parties.
- Access: Individuals must be able to access all data stored about them, and correct any inaccurate information.
- Purpose Limitation: Personal information must be limited to only that which is relevant to the purposes of processing.
- Dispute Resolution: Individuals must be able to lodge complaints over potential violations and engage in dispute resolution at no cost.
- Liability for Onward Transfers: Any data sent to third-parties must be subject to the same level of adequate protection (in effect, the organization must ensure that third-parties and subsidiaries are also Privacy Shield compliant).