TargetCW Privacy
Global Privacy & Data Protection Office


Worker, Vendor and Client Resource

The 411 about Privacy Shield

If you operate a business that has any dealings with people who reside in the European Union, you will know by now about the effect the General Data Protection Regulation (GDPR) has had on how personal data is handled. One of the GDPR's requirements is that personal data may only be transferred out of the EU to a country whose protections have been recognized as adequate, or under another approved safeguard. For US businesses, one way to satisfy that transfer requirement is self-certification under the Privacy Shield Framework.

What is Privacy Shield?

Privacy Shield is a joint framework developed by the US Department of Commerce together with the European Commission. It gives companies a set of principles to follow so that personal data transferred from the European Union to the United States in the course of transatlantic commerce remains protected in line with EU data protection law.

The framework sets out principles for protecting EU residents' personal data. Each participating company must publicly state how it collects and shares personal data, and its commitments are subject to oversight by the US authorities, in cooperation with the EU data protection authorities. EU individuals are given several routes for raising concerns about a participant's compliance, including a dispute resolution service that is free of charge to the individual.

Privacy Shield also requires that protection continues when a participant passes personal data on to a third party (the onward transfer principle), and it gives EU residents a clear way to find out about their rights and exercise them. The European Commission adopted an adequacy decision recognizing the framework as a lawful basis for transferring personal data from the EU to participating US companies.

How Do US Companies Join Privacy Shield?

To join the framework, a US-based company submits a self-certification to the Department of Commerce in which it publicly commits to complying with all of the framework's requirements. Joining is voluntary; there is no legal requirement to do so. Once a company has self-certified, however, its commitment becomes enforceable under US law: a participant that fails to honour its published privacy commitments can be pursued by the Federal Trade Commission (or, for air carriers and ticket agents, the Department of Transportation), so a company must be subject to the jurisdiction of one of those agencies to be eligible. Certification is not a one-off step either; a participant must re-certify annually to stay on the Privacy Shield List.

How Businesses Show Privacy Shield Compliance

When a business signs up for Privacy Shield, it must declare its commitment to the Privacy Shield Principles in its privacy policy. That policy must be easy to find on the business's website. Where the policy is published online, it must include a link to the Department of Commerce's Privacy Shield website and a link to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved individual complaints.

The privacy policy must also tell individuals about their right to access their own personal data, and must disclose that the company may be required to hand over personal data in response to lawful requests from public authorities, for example to meet national security or law enforcement requirements. Finally, the policy must set out the company's liability if personal data is mishandled after an onward transfer to a third party.

Samer Khouli