The Privacy Shield provides organizations the requirements and obligations for United States companies to transfer data to and from European Union states. US companies self-certify following the guidelines from the US Department of Commerce and commit to following privacy and protection principles. The Privacy Shield was approved by the EU Commission on July 12, 2016 and is reviewed annually by the EU to ensure that Privacy Shield principles and enforcement are adequate.
On July 16, 2020 the Court of Justice of the European Union invalidated the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules.
The US Department of Commerce provides details, guidance, and administrative support for self-certification. In self-certifying, organizations are attesting to providing rights and protections to individuals. This includes:
1. Notice of participation in Privacy Shield and personal information the organization collects.
2. Choice options for individuals on how their information is used.
3. Accountability for onward transfer: the member will ensure that the 3rd party honors notice, choice, limits of processing, and provides adequate protection.
4. Security: organizations will have reasonable security in place to protect personal data.
5. Access: in that the organization must provide subjects rights of what is held, deletion, and correction. Recourse, enforcement, and liability: organizations must have processes in place to handle complaints, monitor compliance, and remediate incidents.
Organizations must adhere to several requirements to comply with Privacy Shield requirements. The requirements include data protection, consent, and subject rights:
1. Ensure data integrity and limit utilization.
2. Be accountable for data transferred to third parties.
3. Limit transfers to parties that will ensure data protection and appropriate data processing.
4. Respond in 90 days to complaints filed with an EU DPA or 45 days if filed directly to the company.