The Commerce Department will begin accepting certification requests on August 1, and has posted a guide for self-certification for interested companies. Organizations seeking to self-certify will need to develop a Privacy Shield-compliant privacy policy that is publicly available (with some exception for human-resources data policies), is regularly verified, and identifies an independent recourse mechanism available to data subjects at no cost. Self-certifying organizations will also need to identify a lead contact for handling data privacy questions, complaints, and access requests under the Privacy Shield. The final text of the Framework is available here, and the Commerce Department has provided a Fact Sheet that summarizes the key new requirements for participants. Significantly, the revised text and accompanying materials, released today, include new assurances regarding the collection of signals intelligence by the U.S. intelligence community, new examples of acceptable secondary data processing, a new requirement that the Department of Commerce update the Commission on relevant developments in U.S. law, clarification of anonymization, and added notification requirements for third-party data processors.
Ratification of the Privacy Shield had previously stalled for the same reason that scuttled Safe Harbor and was only resolved after U.S. government officials provided written assurances regarding limitations, safeguards and oversight of EU citizens’ data surveillance, including a promise that mass collection of data would not be employed. While a major step forward, approval by the European Commission does not prevent challenges to the framework before the European Court of Justice, similar to the Schrems decision that prompted negotiations on the Privacy Shield. More than 4,000 companies were left to find alternative means for data transfers following Schrems, including Binding Corporate Rules, data subject consent, and model contract clauses. Commerce Secretary Pritzker sought to provide assurances of the Privacy Shield’s enforceability, noting today that “[w]ith new privacy protections in place, we are confident the Framework will withstand further scrutiny.”
It remains to be seen how the Privacy Shield will be implemented and revised to fit the EU-wide General Data Protection Regulation, which becomes enforceable in 2018.