Commerce Dept. Launches Privacy Shield Website, Begins Accepting Self-Certifications

    Aug 10, 2016

    The U.S. Commerce Department on July 26 launched a website that provides individuals and companies with additional information regarding the U.S.-EU Privacy Shield Framework, as well as a mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.  

    Earlier in July, the European Commission issued an “adequacy decision” deeming the Privacy Shield Framework as being sufficient to protect the fundamental rights of anyone in the EU whose personal data is transferred to the United States, as well as bringing legal clarity for businesses relying on transatlantic data transfers.

    “We have worked together with the European data protection authorities, the European Parliament, the Member States and our U.S. counterparts to put in place an arrangement with the highest standards to protect Europeans' personal data,” stated VÄ›ra Jourová, the EU commissioner for justice, consumers and gender equality.

    In the United States, the Privacy Shield program is being administered by the International Trade Administration within the U.S. Department of Commerce. U.S.-based organizations are able to benefit from the Privacy Shield Framework, effective August 1, 2016, by completing an online self-certification process on the Commerce Department’s website and publicly committing to comply with the framework’s requirements.

    According to the website, joining the Privacy Shield Framework is voluntary. However, once a public commitment is made to comply with the framework’s requirements, the commitment will become enforceable under U.S. law. Fees for participating in the framework range from $250 a year for businesses with annual revenue of $5 million or less to $3,250 for companies with annual revenue above $5 billion. Organizations will also be required to provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual.

    Companies that self-certify before the end of September 2016 will have up to nine months to bring existing commercial relationships with third parties into conformity with the framework’s principles. For example, where organizations transfer data to a third party, they must provide notice in clear and conspicuous language to individuals whose personal information is being transferred, and they must offer such individuals the opportunity to opt out of having their personal information disclosed to a third party. Where personal data is transferred to a third party acting as an agent, the agent is obligated to provide at least the same level of protection as is required by the framework’s principles.

    “This Agreement includes new privacy protections for companies to implement, new commitments from my Department to oversee compliance, new collaboration with European institutions to ensure the Framework functions as intended, and new redress options for people across the EU,” U.S. Commerce Secretary Penny Pritzker stated at a Privacy Shield Framework press conference on July 12. “It also increases cooperation between the Federal Trade Commission and the EU Data Protection Authorities to ensure independent, vigorous enforcement.”


    The Washington Policy Brief is an online advisory that contains brief summaries of recent legislative and regulatory issues that may affect the records and information management profession. Further information about the issue is accessed by clicking on the link provided at the end of each summary.


    Want to sign up to receive an e-mail version of the Washington Policy Brief? It's free! Just tell us a little about yourself and you'll receive a monthly dose of the latest in legislation, regulation, and more.



    © 2017, ARMA International