The new "Privacy Shield" Data Transfer Framework is here

After the "Safe Harbor" data transfer framework was invalidated last year, the new "Privacy Shield" data transfer framework will allow participating U.S. companies to legally collect and process the personal data of EU citizens. So far, over 4000 U.S. companies have signed up to participate.

Things to know:

  • The new Privacy Shield offers a straightforward mechanism for organizations to legally transfer EU personal data to the U.S.
  • There are specific requirements to join the Privacy Shield program, so compliance may require a change to existing practices and privacy policies.
  • Certifying within two months of the effective date offers the benefit of a grace period for third-party relationship requirements.

What is the Privacy Shield? 

The Privacy Shield is a data transfer framework that governs the transfer, handling, sharing and use of EU citizens' personal data within the United States. All U.S. entities that process personal data from EU citizens must comply with either the Privacy Shield or another EU-approved data transfer framework. Companies that fail to comply will face enforcement actions and liability from government regulators and individuals.

With immediate effect, U.S. organizations that wish to participate must:

  • Implement a data protection policy and practices that comply with the Privacy Shield's requirements;
  • Clearly display a compliant privacy policy on their website;
  • Self-certify on an annual basis that they meet all of the Privacy Shield's obligations;
  • Provide EU citizens the ability to choose whether the organization can share personal data with third parties;
  • Ensure third parties that receive EU personal data from the organization comply with the Privacy Shield's obligations; and
  • Respond to privacy-related complaints from EU citizens within 45 days of receipt.