
US Privacy Shield Step-by-Step Instructions

Introduction


The US Privacy Shield is the most effective way for US companies to legally support the collection, use, and processing of personal information from EU residents. Other methods such as the use of Model Clause Contracts, relying on consent, and the use of contract performance as the legal basis for processing all have significant drawbacks.


Simon Wynn Consulting can assist your company with self-certification to comply with the US Privacy Shield Program. We can draft compliant HR and non-HR data Privacy Policies, and complete the filing on your behalf.


The following are step-by-step instructions for self-certifying with the US Privacy Shield program.


Note: When a company agrees to participate in the US Privacy Shield program, it makes statements to the US Department of Commerce that it will follow and comply with the Privacy Shield principles, and also comply with the requirements listed on the US Privacy Shield website: https://www.privacyshield.gov/Key-New-Requirements


Once a company agrees to the provisions of the US Privacy Shield, it is subject to enforcement by the FTC under US law, and therefore the commitments must be taken seriously.


Step-by-Step Guide


1) Decide on your specific participation and scope

  • Typically select both “EU-US” and “Swiss-US”

  • Select “Non-HR data”

  • If you have EU employees, also select “HR data”


2) Draft a short description of your processing activities. Here is an example:


SampleCo is a leading provider of managed technology services. The company provides a full technology lifecycle support model including design, deployment, and 24×7 ongoing IT management support. SampleCo operates world-class network operations centers (Managed NOCs) that are combined with helpdesk solutions. These solutions can be easily integrated with the client’s business needs, making SampleCo a natural extension of a client’s operations. SampleCo processes customer personal data for the purposes of providing IT and helpdesk support services, executing business agreements, and for other related purposes including general correspondence and email marketing. SampleCo also processes personal data for employment and payroll purposes.


There are also multiple examples to refer to on the Privacy Shield website: https://www.privacyshield.gov/list


Remember, whatever you write here ends up in the ‘Purpose Of Data Collection’ section of the public-facing Privacy Shield list, so make sure you are happy with it.


3) Select an independent recourse mechanism. We always recommend JAMS (https://www.jamsadr.com/eu-us-privacy-shield). There is no fee to sign up, but you should review their arbitration fees, since if they have to arbitrate a complaint from a data subject, you will need to pay JAMS.


Sign up with JAMS at least 24 hours before submitting the full Privacy Shield filing (JAMS transfers new registrations electronically to the DoC every 24 hours) here: https://docs.google.com/document/d/1Y-Cby6vY8axd4kTNVWmV-CFEfQnqZaKGG1pKfO_yaeA/edit#


4) If you are also including ‘HR data’ in your application because you have employees in the EU, register with and pay the United States Council for International Business (USCIB) - the fee is $50. Instructions on how to do this can be found at: https://www.privacyshield.gov/Additional-Certification-Documentation - save any receipts and confirmation emails as PDFs.


5) Register and pay for the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA). Instructions on how to do this can be found at: https://www.privacyshield.gov/Additional-Certification-Documentation, and the fee schedule is here: https://go.adr.org/privacyshieldfund.html - save any receipts and confirmation emails as PDFs. Although the ICDR-AAA website says that payment confirmations are automatically sent to the Department of Commerce ITA, this doesn’t appear to be happening consistently. You will need to send this receipt, and if applicable the USCIB receipt from step 4, directly to the Department of Commerce via email when they request it. Also, see step 9 below.

6) Make sure you have your updated, US Privacy Shield-ready Privacy Policy as a PDF, and if you are also including “HR data” in your application, also convert your employee Privacy Policy to a PDF. Important: Do not post your updated Privacy Policy online yet - the Department of Commerce will complain, and this would be an FTC Act violation. Even though the Privacy Shield website has a field for a Privacy Policy URL, that is for online renewals, not new applications.


7) Review the materials on the Privacy Shield site to make sure you understand the purpose of the US Privacy Shield, then sign up for an account at: https://www.privacyshield.gov/welcome

8) Complete the application online. It is important to provide an active email contact where you can receive Department of Commerce emails and complaints, so privacy@xyz.com is a good choice. You will also need to pay the US Privacy Shield fees - these fees are based on your company revenue.

9) Wait for a response from the Department of Commerce. They will typically ask you for copies of the USCIB and ICDR-AAA receipts by email, since there is no way to upload these when completing the online application.

10) Once you have been approved, update your online Privacy Policy to the version you submitted and inform the Department of Commerce by replying to their email. They will then add you to the official online Privacy Shield list at: https://www.privacyshield.gov/list