Elizabeth A. McMorrow

What is U.S. Privacy Shield Certified?

As a result of the European Union (EU) General Data Protection Regulation’s (GDPR’s) extraterritorial reach, a U.S. business that controls or processes personal data of EU citizens may be subject to the GDPR. Over 5000 companies have opted to self-certify to the U.S. Privacy Shield Framework in order to be deemed GDPR compliant.

What Is the GDPR?

The GDPR came into effect on May 25, 2018 and is an EU regulation that requires businesses to protect EU citizens’ privacy and personal data. It also grants several rights to individuals with respect to their personal data:

  • Access

  • Update

  • Opt out

  • Erasure

  • Portability

For more details, see my May 23, 2019 blog post: GDPR: 1 Year of Non-Compliance.

What Is the Privacy Shield Framework?

The Privacy Shield Framework is a mechanism for a U.S. company to comply with the GDPR when transferring personal data from the European Economic Area (EEA) to the U.S. There are two Privacy Shields: EU-U.S. and Switzerland-U.S. American companies join the Privacy Shield by self-certifying to the U.S. Department of Commerce (DoC) and publicly committing to comply with Privacy Shield requirements.

Although joining the Privacy Shield Framework is voluntary, once a U.S. company commits to participate in the Privacy Shield that commitment is enforceable under U.S. law. The DoC coordinates with EU Data Protection Authorities (DPAs) to ensure compliance.

As with the GDPR itself, the Privacy Shield provides privacy and security protections for EEA and other individuals. It also provides enhanced complaint resolution for EEA citizens.

The 7 Privacy Shield Principles

The seven Privacy Shield Principles form the core of the Privacy Shield Regime:

  1. Notice: Publication of a privacy notice that includes the company’s collection and use of data, who it shares data with, data access rights, company contact information, independent resolution body contact information, and more.

  2. Choice: Opportunity for an individual to opt out of having their personal information, and to opt in before having their sensitive information, disclosed or used in certain ways.

  3. Accountability for Onward Transfer: Requirement that the U.S. company enter into contracts with third parties that ensure the third-party service provider adheres to the Privacy Shield Principles.

  4. Security: Measures to protect data from loss, misuse and unauthorized access, disclosure, alteration and destruction.

  5. Data Integrity and Purpose Limitation: Limitations restricting the use of data to its intended purpose and limiting the length of retention, together with an obligation to ensure the data is reliable, accurate, complete and current.

  6. Access: Process by which an individual can access her information and correct, amend or delete data that is inaccurate or has been processed in violation of the Privacy Shield Principles.

  7. Recourse, Enforcement and Liability: Mechanisms for compliance with the Privacy Shield Principles including recourse for individuals who are affected by noncompliance, and consequences for the organization’s noncompliance.

For full details on the seven Privacy Shield Principles and the equally binding 16 Supplemental Principles:

EU-U.S. v Switzerland-U.S. Privacy Shield Framework

There are minor differences related to the specific Supervisory Authority, dispute resolution fees, grace period, and categorization of “sensitive data.”

Next Steps

It is possible that your existing policies adequately cover issues raised by the GDPR. However, it is necessary to undertake a review of internal and external processes to determine if GDPR-specific policies should be implemented. The mapping of data should include internal sharing and storage along with the mapping of data flows to third-party service providers.

The following are some of the issues to address:

  • Map data flows.

  • Review controls / conduct risk assessment.

  • Obtain informed consent from clients: opt in, not opt out.

  • Review and amend existing vendor agreements regarding breach liability.

  • Train management team and staff.

  • Create a data protection plan or review and update existing data protection plan.

For assistance, please contact me via my contact page or at

Copyright © Elizabeth A. McMorrow Law LLC. All rights reserved.