The New EU-USA Privacy Shield Framework

August 04, 2016

On October 6, 2015 the European Court of Justice (ECJ) made a landmark decision to nullify the Safe Harbor agreement, which had permitted companies based in the United States to transfer the data of European citizens’ and store it within United States borders. The only real requirement was that the America companies comply with privacy protections that met European Union (EU) standards.

Companies such as Facebook and Google took the brunt of the blame, thanks largely to allegations made by former National Security Agency (NSA) contractor Edward Snowden that these companies were allowing the NSA to perform active surveillance on the data of their users. However, the repeal of the Safe Harbor agreement impacted thousands of companies that had operations and customers in the EU.

In February 2016, U.S. Secretary of Commerce Penny Pritzker, released a statement about the new joint EU-USA data protection policy titled Privacy Shield. Mrs. Pritzker was eager to express her enthusiasm about the new framework, and its ability to protect the data of both EU and US citizens.

In her statement she said, “The EU-U.S. Privacy Shield is a tremendous victory for privacy, individuals, and businesses on both sides of the Atlantic. We have spent more than two years constructing a modernized and comprehensive framework that addresses the concerns of the European Court of Justice and protects privacy.

The new EU-U.S. Privacy Shield provides certainty that will help grow the digital economy by ensuring that thousands of European and American businesses and millions of individuals can continue to access services online.”

You can read her statement in its entirety here.

The new Privacy Shield Framework will become effective on August 1, 2016. Companies wishing to comply with the standard will need to provide a self-assessment of compliance to the department of commerce.

In a statement on the new Privacy Shield agreement, the Department of Commerce explained, “To join the Privacy Shield Framework, a U.S.-based company will be required to self-certify to the Department of Commerce and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield Framework will be voluntary, once an eligible company makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All companies interested in joining the Privacy Shield Framework should review its requirements in their entirety.”

Its’ rather long, but if you’d like, you can read the full text of the EU-USA Privacy Shield framework here.

To help you understand how to become compliant with Privacy Shield, here is a comprehensive list of the requirements defined by the framework

Informing individuals about data processing:

  • A Privacy Shield participant must include in its privacy policy a declaration of the organization’s commitment to comply with the Privacy Shield Principles, so that the commitment becomes enforceable under U.S. law.
  • When a participant’s privacy policy is available online, it must include a link to the Department of Commerce’s Privacy Shield website and a link to the website or complaint submission form of the independent recourse mechanisms that is available to investigate individual complaints.
  • A participant must inform individuals of their rights to access their personal data, the requirement to disclose personal information in response to lawful request by public authorities, which enforcement authority has jurisdiction over the organization’s compliance with the Framework, and the organization’s liability in cases of onward transfer of data to third parties.

Providing free and accessible dispute resolution:

  • Individuals may bring a complaint directly to a Privacy Shield participant, and the participant must respond to the individual within 45 days.
  • Privacy Shield participants must provide, at no cost to the individual, an independent recourse mechanism by which each individual’s complaints and disputes can be investigated and expeditiously resolved.
  • If an individual submits a complaint to a data protection authority (DPA) in the EU, the Department of Commerce has committed to receive, review and undertake best efforts to facilitate resolution of the complaint and to respond to the DPA within 90 days.
  • Privacy Shield participants must also commit to binding arbitration at the request of the individual to address any complaint that has not been resolved by other recourse and enforcement mechanisms.

U.S. Department of Commerce Cooperating with the Department of Commerce:

  • Privacy Shield participants must respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield Framework. Maintaining data integrity and purpose limitation
  • Privacy Shield participants must limit personal information to the information relevant for the purposes of processing.
  • Privacy Shield participants must comply with the new data retention principle.

Ensuring accountability for data transferred to third parties:

  • To transfer personal information to a third party acting as a controller, a Privacy Shield participant must:
  • Comply with the Notice and Choice Principles; and
  • Enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by the individual and that the recipient will provide the same level of protection as the Principles and will notify the organization if it makes a determination that it can no longer meet this obligation. The contract shall provide that when such a determination is made the third party controller ceases processing or takes other reasonable and appropriate steps to remediate.

Ensuring accountability for data transferred to third parties:

  • To transfer personal data to a third party acting as an agent, a Privacy Shield participant must: o Transfer such data only for limited and specified purposes;
  • Ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; U.S. Department of Commerce
  • Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the organization’s obligations under the Principles;
  • require the agent to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles;
  • Upon notice, take reasonable and appropriate steps to stop and remediate unauthorized processing; and
  • Provide a summary or a representative copy of the relevant privacy provisions of its contract with that agent to the Department upon request.

Transparency related to enforcement actions:

  • Privacy Shield participants must make public any relevant Privacy Shield related sections of any compliance or assessment report submitted to the FTC if the organization becomes subject to an FTC or court order based on non-compliance.

Ensuring commitments are kept as long as data is held:

  • If an organization leaves the Privacy Shield Framework, it must annually certify its commitment to apply the Principles to information received under the Privacy Shield Framework if it chooses to keep such data or provide “adequate” protection for the information by another authorized means

To view a copy of the updated Privacy Shield fact page click here.

Whistic is an award winning risk assessment and analytics platform that makes it easy for companies to assess service providers or self assess against compliance and security standards (e.g. PCI, DSS). Headquartered in Orem, Utah at the heart of the Silicon Slopes, Whistic is the creator of the CrowdConfidence TM scoring algorithm that leverages the wisdom of crowds to assess the residual risk of sharing data with a vendor. Whistic was the recipient of the “Best Enterprise” award at the World’s Largest Startup Event: Launch Festival 2016.

For more information about Whistic, visit:

privacy privacy shield standards Article safe harbour

About the author


The latest insights and updates on information security and third party risk management.

Hate security reviews?
Want FREE AirPods?*

Offer valid for any decision-maker/influencer in relation to your company’s third-party risk management strategy. Company size must exceed 100 employees. Exclusions apply. Limit 1 pair per company.