Emerging Markets Law

Clock Running for EU Privacy Shield Self-Certification with Grace Period

The EU/US Privacy Shield, which governs transfers of personal information from the EU to the US, is now effective and available to US companies for self-certification. Any US company that wants to self-certify its compliance with Privacy Shield protections may do so now; and any company that does so before September 30 will have nine months to get its downstream data processing contracts in order. 

Compliance and self-certification involve publishing a new privacy statement and a statement to the Department of Commerce, both of which must set forth information about a company's compliance with several fundamental principles:

  • Notice and Choice about how an EU individual's personal information is shared with third parties,
  • Access to that information for correction or deletion,
  • Security undertakings regarding that information,
  • Data Integrity and Limited Purpose use regarding such information,
  • Recourse to independent dispute mechanisms by aggrieved EU data subjects, and
  • Accountability for "onward transfer" of EU data to third parties.

The process of self-certification is fairly straightforward and may be a good idea for companies formerly covered by the Safe Harbor. Any company that collects, processes or uses data from the EU may want to consider Privacy Shield self-certification.

For companies that do wish to certify, there is a grace period of nine months to become compliant with the "onward transfer" principle if certification is made before the end of this month. That would allow a certifying company time to put in place a compliant contract procedure for vendors who may process data (procurement, purchasing, customer relations, for example) via downstream contracts. 

There is no deadline for self-certification, which can be elected at any time; but the grace period is one-time-only as the Privacy Shield is taking effect. 

Stay Connected

Subscribe to blog updates via email

Contributors