Clock Running for EU Privacy Shield Self-Certification with Grace Period
The EU/US Privacy Shield, which governs transfers of personal information from the EU to the US, is now effective and available to US companies for self-certification. Any US company that wants to self-certify its compliance with Privacy Shield protections may do so now; and any company that does so before September 30 will have nine months to get its downstream data processing contracts in order.
Compliance and self-certification involve publishing a new privacy statement and a statement to the Department of Commerce, both of which must set forth information about a company's compliance with several fundamental principles:
- Notice and Choice about how an EU individual's personal information is shared with third parties,
- Access to that information for correction or deletion,
- Security undertakings regarding that information,
- Data Integrity and Limited Purpose use regarding such information,
- Recourse to independent dispute mechanisms by aggrieved EU data subjects, and
- Accountability for "onward transfer" of EU data to third parties.
The process of self-certification is fairly straightforward and may be a good idea for companies formerly covered by the Safe Harbor. Any company that collects, processes or uses data from the EU may want to consider Privacy Shield self-certification.
For companies that do wish to certify, there is a grace period of nine months to become compliant with the "onward transfer" principle if certification is made before the end of this month. That would allow a certifying company time to put in place a compliant contract procedure for vendors who may process data (procurement, purchasing, customer relations, for example) via downstream contracts.
There is no deadline for self-certification, which can be elected at any time; but the grace period is one-time-only as the Privacy Shield is taking effect.
- Product Liability
- Data Privacy
- Data Security
- Government Investigations
- Limited Government
- FAST Act
- JOBS Act
- Intellectual Property
- Public Policy
- Social Media
- Employment Issues
- Non-Profit Organizations
- Due Process
- Political Philosophy
- Risk Avoidance
- Risk Management
- Regulation A+
- Renewable Energy Around the Web
- In-House Counsel
- Mergers and Acquisitions
- Real Estate