
Privacy Shield Certification

Although the Privacy Shield Framework no longer applies to EU-U.S. data transfers, some organizations continue to refer to it. Understanding its historical context and current relevance is essential for businesses transferring data internationally.

What Is Privacy Shield Certification?

Privacy Shield Certification was a program that the U.S. Department of Commerce developed in collaboration with the European Commission and the Swiss Administration. It was designed to replace the now-defunct Safe Harbor framework.

By committing to the Privacy Shield principles, U.S.-based companies could self-certify their adherence to data protection requirements such as transparency and security. This gave them a recognized mechanism for complying with European privacy law, primarily the General Data Protection Regulation (GDPR).

There were two versions of the framework:

  1. The EU-U.S. Privacy Shield for data from the European Union.

  2. The Swiss-U.S. Privacy Shield for data from Switzerland.

How Did Privacy Shield Certification Work?

To obtain certification, organizations needed to confirm their eligibility and commit to the framework's principles. The process was straightforward.

Only organizations that were subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) could participate. This covered a wide range of industries, such as:

  • SaaS platforms and cloud providers

  • E-commerce marketplaces

  • Marketing technology firms

  • Financial services companies

  • Telehealth and wellness platforms

  • Third-party service providers (TPSPs) handling user data on behalf of others

While joining was voluntary, it became a practical necessity for companies engaged in transatlantic data exchanges.

Organizations would self-certify by submitting required information and documentation to the U.S. Department of Commerce. Once approved, their certification status was listed publicly, signaling compliance to partners and regulators.

Organizations that achieved Privacy Shield Certification benefited by:

  • Building Trust: Demonstrating a commitment to data protection enhanced customer confidence.

  • Simplifying Compliance: Certification covered cross-border transfers in one step, eliminating the need to negotiate Standard Contractual Clauses (SCCs) with each partner individually.

  • Reducing Legal Risks: Transferring data under a recognized mechanism reduced exposure to the penalties associated with non-compliant transfers.

What Were the Requirements for Certification?

Confirm Eligibility

As mentioned earlier, any organization operating in the U.S. under the jurisdiction of the FTC or DOT had to confirm its eligibility before applying for certification.

Example of How a Business Might Have Qualified:

A U.S.-based video conferencing company like Zoom, which processes European users' names, emails, and call recordings, would need a legal mechanism to transfer that data. Before 2020, certifying under the Privacy Shield helped meet that need.

Similarly, if it offered its services in Switzerland, it could be certified under the Swiss-U.S. Privacy Shield.

Craft a Policy Statement

Certification wasn't enough on its own.

Companies listed their certification status on the official Privacy Shield website, but they also had to publicly commit to the framework's principles, usually in their privacy policies.

Their websites often contained a line that said: "[Company Name] complies with the EU-U.S. Privacy Shield Framework."

The privacy policy was also required to let users know:

  • The personal information the business was collecting

  • How they would be using it

  • What access third parties had to it and the scope of their access

  • The business's responsibility and liability for any information that was transferred to a third party

  • The ways users could access their data after the business collected it

  • How they could control the way a business used and disseminated it

  • Methods for opting out of sharing it with third parties or the company using it beyond what they had disclosed

  • That the company would always obtain affirmative consent from a user before disclosing any of their sensitive information

If a company claimed certification but didn't comply, it could face enforcement action from the FTC.

In fact, the FTC brought multiple enforcement cases against companies that:

  • Falsely claimed they were Privacy Shield-certified

  • Let their certification lapse without updating their privacy disclosures

  • Did not follow through with the framework's dispute resolution commitments

Provide an Independent Recourse Mechanism

If an individual complained about how a company was handling their data, the company had to offer a way for that complaint to be investigated and resolved by an independent third party, at no cost to the individual.

How the Complaint Process Worked:

  • If a company couldn't resolve a complaint about personal data, the complaint was sent to a group of European Data Protection Authorities (DPAs) for review.

  • The DPA panel looked at the case and gave the company clear instructions, referred to as "binding advice," on their next steps to fix the problem.

  • The DPA panel aimed to give their decision within 60 days.

  • Once the company received the instructions, it had 25 days to make the required changes.

  • If the company didn't follow the instructions, it could face penalties, including being removed from the Privacy Shield list.

Validate That Procedures Are in Place

Organizations had to regularly verify that they were following the framework's privacy rules, either through self-assessments or by hiring an independent third party to review compliance.

Provide a Point of Contact

Each organization was required to provide a contact person to handle questions, complaints, and access requests, such as the certifying corporate officer or Chief Privacy Officer.

Special Rules and Exceptions

There were some exceptions to the standard Privacy Shield data protection rules, granting organizations flexibility in specific situations.

Sensitive Data Exceptions

Organizations did not always need explicit consent to use sensitive personal data (such as health or religious information). In certain situations they could process it without asking first. For example:

  • To protect someone's life or safety

  • To handle legal claims

  • To provide medical care

  • To meet employment law requirements

  • If the information was already publicly available

Journalistic Exceptions

Journalists and media outlets didn't have to follow Privacy Shield rules when using personal data for news reporting or public communication. In these cases, U.S. press freedom laws took priority.

Secondary Liability

Internet service providers and telecom companies weren't held responsible for moving data from one place to another. As long as they didn't control or decide how the data was used, they weren't liable under Privacy Shield.

Performing Due Diligence and Conducting Audits

Certain professionals, like auditors, legal teams, or investment bankers, could process personal data without informing the individuals involved. This applied during activities like financial audits, internal investigations, mergers, or acquisitions, but only when it was truly necessary and for a limited time.

Is Privacy Shield Still Valid?

No. The Court of Justice of the European Union (CJEU) ruled that the Privacy Shield Framework was no longer valid on July 16, 2020.

The CJEU based the decision on concerns that U.S. surveillance laws did not provide enough protection for personal data coming from the EU.

What Replaced Privacy Shield?

The EU-U.S. Data Privacy Framework (DPF) replaced the Privacy Shield.

Officially adopted on July 10, 2023, the DPF was developed by the U.S. Department of Commerce and the European Commission.

The DPF introduced stricter safeguards on data access by U.S. authorities and established an independent Data Protection Review Court (DPRC) for EU individuals to seek redress.

The DPRC operates separately from the government and has the power to investigate, demand information from intelligence agencies, and order actions like deleting data if rules are broken. The court also appoints an advocate to represent the complainant's interests and ensure that both sides are heard fairly.

U.S. companies can self-certify under the DPF to legally receive EU personal data, restoring a compliant transatlantic data transfer mechanism.

Why Privacy Shield Still Gets Mentioned

While the framework is no longer valid for EU-U.S. data transfers, it may still be relevant for:

  • Legacy Contracts: Agreements established before the invalidation may still reference Privacy Shield.

  • Vendor Obligations: Third-party vendors may continue to operate under Privacy Shield commitments.

  • Swiss Data Transfers: Switzerland's recognition of the framework persisted longer, affecting certain data transfers.

  • Organizational Transparency: Some businesses maintain references for historical accuracy and transparency.

Frequently Asked Questions

Is Privacy Shield the Same as Safe Harbor?

No. The Safe Harbor agreement was the predecessor to Privacy Shield and was invalidated in 2015.

The Safe Harbor Principles were created to help U.S. companies protect personal data from the EU and prevent it from being lost or shared by mistake.

However, a review in 2002 found that many companies who said they followed Safe Harbor weren’t being clear about their privacy practices, and some didn’t have proper ways to handle complaints. This showed that Safe Harbor wasn’t always working as intended to keep people’s data safe.

Do I Need Privacy Shield if I Already Follow GDPR?

While GDPR compliance is essential, it doesn’t replace the need for a valid data transfer mechanism like the DPF when transferring data from the EU to the U.S.

What Should Organizations Do if They Previously Relied on Privacy Shield?

Such organizations should transition to the EU-U.S. Data Privacy Framework or another valid mechanism such as SCCs. Organizations transferring data within a multinational group can also rely on Binding Corporate Rules (BCRs), provided they have obtained approval from an EU data protection authority.

Did Privacy Shield Certification Apply to Government Agencies or Only Private Companies?

It applied only to private companies. U.S. government agencies couldn’t certify under Privacy Shield. Only businesses regulated by the FTC or the Department of Transportation were eligible.

What Makes International Data Privacy Frameworks Challenging?

Common challenges include handling overlapping regulations, ensuring all vendors comply, keeping up with frequent legal changes, and training staff on privacy practices across borders.