HomeInsightsUS Department of Commerce publishes updated FAQs on the EU-US Privacy Shield Program

Article by

The FAQs note that:

  • as a result of the CJEU decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Ltd (Schrems II), the EU-US Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US;
  • the decision does not relieve participants in the program of their obligations under the EU-US Privacy Shield Framework;
  • there is no grace period during which an organisation can keep on transferring data to the US without assessing its legal basis for the transfer;
  • the US Department of Commerce’s International Trade Administration (ITA) continues to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield and maintaining the Privacy Shield List;
  • organisations continue to be required to re-certify annually if they wish to remain on the Privacy Shield List;
  • organisations continue to be required to pay an annual processing fee to the ITA in order to participate in the Privacy Shield;
  • organisations continue to have additional direct costs associated with participation in the Privacy Shield. For example, they must provide a readily available independent recourse mechanism to hear individual complaints at no cost to the individual; and
  • organisations can withdraw from the Privacy Shield at any time; however, they must meet ongoing requirements related to data received under the Privacy Shield and must remove from their websites privacy policy statements, and any other public documents and representations that could be construed as claims that they participate in or comply with the Privacy Shield.

To read the FAQs in full, click here.