Data Risk Intelligence
Automated Data Mapping
Do Not Sell/Do Not Share
Cookie Banner Solutions
Consent & Preferences
Data Rights RequestsThe U.S. Department of Commerce Vows to Continue Administering the Privacy Shield Program
Following the Court of Justice of the European Union’s (CJEU) invalidation of the EU-US Privacy Shield, the U.S. Secretary of Commerce Wilbur Ross stated that his Department “will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List.” Furthermore, according to the Secretary of Commerce, the CJEU’s decision “does not relieve participating organizations of their Privacy Shield obligations.”
The Privacy Shield is a voluntary, self-certification program and requires U.S. companies to commit to certain data management principles, including notice, choice, accountability for onward transfers and vendor agreements, security, data integrity, purpose limitation, and access. Companies are required to publicize their commitment, implement the principles, publicly disclose the organization’s privacy policy, and submit to an annual renewal of the certification, including the verification of ongoing compliance. More than 5,300 companies currently participate in the program.
The Privacy Shield replaced the Safe Harbor data transfer framework which was invalidated by the CJEU in 2015 as a result of a legal challenge brought by privacy advocate Max Schrems. The CJEU found that the Safe Harbor lacked protection of fundamental rights “essentially equivalent” to that in the EU. Particularly, it found that the U.S. national security, public interest and law enforcement have been placed above the Safe Harbor principles. In the decision issued on July 16, 2020 in a case known colloquially as Schrems II, the CJEU invalided the Privacy Shield on the same grounds.
Even though the Privacy Shield is no longer an adequate mechanism for transferring personal data from the European Union to the United States, it continues to offer significant protections for individuals whose data is transferred across the border. Since data transfers have not ceased as a result of the CJEU’s decision, it makes sense for the Department of Commerce to continue with the program for the time being as companies transition to other transfer mechanisms, such as the Standard Contractual Clauses which were upheld by the CJEU in Schrems II.
Ask Clarip today how we can solve your biggest privacy compliance pain points, Call Clarip at 1-888-252-5653
