White & Case: EU-US Privacy Shield: How to Certify

White & Case: EU-US Privacy Shield: How to Certify

Chamber Member News Post Date: 11/30/16 Source: White & Case By: Adam Chernichaw, Robert Blamires and Tim Hickman

On July 12, 2016, the European Commission formally approved and adopted the EU-US Privacy Shield, providing a new compliance framework for US organizations that are involved in the importation of personal data from Europe (see our recent Newsflash). Starting August 1, 2016, organizations can self-certify with the International Trade Administration, which administers the Privacy Shield Framework within the US Department of Commerce. Those that do so will appear on a public list available here.

Among other things, Privacy Shield certification requires that contracts with third parties involved with the onward transfer of personal data be amended, and organizations that submit their self-certification before September 30, 2016, have a nine-month grace period, starting from their certification date, to bring existing third-party contracts into conformity.

Who can certify?

Certification is available to US organizations that are processing personal data in connection with an activity that is subject to the jurisdiction of the Federal Trade Commission (the FTC) or the Department of Transportation. This covers most US organizations although general exclusions include: banks, federal credit unions, and savings and loan institutions, telecommunications and interstate transportation common carriers, labor associations, most nonprofit organizations, and most organizations involved in packer and stockyard activities, and the FTC only has limited jurisdiction over insurance companies. Read Full Article