On July 12, 2016 the EU adopted the EU-U.S. Privacy Shield Framework. This new framework is based on 7 core privacy principles and 16 supplemental principles and accompanying letters from International Trade Administration, Federal Trade Commission and the Department of Transportation. The Privacy Shield replaces the U.S.- EU Safe Harbor Framework for data flows between the European Union and United States.
On January 12, 2017, the Swiss Government adopted the Swiss-U.S. Privacy Shield Framework. This framework is also based on the same 7 core privacy principles as the EU Privacy Shield Framework and replaces the U.S.-Swiss Safe Harbor Framework for data flows between Switzerland and the United States. Key differences between the EU and Swiss Privacy Shield Principles are outlined here. Interested companies can begin self-certifying with the U.S. Department of Commerce on April 12, 2017.
The EU and Swiss Privacy Shield frameworks come as an update to the Safe Harbor Frameworks which were deemed invalid by EU and Swiss government officials due to privacy concerns. As a result, the framework requires “robust obligations” on the personal data of EU and Swiss citizens. The provisions in the Privacy Shield frameworks include heightened obligations and notification requirements on onward transfer of data to third-parties. These will be monitored by the U.S. Department of Commerce and enforced by the Federal Trade Commission (FTC).
No. If you were a participant in either the U.S.-EU or U.S.-Swiss Safe Harbor frameworks then you should consider joining the Privacy Shield Frameworks.
The U.S. Department of Commerce began accepting new applications under the EU Privacy Shield Framework on August 1st, 2016 and will begin new applications under the Swiss Privacy Shield Framework on April 12, 2017. Companies interested in self-certifying under the Privacy Shield Frameworks should begin reviewing the new requirements and creating a Privacy Shield compliant notice and incorporating these principles into its corporate practices. DMA shall serve as a dispute resolution provider under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (as it has done for Safe Harbor since inception.)
While joining the Privacy Shield Framework will be voluntary, once an eligible company makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All companies interested in joining the Privacy Shield Framework should review its requirements in their entirety. Please review your data flows and privacy practices with your legal counsel to ensure that your program is meeting the Shield requirements. The information provided by DMA is for your background and overall guidance and should not be considered as legal advice for your specific company’s needs.
Companies will have to select a 3rd party dispute provider before they can self-certify.
Yes. The company will have to fill-out a new application under the Shield framework. However, DMA will not charge it a fee until its "safe harbor" renewal date. At that time, we’ll provide a form for the participant to re-affirm its commitment to the DMA Shield program and submit the applicable fee. In effect, DMA is grandfathering the company fee but not the application. For members that are not current under the DMA Safe Harbor Program, then it will need to apply and submit fee at time of application.
The fees remain the same, ranging from $300 to $3500 annually depending on annual company revenue. The same fee applies whether you select one (EU or Swiss) or both Privacy Shield Programs. For instance, if your company’s annual revenue is in our largest category, and you select DMA for just the EU-U.S. Privacy Shield – the fee will be $3,500. If you select DMA for EU-U.S. and Swiss-U.S. Privacy Shield Programs it will still be $3,500.
Fill-out and submit this applications. The application includes -- company contact sheet, signed contract that you will abide by DMA Privacy Shield Program, copy of Shield Privacy Notice and payment (if not current DMA safe harbor participant). Submit application to: Lisa Brown Shosteck, Privacy Shield Administrator: firstname.lastname@example.org.
Yes. You do need to be a current member.