
Privacy Shield and Safe Harbor Guide

Advisory: Privacy Shield Status


On July 12, 2016 the EU adopted the EU-U.S. Privacy Shield Framework. This new framework replaces the U.S.-EU Safe Harbor Framework for data flows between the European Union and United States. DMA applauds the EU-U.S. Privacy Shield Agreement which preserves the data flows between the EU and the United States.

The U.S. Department of Commerce began accepting new applications under the Shield framework on August 1st, 2016. Companies must select a dispute resolution provider before self-certifying to the U.S. Department of Commerce. DMA shall serve as a dispute resolution provider under the EU-U.S. Privacy Shield program (as it has done for Safe Harbor since inception).

For more information, please contact Lisa Brown Shosteck at: lshosteck@the-dma.org.


DMA EU-U.S. Privacy Shield and Safe Harbor Programs are available to DMA members ONLY!


Please check to make sure that your company is a DMA member before applying for membership in the DMA Shield or Safe Harbor Programs. If you would like to join DMA or have questions regarding membership then please contact us.

EU-U.S. Privacy Shield Framework

On July 12, 2016 the EU adopted the EU-U.S. Privacy Shield Framework which was negotiated by the EU and U.S. Department of Commerce. This new framework replaces the U.S.-EU Safe Harbor Framework and preserves data flows between the European Union and United States.

The U.S. Department of Commerce indicates that it will begin accepting new applications under the Shield framework on August 1st, 2016. Companies interested in self-certifying under the Privacy Shield Framework should begin reviewing the new requirements, creating a Privacy Shield compliant notice and incorporating these principles into their corporate practices. DMA shall serve as a dispute resolution provider under the EU-U.S. Privacy Shield program (as it has done for Safe Harbor since inception). Please see below for compliance and application materials.

The Privacy Shield Framework provides a set of robust and enforceable protections for the personal data of EU individuals. The Framework provides transparency regarding how participating companies use personal data, strong U.S. government oversight, and increased cooperation with EU data protection authorities (DPAs). The Privacy Shield Framework offers EU individuals access to multiple avenues to address any concerns regarding participants’ compliance with the Framework, including free dispute resolution, which the DMA provides to participating member companies.

It is important to note that neither the DMA Shield Program nor the DMA Safe Harbor Program covers issues relating to the transfer of human resources data. However, the transfer of such data does fall under the frameworks, and you must select the DPAs as your independent third-party dispute provider for this type of data. The DMA Shield & Safe Harbor Programs cover all other types of data.

While joining the Privacy Shield Framework will be voluntary, once an eligible company makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All companies interested in joining the Privacy Shield Framework should review its requirements in their entirety. To assist in that effort, key new elements are outlined in the right-hand column. Please review your data flows and privacy practices with your legal counsel to ensure that your program is meeting the Shield requirements. The information provided by DMA is for your background and overall guidance and should not be considered as legal advice for your specific company’s needs.

Apply for Privacy Shield Dispute Resolution Services

U.S.-Swiss Safe Harbor Framework

Effective February 16th, 2009, data transferred, collected, processed and/or imported from Switzerland is covered under the U.S.-Swiss Safe Harbor framework. The U.S. Department of Commerce is in negotiations with Switzerland to implement a Swiss-U.S. Privacy Shield Program. In the meantime, the U.S.-Swiss Safe Harbor Framework is still a valid means of data transfer.

If your organization transfers data from Switzerland to the U.S. and you would like it to be covered under the Safe Harbor framework then you would need to review the U.S.-Swiss Safe Harbor principles and FAQs posted on the U.S. Department of Commerce’s website at www.export.gov/safeharbor. Participation by companies in the U.S.-Swiss safe harbor framework is completely voluntary. However, if your company decides to take advantage of the safe harbor framework, then you must:

  • Comply with the seven safe harbor principles (notice, choice, onward transfer, access, security, data integrity and enforcement);
  • Review the 15 frequently asked questions prepared by the U.S. Department of Commerce;
  • Certify to the U.S. Department of Commerce that you have implemented and comply with the safe harbor principles;
  • Have in-house and third-party dispute and enforcement mechanisms in place to ensure your compliance; and
  • Continue to adhere to the safe harbor principles for data collected while participating in the framework, even if your company decides to leave the framework at a later date. This information must always be protected by the safe harbor principles even if your company decides to no longer participate in the program.

Apply for Safe Harbor Dispute Resolution Services

Who Should Consider Joining?

Category A

  • Are you a United States organization that receives or processes personally identifiable information directly from Europe or Switzerland?
  • Are you a subsidiary or affiliated company that processes this information here in the United States? (The Privacy Shield framework covers personal information that is collected on-line or off-line and filed manually or electronically.)

Category B

  • Do your company’s business practices fall under the jurisdiction of the Federal Trade Commission?
  • Do your company’s business practices fall under the jurisdiction of the U.S. Department of Transportation (e.g., air carriers, travel agents, airlines)?

If your company meets any one condition from each of these categories, then you should consider joining the EU-U.S. Privacy Shield and/or U.S.-Swiss Safe Harbor frameworks.

What are the EU-U.S. Privacy Shield Principles?

In order for your company to be compliant with the Privacy Shield framework, you must abide by and incorporate the Privacy Shield principles into your privacy policy and corporate practices.

By adhering to the core principles of: notice; choice; security; accountability for onward transfer; data integrity and purpose limitation; access; and recourse, enforcement and liability, your company is indicating that you place great value on data privacy protection and will make every effort to respect Europeans’ requests regarding use of their personal information.

These Privacy Shield principles pertain to the personal information that your company transfers from the EU to the United States. Personal information is defined as information that directly identifies an individual – name, address, telephone number and similar identifying information. Below is a chart highlighting the principles and new requirements under the Privacy Shield framework. You can click on each privacy principle to learn more about it or visit the Department of Commerce.

Privacy Principles: Safe Harbor vs. Privacy Shield

Notice
  Safe Harbor: Disclose that the organization adheres to the principles/framework and state what information collection, sharing, access, opt-out, enforcement and security measures are in place.
  Privacy Shield: New: requires links to the DOC Shield participant list and the dispute provider’s website; disclose the new ability for individuals to pursue binding arbitration if other mechanisms fail; disclose that you may share PI in response to lawful requests or for national security; and disclose liability for onward transfers to third parties.

Choice
  Safe Harbor: Provide consumers with the opportunity to opt out or opt in (sensitive information) depending on the nature of the data.
  Set up appropriate procedures to respect consumers’ opt-out/opt-in requests, particularly consumers’ requests not to be approached for direct marketing (i.e., an in-house suppression system).
  Opting out should not require consumers to incur any fee or expense beyond a first-class stamp or phone call.
  Opt-in is required for sensitive information: medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.
  Privacy Shield: Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice.
  An organization must offer individuals the opportunity to choose (opt out) whether their PI is to be disclosed to a third party or used for a materially different purpose.
  Choice is not required when disclosure is made to a third party acting as an agent to perform task(s) on behalf of the organization. However, the organization must always enter into a contract with the agent.
  The definition of sensitive information is the same as under Safe Harbor.

Accountability For Onward Transfer
  Safe Harbor: Determine the need for contracts with respect to the transfer of information to third parties.
  You must ensure that if information is disclosed to agents or subcontractors, they agree to abide by the safe harbor principles. You should only transfer data to third parties consistent with the notice and choices you have given the consumers.
  Any agents of yours who handle or process your data, such as your service bureaus, must themselves either be subject to the EU Directive or be members of the safe harbor, or they must agree in writing to be bound by these principles. In all events, you must document your agreement with them as to their treatment of data.
  Privacy Shield: Same overall themes, but the participating company now has liability in cases of onward transfer of data to third parties.
  Any onward transfer can only take place: 1) for limited and specified purposes; 2) under a contract or comparable arrangement within the corporate group; and 3) only if the contract provides the same level of protection as the one guaranteed by the Principles, and is limited to the extent necessary to meet national security, law enforcement and other public interest purposes.
  This applies to any third parties regardless of location (within or outside the U.S.).
  Additionally, upon request by DOC, the company must provide a summary or a copy of the relevant privacy provisions of the contract entered into with its agent.

Security
  Safe Harbor: The organization must take reasonable and appropriate measures to protect data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
  Privacy Shield: Same general principles.
  Where the organization uses a sub-processor, it must enter into a contract guaranteeing the same level of protection as the Principles and take steps to ensure proper implementation.

Data Integrity and Purpose Limitation
  Safe Harbor: Ensure that the customer’s personal information is reliable, accurate, complete, current and used for intended purposes.
  Your company should not process data that are not relevant to the purpose for which they were collected, unless subsequently authorized by the consumer.
  Privacy Shield: Must limit personal information to the information relevant for the purposes of processing.
  Must comply with the new data retention principle.

Access
  Safe Harbor: You must provide customers the ability to access PI being maintained by the company and the ability to correct, amend or delete it where it is inaccurate or processed in violation of the Principles (based on a sliding scale principle: the obligation to provide access to information increases where its use is more likely to significantly affect the individual).
  Privacy Shield: Same.

Recourse, Enforcement and Liability
  Safe Harbor: Take reasonable steps to ensure that any consumer privacy concern will be addressed by:
    1. referring consumers to your customer service department or other in-house dispute resolution program;
    2. subscribing to a third-party dispute resolution mechanism to address any unresolved in-house consumer data privacy complaints (DMA provided this service for 15 years); and
    3. having appropriate monitoring, verification and remedy procedures in place.
  The independent dispute resolution service should be readily available and at no cost to the consumer. (DMA never charged consumers for this service.)
  Privacy Shield: A new available remedy for EU individuals is binding arbitration. Individuals must pursue other mechanisms first, contacting:
    1. the company directly;
    2. the independent dispute provider; and
    3. then they may pursue binding arbitration.
  No monetary damages are allowed under binding arbitration. Binding arbitration seeks to resolve an individual complaint.
  A separate complaint process: consumers may also contact the appropriate DPA, and then the DPA resolves the complaint or works with DOC to resolve it. No binding arbitration is available under this scenario.


What are the U.S.-Swiss Safe Harbor Principles?

In order for your company to be compliant with the U.S.-Swiss Safe Harbor Framework, you must abide by and incorporate the safe harbor privacy principles into your privacy policy and corporate practices.

By adhering to the core principles of notice, choice, onward transfer, access, security, data integrity and enforcement, your company is indicating that you place great value on data privacy protection and will make every effort to respect Swiss individuals’ requests regarding use of their personal information.

By adhering to the following principles as developed by the Department of Commerce and the Federal Data Protection and Information Commission of Switzerland, you will stand out in the marketplace as one of the trusted organizations that promises to meet the requirements of the safe harbor framework.

These safe harbor principles pertain to the personal information that your company transfers from Switzerland to the United States. Personal information is defined as information that directly identifies an individual – name, address, telephone number and similar identifying information.

Safe Harbor Principles

  1. Notice
    You must clearly inform customers in a timely manner about what information you are collecting, why you are collecting it, who you are forwarding it to, how its use can be limited and how the customer can contact you for additional information. Your notice must:

    • Be easy to find, easy to read and easy to understand;
    • Be provided to your customers at the time you collect the personal information or as soon thereafter as practicable – in any case, before you use the personal information for a purpose other than that for which it was originally collected or before you disclose it to a third party;
    • Specify the types of information being collected;
    • Specify the purposes and uses of information collection;
    • Specify the types of third parties to which you are disclosing the information you collect;
    • Provide the choices and means available to the customer to limit the use and disclosure of information; and
    • Provide your company contact information for customer inquiries.
  2. Choice
    You must honor customers’ requests to opt-out of certain information uses and exchanges and opt-in if sensitive information is being used. You must provide customers with the ability to opt-out of certain information uses and exchanges. Where the information is sensitive, you must obtain opt-in consent. These choices should be clear and conspicuous, readily available and affordable.

    Your company must offer customers the ability to opt-out of your disclosing their information to a third-party or using their information for a purpose incompatible with that for which it was originally collected.

    In addition, the DMA Safe Harbor Program requires that your company accept and maintain consumer requests to be placed on your in-house suppression file to stop receiving solicitations from your company.

    Sensitive Information
    It is important to note that for “sensitive” information, consumers must be given the explicit ability to opt-in before you disclose that information to a third-party or use that information for a purpose different from that for which it was originally collected. You may not use or transfer this information unless the individuals have given affirmative or explicit “opt-in” choice.

    Sensitive information includes personal information regarding a medical or health condition, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sexual lifestyle. There are limited exceptions to the opt-in requirement. For further clarification, please refer to the Department of Commerce’s FAQ #1 at export.gov/safeharbor.

  3. Onward Transfer
    You must ensure that if information is disclosed to agents or subcontractors that they will agree to abide by the safe harbor principles. You should only transfer data to third parties consistent with the notice and choices you have given the consumers. Any agents of yours who handle or process your data, such as your service bureaus, must themselves either be subject to the EU Directive or be members of the safe harbor, or they must agree in writing to be bound by these principles. In all events, you must document your agreement with them as to their treatment of data.
  4. Access
    You must provide customers the ability to access the personal information being maintained by the company and the ability to correct it where it is inaccurate (based on a sliding scale principle – the obligation to provide access to information increases where its use is more likely to significantly affect the individual). You must provide customers the ability to access the personal information being maintained by the company. This access should be provided to the individual unless there would be: (1) a disproportionate effort on the part of the company relative to the potential risk to the individual’s privacy, (2) the rights of others would be violated, or (3) the request by the individual is clearly vexatious or repetitious. Companies can meet this requirement by providing customers with a copy of the personal information that is being maintained about them or by addressing the individual’s concerns through the company’s customer service department. You do not have to give customers access to your database.

    In addition, customers must be given the ability to correct, amend or delete their personal information if it is inaccurate. A reasonable fee can be charged to the individual for accessing information.

    In general, expense and burden can be considered in providing access to personal information. However, access to certain information that is used to grant or deny a significant benefit or service must always be provided regardless of the expense and burden. The following are examples of important benefits: insurance, grants, mortgages, loans, college admission, employment applications and similar benefits or services.

    Companies denying access to information citing disproportionate effort or cost should be in a position to substantiate their decision.

  5. Security
    Take reasonable care in protecting the information you collect from loss, misuse, unauthorized access, disclosure, alteration and destruction. Your company should make every effort to use appropriate security measures to protect the information you collect from loss, misuse, unauthorized access, disclosure, alteration and destruction. Such measures should ensure an appropriate level of security given the nature of the data processed.
  6. Data Integrity
    Ensure that the customer’s personal information is reliable, accurate, complete, current and used for intended purposes. Your company should not process data that are not relevant to the purpose for which they were collected. Your company is responsible for ensuring that the customer’s personal information is reliable, accurate, complete, current and used for intended purposes. You should not use the information in a way that is incompatible with the purpose for which it was collected, unless subsequently authorized by the consumer.
  7. Enforcement
    Take reasonable steps to ensure that any consumer privacy concern will be addressed by: (1) referring consumers to your customer service department or other in-house dispute resolution program; (2) subscribing to a third-party dispute resolution mechanism to address any unresolved in-house consumer data privacy complaints. (The DMA is pleased to offer members this service.); and (3) having appropriate monitoring, verification and remedy procedures in place. The Safe Harbor Principles require companies to:

    1. Refer consumers to their customer service department or other in-house dispute resolution program;
    2. Subscribe to a readily available and affordable independent third-party dispute resolution mechanism. The DMA is pleased to serve as your third-party dispute resolution mechanism to address unresolved in-house consumer data privacy complaints. (For a complete description of the DMA’s process for handling complaints and serving as your independent enforcement mechanism, please refer to The DMA Privacy Shield/Safe Harbor Programs’ Complaint Procedures);
    3. Have appropriate verification procedures in place to comply with your safe harbor privacy policy. This policy must be verified at least annually by either an internal self-assessment review process, or by an outside third-party review/audit. (The DMA’s Safe Harbor Program does not provide for the DMA to act as the independent third-party auditor); and
    4. Train staff regarding your safe harbor privacy policy.

    In addition, your company should consider offering consumer education packages in languages which reflect your Swiss customer markets.

It is important to note that the DMA Safe Harbor Program does not cover issues relating to the transfer of human resources data. However, the transfer of such data does fall under the safe harbor framework. For further clarification, please refer to the Department of Commerce’s FAQ #9 at export.gov/safeharbor.


How Do DMA’s Dispute Resolution Services Work?


The major component of DMA’s EU-U.S. Privacy Shield and U.S.-Swiss Safe Harbor Programs is to provide businesses seeking to certify under these Frameworks with an independent third party dispute resolution mechanism that complies with the enforcement requirements. The DMA will:

  • Serve as your third-party dispute and enforcement mechanism. European and Swiss consumers, companies and governments can be assured that your company will adhere to the third-party dispute and enforcement requirements of the Privacy Shield and Safe Harbor frameworks. This will solidify European and Swiss individuals’ trust and confidence in your organization.
  • Provide members with assistance in developing a privacy policy that is based on the Privacy Shield and/or Safe Harbor Principles. By adhering to those 7 core principles, your company is indicating that you place great value on data privacy protection and will make every effort to respect European and Swiss individuals’ requests regarding use of their personal information.
  • The DMA stands ready to assist your company in:
    1. Meeting the U.S. Department of Commerce’s registration requirements for the EU-U.S. Privacy Shield and/or U.S.-Swiss Safe Harbor frameworks,
    2. Serving as your independent third-party dispute resolution mechanism, and
    3. Addressing any other questions or concerns your company has regarding the Privacy Shield or Safe Harbor process.
  • Provide the appropriate DMA EU-U.S. Shield and/or U.S.-Swiss Safe Harbor Program mark(s). These marks will provide consumers with an easily recognizable symbol that signifies and distinguishes your organization as being in compliance with the Privacy Shield and/or Safe Harbor enforcement principle(s).


DMA's Privacy Shield & Safe Harbor Complaint Handling Process

The major component of DMA’s EU-U.S. Privacy Shield and U.S.-Swiss Safe Harbor Programs is to provide businesses seeking to certify under these Frameworks with an independent third party dispute resolution mechanism that complies with the enforcement requirements.

The Shield requires that the dispute resolution mechanism be readily available to consumers and free-of-charge to European individuals, and be able to ensure compliance with the Shield privacy protections. The DMA has never charged consumers for this service and it will remain free to both European and Swiss consumers. The DMA’s EU-U.S. Privacy Shield & Safe Harbor Programs adhere to the belief that an independent dispute resolution mechanism should:

  • provide a fair and unbiased redress of the consumer’s concerns;
  • be visible so that consumers with concerns know where to turn for resolution of their problem;
  • be accessible so that there are no barriers to the filing of a complaint, whether they be financial or otherwise;
  • provide resolution in a timely manner;
  • provide finality for the consumer by reaching an independent determination of the dispute in a fair and timely manner; and
  • provide enforceability of the final conclusions in the determination of the consumer’s dispute.

To provide a mechanism that is fair, the DMA has created an EU-U.S. Privacy Shield/Safe Harbor Program Committee that is comprised of respected experts from the direct marketing industry. The Committee will have the power to hear both sides of a dispute, and provide a final determination. When businesses join the DMA’s EU-U.S. Privacy Shield Program and/or U.S.-Swiss Safe Harbor Program, they will be required to sign a Contract whereby they agree to abide by the decisions of the Committee. They will also be notified in the contract that the Committee will have the authority to issue certain sanctions as a result of their decision. The sanctions available to the Committee include, but are not limited to:

  1. Correction of actions found not to be in compliance with the Privacy Principles and framework(s).
  2. Correction or deletion of inaccurate personal information.
  3. Reimbursement of actual, direct monetary damages incurred by the consumer.
  4. Removal from the DMA EU-U.S. Privacy Shield Program and/or U.S.-Swiss Safe Harbor Program and revocation of the company’s ability to display the DMA Privacy Shield and/or Safe Harbor Mark.
  5. Public notification of the decision and action taken by the Committee.
  6. Notification to the U.S. Department of Commerce of the Committee’s decision and a request for removal from the Shield and/or Safe Harbor Certification List(s) due to failure to comply with the appropriate Privacy Principles.
  7. Referral of the matter to the Federal Trade Commission or other appropriate governmental agency for enforcement action.

The lynchpin to any dispute resolution mechanism is that it be impartial. One way to assure impartiality is to assure openness of the results of the program by publishing an annual report regarding the types of complaints processed during the reporting period, and for DMA staff to be constantly vigilant that the results are fair and legal.

To assure accessibility, there will be no cost to the consumer, and businesses will be required to notify consumers of the availability of DMA’s EU-U.S. Privacy Shield Program and/or U.S.-Swiss Safe Harbor Program in an open and conspicuous manner and prominently display the DMA Privacy Shield and/or U.S.-Swiss Safe Harbor Program Mark. The program will provide consumers an easy method to bring their disputes before the Committee. It is the goal of the Program to obtain a determination of all cases in a quick and timely manner, but in no case longer than 60 days.

The DMA Privacy Shield/Safe Harbor Programs’ Complaint Procedures

  1. When a complaint is received, staff will verify that the complaint involves matters over which the DMA EU-U.S. Privacy Shield/Safe Harbor Program Committee has jurisdiction.
  2. Staff will verify that the business’ in-house complaint handling system has had a reasonable opportunity to address the EU or Swiss resident’s complaint.
  3. Staff will write a letter to the business requesting that the complaint be reviewed and that a response be provided within 10 days.
  4. Staff will provide the company’s response to the complainant and, after checking with the complainant, if the complaint has been resolved, the matter will be closed out.
  5. If the matter is still in dispute, the complaint (all written materials from both the consumer and the business) will be presented to the Committee for a determination (Initial Decision) on the matter. The meeting will take place by telephone conference call, unless the Committee decides that another meeting form is more appropriate.
  6. A conference call will be set up for the Committee to review the case and make an Initial Decision. The Committee can either find no violation of the appropriate Privacy Principles and close out the case, or find that a violation(s) of the Principles have occurred, and set a remedy that the Committee determines is appropriate.
  7. The business and the consumer will be notified by letter of the Initial Decision of the Committee. Within ten (10) days of their notification, either the consumer or the business can request a Further Consideration Hearing before the Committee. The request must state the reason(s) why the Further Consideration Hearing is being requested. If no request by either party has been made within 10 days, then the Initial Decision automatically becomes the Final Decision. The case will be followed-up by staff to verify adherence to the remedies stated in the Committee’s decision.
  8. If the matter is appealed within 10 days by either party, a Further Consideration Hearing will be set-up for the Committee by telephone conference call at a mutually agreed upon time for all the parties. Both the consumer and the business may submit any further informational materials for the Committee’s consideration, and both may take part in the Hearing via telephone conference call. After the Hearing, a Final Decision on the case will be made by the Committee. The consumer and the business will be notified by letter of the Committee’s Final Decision. Staff will provide any necessary follow-up to verify adherence to the Committee’s Final Decision.
  9. The cost of the conference call will be the responsibility of the DMA. The DMA will provide a telephone language translation service at no cost to the consumer, if requested.


To File a Complaint under the DMA Privacy Shield or Safe Harbor Program


Visit our EU-U.S. Privacy Shield and the U.S.-Swiss Safe Harbor Program for Consumers page to file a complaint.
