Last Published: 8/9/2018

Organizations participating in the Privacy Shield program are required to re-certify to the Department of Commerce annually.  The Department will remove an organization from the Privacy Shield List if it voluntarily withdraws from the Privacy Shield or if it fails to complete its annual re-certification to the Department. An organization’s removal from the Privacy Shield List means it may no longer claim that it benefits from the Privacy Shield. If the organization elects to retain personal data received from the EU under the Privacy Shield, it must continue to apply the Privacy Shield Principles to the personal information it received while it participated in the Privacy Shield.  It must also either affirm to the Department on an annual basis its commitment to continue to apply those Principles or provide adequate protection for the information by another authorized means, as set forth in the Privacy Shield Framework.

Following is an overview of steps required to complete the re-certification process.

1. Review Your Organization’s Privacy Policy Statement to Verify that it Aligns with Your Organization’s Current Information Handling Practices and Continues to Comply with Privacy Shield Requirements. See Privacy Policy FAQs for additional information.

2. Re-Register with Your Organization's Independent Recourse Mechanism: Your organization must provide access to an independent recourse mechanism (IRM) to investigate complaints about non-compliance with the Principles at no cost to the individual. Your organization must ensure that its IRM is in place prior to re-certification. Your organization must verify that its registration is current, re-register with its current IRM, or select and register with a new IRM prior to re-certification. Organizations that either elect to use the EU data protection authorities (DPAs) as their IRM with regard to all data, or that cover human resources (HR) data and therefore must use the EU DPAs with regard to that data, are required to pay an annual fee of US $50 prior to re-certification in order to cover the operating costs of the EU DPA panel. This fee is payable to the United States Council for International Business (USCIB), which has agreed to act as the trusted third party for this purpose. The fee can be paid online through USCIB. No fee is required with respect to the Swiss Federal Data Protection and Information Commissioner (FDPIC). See How to Join Privacy Shield for additional information regarding the IRM requirement.

3. Make the Required Contribution to ICDR-AAA for the Annex I Binding Arbitration Mechanism if Your Organization Has Not Yet Done So: As described in Annex I, the Privacy Shield Framework provides the option for an EU individual to invoke binding arbitration to determine whether a Privacy Shield organization has violated its obligations under the Principles as to that individual and whether any such violation remains fully or partially unremedied (“residual claims”). In Annex I, the Department of Commerce committed to facilitating the establishment of a fund into which Privacy Shield organizations will be required to pay contributions to cover the arbitral costs, including arbitrator fees, up to maximum amounts, in consultation with the European Commission. The International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) was selected to administer these arbitrations and manage this fund. If your organization has not yet done so, you must visit ICDR-AAA’s website at http://go.adr.org/privacyshieldfund.html to make the required contribution prior to re-certifying.

4. Review the Information Required to Re-Certify: Your organization should review all information required as part of the Department of Commerce's online re-certification process. The information required during re-certification is identical to that required during the initial self-certification process (see self-certification form). The majority of the information previously submitted by your organization will be viewable once you log in to your Privacy Shield record, where you will be required to verify or update each element. The one exception is that the information in step 5, entitled “covered data and dispute resolution,” will not be prepopulated. In step 5, your organization will be required to indicate the type of data covered and select an IRM. Prior to completing the re-certification process, you can view your prior year’s selections on your public Privacy Shield record at www.privacyshield.gov/list.

5. Log in to Your Organization’s Privacy Shield Record to Complete the Re-Certification Process: Click on “Log In” on the Privacy Shield website. Once logged in, click on “Self-Certify”. Scroll down to “Recertify Privacy Shield Participation” in the “Framework Actions” section, and then click “Recertify.” If you cannot log in to your organization’s existing record or if the “recertify” option is not visible, please contact the Privacy Shield Team before attempting to register a new profile and record. Proceed through the re-certification pages, verifying and updating as appropriate all information in your organization’s record, including the information for listed points of contact in step 2.  We highly recommend including more than one “Organization Contact” to avoid missing important notifications regarding your organization’s participation in the program, for example if one contact leaves your organization or becomes unavailable.

6. Submit Your Organization's Re-Certification to the Department of Commerce: Once you have verified that the information in your certification record is correct, proceed to the final step and submit your organization's re-certification. Submission of your re-certification will require payment of a re-certification fee. The re-certification fee schedule is the same as the initial certification fee schedule and is part of the International Trade Administration's cost recovery program to support the operation of the Privacy Shield Program. See General FAQs for additional information regarding the annual fee schedule. Once submitted, your organization’s re-certification will be reviewed by a member of the Privacy Shield Team to verify that it meets certification requirements. Your organization will receive an email regarding deficiencies, if any, that must be addressed before the re-certification may be finalized and an email notification once its re-certification has been finalized.