EU US PRIVACY SHIELD FRAMEWORK 2.2. Transparency, Administration and Oversight of the EU-U.S. Privacy Shield

1. The EU-U.S. Privacy Shield provides for oversight and enforcement mechanisms in order to verify and ensure that U.S. self-certified companies comply with the Principles and that any failure to comply is addressed. These mechanisms are set out in the Principles (Annex II) and the commitments undertaken by the Department of Commerce (Annex I), the FTC (Annex IV) and the Department of Transportation (Annex V).
2. To ensure the proper application of the EU-U.S. Privacy Shield, interested parties, such as data subjects, data exporters and the national Data Protection Authorities (DPAs), must be able to identify those organisations adhering to the Principles. To this end, the Department of Commerce has undertaken to maintain and make available to the public a list of organisations that have self-certified their adherence to the Principles and fall within the jurisdiction of at least one of the enforcement authorities referred to in Annexes I and II to this decision (‘Privacy Shield List’)[1]. The Department of Commerce will update the list on the basis of an organisation’s annual re-certification submissions and whenever an organisation withdraws or is removed from the EU-U.S. Privacy Shield. It will also maintain and make available to the public an authoritative record of organisations that have been removed from the list, in each case identifying the reason for such removal. Finally, it will provide a link to the list of Privacy Shield-related FTC enforcement cases maintained on the FTC website.
3. The Department of Commerce will make both the Privacy Shield List and the re-certification submissions publicly available through a dedicated website. Self-certified organisations must, in turn, provide the Department’s web address for the Privacy Shield List. In addition, if available online, an organisation’s privacy policy must include a hyperlink to the Privacy Shield website as well as a hyperlink to the website or complaint submission form of the independent recourse mechanism that is available to investigate unresolved complaints. The Department of Commerce will systematically verify, in the context of an organisation’s certification and re-certification to the framework, that its privacy policies conform to the Principles.
4. Organisations that have persistently failed to comply with the Principles will be removed from the Privacy Shield List and must return or delete the personal data received under the EU-U.S. Privacy Shield. In other cases of removal, such as voluntary withdrawal from participation or failure to recertify, the organisation may retain such data if it affirms to the Department of Commerce on an annual basis its commitment to continue to apply the Principles or provides adequate protection for the personal data by another authorised means (e.g. by using a contract that fully reflects the requirements of the relevant standard contractual clauses approved by the Commission). In this case, an organisation has to identify a contact point within the organisation for all Privacy Shield-related questions.
5. The Department of Commerce will monitor organisations that are no longer members of the EU-U.S. Privacy Shield, either because they have voluntarily withdrawn or because their certification has lapsed, to verify whether they will return, delete or retain[2] the personal data received previously under the framework. If they retain these data, organisations are obliged to continue to apply the Principles to them. In cases where the Department of Commerce has removed organisations from the framework due to a persistent failure to comply with the Principles, it will ensure that those organisations return or delete the personal data they had received under the framework.
6. When an organisation leaves the EU-U.S. Privacy Shield for any reason, it must remove all public statements implying that it continues to participate in the EU-U.S. Privacy Shield or is entitled to its benefits, in particular, any references to the EU-U.S. Privacy Shield in its published privacy policy. The Department of Commerce will search for and address false claims of participation in the framework, including by former members[3]. Any misrepresentation to the general public by an organisation concerning its adherence to the Principles in the form of misleading statements or practices is subject to enforcement action by the FTC, Department of Transportation or other relevant U.S. enforcement authorities; misrepresentations to the Department of Commerce are enforceable under the False Statements Act (18 U.S.C. § 1001)[4].
7. The Department of Commerce will ex officio monitor any false claims of Privacy Shield participation or the improper use of the Privacy Shield certification mark, and DPAs can refer organisations for review to a dedicated contact point at the Department. When an organisation has withdrawn from the EU-U.S. Privacy Shield, fails to re-certify or is removed from the Privacy Shield List, the Department of Commerce will on an on-going basis verify that it has deleted from its published privacy policy any references to the Privacy Shield that imply its continued participation and, if it continues to make false claims, refer the matter to the FTC, Department of Transportation or other competent authority for possible enforcement action. It will also send questionnaires to organisations whose self-certifications lapse or that have voluntarily withdrawn from the EU-U.S. Privacy Shield to verify whether the organisation will return, delete or continue to apply the Privacy Principles to the personal data that they received while participating in the EU-U.S. Privacy Shield and, if personal data are to be retained, verify who within the organisation will serve as an ongoing contact point for Privacy Shield-related questions.
8. On an ongoing basis, the Department of Commerce will conduct ex officio compliance reviews[5] of self-certified organisations, including through sending detailed questionnaires. It will also systematically carry out reviews whenever it has received a specific (non-frivolous) complaint, when an organisation does not provide satisfactory responses to its enquiries, or when there is credible evidence suggesting that an organisation may not be complying with the Principles. Where appropriate, the Department of Commerce will also consult with DPAs about such compliance reviews.

[1] Information about the management of the Privacy Shield List can be found in Annex I and Annex II (Sec. I.3, Sec. I.4, III.6.d, and Sec. III.11.g).

[2] See e.g. Annex II, Sec. I.3, Sec. III.6.f. and Sec. III.11.g.i.

[3] See Annex I, section on ‘Search for and Address False Claims of Participation’.

[4] See Annex II, Sec. III.6.h. and Sec. III.11.f.

[5] See Annex I.