By Jocelyn S Paulley

The Privacy Shield agreement was introduced rapidly in 2016 to fill the void left when the previous Safe Harbour regime was found not to offer the ‘adequate protection’ for personal data on which the European Commission had relied when it approved that scheme to enable data transfers to the US. Privacy Shield was therefore intended to offer stronger protections for transatlantic data flows and to rectify the Safe Harbour deficiencies.

Under the Privacy Shield scheme, organisations must annually self-certify (via the Department of Commerce website) that they agree to adhere to the Privacy Shield Principles, which are a detailed set of requirements based on privacy principles such as notice, choice, access, and accountability for onward transfer. Before submitting its self-certification to the Department of Commerce, the organisation must develop a Privacy Shield-compliant privacy policy.