Identifying Your Independent Recourse Mechanism for Privacy Shield Certification

A U.S.-based organization that is subject to the enforcement authority of either the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation (DOT) may join Privacy Shield by self-certifying its commitment to comply with the seven Privacy Shield Principles. The seventh Privacy Shield Principle—recourse, enforcement, and liability—requires that an organization seeking Privacy Shield self-certification identify an “independent recourse mechanism” through which EU individuals may have privacy-related complaints investigated and resolved at no cost to the individual.

The available choices for an independent recourse mechanism depend in part on the type of data for which self-certification is sought. Organizations seeking Privacy Shield self-certification that will cover employees’ personal information are required to cooperate and comply with the EU Data Protection Authorities (DPAs) as their independent recourse mechanism with respect to that data, while organizations seeking Privacy Shield self-certification for data transfers unrelated to employee data may either cooperate and comply with the EU DPAs or name a private-sector dispute resolution service as their independent recourse mechanism. An organization relying on the DPAs must pay an annual fee of $50. The fees charged by private-sector programs vary. Some providers, such as the Council of Better Business Bureaus and the Direct Marketing Association, charge flat annual fees based on the participating organization’s annual revenues. Other providers, such as the International Centre for Dispute Resolution and JAMS, charge on a pay-per-dispute basis without any upfront fees. Finally, a number of providers, such as PrivacyTrust, VeraSafe, and TRUSTe, offer dispute resolution services in addition to assistance with Privacy Shield self-certification. Specific pricing information for these services may depend on the scope and nature of the services provided.

Privacy Shield contains six additional principles: Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, and Access. By participating in Privacy Shield, an organization commits to adhere to these principles in its treatment of the personal information of individuals living in the European Union.