2352 Market Street
San Francisco, CA 94114
T: 415.795.1572
F: 909.972.1639
gamallp.com
May 1, 2018
RE: Guide to United States Privacy Shield Program – Compliance Needed by May 25, 2018
Greetings,
Our firm has prepared the following overview of the United States Privacy Shield program.
Companies that have not yet signed on to the EU-U.S. Privacy Shield and the Swiss-U.S.
Privacy Shield have until May 25, 2018, when the General Data Protection Regulation (GDPR)
goes into full effect in the European Union.
The Privacy Shield is one of many new legal obligations under the GDPR. Full compliance
procedures must be undertaken immediately to ensure that your company does not expose itself
to illegal transfers of personal data and to fines, which can equate to two (2) to four (4) percent of global
revenues.
Sign On to Privacy Shield Self-Certification
All companies should have signed on to the Privacy Shield Self-Certification with the
Department of Commerce within the first two (2) months of the program in order to gain the
nine (9) month grace period. The grace period started from the date the company is placed on the
Privacy Shield list, and the company will have that time to bring its onward transfer obligations in
line with the requirements. The nine (9) months was especially beneficial because it provided the
company time to implement the more complex and time-consuming requirements, such as the
contract and process changes around managing onward data transfers to sub-contractors
(controllers and processors).
If your company has not signed on to the Privacy Shield, then it will have to be in full
compliance with the requirements immediately upon submission, meaning all onward transfer
obligations attached at the time of certification. The company will not be placed on the
Department of Commerce list as self-certified until the company has all the required operational
changes in place.
Getting Ready Before Your Privacy Shield Application
Companies must be in compliance with all of the requirements prior to applying for Privacy
Shield Certification. Companies should get started on operational updates that have significant
impact on the business and take the longest to implement. The primary areas a company should
focus on include:
• Getting contracts in place to meet increased accountability obligations for onward
transfers to sub-contractors;
• Ensuring audit trail and dispute mechanisms meet stronger oversight and
enforcement requirements; and
• Updating privacy policies for increased transparency obligations.
Once a company signs on to the Privacy Shield they still must comply with the Notice and Choice
Privacy Principles, and further ensure that third-party recipients can provide the same level of
protection guaranteed by the privacy principles.
Three Main Areas of Focus
Transfers
First, before applying for Privacy Shield Program Certification, a company must implement
contracts and processes to meet the following obligations during the interim period for all transfers
to Third Parties:
1. For transfers to controllers, companies must ensure that the Notice and Choice
obligations are met.
- Notice Principle sets forth thirteen (13) items that must be addressed by
the company, and it includes a “clear and conspicuous” requirement. The
thirteen (13) items are listed below.
- Onward Transfers Principle now requires participating companies to
“provide a summary or a representative copy of the relevant privacy
provisions of its contract with that [service provider] to the Department
upon request.”
2. For transfers to agents (processors), companies must ascertain that an agent is
obligated to provide at least the same level of protection that is required by the
principles.
3. For transfers to Third Parties acting as a controller, companies must ensure:
a. The Notice and Choice obligations are met;
b. The personal information is processed for limited and specified purposes
consistent with the consent provided; and
c. That all personal information will be afforded the same level of protection as
the Principles.
4. For transfers to Third Parties acting as an agent, companies must:
a. Ensure the transfer of personal information is for limited and specified purposes;
b. Ascertain the agent is obligated to provide at least the same level of privacy
protection as is required by the Principles; and
c. Take reasonable and appropriate steps to ensure that the agent effectively
processes the personal information transferred in a manner consistent with the
company’s obligations under the Principles.
Implementing and satisfying these requirements will require contracts be in place to cover
all data transfer parties, with appropriate language to meet obligations, along with processes for
monitoring, reporting, remediation and disclosure.
Moreover, companies will remain responsible for EU personal information, even when it
goes to sub-contractors, and will have the burden of proof if liability arises. Therefore, it is critical
to have proper audit trail mechanisms in place to mitigate risk.
Audit Trail Processes and Dispute Resolution Mechanism
Second, a company must retain all records related to Privacy Shield verification and provide
them to the Department of Commerce or Federal Trade Commission upon request. Companies need
to build strong audit trail processes to respond to inquiries in the context of stepped up oversight
and enforcement.
Specifically, companies have two options for dispute resolution. One option is to elect an
independent Dispute Resolution Provider, which must be provided at no cost to the customer.
However, this option is not permitted for employee personal information issues.
The other option is for the company to use local Data Protection Authorities in the EU,
which is the required dispute resolution mechanism option for employee’s personal information. If
a company transfers both customer and employee data, an independent Dispute Resolution
Provider can be used for customer data, and local Data Protection Authorities can be used for
employees’ personal information as long as it is clear which mechanism applies.
As a last resort, individuals can make use of an arbitration panel. In addition, EU citizens
now can sue in a private cause of action against US companies. Companies should have one of the
two listed mechanisms in place at the time of self-certification, including a designated Dispute
Resolution Provider. Companies should also do what they can to resolve any issue and, in any
event, they must respond within the required forty-five (45) days from the initial complaint.
Compliant Privacy Policies
Third, companies must update their privacy policies for increased transparency obligations.
It is important to plan ahead and allow the necessary time for policy redlining, review, and proper
technology implementation and testing across all digital properties. The Privacy Shield imposes amended
and additional disclosure requirements for a company’s Privacy Policy, including:
- Declare compliance with the Privacy Shield and publish privacy policies that reflect the
privacy principles;
- The types of personal data collected and any subsidiaries adhering to the principles;
- The principles apply to all personal data from the EU under the Privacy Shield;
- The purposes for which it collects and uses personal information;
- Contact information for complaints and inquiries;
- Types of third parties where personal information is disclosed and purposes of
disclosure;
- The right of individuals to access their personal data;
- The choices offered for limiting the use and disclosure of personal data;
- The dispute resolution body designated to address complaints;
- That it is subject to Federal Trade Commission (FTC) and/or Department of
Transportation jurisdiction;
- The possibility to make use of binding arbitration where appropriate; and
- The disclosure policies in response to lawful requests by public authorities; and its
liability in cases of onward transfers to third parties.
The Seven Privacy Principles and New Requirements
To complete the certification process, companies must show compliance with the seven
Privacy Principles listed below. A list of new requirements is set out in relation to the Principles of
notice, choice, accountability for onward transfers, security, data integrity and purpose limitation,
access, recourse, enforcement, and liability.
Notice
The notification obligations require companies to notify individuals of new details in their
Privacy Policy, including:
- Whether the company is subject to the investigatory and enforcement powers of the
Federal Trade Commission or other U.S. agencies;
- Whether the company will adhere to an independent dispute resolution body to
address individual complaints;
- The right of individuals to invoke binding arbitration against the company under certain
circumstances;
- Its obligation to disclose personal data to public authorities in compliance with lawful
requests; and
- Its responsibility and potential liability in cases of onward transfers to third parties.
The notice must be provided in clear and conspicuous language when individuals are first
asked to provide personal information to the company or as soon thereafter as is practicable, but
before the company uses that information for a purpose other than that for which it was originally
collected. Companies must also inform individuals about:
- Its participation in the Privacy Shield and provide a link to, or the web address for, the
Privacy Shield list;
- The types of personal data collected and, where applicable, the entities or subsidiaries of
the organization also adhering to the Principles;
- Its commitment to subject to the Principles all personal data received from the EU in
reliance on the Privacy Shield;
- The purposes for which it collects and uses personal information about them;
- How to contact the organization with any inquiries or complaints, including any relevant
establishment in the EU that can respond to such inquiries or complaints;
- The type or identity of third parties to which it discloses personal information, and the
purposes for which it does so;
- The right of individuals to access their personal data;
- The choices and means the company offers individuals for limiting the use and
disclosure of their personal data;
- The independent dispute resolution body designated to address the complaints and
provide appropriate recourse free of charge to the individual, and whether it is (1) the
panel established by DPAs, (2) an alternative dispute resolution provider based in the
EU, or (3) an alternative dispute resolution provider based in the US;
- Being subject to the investigatory enforcement powers of the FTC, the Department of
Transportation, or any other US authorized statutory body;
- The possibility, under certain conditions, for the individual to invoke binding arbitration;
- The requirement to disclose personal information in response to lawful requests by
public authorities, including to meet national security or law enforcement requirements;
and
- Its liability in cases of onward transfers to third parties.
In addition to designating a dispute resolution body, the company must establish
mechanisms in order to respond within forty-five (45) days of the initial complaint lodged by the
data subject regarding their personal data.
Choice
Under the Choice Principle, a company must offer data subjects the opportunity to opt out
if the company plans to: (1) disclose their personal data to third parties other than
processors/agents acting on the company’s behalf; (2) use their personal data for materially
different purposes than for which it was originally collected; or (3) use their personal data for direct
marketing purposes. Special rules apply to direct marketing, which generally allow data subjects to
opt out at any time from the use of their personal data. Therefore, the company must ensure it
provides a clear, conspicuous, and readily available mechanism that allows individuals this choice.
Once a U.S. company receives employee data from the EU under the Privacy Shield the
participating company may disclose it to a third party or use it for a different purpose, but only in
accordance with the Notice and Choice Privacy Principles.
Before disclosing sensitive data to any third parties, including processors, or using that
sensitive data for a materially different purpose, the company must obtain the individual’s “explicit”
(i.e. opt-in) consent. Sensitive data is defined as personal information specifying medical or health
conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union
membership or information specifying the sex life of the individual. Therefore, a data subject’s
affirmative, explicit consent is required when the processing of sensitive data is in the vital interest
of the data subject or another person, necessary to establish legal claims or defenses, or required
to provide medical care or carry out a company’s employment law obligations.
Accountability for Onward Transfers
The rules around onward transfers of data by a Privacy Shield member to third parties,
whether a data controller or data processor, have tightened. For onward transfers, the tightened
personal conditions apply to any third party and hold the self-certified company responsible for the
conduct of their third-party processors/agents. If compliance problems arise in a sub-processing
chain, the Privacy Shield company acting as data controller of the data will face liability unless it can
prove that it was not responsible for the event causing the damage. Additionally, companies can
face potential liability for the processing actions of their processors. Therefore, companies should
also be prepared to make available summaries or copies of the relevant privacy provisions in their
contracts to the data subjects or the Department of Commerce upon request.
Companies must execute contracts with third-party data recipients – whether the party is a
separate data controller or data processor (vendor) – obligating them to process data only for
limited and specified purposes and to provide the same level of protections guaranteed by the
Privacy Principles. The Onward Transfers Principle also effectively requires mechanisms for
oversight of third-party processors requiring participating companies to: (1) take steps to ensure
the processor handles the data in accordance with the Privacy Principles; and (2) remediate any
unauthorized processing by the processor.
Security
Companies must demonstrate that they have “reasonable and appropriate” data security
measures in place that take into account the relevant risk and nature of the data. These measures
must protect the data from loss, misuse and unauthorized access, disclosure, alteration and
destruction.
Data Integrity and Purpose Limitation
Companies must ensure the data is relevant and reliable for its intended purpose, and it is
accurate, complete and current. Without consent, the company cannot process personal data in a
way that is incompatible with the purpose for which it was originally collected or subsequently
authorized by an individual.
Access
Companies must implement mechanisms that provide data subjects with access to the
personal data about them, and the ability to correct, amend, or delete their personal data where it
is inaccurate or has been processed in violation of the Privacy Principles. In the employment
context, EU employers will usually provide such access as is required by the law in their home
countries, regardless of the location of data. However, the Privacy Shield nonetheless requires
participating US companies processing such data to cooperate with the EU employers in providing
employees with access to their data.
Recourse, Enforcement and Liability
Not only must companies have effective privacy protection, that protection must include robust
mechanisms for assuring compliance with the Principles, recourse for individuals who are affected
by non-compliance with the Principles and consequences for the organization when the Principles
are not followed. The necessary mechanisms, at a minimum, must include:
- Readily available independent recourse mechanisms by which each individual’s
complaints and disputes are investigated and expeditiously resolved at no cost to
the individual (the company must respond within 45 days of receiving a complaint and
provide an assessment of the merits of the complaint and the actions taken);
- Follow-up procedures for verifying that the statements made by the company about
their privacy practices are true and that the privacy practices have been
implemented; and
- Obligations to remedy problems arising out of non-compliance with the Principles
by the company announcing their adherence to them and consequences for such
companies.
Companies and their selected independent recourse mechanisms must respond promptly
to inquiries and requests by the Department for information relating to the Privacy Shield.
Additionally, companies must respond expeditiously to complaints regarding compliance with the
Principles referred by EU Member State authorities through the Department.
Companies are obligated to arbitrate claims provided that an individual has invoked binding
arbitration by delivering notice to the company at issue and following the procedures. In the
context of an onward transfer, a Privacy Shield company has responsibility for the processing of
personal information it receives under the Privacy Shield and subsequently transfers to a third party
acting as an agent on its behalf. The Privacy Shield company will remain liable under the Principles if
its agent processes such personal information in a manner inconsistent with the Principles, unless
the company can prove that it is not responsible for the event giving rise to the damage.
In addition, the company must not only self-certify its compliance with these Privacy
Principles, but must also meet annual verification requirements either through self-assessment or
outside compliance reviews. No matter what the company chooses, they must be prepared to
submit written verification statements to the Department of Commerce or EU data subjects upon
request.
Need guidance?
Contact Christina Gagnier, lead of GAMA’s Global Data Privacy Practice.
gagnier@gamallp.com
415.795.1572

EU Privacy Shield Self Certification

  • 1.
    2352 Market Street SanFrancisco, CA 94114 T: 415.795.1572 F: 909.972.1639 gamallp.com 1 May 1, 2018 RE: Guide to United States Privacy Shield Program – Compliance Needed by May 25, 2018 Greetings, Our firm has prepared the following overview of the United States Privacy Shield program. For all companies that have not currently signed onto the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, you have until May 25, 2018, when the General Data Protection Regulation (GDPR) goes into full effect in the European Union. The Privacy Shield is one of many new legal obligations under the GDPR. Full compliance procedures must be undertaken immediately to ensure that your company does not subject itself to illegal transfers of personal data, fines which can equate to two (2) to four (4) percent of global revenues. Sign On to Privacy Shield Self-Certification All companies should have signed on to the Privacy Shield Self-Certification with the Department of Commerce within the first two (2) months of the program in order to gain the nine (9) month grace period. The grace period started from the date the company is placed on the Privacy Shield list, and the company will have that time to bring its onward transfer obligations in line with the requirements. The nine (9) months was especially beneficial because it provided the company time to implement the more complex and time-consuming requirements, such as the contract and process changes around managing onward data transfers to sub-contractors (controllers and processors). If your company has not signed on to the Privacy Shield, then it will have to be in full compliance with the requirements immediately upon submission, meaning all onward transfer obligations attached at the time of certification. The company will not be placed on the Department of Commerce list as self-certified until the company has all the required operational changes in place. 
Getting Ready Before Your Privacy Shield Application Companies must be in compliance with all of the requirements prior to applying for Privacy Shield Certification. Companies should get started on operational updates that have significant impact on the business and take the longest to implement. The primary areas a company should focus on include: • Getting contracts in place to meet increased accountability obligations for onward transfers to sub-contractors;
  • 2.
    2352 Market Street SanFrancisco, CA 94114 T: 415.795.1572 F: 909.972.1639 gamallp.com 2 • Ensuring audit trail and dispute mechanisms meet stronger oversight and enforcement requirements; and • Updating privacy policies for increased transparency obligations. Once a company signs on to the Privacy Shield they still must comply with the Notice and Choice Privacy Principles, and further ensure that third-party recipients can provide the same level of protection guaranteed by the privacy principles. Three Main Areas of Focus Transfers First, before applying for Privacy Shield Program Certification, a company must implement contracts and processes to meet the following obligations during the interim period for all transfers to Third Parties: 1. For transfers to controllers, companies must ensure that the Notice and Choice obligations are met. - Notice Principle sets forth thirteen (13) items that must be addressed by the company, and it includes a “clear and conspicuous” requirement. The thirteen (13) items are listed below. - Onward Transfers Principle now requires participating companies to “provide a summary or a representative copy of the relevant privacy provisions of its contract with that [service provider] to the Department upon request.” 2. For transfers to agents (processors), companies must ascertain that an agent is obligated to provide at least the same level of protection that is required by the principles. 3. For transfers to Third Partied acting as a controller, companies must ensure: a. The Notice and Choice obligations are met; b. The personal information is processed for limited and specified purposes consistent with the consent provided; and c. That all personal information will be afforded the same level of protection as the Principles.
  • 3.
    2352 Market Street SanFrancisco, CA 94114 T: 415.795.1572 F: 909.972.1639 gamallp.com 3 4. For transfers to Third Parties acting as an agent, companies must: a. Ensure the transfer of personal information is for limited and specified purposes; b. Ascertain the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; and c. Take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with the company’s obligations under the Principles. Implementing and satisfying these requirements will require contracts be in place to cover all data transfer parties, with appropriate language to meet obligations, along with processes for monitoring, reporting, remediation and disclosure. Moreover, companies will remain responsible for EU personal information, even when it goes to sub-contractors, and will have the burden of proof if liability arises. Therefore, it is critical to have proper audit trail mechanisms in place to mitigate risk. Audit Trail Processes and Dispute Resolution Mechanism Second, a company must retain all records related to Privacy Shield verification and provide it to the Department of Commerce or Federal Trade Commission upon request. Companies need to build strong audit trail processes to respond to inquiries in the context of stepped up oversight and enforcement. Specifically, companies have two options for dispute resolution. One option is to elect an independent Dispute Resolution Provider, which must be provided at no cost to the customer. However, this option is not permitted for employee personal information issues. The other option is for the company to use local Data Protection Authorities in the EU, which is the required dispute resolution mechanism option for employee’s personal information. 
If a company transfers both customer and employee data, an independent Dispute Resolution Provider can be used for customer data, and a local Data Protection Authorities can be used for employee’s personal information as long as it is clear which mechanism applies. As a last resort, individuals can make use of an arbitration panel. In addition, EU citizens now can sue in a private cause of action against US companies. Companies should have one of the two listed mechanisms in place at the time of self-certification, including a designated Dispute Resolution Provider. Companies should also do what they can to resolve any issue and, in any event, they must respond within the required forty-five (45) days from the initial complaint.
  • 4.
    2352 Market Street SanFrancisco, CA 94114 T: 415.795.1572 F: 909.972.1639 gamallp.com 4 Compliant Privacy Policies Third, companies must update their privacy policies for increased transparency obligations. It is important to plan ahead and allow the necessary time for policy redlining, review, and property technology implementation and testing across all digital properties. The Privacy Shield has amended and additional disclosure requirements for a company’s Privacy Policy, including: - Declare compliance with the Privacy Shield and publish privacy policies that reflect the privacy principles; - The types of personal data collected and any subsidiaries adhering to the principles; - The principles apply to all personal data from the EU under the Privacy Shield; - The purposes for which it collected and uses personal information; - Contact information for complaints and inquiries; - Types of third parties where personal information is disclosed and purposes of disclosure; - The right of individuals to access their personal data; - The choices offered for limiting the use and disclosure of personal data; - The dispute resolution body designated to address complaints; - That it is subject to Federal Trade Commission (FTC) and/or Department of Transportation jurisdiction; - The possibility to make use of binding arbitration where appropriate; and - The disclosure policies in response to lawful requests by public authorities; and its liability in cases of onward transfers to third parties. The Seven Privacy Principles and New Requirements To complete the certification process, companies must show compliance with the seven Privacy Principles listed below. A list of new requirements is set out in relation to the Principles of notice, choice, accountability for onward transfers, security, data integrity and purpose limitation, access, recourse, enforcement, and liability. 
Notice The notification obligations require companies to notify individuals of new details in their Privacy Policy, including: Whether the company is subject to the investigatory and enforcement powers of the Federal Trade Commission or other U.S. agencies; Whether the company will adhere to an independent dispute resolution body to address individual complaints; The right of individuals to invoke binding arbitration against the company under certain circumstances;
  • 5.
    2352 Market Street SanFrancisco, CA 94114 T: 415.795.1572 F: 909.972.1639 gamallp.com 5 Its obligation to disclose personal data to public authorities in compliance with lawful requests; and Its responsibility and potential liability in cases of onward transfers to third parties. The notice must be provided in clear and conspicuous language when individuals are first asked to provide personal information to the company or as soon thereafter as is practicable, but before the company uses that information for a purpose other than that for which it was originally collected. Companies must also inform individuals about: Its participation in the Privacy Shield and provide a link to, or the web address for, the Privacy Shield list; The types of personal data collected and, where applicable, the entities or subsidiaries of the organization also adhering to the Principles; Its commitment to subject to the Principles all personal data received from the EU in reliance on the Privacy Shield; The purposes for which it collects and uses personal information about them; How to contact the organization with any inquiries or complaints, including any relevant establishment in the EU that can respond to such inquiries or complaints; The type or identity of third parties to which it discloses personal information, and the purposes for which it does so; The right of individuals to access their personal data; The choices and means the company offers individuals for limiting the use and disclosure of their personal data; The independent dispute resolution body designated to address the complaints and provide appropriate recourse free of charge to the individual, and whether it is (1) the panel established by DPAs, (2) an alternative dispute resolution provider based in the EU, or (3) an alternative dispute resolution provider based in the US; Being subject to the investigatory enforcement powers of the FTC, the Department of Transportation, or any other US authorized statutory 
body; The possibility, under certain conditions, for the individual to invoke binding arbitration; The requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; and Its liability in cases of onward transfers to third parties. In addition to designating a dispute resolution body, the company must establish mechanisms in order to respond within forty-five (45) days of the initial complaint lodged by the data subject regarding their personal data.
  • 6.
    2352 Market Street SanFrancisco, CA 94114 T: 415.795.1572 F: 909.972.1639 gamallp.com 6 Choice Under the Choice Principle, a company must offer data subjects the opportunity to opt out if the company plans to: (1) disclose their personal data to third parties other than processors/agents acting on the company’s behalf; (2) use their personal data for materially different purposes than for which it was originally collected; or (3) use their personal data for direct marketing purposes. Special rules apply to direct marketing, which generally allow data subjects to opt out at any time from the use of their personal data. Therefore, the company must ensure they provide a clear, conspicuous, and readily available mechanisms that allows individuals this choice. Once a U.S. company receives employee data from the EU under the Privacy Shield the participating company may disclose it to a third party or use it for a different purpose, but only in accordance with the Notice and Choice Privacy Principles. Before disclosing sensitive data to any third parties, including processors, or using that sensitive data for a materially different purpose, the company must obtain the individual’s “explicit” (i.e. opt-in) consent. Sensitive data is defined as personal information specifying medical or health conditions, racial or ethnic original, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual. Therefore, a data subject’s affirmative, explicit consent is required when the processing of sensitive data is in the vital interest of the data subject or another person, necessary to establish legal claims or defenses, or required to provide medical care or carry out a company’s employment law obligations. Accountability for Onward Transfers The rules around onward transfers of data by a Privacy Shield member to third parties, whether a data controller or data processor, have tightened. 
For onward transfers, the tightened conditions apply to any third party and hold the self-certified company responsible for the conduct of its third-party processors/agents. If compliance problems arise in a sub-processing chain, the Privacy Shield company acting as data controller of the data will face liability unless it can prove that it was not responsible for the event causing the damage. Additionally, companies can face potential liability for the processing actions of their processors. Therefore, companies should also be prepared to make available summaries or copies of the relevant privacy provisions in their contracts to the data subjects or the Department of Commerce upon request. Companies must execute contracts with third-party data recipients, whether the party is a separate data controller or a data processor (vendor), obligating them to process data only for limited and specified purposes and to provide the same level of protection guaranteed by the Privacy Principles. The Onward Transfers Principle also effectively requires mechanisms for oversight of third-party processors, requiring participating companies to: (1) take steps to ensure the processor handles the data in accordance with the Privacy Principles; and (2) remediate any unauthorized processing by the processor.
Security
Companies must demonstrate that they have "reasonable and appropriate" data security measures in place that take into account the relevant risk and the nature of the data. These measures must protect the data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
Data Integrity and Purpose Limitation
Companies must ensure the data is relevant and reliable for its intended purpose, and that it is accurate, complete and current. Without consent, the company cannot process personal data in a way that is incompatible with the purpose for which it was originally collected or subsequently authorized by an individual.
Access
Companies must implement mechanisms that provide data subjects with access to the personal data about them, and the ability to correct, amend, or delete their personal data where it is inaccurate or has been processed in violation of the Privacy Principles. In the employment context, EU employers will usually provide such access as is required by the law in their home countries, regardless of the location of the data. However, the Privacy Shield nonetheless requires participating U.S. companies processing such data to cooperate with the EU employers in providing employees with access to their data.
Recourse, Enforcement and Liability
Not only must companies have effective privacy protection, but that protection must also include robust mechanisms for assuring compliance with the Principles, recourse for individuals who are affected by non-compliance with the Principles, and consequences for the organization when the Principles are not followed.
The necessary mechanisms, at a minimum, must include:
(1) Readily available independent recourse mechanisms by which each individual's complaints and disputes are investigated and expeditiously resolved at no cost to the individual (the company must respond within 45 days of receiving a complaint and provide an assessment of the merits of the complaint and the actions taken);
(2) Follow-up procedures for verifying that the statements made by the company about its privacy practices are true and that the privacy practices have been implemented; and
(3) Obligations to remedy problems arising out of non-compliance with the Principles by companies announcing their adherence to them, and consequences for such companies.
Companies and their selected independent recourse mechanisms must respond promptly to inquiries and requests by the Department for information relating to the Privacy Shield. Additionally, companies must respond expeditiously to complaints regarding compliance with the Principles referred by EU Member State authorities through the Department. Companies are obligated to arbitrate claims provided that an individual has invoked binding arbitration by delivering notice to the company at issue and following the required procedures.
In the context of an onward transfer, a Privacy Shield company has responsibility for the processing of personal information it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. The Privacy Shield company will remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless the company can prove that it is not responsible for the event giving rise to the damage.
In addition, the company must not only self-certify its compliance with these Privacy Principles, but must also meet annual verification requirements, either through self-assessment or outside compliance reviews. Whichever option the company chooses, it must be prepared to submit written verification statements to the Department of Commerce or EU data subjects upon request.
Need guidance? Contact Christina Gagnier, lead of GAMA's Global Data Privacy Practice. gagnier@gamallp.com 415.795.1572