
In 2020, the EU court rendered the EU-U.S. Privacy Shield invalid under its current structure, and the FDPIC of Switzerland issued an opinion that the Swiss-U.S. Privacy Shield Framework is not adequate. 

In March 2022, the United States and the European Commission announced that they had agreed in principle on a new "Trans-Atlantic Data Privacy Framework." The U.S. Department of Commerce continues to accept and renew Privacy Shield certifications, and we continue to offer dispute resolution services under the Privacy Shield as officials continue to negotiate to implement this new framework.

If you have questions or need assistance, contact the ANA Privacy Shield administrator Lisa Shosteck at lshosteck@ana.net.

 

The Privacy Shield Frameworks provide a set of robust and enforceable protections for the personal data of individuals from the EU and Switzerland. The Frameworks provide transparency regarding how participating companies use personal data, strong U.S. government oversight, and increased cooperation with data protection authorities and regulators in the EU and Switzerland. The Privacy Shield Frameworks offer EU and Swiss individuals access to multiple avenues to address any concerns regarding participants’ compliance with the Frameworks, including free dispute resolution, which ANA provides to participating companies.

It is important to note that the ANA Shield Program does not cover issues relating to the transfer of human resources data. However, the transfer of such data does fall under the frameworks and you must select the EU Data Protection Authorities (DPAs) or the Swiss Federal Data Protection and Information Commissioner’s authority as your independent third party dispute provider for this type of data. The ANA Shield Program covers all other types of data.

While joining the Privacy Shield Framework is voluntary, once an eligible company makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. Please review your data flows and privacy practices with your legal counsel to ensure that your program is meeting the Shield requirements. The information provided by ANA is for your background and overall guidance and should not be considered as legal advice for your specific company’s needs.

TO APPLY:
The ANA offers its Privacy Shield service as a member benefit, either complimentary or for $300, depending on membership level. Nonmembers can also select the ANA Privacy Shield for an applicable fee. Prices vary depending on a company’s annual revenue.

Click on the button below to contact ANA staff for additional information on how to apply:

Apply Now

 

Who Should Consider Joining?

Category A

  • Are you a United States organization that receives or processes personally identifiable information directly from Europe or Switzerland?
  • Are you a subsidiary or affiliated company that processes this information here in the United States? (The Privacy Shield framework covers personal information that is collected online or offline and filed manually or electronically.)

Category B

  • Do your company’s business practices fall under the jurisdiction of the Federal Trade Commission?
  • Do your company’s business practices fall under the jurisdiction of the U.S. Department of Transportation (e.g., air carriers, travel agents, airlines)?

If your company meets any one condition from each of these categories, then you should consider joining one of the Privacy Shield Frameworks.

 

What are the Privacy Shield Principles?

In order for your company to be compliant with the Privacy Shield framework, you must abide by and incorporate the Privacy Shield principles into your privacy policy and corporate practices. By adhering to the core principles of: notice; choice; security; accountability for onward transfer; data integrity and purpose limitation; access; and recourse, enforcement and liability, your company is indicating that you place great value on data privacy protection and will make every effort to respect European and Swiss individuals' requests regarding use of their personal information. These Privacy Shield principles pertain to the personal information that your company transfers from the EU or Switzerland to the United States. Personal information is defined as information that directly identifies an individual – name, address, telephone number and similar identifying information. Below is a chart highlighting the principles and new requirements under the Privacy Shield framework. You can click on each privacy principle to learn more about it or visit the Department of Commerce. To learn more about the Swiss Privacy Shield, review the Department of Commerce’s FAQ.

Privacy Principles: Safe Harbor and Privacy Shield

Notice

  • Safe Harbor: To disclose that an organization adheres to principles/framework and states what information collection, sharing, access, opt-out, enforcement and security measures are in place.
  • Privacy Shield: New: Requires links to DOC Shield participant list and dispute provider website; disclose new ability for individuals to pursue binding arbitration if other mechanisms fail; disclose that you may share PI for lawful requests or national security; and liability in onward transfers to third parties.

Choice

  • Safe Harbor: Provide consumers with the opportunity to opt-out or opt-in (sensitive information) depending on the nature of the data. Set up appropriate procedures to respect consumers’ opt-out/opt-in requests, particularly with respect to consumers’ requests to not be approached for direct marketing (i.e., in-house suppression system). Opting-out should not require consumers to incur any fee or expense beyond a first-class stamp or phone call. Opt-in for sensitive information: medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.
  • Privacy Shield: Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice. An organization must offer individuals the opportunity to choose (opt out) whether their PI is to be disclosed to a third party or to be used for a materially different purpose. Choice is not required when disclosure is made to a third party that is acting as an agent to perform task(s) on behalf of the organization. However, an organization shall always enter into a contract with the agent. Definition of sensitive information is same as safe harbor.

Accountability For Onward Transfer

  • Safe Harbor: Determine the need for contracts with respect to the transfer of information to third parties. You must ensure that if information is disclosed to agents or subcontractors that they will agree to abide by the safe harbor principles. You should only transfer data to third parties consistent with the notice and choices you have given the consumers. Any agents of yours who handle or process your data, such as your service bureaus, must themselves either be subject to the EU Directive or be members of the safe harbor, or they must agree in writing to be bound by these principles. In all events, you must document your agreement with them as to their treatment of data.
  • Privacy Shield: Same overall themes but participating company now has liability in cases of onward transfer of data to third parties. Any onward transfer can only take place: 1) for limited and specified purposes; 2) with a contract or comparable arrangement within corporate group; and 3) only if the contract provides the same level of protection as the one guaranteed by the Principles – and is limited to the extent necessary to meet national security, law enforcement & other public interest purposes. This applies to any third parties regardless of location (within or outside U.S.). Additionally, upon request by DOC, must provide a summary or a copy of relevant contract privacy provisions entered into with its agent.

Security

  • Safe Harbor: Organization must take reasonable and appropriate measures to protect data from loss, misuse and unauthorized access, disclosure, alteration and destruction.
  • Privacy Shield: Same general principles. In instances where an organization uses a sub-processor, they must enter into a contract guaranteeing the same level of protection as the Principles and take steps to ensure proper implementation.

Data Integrity and Purpose Limitation

  • Safe Harbor: Ensure that the customer’s personal information is reliable, accurate, complete, current and used for intended purposes. Your company should not process data that are not relevant to the purpose for which they were collected, unless subsequently authorized by the consumer.
  • Privacy Shield: Must limit personal information to the information relevant for the purposes of processing. Must comply with new data retention principle.

Access

  • Safe Harbor: You must provide customers the ability to access PI being maintained by the company and the ability to correct, amend or delete it where it is inaccurate or processed in violation of the Principles (based on a sliding scale principle – the obligation to provide access to information increases where its use is more likely to significantly affect the individual).
  • Privacy Shield: Same.

Recourse, Enforcement and Liability

  • Safe Harbor: Take reasonable steps to ensure that any consumer privacy concern will be addressed by:
    1. referring consumers to your customer service department or other in-house dispute resolution program;
    2. subscribing to a third-party dispute resolution mechanism to address any unresolved in-house consumer data privacy complaints. (ANA provided this service for 15 years); and
    3. having appropriate monitoring, verification and remedy procedures in place.
    The independent dispute resolution service should be readily available and at no cost to consumer. (ANA never charged consumers for this service.)
  • Privacy Shield: New available remedy for EU individuals is binding arbitration – individuals must pursue other mechanisms first such as contacting:
    1. company directly;
    2. independent dispute provider; and
    3. then may pursue binding arbitration.
    No monetary damages allowed under binding arbitration. Binding arbitration seeks to resolve an individual complaint. Binding arbitration will not be available yet under Swiss Privacy Shield – process will be created at annual review meeting between U.S. & Swiss government. For EU Privacy Shield, a separate complaint process: consumers may also contact the appropriate DPA, and then the DPA resolves the complaint or works with DOC to resolve the complaint. No binding arbitration under this scenario.

How Do ANA’s Dispute Resolution Services Work?

The major component of ANA’s Privacy Shield Programs is to provide businesses seeking to certify under these Frameworks with an independent third party dispute resolution mechanism that complies with the enforcement requirements. ANA will:

  • Serve as your third-party dispute and enforcement mechanism. European & Swiss consumers, companies and governments can be assured that your company will adhere to the third-party dispute and enforcement requirements of the Privacy Shield Frameworks. This will solidify Europeans’ and Swiss’s trust and confidence in your organization.
  • Provide companies with assistance in developing a privacy policy that is based on the Privacy Shield Principles. By adhering to those 7 core principles, your company is indicating that you place great value on data privacy protection and will make every effort to respect Europeans’ and Swiss’s requests regarding use of their personal information.
  • ANA stands ready to assist your company in:
    1. Meeting the U.S. Department of Commerce’s registration requirements for the EU-U.S. Privacy Shield and/or Swiss-U.S. Privacy Shield Frameworks,
    2. Serving as your independent third-party dispute resolution mechanism, and
    3. Addressing any other questions or concerns your company has regarding the Privacy Shield process.
  • Provide the appropriate ANA Privacy Shield Program mark. This mark will provide consumers with an easily recognizable symbol that signifies and distinguishes your organization as being in compliance with the Privacy Shield enforcement principle(s).

 

ANA's Privacy Shield Complaint Handling Process

The major component of ANA’s Privacy Shield Program is to provide businesses seeking to certify under these Frameworks with an independent third party dispute resolution mechanism that complies with the enforcement requirements. The Shield requires that the dispute resolution mechanism be readily available to consumers and free-of-charge to European and Swiss individuals, and be able to ensure compliance with the Shield privacy protections. ANA has never charged consumers for this service and it will remain free to both European and Swiss consumers. ANA’s Privacy Shield Program adheres to the belief that an independent dispute resolution mechanism should:

  • provide a fair and unbiased redress of the consumer’s concerns;
  • be visible so that consumers with concerns know where to turn for resolution of their problem;
  • be accessible so that there are no barriers to the filing of a complaint, whether they be financial or otherwise;
  • provide resolution in a timely manner;
  • provide finality for the consumer by reaching an independent determination of the dispute in a fair and timely manner; and
  • provide enforceability of the final conclusions in the determination of the consumer’s dispute.

To provide a mechanism that is fair, ANA has created a Privacy Shield Program Committee that is comprised of respected experts from the data and marketing industry. The Committee will have the power to hear both sides of a dispute, and provide a final determination. When businesses join the ANA’s Privacy Shield Program, they will be required to sign a Contract whereby they agree to abide by the decisions of the Committee. They will also be notified in the contract that the Committee will have the authority to issue certain sanctions as a result of its decision. The sanctions available to the Committee include, but are not limited to:

  1. Correction of actions found not to be in compliance with the Privacy Principles and framework(s).
  2. Correction or deletion of inaccurate personal information.
  3. Reimbursement of actual, direct monetary damages incurred by the consumer.
  4. Removal from the ANA EU-U.S. Privacy Shield Program and/or Swiss-U.S. Privacy Shield Program and revocation of the company’s ability to display the ANA Privacy Shield Mark.
  5. Public notification of the decision and action taken by the Committee.
  6. Notification to the U.S. Department of Commerce of the Committee’s decision and a request for removal from the Shield Certification List(s) due to failure to comply with the appropriate Privacy Principles.
  7. Referral of the matter to the Federal Trade Commission or other appropriate governmental agency for enforcement action.

The linchpin to any dispute resolution mechanism is that it be impartial. One way to assure impartiality is to assure openness of the results of the program by publishing an annual report regarding the types of complaints processed during the reporting period, and for ANA staff to be constantly vigilant that the results are fair and legal. To assure accessibility, there will be no cost to the consumer, and businesses will be required to notify consumers of the availability of ANA’s Privacy Shield Program in an open and conspicuous manner and prominently display the ANA Privacy Shield Program Mark. The program will provide consumers an easy method to bring their disputes before the Committee. It is the goal of the Program to obtain a determination of all cases in a quick and timely manner, but in no case longer than 60 days.

The ANA Privacy Shield Program's Complaint Procedures

  1. When a complaint is received, staff will verify that the complaint involves matters over which the ANA Privacy Shield Program Committee has jurisdiction.
  2. Staff will verify that the business’s in-house complaint handling system has had a reasonable opportunity to address the EU and/or Swiss resident’s complaint.
  3. Staff will contact the business requesting that the complaint be reviewed and that a response be provided within 10 days.
  4. Staff will provide the company’s response to the complainant and, after checking with the complainant, if the complaint has been resolved, the matter will be closed out.
  5. If the matter is still in dispute, the complaint (all written materials from both the consumer and the business) will be presented to the Committee for a determination (Initial Decision) on the matter. The meeting will take place by telephone conference call, unless the Committee decides that another meeting form is more appropriate.
  6. A conference call will be set up for the Committee to review the case and make an Initial Decision. The Committee can either find no violation of the appropriate Privacy Principles and close out the case, or find that one or more violations of the Principles have occurred, and set a remedy that the Committee determines is appropriate.
  7. The business and the consumer will be notified by letter of the Initial Decision of the Committee. Within ten (10) days of their notification, either the consumer or the business can request a Further Consideration Hearing before the Committee. The request must state the reason(s) why the Further Consideration Hearing is being requested. If no request by either party has been made within 10 days, then the Initial Decision automatically becomes the Final Decision. The case will be followed-up by staff to verify adherence to the remedies stated in the Committee’s decision.
  8. If the matter is appealed within 10 days by either party, a Further Consideration Hearing will be set-up for the Committee by telephone conference call at a mutually agreed upon time for all the parties. Both the consumer and the business may submit any further informational materials for the Committee’s consideration, and both may take part in the Hearing via telephone conference call. After the Hearing, a Final Decision on the case will be made by the Committee. The consumer and the business will be notified by letter of the Committee’s Final Decision. Staff will provide any necessary follow-up to verify adherence to the Committee’s Final Decision.
  9. The cost of the conference call will be the responsibility of ANA. ANA will provide a telephone language translation service at no cost to the consumer, if requested.

To view the latest compliance information regarding the ANA Privacy Shield Program, download the 2022 ANA Privacy Shield Report.

 

To File a Complaint under the ANA Privacy Shield Programs

Visit the ANA Privacy Shield Program for Consumers page to file a complaint.