EU-U.S. PRIVACY SHIELD FRAMEWORK 2.3. Redress mechanisms, complaint handling and enforcement

  1. The EU-U.S. Privacy Shield, through the Recourse, Enforcement and Liability Principle, requires organisations to provide recourse for individuals who are affected by non-compliance and thus the possibility for EU data subjects to lodge complaints regarding non-compliance by U.S. self-certified companies and to have these complaints resolved, if necessary by a decision providing an effective remedy.
  2. As part of their self-certification, organisations must satisfy the requirements of the Recourse, Enforcement and Liability Principle by providing for effective and readily available independent recourse mechanisms by which each individual’s complaints and disputes can be investigated and expeditiously resolved at no cost to the individual.
  3. Organisations may choose independent recourse mechanisms in either the Union or in the United States. This includes the possibility to voluntarily commit to cooperate with the EU DPAs. However, no such choice exists where organisations process human resources data, as cooperation with the DPAs is then mandatory. Other alternatives include independent Alternative Dispute Resolution (ADR) or private-sector developed privacy programs that incorporate the Privacy Principles into their rules. The latter must include effective enforcement mechanisms in accordance with the requirements of the Recourse, Enforcement and Liability Principle. Organisations are obliged to remedy any problems of non-compliance. They must also specify that they are subject to the investigatory and enforcement powers of the FTC, the Department of Transportation or any other U.S. authorized statutory body.
  4. Consequently, the Privacy Shield framework provides data subjects with a number of possibilities to enforce their rights, lodge complaints regarding non-compliance by U.S. self-certified companies and to have their complaints resolved, if necessary by a decision providing an effective remedy. Individuals can bring a complaint directly to an organisation, to an independent dispute resolution body designated by the organisation, to national DPAs or to the FTC.
  5. In cases where their complaints have not been resolved by any of these recourse or enforcement mechanisms, individuals also have a right to invoke binding arbitration under the Privacy Shield Panel (Annex 1 of Annex II of this decision). Except for the arbitral panel, which requires certain remedies to be exhausted before it can be invoked, individuals are free to pursue any or all of the redress mechanisms of their choice and are not obliged to choose one mechanism over another or to follow a specific sequence. However, there is a certain logical order that is advisable to follow, as set out below.
  6. First, EU data subjects may pursue cases of non-compliance with the Principles through direct contacts with the U.S. self-certified company. To facilitate resolution, the organisation must put in place an effective redress mechanism to deal with such complaints. An organisation’s privacy policy must therefore clearly inform individuals about a contact point, either within or outside the organisation, that will handle complaints (including any relevant establishment in the Union that can respond to inquiries or complaints) and about the independent complaint handling mechanisms.
  7. Upon receipt of an individual’s complaint, directly from the individual or through the Department of Commerce following referral by a DPA, the organisation must provide a response to the EU data subject within a period of 45 days. This response must include an assessment of the merits of the complaint and information as to how the organisation will rectify the problem. Likewise, organisations are required to respond promptly to inquiries and other requests for information from the Department of Commerce or from a DPA[1] (where the organisation has committed to cooperate with the DPA) relating to their adherence to the Principles. Organisations must retain their records on the implementation of their privacy policies and make them available upon request to an independent recourse mechanism or the FTC (or other U.S. authority with jurisdiction to investigate unfair and deceptive practices) in the context of an investigation or a complaint about non-compliance.
  8. Second, individuals can also bring a complaint directly to the independent dispute resolution body (either in the United States or in the Union) designated by an organisation to investigate and resolve individual complaints (unless they are obviously unfounded or frivolous) and to provide appropriate recourse free of charge to the individual. Sanctions and remedies imposed by such a body must be sufficiently rigorous to ensure compliance by organisations with the Principles and should provide for a reversal or correction by the organisation of the effects of non-compliance and, depending on the circumstances, the termination of the further processing of the personal data at stake and/or their deletion, as well as publicity for findings of non-compliance. Independent dispute resolution bodies designated by an organisation will be required to include on their public websites relevant information regarding the EU-U.S. Privacy Shield and the services they provide under it. Each year, they must publish an annual report providing aggregate statistics regarding these services[2].
  9. As part of its compliance review procedures, the Department of Commerce will verify that self-certified U.S. companies have actually registered with the independent recourse mechanisms they claim they are registered with. Both the organisations and the responsible independent recourse mechanisms are required to respond promptly to inquiries and requests by the Department of Commerce for information relating to the Privacy Shield.
  10. In cases where the organisation fails to comply with the ruling of a dispute resolution or self-regulatory body, the latter must notify such non-compliance to the Department of Commerce and the FTC (or other U.S. authority with jurisdiction to investigate unfair and deceptive practices), or a competent court[3]. If an organisation refuses to comply with a final determination by any privacy self-regulatory, independent dispute resolution or government body, or where such a body determines that an organisation frequently fails to comply with the Principles, this will be considered a persistent failure to comply, with the result that the Department of Commerce, after first providing 30 days’ notice and an opportunity to respond to the organisation that has failed to comply, will strike the organisation off the list[4]. If, after removal from the list, the organisation continues to claim Privacy Shield certification, the Department will refer it to the FTC or other enforcement agency[5].
  11. Third, individuals may also bring their complaints to a national Data Protection Authority. Organisations are obliged to cooperate in the investigation and the resolution of a complaint by a DPA either when it concerns the processing of human resources data collected in the context of an employment relationship or when the respective organisation has voluntarily submitted to the oversight by DPAs. Notably, organisations have to respond to inquiries, comply with the advice given by the DPA, including for remedial or compensatory measures, and provide the DPA with written confirmation that such action has been taken.
  12. The advice of the DPAs will be delivered through an informal panel of DPAs established at Union level[6], which will help to ensure a harmonised and coherent approach to a particular complaint. Advice will be issued after both sides in the dispute have had a reasonable opportunity to comment and to provide any evidence they wish. The panel will deliver advice as quickly as the requirement for due process allows, and as a general rule within 60 days after receiving a complaint. If an organisation fails to comply within 25 days of delivery of the advice and has offered no satisfactory explanation for the delay, the panel will give notice of its intention either to submit the matter to the FTC (or other competent U.S. enforcement authority), or to conclude that the commitment to cooperate has been seriously breached. In the first alternative, this may lead to enforcement action based on Section 5 of the FTC Act (or similar statute). In the second alternative, the panel will inform the Department of Commerce which will consider the organisation’s refusal to comply with the advice of the DPA panel as a persistent failure to comply that will lead to the organisation’s removal from the Privacy Shield List.
  13. If the DPA to which the complaint has been addressed has taken no or insufficient action to address a complaint, the individual complainant has the possibility to challenge such (in-) action in the national courts of the respective Member State.
  14. Individuals may also bring complaints to DPAs even when the DPA panel has not been designated as an organisation’s dispute resolution body. In these cases, the DPA may refer such complaints either to the Department of Commerce or the FTC. In order to facilitate and increase cooperation on matters relating to individual complaints and non-compliance by Privacy Shield organisations, the Department of Commerce will establish a dedicated contact point to act as a liaison and to assist with DPA inquiries regarding an organisation’s compliance with the Principles[7]. Likewise, the FTC has committed to establish a dedicated point of contact[8] and provide the DPAs with investigatory assistance pursuant to the U.S. SAFE WEB Act[9].
  15. Fourth, the Department of Commerce has committed to receive, review and undertake best efforts to resolve complaints about an organisation’s non-compliance with the Principles. To this end, the Department of Commerce provides special procedures for DPAs to refer complaints to a dedicated contact point, track them and follow up with companies to facilitate resolution. In order to expedite the processing of individual complaints, the contact point will liaise directly with the respective DPA on compliance issues and in particular update it on the status of complaints within a period of not more than 90 days following referral. This allows data subjects to bring complaints of non-compliance by U.S. self-certified companies directly to their national DPA and have them channelled to the Department of Commerce as the U.S. authority administering the EU-U.S. Privacy Shield. The Department of Commerce has also committed to providing, in the annual review of the functioning of the EU-U.S. Privacy Shield, a report that analyses in aggregate form the complaints it receives each year[10].
  16. Where, on the basis of its ex officio verifications, complaints or any other information, the Department of Commerce concludes that an organisation has persistently failed to comply with the Privacy Principles it will remove such an organisation from the Privacy Shield list. Refusal to comply with a final determination by any privacy self-regulatory, independent dispute resolution or government body, including a DPA, will be regarded as a persistent failure to comply.
  17. Fifth, a Privacy Shield organisation must be subject to the investigatory and enforcement powers of the U.S. authorities, in particular, the Federal Trade Commission[11] that will effectively ensure compliance with the Principles. The FTC will give priority consideration to referrals of non-compliance with the Privacy Principles received from independent dispute resolution or self-regulatory bodies, the Department of Commerce and DPAs (acting on their own initiative or upon complaints) to determine whether Section 5 of the FTC Act has been violated[12]. The FTC has committed to create a standardised referral process, to designate a point of contact at the agency for DPA referrals, and to exchange information on referrals. In addition, it will accept complaints directly from individuals and will undertake Privacy Shield investigations on its own initiative, in particular as part of its wider investigations of privacy issues.
  18. The FTC can enforce compliance through administrative orders (‘consent orders’), and it will systematically monitor compliance with such orders. Where organisations fail to comply, the FTC may refer the case to the competent court in order to seek civil penalties and other remedies, including for any injury caused by the unlawful conduct. Alternatively, the FTC may directly seek a preliminary or permanent injunction or other remedies from a federal court. Each consent order issued to a Privacy Shield organisation will have self-reporting provisions[13], and organisations will be required to make public any relevant Privacy Shield-related sections of any compliance or assessment report submitted to the FTC. Finally, the FTC will maintain an online list of companies subject to FTC or court orders in Privacy Shield cases.
  19. Sixth, as a recourse mechanism of ‘last resort’ in case none of the other available redress avenues has satisfactorily resolved an individual’s complaint, the EU data subject may invoke binding arbitration by the ‘Privacy Shield Panel’. Organisations must inform individuals about the possibility, under certain conditions, to invoke binding arbitration, and they are obliged to respond once an individual has invoked this option by delivering notice to the concerned organisation[14].
  20. This arbitral panel will consist of a pool of at least 20 arbitrators designated by the Department of Commerce and the Commission based on their independence, integrity, as well as experience in U.S. privacy and Union data protection law. For each individual dispute, the parties will select from this pool a panel of one or three arbitrators[15]. The proceedings will be governed by standard arbitration rules to be agreed between the Department of Commerce and the Commission. These rules will supplement the already concluded framework, which contains several features that enhance the accessibility of this mechanism for EU data subjects: (i) in preparing a claim before the panel, the data subject may be assisted by his or her national DPA; (ii) while the arbitration will take place in the United States, EU data subjects may choose to participate through video or telephone conference, to be provided at no cost to the individual; (iii) while the language used in the arbitration will, as a rule, be English, interpretation at the arbitral hearing and translation will normally[16] be provided upon a reasoned request and at no cost to the data subject; (iv) finally, while each party has to bear its own attorney’s fees if represented by an attorney before the panel, the Department of Commerce will establish a fund, supplied with annual contributions by the Privacy Shield organisations, which shall cover the eligible costs of the arbitration procedure, up to maximum amounts to be determined by the U.S. authorities in consultation with the Commission.
  21. The Privacy Shield Panel will have the authority to impose ‘individual-specific, non-monetary equitable relief’[17] necessary to remedy non-compliance with the Principles. While the panel will take into account other remedies already obtained by other Privacy Shield mechanisms when making its determination, individuals may still resort to arbitration if they consider these other remedies to be insufficient. This will allow EU data subjects to invoke arbitration in all cases where the action or inaction of the competent U.S. authorities (for instance the FTC) has not satisfactorily resolved their complaints. Arbitration may not be invoked if a DPA has the legal authority to resolve the claim at issue with respect to the U.S. self-certified company, namely in those cases where the organisation is either obliged to cooperate and comply with the advice of the DPAs as regards the processing of human resources data collected in the employment context, or has voluntarily committed to do so. Individuals can enforce the arbitration decision in the U.S. courts under the Federal Arbitration Act, thereby ensuring a legal remedy in case a company fails to comply.
  22. Seventh, where an organisation does not comply with its commitment to respect the Principles and published privacy policy, additional avenues for judicial redress may be available under the law of the U.S. States which provide for legal remedies under tort law and in cases of fraudulent misrepresentation, unfair or deceptive acts or practices, or breach of contract.
  23. In addition, where a DPA, upon receiving a claim by an EU data subject, considers that the transfer of an individual’s personal data to an organisation in the United States is carried out in violation of EU data protection law, including when the EU data exporter has reason to believe that the organisation is not complying with the Principles, it can also exercise its powers vis-à-vis the data exporter and, if necessary, order the suspension of the data transfer.
  24. In the light of the information in this section, the Commission considers that the Principles issued by the U.S. Department of Commerce as such ensure a level of protection of personal data that is essentially equivalent to the one guaranteed by the substantive basic principles laid down in Directive 95/46/EC.
  25. In addition, the effective application of the Principles is guaranteed by the transparency obligations and the administration and compliance review of the Privacy Shield by the Department of Commerce.
  26. Moreover, the Commission considers that, taken as a whole, the oversight, recourse and enforcement mechanisms provided for by the Privacy Shield enable infringements of the Principles by Privacy Shield organisations to be identified and punished in practice and offer legal remedies to the data subject to gain access to personal data relating to him and, eventually, to obtain the rectification or erasure of such data.

[1] This is the handling authority designated by the panel of DPAs provided for in the supplemental principle on ‘The Role of the Data Protection Authorities’ (Annex II, Sec. III.5).

[2] The annual report must include: (1) the total number of Privacy Shield-related complaints received during the reporting year; (2) the types of complaints received; (3) dispute resolution quality measures, such as the length of time taken to process complaints; and (4) the outcomes of the complaints received, notably the number and types of remedies or sanctions imposed.

[3] See Annex II, Sec. III.11.e.

[4] See Annex II, Sec. III.11.g, in particular, points (ii) and (iii).

[5] See Annex I, section on ‘Search for and Address False Claims of Participation’.

[6] The rules of procedure of the informal DPA panel should be established by the DPAs based on their competence to organise their work and cooperate among each other.

[7] See Annex I, sections on ‘Increase Cooperation with DPAs’ and ‘Facilitate Resolution of Complaints about Non-Compliance’ and Annex II, Sec. II.7.e.

[8] See Annex IV, p. 6.

[9] Ibid.

[10] See Annex I, section on ‘Facilitate Resolution of Complaints about Non-Compliance’.

[11] A Privacy Shield organisation has to publicly declare its commitment to comply with the Principles, publicly disclose its privacy policies in line with these Principles and fully implement them. Failure to comply is enforceable under Section 5 of the FTC Act prohibiting unfair and deceptive acts in or affecting commerce.

[12] According to information from the FTC, it has no power to conduct on-site inspections in the area of privacy protection. However, it has the power to compel organisations to produce documents and provide witness statements (see Section 20 of the FTC Act) and may use the court system to enforce such orders in case of non-compliance.

[13] FTC or court orders may require companies to implement privacy programs and to regularly make compliance reports or independent third-party assessments of those programs available to the FTC.

[14] See Annex II, Sec. II.1.xi and III.7.c.

[15] The number of arbitrators on the panel will have to be agreed between the parties.

[16] However, the panel may find that, under the circumstances of the specific arbitration, coverage would lead to unjustified or disproportionate costs.

[17] Individuals may not claim damages in arbitration, but in turn, invoking arbitration will not foreclose the option to seek damages in the ordinary U.S. courts.