EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks
JAMS is available to serve as your organization’s designated ADR provider and to assist in resolving disputes under U.S. Department of Commerce (DOC)-administered Privacy Shield Frameworks self-certification privacy compliance programs, up to the point of any final arbitration invoked in accordance with the procedures and conditions set forth in the EU-U.S. Privacy Shield Framework and/or the Swiss-U.S. Privacy Shield Framework. With a panel of over 400 neutrals around the world, JAMS specializes in resolving disputes of all sizes and levels of complexity and our neutrals have significant experience resolving issues involving privacy.
What are the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks?
The EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce (DOC) and the European Commission and Swiss Government to provide organizations on both sides of the Atlantic with a mechanism to comply with EU and Swiss data protection requirements when transferring personal data from the European Union (EU) to the United States and from Switzerland to the United States in support of transatlantic trade. On July 12, 2016 the European Commission announced the approval of the EU-U.S. Privacy Shield Framework, as a valid mechanism to comply with EU data protection requirements when transferring personal data from the EU to the United States. And, on January 12, 2017 the Swiss government announced the approval of the Swiss-U.S. Privacy Shield Framework as a valid mechanism to comply with Swiss data protection requirements when transferring personal data from Switzerland to the United States.
On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. That decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework. On September 8, 2020 the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland issued an opinion concluding that the Swiss-U.S. Privacy Shield Framework does not provide an adequate level of protection for data transfers from Switzerland to the United States pursuant to Switzerland’s Federal Act on Data Protection (FADP). As a result of that opinion, organizations wishing to rely on the Swiss-U.S. Privacy Shield to transfer personal data from Switzerland to the United States should seek guidance from the FDPIC or legal counsel. That opinion does not relieve participants in the Swiss-U.S. Privacy Shield of their obligations under the Swiss-U.S. Privacy Shield Framework. The DOC will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. (see https://www.privacyshield.gov/NewsEvents).
To join the Privacy Shield Frameworks, which are administered by the International Trade Administration (ITA) within the DOC, a U.S.-based organization will be required to self-certify to the DOC and publicly commit to comply with the respective Frameworks’ requirements. While joining either of these DOC-administered programs is voluntary, once an eligible organization makes the public commitment to comply with the respective Frameworks’ requirements, the commitment will become enforceable under U.S. law. All organizations interested in joining one or both of these DOC-administered programs should review the requirements in their entirety. The DOC’s Privacy Shield website provides useful information regarding the benefits and requirements of participation in these programs. U.S. Department of Commerce's Privacy Shield Frameworks Website
Requirements for System of Alternative Dispute Resolution (ADR)
U.S.-based organizations that self-certify their compliance under the Privacy Shield Frameworks must, amongst other things, provide readily available recourse mechanisms available to investigate unresolved complaints, including a system of alternative dispute resolution (ADR) by an independent third party. The independent recourse mechanisms must be in place prior to self-certification, and must be available at no cost to the individual. Although organizations self-certifying under either Privacy Shield Framework may utilize private sector developed dispute resolution programs for most categories of personal data covered under their self-certifications, those organizations covering human resources data (i.e., personal information about employees, past or present, collected in the context of the employment relationship) transferred from the EU or Switzerland must agree to cooperate and comply with the EU data protection authorities (DPAs) and Swiss Federal Data Protection and Information Commissioner respectively with regard to such data. Connect with us to learn more about JAMS serving as your organization's designated ADR provider.