File A Data Privacy Framework (DPF) Dispute Resolution Claim with JAMS
If (1) your personal data was collected in a European Union (EU) / European Economic Area (EEA) member country, the United Kingdom, and / or Switzerland, and (2) you believe you have a claim concerning the collection, use, and retention of your personal data by an organization in the United States that has chosen JAMS to be its Alternative Dispute Resolution (ADR) provider for disputes under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and / or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce, then you may contact JAMS to begin the process of opening a DPF Dispute Resolution case. Your case must address an alleged breach of one or more of the EU-U.S. DPF Principles and/or Swiss-U.S. DPF Principles (as applicable).
Seven Promises to Protect Individual Privacy
If your organization processes any personal data received from EU / EEA countries and, as applicable, the United Kingdom, and/or Switzerland it must first self-certify that it complies with the seven DPF Principles:
- Notice
- Choice
- Accountability for Onward Transfer
- Security
- Data Integrity and Purpose Limitation
- Access
- Recourse, Enforcement and Liability
These seven principles, as well as the Supplemental Principles are detailed by the U.S. Department of Commerce.
Individual Recourse
U.S.-based organizations that self-certify their compliance pursuant to the relevant part(s) of the DPF Program must, amongst other things, provide readily available recourse mechanisms available to investigate unresolved complaints, including a system of alternative dispute resolution (ADR) by an independent third party. Although organizations self-certifying their compliance pursuant to the relevant part(s) of the DPF Program may utilize private sector developed dispute resolution programs for most categories of personal data covered under their self-certifications, those organizations covering human resources data (i.e., personal information about employees, past or present, collected in the context of the employment relationship) transferred from the European Union, the United Kingdom, or Switzerland must agree to cooperate and comply with the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) respectively with regard to such data. Such organizations and their selected independent dispute resolution body must respond promptly to inquiries and requests by the U.S. Department of Commerce for information relating to the DPF Program, and all such organizations must respond expeditiously to complaints regarding compliance with DPF Principles referred by EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC). EU / EEA, UK (and Gibraltar), and Swiss individuals have the option of filing complaints directly with their local data protection authority, which will work with the U.S. Department of Commerce and the Federal Trade Commission (FTC) or the U.S. Department of Transportation (as applicable) to investigate and resolve complaints. As a last resort, for complaints left unresolved by all other available mechanisms, EU / EEA, UK (and Gibraltar), and Swiss individuals may, under certain conditions, invoke binding arbitration as set forth respectively in Annex I of the EU-U.S. DPF Principles and Annex I of the Swiss-U.S. DPF Principles.
Consequences for Non-Compliance
In addition to enforcement by the FTC or U.S. Department of Transportation for its own privacy violations, an organization also remains liable for its agents’ or service providers’ failure to comply with the DPF Principles unless the organization can show it was not responsible for the event giving rise to the violation.
Compliance Verification
Organizations must verify their compliance with the DPF Principles, either through a documented internal self-assessment process or by engaging a third party verifier. Organizations must keep records of the implementation of their DPF privacy practices and make them available to enforcement agencies in the course of an investigation.
So long as an organization retains personal data received in reliance on the relevant part(s) of the DPF Program, it must either continue to apply the DPF Principles to said data and affirm to the U.S. Department of Commerce on an annual basis its commitment to do so (i.e., for as long as it retains such data), provide “adequate” protection for the data by another authorized means (for example, using a contract that fully reflects the requirements of the relevant standard contractual clauses adopted by the European Commission and / or the relevant standard contractual clauses approved, established or recognized by the Swiss Federal Data Protection and Information Commissioner as applicable]); otherwise it must return or delete the information.
Requirements
- You must be eligible to file.
a. You are the subject of personal data collected in the European Union / European Economic Area, the United Kingdom, and / or Switzerland; or
b. You are the parent or legal guardian of that data subject in the case of personal data collected from a child under the age of 13.
Please note, if JAMS cannot verify your identity, JAMS may choose not to open a case. - To be accepted your complaint must:
a. Be filed by an eligible Complainant (either the subject of the alleged data protection breach, or the parent/legal guardian of a child under the age of 13 who is of the subject of the alleged data protection breach).
b. Be made against an entity in the United States that (1) has self-certified its compliance with the EU–U.S. Data Privacy Framework (EU-U.S. DPF) and, as applicable, the UK Extension to the EU-U.S. DPF, and / or Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) to the U.S. Department of Commerce and (2) has designated JAMS as its ADR provider for disputes under the relevant part(s) of the DPF Program.
c. Allege that the Respondent failed to comply with the EU-U.S. DPF Principles and / or the Swiss-U.S. DPF Principles (as applicable) in relation to the Complainant’s covered personal data.
d. Include credible documentation to support the Complainant’s allegations.
e. Provide evidence that you have completed a good faith effort to resolve the Complaint in accordance with the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and /or the Swiss-U.S. DPF (as applicable).
f. Have not been previously resolved by negotiation, court action, arbitration, or any other form of dispute settlement; and
g. Unless agreed by both Parties to the case, not be the subject of current litigation or any other adjudicatory process (including claims submitted for resolution through binding arbitration). - Information submitted with your claim:
Information submitted by a Complainant must be sufficiently complete to permit both JAMS and the Respondent to evaluate and understand the Complaint adequately, and to enable the Respondent to respond to the Complaint. JAMS has sole authority to determine whether the information submitted is sufficiently complete to open a case.
Please note that all complaint materials should be submitted in English.
Annual Report
Fees
As with all DPF Dispute Resolution cases, the Claimant does not have to pay to bring an ADR case. All ADR costs will be paid by the Respondent organization. Standard JAMS rates apply to all DPF cases. Rates vary by location and neutral agreed upon by the Claimant and the Respondent. (Please note this fee arrangement is unique to DPF Dispute Resolution cases.)
Rules
All DPF Dispute Resolution cases that are accepted will be conducted using the JAMS International Mediation Rules, unless other rules have been specified in the privacy policy of the organization in this case.
Submit a Claim
If your complaint meets all of the requirements and you are ready to open a request to submit a claim please use the link below: