If (1) your personal data was collected in a European Union (EU) / European Economic Area (EEA) member country and / or Switzerland, and (2) you believe you have a claim concerning the collection, use, and retention of your personal data by an organization in the United States that has chosen JAMS to be its Alternative Dispute Resolution (ADR) provider for disputes under the EU-U.S. Privacy Shield Framework and / or the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce, whichever applies, then you may contact JAMS to begin the process of opening a Data Privacy case. Your case must address an alleged breach of one or more of the Privacy Shield Principles.
EU-U.S. Privacy Shield Principles
The Privacy Shield Principles include seven Privacy Principles, agreed to by the U.S. Department of Commerce and the European Commission, regarding the processing of personal data of EU citizens and residents under the EU-U.S. Privacy Shield Framework. These principles are contained in the document titled “ANNEXES to the Commission Implementing Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield."
Seven Promises to Protect Individual Privacy
If your organization processes any personal data received from European Union and EEA countries, participating organizations in the United States must first self-certify that they comply with the seven Privacy Shield Principles:
- Notice
- Choice
- Accountability for Onward Transfer
- Security
- Data Integrity and Purpose Limitation
- Access
- Recourse, Enforcement and Liability
These seven principles, as well as the Supplemental Principles are detailed by the U.S. Department of Commerce.
Individual Recourse
Organizations may subscribe to “readily available independent recourse mechanisms”— conciliation and / or arbitration services offered at no cost to the individual —to resolve complaints from EU and Swiss individuals that the parties were unable to resolve on their own. Privacy Shield organizations and their independent dispute resolution body must respond promptly to inquiries and requests by the Department of Commerce, which is obligated to pass along complaints referred by EU DPAs and Swiss Federal Data Protection and Information Commissioner (FDPIC). EU and Swiss individual have the option of filing complaints directly with their local DPA, which will work with the Department of Commerce and the Federal Trade Commission (FTC) to investigate and resolve complaints. As a last resort, for complaints left unresolved by all other available mechanisms, EU individuals may invoke binding arbitration before a newly constituted Privacy Shield Panel, consisting of a pool of 20 arbitrators designated by the Department of Commerce and the European Commission, from which the parties will be able to select either one or three arbitrators. A similar arbitration option will also be available to Swiss individuals.
Consequences for Non-Compliance
In addition to enforcement by the FTC or Department of Transportation for its own privacy violations, an organization also remains liable for its agents’ or service providers’ failure to comply with the Principles unless the organization can show it was not responsible for the event giving rise to the violation.
Compliance Verification
Organizations must verify their compliance with Privacy Shield, either through a documented internal self-assessment process or by engaging a third party verifier. Organizations must keep records of the implementation of their Privacy Shield privacy practices and make them available to enforcement agencies in the course of an investigation.
So long as an organization retains Privacy Shield data, it must affirm its compliance to the Department of Commerce on an annual basis, even if it withdraws from the framework. Alternatively, the organization must either return or delete the information, or affirm that it will provide adequate protection for the Privacy Shield data by another authorized means such as the EU standard contractual clauses.
Requirements
- You must be eligible to file.
a. You are the subject of personal data collected in the European Union / European Economic Area, and / or Switzerland; or
b. You are the parent or legal guardian of that data subject in the case of personal data collected from a child under the age of 13.
Please note, if JAMS cannot verify your identity, JAMS may choose not to open a case. - To be accepted your complaint must:
a. Be filed by an eligible Complainant (either the subject of the alleged data protection breach, or the parent/legal guardian of a child under the age of 13 who is of the subject of the alleged data protection breach).
b. Be made against an entity in the United States that (1) has self-certified its compliance with the EU – U.S. Privacy Shield Framework and / or Swiss-U.S. Privacy Shield Framework to the U.S. Department of Commerce, whichever applies, and (2) has designated JAMS as its ADR provider for disputes under the Privacy Shield Frameworks.
c. Allege that the Respondent failed to comply with the EU-U.S. Privacy Shield Principles or Swiss-U.S. Privacy Shield Principles in relation to the Complainant’s covered personal data.
d. Include credible documentation to support the Complainant’s allegations.
e. Provide evidence that you have completed a good faith effort to resolve the Complaint in accordance with the EU-U.S. Privacy Shield Framework and /or the Swiss-U.S. Privacy Shield Framework, whichever applies.
f. Have not been previously resolved by negotiation, court action, arbitration, or any other form of dispute settlement; and
g. Unless agreed by both Parties to the case, not be the subject of current litigation or any other adjudicatory process (including claims submitted for resolution through binding arbitration). - Information submitted with your claim:
Information submitted by a Complainant must be sufficiently complete to permit both JAMS and the Respondent to evaluate and understand the Complaint adequately, and to enable the Respondent to respond to the Complaint. JAMS has sole authority to determine whether the information submitted is sufficiently complete to open a case.
Please note that all complaint materials should be submitted in English.
Annual Report
Fees
As with all EU-U.S. or Swiss-U.S. Privacy Shield cases, the Claimant does not have to pay to bring an ADR case. All ADR costs will be paid by the Respondent organization. Standard JAMS rates apply to all EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield cases. Rates vary by location and neutral agreed upon by the Claimant and the Respondent. (Please note this fee arrangement is unique to Privacy Shield cases.)
Rules
All Privacy Shield cases that are accepted will be conducted using the JAMS International Mediation Rules, unless other rules have been specified in the privacy policy of the organization in this case.
Name JAMS as Your Dispute Resolution Provider
If you wish to name JAMS as your Dispute Resolution provider under the EU-U.S. Privacy Shield program or the Swiss-U.S. Privacy Shield program, please register using the link below.