File An EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield Claim with JAMS
If (1) your personal data was collected in a European Union (EU) / European Economic Area (EEA) member country and / or Switzerland, and (2) you believe you have a claim concerning the collection, use, and retention of your personal data by an organization in the United States that has chosen JAMS to be its Alternative Dispute Resolution (ADR) provider for disputes under the EU-U.S. Privacy Shield Framework and / or the Swiss-U.S. Privacy Shield Program, Swiss Safe Harbor Framework and / or the U.S.-EU Safe Harbor Framework as set forth by the U.S. Department of Commerce, whichever applies, then you may contact JAMS to begin the process of opening a Data Privacy case. Your case must address an alleged breach of one or more of the Privacy Shield Principles or Safe Harbor Privacy Principles.
EU-U.S. Privacy Shield Principles
The Privacy Shield Principles include seven Privacy Principles, agreed to by the U.S. Department of Commerce and the European Commission, regarding the processing of personal data of EU citizens and residents under the EU-U.S. Privacy Shield Framework. These principles are contained in the document titled “ANNEXES to the Commission Implementing Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield."
Seven Promises to Protect Individual Privacy
If your organization processes any personal data received from European Union and EEA countries, participating organizations in the United States must first self-certify that they comply with the seven Privacy Shield Principles:
- Accountability for Onward Transfer
- Data Integrity and Purpose Limitation
- Recourse, Enforcement and Liability
These seven principles, as well as the Supplemental Principles are detailed by the U.S. Department of Commerce.
Organizations may subscribe to “readily available and affordable independent recourse mechanisms”— conciliation and / or arbitration services offered at no cost to the individual —to resolve complaints from EU individuals that the parties were unable to resolve on their own. Privacy Shield organizations and their independent dispute resolution body must respond promptly to inquiries and requests by the Department of Commerce, which is obligated to pass along complaints referred by EU DPAs. EU residents have the option of filing complaints directly with their local DPA, which will work with the Department of Commerce and the Federal Trade Commission (FTC) to investigate and resolve complaints. As a last resort, for complaints left unresolved by all other available mechanisms, individuals may invoke binding arbitration before a newly constituted Privacy Shield Panel, consisting of a pool of 20 arbitrators designated by the Department of Commerce and the European Commission, from which the parties will be able to select either one or three arbitrators.
Consequences for Non-Compliance
In addition to enforcement by the FTC or Department of Transportation for its own privacy violations, an organization also remains liable for its agents’ or service providers’ failure to comply with the Principles unless the organization can show it was not responsible for the event giving rise to the violation.
Organizations must verify their compliance with Privacy Shield, either through a documented internal self-assessment process or by engaging a third party verifier. Organizations must keep records of the implementation of their Privacy Shield privacy practices and make them available to enforcement agencies in the course of an investigation.
So long as an organization retains Privacy Shield data, it must affirm its compliance to the Department of Commerce on an annual basis, even if it withdraws from the framework. Alternatively, the organization must either return or delete the information, or affirm that it will provide adequate protection for the Privacy Shield data by another authorized means such as the EU standard contractual clauses.
- You must be eligible to file.
a. You are the subject of personal data collected in the European Union / European Economic Area, and / or Switzerland; or
b. You are the parent or legal guardian of that data subject in the case of personal data collected from a child under the age of 13.
Please note, if JAMS cannot verify your identity, JAMS may choose not to open a case.
- To be accepted your complaint must:
a. Be filed by an eligible Complainant (either the subject of the alleged data protection breach, or the parent/legal guardian of a child under the age of 13 who is of the subject of the alleged data protection breach).
b. Be made against an entity in the United States that (1) has self-certified its compliance with the EU – U.S. Privacy Shield Framework and / or U.S.-Swiss Safe Harbor Framework and / or the U.S.-EU Safe Harbor Framework to the U.S. Department of Commerce, whichever applies, and (2) has designated JAMS as its ADR provider for disputes under the Privacy Shield and / or Swiss Safe Harbor Framework.
c. Allege that the Respondent failed to comply with the EU-U.S. Privacy Shield Principles or Safe Harbor Privacy Principles in relation to the Complainant’s covered personal data.
d. Include credible documentation to support the Complainant’s allegations.
e. Provide evidence that you have completed a good faith effort to resolve the Complaint in accordance with the EU-U.S. Privacy Shield and /or the U.S.-Swiss Safe Harbor Framework and / or the U.S.-EU Safe Harbor Framework, whichever applies.
f. Have not been previously resolved by negotiation, court action, arbitration, or any other form of dispute settlement; and
g. Unless agreed by both Parties to the case, not be the subject of current litigation or any other adjudicatory process (including claims submitted for resolution through binding arbitration).
- Information submitted with your claim:
Information submitted by a Complainant must be sufficiently complete to permit both JAMS and the Respondent to evaluate and understand the Complaint adequately, and to enable the Respondent to respond to the Complaint. JAMS has sole authority to determine whether the information submitted is sufficiently complete to open a case.
Please note that all complaint materials should be submitted in English.
As with all EU-U.S. or Swiss-U.S. Privacy Shield and / or the Safe Harbor cases, the Claimant does not have to pay to bring an ADR case. All ADR costs will be paid by the Respondent organization. Standard JAMS rates apply to all EU-U.S. Privacy Shield and / or the Safe Harbor cases. Rates vary by location and neutral agreed upon by the Claimant and the Respondent. (Please note this fee arrangement is unique to EU-U.S. Privacy Shield and Safe Harbor cases.)
Submit a Claim
If your complaint meets all of the requirements and you are ready to open a request to submit a claim please use the link below.
Name JAMS as Your Dispute Resolution Provider
If you wish to name JAMS as your Dispute Resolution provider under the EU-U.S. Privacy Shield program or the Swiss-U.S. Privacy Shield program, please register using the link below.
- Mara E. Satterthwaite, Esq.
3800 Howard Hughes Parkway, 11th Floor
Las Vegas, NV 89169