The strong emphasis on the accountability principle in some regulations allows organizations to resolve complaints or disputes relating to the data protection (or data privacy) provisions through alternate dispute resolution mechanisms, such as conciliation, negotiation or mediation, or even arbitration.
For instance, the Personal Data Protection Act 2012 of Singapore establishes the possibility that any complaint by an individual against an organization might be more appropriately resolved through mediation (Article 27).
Resolving issues through alternative dispute resolution (ADR) mechanisms generally lead to much faster resolutions, with less expense and with more goodwill than any other mechanism. This is the approach of the Dutch Data Protection Authority in its report on the mediation concerning the delisting of search results by Google.
The main key of an ADR approach is to facilitate mutual settlement agreement among the parties, including effective remedies such as compensation, correction or deletion of individual’s personal information, extra services or services at reduced costs, privacy notices changed or updated, appropriate, systematic and regular due diligence procedures, workable compromises or apologies to the individual.
This approach also empowers the authority to refuse, discontinue or close an investigation as part of the agreement reached between the organization and the individual.
In the matter of PIPEDA Case Summary #2001-11, the Office of the Privacy Commissioner of Canada concluded that the complaint was well-resolved by the parties concerned and no further action necessary. In this case, the OPC highlighted:
“At the outset of the Commissioner's investigation, the parties indicated an interest in resolving the matter. Discussions ensued, and a settlement satisfactory to both parties eventually resulted. Furthermore, the Commissioner was satisfied that the bank in question had taken steps to ensure that appropriate safeguard policies, practices, and procedures were in place.”
Several reasons support the argument for an ADR approach to resolving data protection (or data privacy) discussions between individuals and organizations, which include, but are not limited to:
- Facilitate and simplify the resolution of complaints about non-compliance with the regulation applicable to personal data or data privacy.
- Allow parties to discuss the issues relating to data protection or data privacy, to find consensus and dialogue between them, and to reach a mutually acceptable resolution, at no cost to the individual concerned.
- Focus on the issues that are important to the individual in dispute instead of just their legal rights and obligations.
- Satisfy the requirements for individuals, who seek organizations to recognize its mistake and to fix the error.
- Force organizations to respond promptly to inquiries and other requests for information from the self-resolution body relating to the case in concrete.
- Ensure that organizations put in place effective redress mechanisms to deal with any complaints, including the provision of monetary resources or any non-monetary equitable relief (such as access, correction or deletion of the individual's information in question) for those individuals who are affected by non-compliance with the regulation.
- Ensure that organizations agree to take actions to bring itself into compliance with the data privacy or data protection regulation, such as informing individuals of any relevant steps taken.
- Simplify the complaint where it involves multiple issues, including any matter the organization considers relevant.
- Help to preserve or restore the individual’s confidence and trust in the personal information handling practices and policies adopted by the organizations so as to continue enjoying a relationship with the individual.
- Have an opportunity to avoid disruptions in operations as a result of investigations arising from consumer complaints to regulators.
- Potentially avoid reputational impacts arising from consumer tipoffs to media outlets.
- Satisfy legal obligations (such as fulfilling an organizations duty under the "access & correction obligation" of Singapore’s PDPA).
- Assign the matter to a self-resolution body with the skills necessary in the subject matter in dispute to review it fairly and impartially for expedited resolution.
- The supervisory authority may, upon receiving a claim by the individual, refer the issues to mediation, with the consent of both the individual and the organization, following up with the organization to facilitate an expedited resolution.
- If an alternative dispute-resolution mechanism does not produce the desired result, the self-resolution body must prepare a statement to that effect to confirm that the process has been undertaken as part of the incident response audit trail.
- The organization must maintain a record containing information regarding the decisions taken under an alternative dispute-resolution mechanism and make them available upon request in the context of an investigation or a complaint about non-compliance.
It is important to stress that the self-resolution approach applies for cases of fraudulent misrepresentation, unfair or deceptive acts or practices, breach of contract, or specific aspects of the organization’s collection, use or disclosure of personal data. In addition, the agreement must be consistent with the decisions taken by the supervisory authority in similar cases.
Nevertheless, the mere fact that individuals resolve their data protection or data privacy issues through an alternate dispute-resolution mechanism does not mean that they lose their rights to bring a complaint to the supervisory authority.
In addition, if an organization fails to live up to commitments in an agreement, the supervisory authority can, after receiving the complaint by the individual concerned, the self-resolution body, or both, enforce compliance through administrative orders requiring the organization to comply with any matter covered by the compromise as appropriate, initiate an investigation, as well as refer the case to the competent court in order to seek civil penalties and other remedies sufficiently rigorous to ensure compliance by the organization.
It is also important to note that appropriate ADR methods make good business sense, and failure to do so can incur disastrous outcomes. For instance, in case DP-1409-A100, where the organization’s website was taken down following the breach and customers were left without an outlet to allay their concerns. This obviously hit customer confidence in the organization and in an industry where competitors are in abundance, we can infer that it likely led to a loss of customers as well as significant downtime due to investigations by the regulator. Hence, when assessing the feasibility of a dispute resolution program, organizations should take into account other business risks besides fines by the regulatory bodies.
No organization can please everyone, and the best way forward is to have your customers raise their concerns to your organization for a faster, better and possibly cheaper solution.
If you want to comment on this post, you need to login.