Over the past few months, as the “Schrems II” dust has settled, there has been time to reflect on the Privacy Shield frameworks as a model for what may come next. Many aspects of Privacy Shield that foster transparency and accountability to both regulators and data subjects are absent from other EU-U.S. transfer mechanisms. Notably, as we reevaluate this framework in anticipation of a replacement — and as we consider other models for domestic and global privacy compliance — we should not underestimate the value of independent dispute resolution in delivering privacy rights to individuals.
In its decision, the Court of Justice of the European Union described the preeminent importance of “the availability of enforceable data subject rights,” finding Privacy Shield provided inadequate redress for EU data subjects with respect to the U.S. government's access to personal data. The CJEU offered no such critique, however, of the Privacy Shield’s consumer redress mechanisms for business processing of personal data, which the European Commission had reviewed positively during the last annual review of Privacy Shield. In fact, these consumer redress mechanisms have continuously enhanced the ability of Europeans to exercise their privacy rights and seek recourse against private sector organizations since well before the EU General Data Protection Regulation came into effect.
Co-regulatory frameworks
The co-regulatory framework first set out in the Safe Harbor and later refined in Privacy Shield serves as a case study for designing multitiered accountability and accessible consumer redress into an achievable, transparent privacy framework for commercial enterprises.
For EU data subjects, the most tangible innovation of the Privacy Shield model has been the role that independent recourse mechanisms have played in providing responsive and meaningful redress for privacy inquiries. Given BBB National Programs’ longstanding role as a consumer dispute resolution provider, and with more than 1,100 U.S. businesses of all sizes in our IRM program, BBB EU Privacy Shield, it should come as no surprise that we receive hundreds of consumer privacy complaints every year — 867 in the last reporting year. Due to the scope of the Privacy Shield framework itself, many of these inquiries are not eligible for full resolution within the confines of the framework. But we have observed a continuous increase in the percentage of complaints that indicate personal data concerns about U.S. businesses, originating from both Europe and the United States, as well as from Asia and other regions.
With each passing year, as data subjects become more familiar with their rights in the European Union and elsewhere, they increasingly demand to exercise those rights and hold businesses to their privacy promises.
The co-regulatory redress structure baked into Privacy Shield has proven to be a trusted and responsive mechanism through which individuals can raise inquiries, complaints and data subject rights requests with companies. Even a well-intentioned and highly compliant business may not detect points of failure in its privacy operations without external inputs, often including consumer feedback. IRMs provide a second layer of accountability: they ensure consumers’ voices are heard and data subject rights are enforced, and, when necessary, they prompt the company to take a second look at its practices and implement corrective actions.
Under Privacy Shield, data subjects must first reach out to the business with their request or complaint before involving the IRM. Thus, in most cases, the IRM becomes involved when there is a failure of communication between the parties or a disagreement as to the resolution of the complaint. In these situations, BBB EU Privacy Shield works with both parties to come to an equitable resolution of the issues through a model we call “conciliation.”
In our experience, both parties benefit from this process. We assist consumers in framing their requests and understanding the scope of their redress options. At the same time, we remind businesses of their obligations, help them address common operational pitfalls and ensure they hear and respond to consumer concerns. Where a dispute cannot be resolved through conciliation, a data subject has the option — rarely invoked — of requesting a data privacy review, resulting in a decision of the matter by an independent arbitrator.
The layers of accountability do not stop there. Participating businesses are bound contractually by the outcome of our dispute resolution process, and under that process they can be referred to the U.S. Federal Trade Commission for failing to meet their conciliation commitments or to implement an arbitrator’s decision. Data subjects, however, are not so bound. Individual complainants retain the right to pursue their claim through their national data protection authority, in coordination with the U.S. Department of Commerce, before finally triggering the backstop Privacy Shield arbitration mechanism.
Annual IRM report findings
A close read of this year’s annual IRM reports — a key element of transparency baked into the Privacy Shield Framework — shows a broad spectrum of data subject concerns being addressed by those IRMs that received actionable complaints. (Full reports, along with detailed case notes, from the two IRM organizations that reported eligible cases in the 2019–20 reporting period are available here: BBB National Programs and TrustArc.)
Consumer inquiries and complaints ranged from data subject access and deletion requests to allegations of data mismanagement to requests for the source of data held by the business. In some cases, where an actionable “right” was not clearly available under the Privacy Shield frameworks, businesses nonetheless elected to accommodate reasonable requests to the satisfaction of the data subjects.
To my eye, this is precisely what enforceable data subject rights should look like in practice.
There is reason to believe consumers will continue to avail themselves of privacy rights conferred by new privacy legislation. As the