Over the past few months, as the “Schrems II” dust has settled, there has been time to reflect on the Privacy Shield frameworks as a model for what may come next. Many aspects of Privacy Shield that foster transparency and accountability to both regulators and data subjects are absent from other EU-U.S. transfer mechanisms. Notably, as we reevaluate this framework in anticipation of a replacement — and as we consider other models for domestic and global privacy compliance — we should not underestimate the value of independent dispute resolution in delivering privacy rights to individuals.
In its decision, the Court of Justice of the European Union described the preeminent importance of “the availability of enforceable data subject rights,” finding Privacy Shield provided inadequate redress for EU data subjects with respect to the U.S. government's access to personal data. The CJEU offered no such critique, however, of the Privacy Shield’s consumer redress mechanisms for business processing of personal data, which the European Commission had reviewed positively during the last annual review of Privacy Shield. In fact, these consumer redress mechanisms have continuously enhanced the ability of Europeans to exercise their privacy rights and seek recourse against private sector organizations since well before the EU General Data Protection Regulation came into effect.
Co-regulatory frameworks
The co-regulatory framework first set out in the Safe Harbor and later refined in Privacy Shield serves as a case study for designing multitiered accountability and accessible consumer redress into an achievable, transparent privacy framework for commercial enterprises.
For EU data subjects, the most tangible innovation of the Privacy Shield model has been the role that independent recourse mechanisms (IRMs) have played in providing responsive and meaningful redress for privacy inquiries. Given BBB National Programs’ longstanding role as a consumer dispute resolution provider, and with more than 1,100 U.S. businesses of all sizes in our IRM program, BBB EU Privacy Shield, it should come as no surprise that we receive hundreds of consumer privacy complaints every year, 867 in the last reporting year. Because of the scope of the Privacy Shield framework itself, many of these inquiries are not eligible for full resolution within the confines of the framework. But we have observed a continuous increase in the percentage of complaints that raise personal data concerns about U.S. businesses, originating from Europe and the United States as well as from Asia and other regions.
With each passing year, as data subjects become more familiar with their rights in the European Union and elsewhere, they increasingly demand to exercise those rights and hold businesses to their privacy promises.
The co-regulatory redress structure baked into Privacy Shield has proven to be a trusted and responsive mechanism for individuals to address inquiries, complaints and data subject rights requests to companies. Even a well-intentioned and highly compliant business may not detect points of failure in its privacy operations without some external inputs, often including consumer feedback. IRMs can provide a second layer of accountability, ensuring consumers’ voices are heard, data subject rights are enforced, and, when necessary, prompting the company to take a second look at its practices and implement corrective actions.
Under Privacy Shield, data subjects must first reach out to the business with their request or complaint before involving the IRM. Thus, in most cases, the IRM becomes involved when there is a failure of communication between the parties or a disagreement as to the resolution of the complaint. In these situations, BBB EU Privacy Shield works with both parties to come to an equitable resolution of the issues through a model we call “conciliation.”
In our experience, both parties benefit from this process. We assist consumers in framing their requests and understanding the scope of their redress options. At the same time, we remind businesses of their obligations, help them address common operational pitfalls and ensure they hear and respond to consumer concerns. Where a dispute cannot be resolved through conciliation, a data subject has the option — rarely invoked — of requesting a data privacy review, resulting in a decision of the matter by an independent arbitrator.
The layers of accountability do not stop there. Participating businesses are bound contractually by the outcome of our dispute resolution process: a business that fails to meet its conciliation commitments or to implement an arbitrator’s decision can be referred to the U.S. Federal Trade Commission. Data subjects are not so bound. Individual complainants retain the right to pursue their claim through their national data protection authority, in coordination with the U.S. Department of Commerce, before finally triggering the backstop Privacy Shield arbitration mechanism.
Annual IRM report findings
A close read of this year’s annual IRM reports — a key element of transparency baked into the Privacy Shield Framework — shows a broad spectrum of data subject concerns being addressed by those IRMs that received actionable complaints. (Full reports, along with detailed case notes, from the two IRM organizations that reported eligible cases in the 2019–20 reporting period are available here: BBB National Programs and TrustArc.)
Consumer inquiries and complaints ranged from data subject access and deletion requests to allegations of data mismanagement to requests for the source of data held by the business. In some cases, where an actionable “right” was not clearly available under the Privacy Shield frameworks, businesses nonetheless elected to accommodate reasonable requests to the satisfaction of the data subjects.
To my eye, this is precisely what enforceable data subject rights should look like in practice.
There is reason to believe consumers will continue to avail themselves of privacy rights conferred by new privacy legislation. As the IAPP’s recent joint report with BigID made clear, U.S. businesses are experiencing a sustained surge in data subject access requests, driven primarily by the GDPR and more recently by the California Consumer Privacy Act. Of the 475 businesses surveyed in the report, 44% had received more than 75 requests in 2020, including 13% that received more than 1,000 requests. These numbers would have been exceptional just a few years ago; our experience with Privacy Shield and GDPR suggests they are only likely to grow.
Recent conversations with our diverse stakeholders at BBB National Programs have underscored that U.S. companies are well aware of the operational challenges posed by this trend. Even as businesses work to standardize their implementation of new regulatory requirements, they are seeking mechanisms that will educate consumers about their rights and how to exercise them in a constructive manner.
In considering how best to approach this challenge, there is no need to reinvent the wheel. Transparency, consumer education and complaint management can all be facilitated by independent third parties. This is apparent in the role of IRMs under Privacy Shield — and the similar role played by Accountability Agents under the APEC Cross-Border Privacy Rules System. Independent recourse, when implemented appropriately, has the added benefit of providing an outside perspective on data rights, educating consumers and businesses alike as standard practices mature. An independent interlocutor thus helps all parties engage efficiently and equitably.
As we look to operationalize what are still inchoate data subject rights, it is my hope these and similar mechanisms will be incorporated into new cross-border and domestic privacy frameworks. Improving business responsiveness to consumer concerns is about more than satisfying regulators — and it requires enduring mechanisms of accountability and transparency.