TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout



An essential component of the Privacy Shield framework, which allows companies to transfer data from the EU to the U.S., is its dispute-resolution mechanism. It's maybe the most important component. After all, Safe Harbor essentially went down because companies that said they were complying with its rules were not, and that came to the attention of an unimpressed European Commission. Well, that, and the revelations, via Snowden, that U.S. intelligence was spying on a whole lot of data subjects, sans notice. Some things had to change in the new data-transfer agreement for trust to be restored between the two continents. The recourse mechanism gives European citizens some agency, some power they maybe didn't feel they had in the Safe Harbor mechanism, so if something happens that doesn't feel right, there's a tool at their disposal to right it. 

"What this scheme is supposed to do is to bridge the gap that the U.S. and EU have in their different approaches to privacy by creating a framework that ensures that European data subjects continue to benefit from the safeguards that exist in the European approach," said Kenneth Bamberger, a law professor of the University of California Berkeley. 

That dispute mechanism tool is called the "Annex I Binding Arbitration Mechanism."

To administer that, the Department of Commerce, which oversaw Safe Harbor and now oversees the Privacy Shield, contracted with the International Centre for Dispute Resolution — specifically, its U.S. arm, the American Arbitration Association (AAA). And Commerce recently named its first class of arbitrators — 16 people who'll handle disputes as they arise. We'll get to them in a minute. Should a dispute arise, IDCR/AAA sends each party involved in the dispute (the data subject and the controller, most likely) an identical list of five potential arbitrators. The parties can agree to an arbitrator, or, if they can't, each party can strike two names from the list, number the remaining three names in order of preference, and send it back to IDCR/AAA. The same process applies for cases in which three arbitrators are needed, but the initial list has 10 names on it instead of five. 

It is possible for a party to challenge the appointment of an arbitrator if a conflict of interest seems likely. Barring a challenge from the other party involved, the ICDR/AAA would replace that arbitrator, and notify Commerce and the EC that it's done so. 

The arbitrators themselves, U.S. attorneys and experts in both U.S. and EU privacy law, will serve three-year periods which are renewable for another three years once that term expires. They were selected jointly by the Department of Commerce and the European Commission and solicited via notices in the Federal Register. 

So who are these arbitrators, and why did they want the gig?

One such expert to successfully apply for the gig was Shira Scheindlin, a U.S. federal judge for more than two decades and now in private practice. You may remember her as the judge who halted New York City's "stop-and-frisk" policy. She was interested in becoming an arbitrator on cross-border data transfers because of the trend she saw in her courtroom. 

As I was on the bench as a federal judge for 22 years, I handled an actual cross-border data transfer. However, because the issue frequently arose in court I’ve been reading about it, writing about it and lecturing about it," she said. “I thought this was a chance to be up close and hands on, which I haven’t been able to do except in authoring judicial opinions on requests for foreign data."

In many American litigations, parties request data from a foreign entity which responds that, “We can’t do that without facing criminal or civil liability,” Scheindlin recalled. “And then the American court has to rule and often says, ‘Our courts are not bound by the foreign law.' That was the trend of American court opinions for a long time. More recently, however, in the last three or four years, American courts have become more respectful of foreign countries asserting their domestic law as a basis to resist a request for discovery in an American court.”  

Scheindlin's fellow arbitrator Bamberger, who co-authored "Privacy on the Ground," a study of corporate data practices between the EU and U.S., was similarly concerned with the intercontinental relationship between the two continents, inciting him to apply for the gig. 

"The existence of robust commerce between U.S. and the EU in the digital age rests on the success of the Privacy Shield framework," Bamberger said. "And the success of the Privacy Shield work rests on mutual trust in the system, and that involves having an arbitration system to resolve disputes when parties are aggrieved." 

Gabe Maldoff, CIPP/US, is a Canadian, a licensed U.S. attorney, and an associate working at Bird & Bird in London (and formerly an IAPP Westin Fellow) and was selected alongside Bamberger and Scheindlin to facilitate disputes under the new framework. Now in his late 20s, he's likely the youngest of the group. But his generational positioning is, in large part, what moved him to apply.

"I guess I’ve always been really interested in these restrictions on international data transfers because it’s so anomalous to what we see in the world," he said. "Especially if you're of our generation, you tend to see the world as this place that's increasingly interconnected and smaller and flatter, even though all these news stories are putting that in doubt right now; we have this unshakable faith that we are going to be more connected throughout our lives and that geography is going to be less important." 

He sees the Privacy Shield as a response to a discouraging global trend. 

"We're more connected but we also feel alienated by the distance we have from how decisions are made, and that loss of control that comes with being in a more globalized world. The world's becoming more and more fragmented and people are turning inward in response to the pressure," he said. Privacy Shield is "one of the few examples we have of governments working together to overcome barriers and cultural differences, and it may not be perfect, but it's a start at trying to create some accountability and trust in what otherwise seems like very big and far away issues." 

Luis Martinez is vice president of the American Arbitrators Association. He said the aim of this framework, or any arbitration framework, is for disputes to be resolved as quickly and as economically as possible. 

"People who use arbitration want to get on with their business, they don't want to be involved in extended processes," he said. "It's supposed to be quicker than the courts, and it's supposed to be final and binding. That's how we approach it. To us, it's successful if at the end of the day, the parties feel that the concerns have been addressed and they feel it's in the spirit of arbitration, with justice being provided." 

Here's how it looks: The dispute mechanism is funded by the companies certifying to Privacy Shield themselves. The cost each company pays into the fund depends on that company's annual revenue. If a dispute is filed with the ICDR/AAA under the Privacy Shield's "principle of recourse, enforcement and liability," a respondent has 10 days from when an arbitration request is processed to provide an answer to both the claimant and the ICDR/AAA, in writing. All communications are to be via email. The number of arbitrators assigned to a case will consist of either one or three arbitrators, depending on what the involved parties agree on. If the parties can't agree, the ICDR/AAA will look at the "novelty, scope, complexity and other circumstances" of the case to determine that.

Once the hearing is closed, an arbitrator, or the arbitrators, have 20 days to make an award, in writing, which is final and binding. 

Maldoff, for one, anticipates putting to use skills he learned during his law school days interning for a judge who arbitrated appeals for people denied Social Security benefits. 

"What I learned from that experience ... was how important it is to listen and be able to understand what the different people involved are saying and are trying to achieve when they don't necessarily speak the same language or have the same vocabulary," he said. "You can sometimes find common ground that isn't necessarily apparent at the outset. The way people have framed things might be different, but what you're trying to get at might be closer than it seemed at first glance." 

As this first class of arbitrators, which hasn't yet been handed a dispute, starts to take on cases, the Department of Commerce recently closed applications for additional arbitrators, hoping to extend its list of 16 to 20. The deadline for applications was October 6. 

Photo credit: archer10 (Dennis) 104M Views Poland-00765 - Mermaid Legend via photopin (license)


If you want to comment on this post, you need to login.

  • comment Randall Wilson • Nov 3, 2017
    Thanks Angelique for the article.  Great to get a sense of who these  arbitrators are for this important role enforcing the Privacy Shield.  Will the written award statement be confidential or is there a mechanism for them to get published?  One of the difficulties in this area is the lack of fact-based guidance and such statements would be useful in that regard.  Obviously, confidentiality would still need to be preserved but perhaps through redacting these statements could still be released.
  • comment Angelique Carson • Nov 3, 2017
    Randall, thanks! It's a good question. Here's what the rules say relating to confidentiality and awards. "An award may be made public by the ICDR/AAA only with the consent of all parties, or as
    required by law or the Department of Commerce." For a more thorough read on this framework, here's the process document:
  • comment Florin Georgescu • Nov 23, 2017
    "[…] 'Our courts are not bound by the foreign law.' That was the trend of American court opinions for a long time. More recently, however, in the last three or four years, American courts have become more respectful of foreign countries asserting their domestic law as a basis to resist a request for discovery in an American court.[…]”  
    Hmm, I can't help but wonder if that statement really reflects 'the truth, the whole truth and nothing but the truth',  considering that:
    -	To this date no US Privacy Shield Ombudsperson has been appointed, and a clear list of tasks, duties as well as powers for this position are still to be defined.
    -	There is still a lack of cooperation between the enforcement authorities on the left side of the Atlantic regarding the legal enforcement of the rights of the EU residents (data subjects) and providing compliant and satisfactory legal redress means to the individual complaints for personal data misuse, breach by US companies, and lack of availability of judicial means for reparation for the damages incurred. 
    -	There is in the EU quite a long list of complaints addressed by EU residents to various EU DPAs, against a large number of US based companies and organizations for personal data misuse and/or data breaches that has still need to be addressed and a form of judicial redress to be provided, yet due to the lack of legal redress measures in the US for non-US nationals on privacy matters, to the date, no form of legal representation, and reparations for the damages incurred, has been provided to the respective EU individuals.
    -	And speaking of the fact that “[the] American courts have become more respectful of foreign countries asserting their domestic law as a basis to resist a request for discovery in an American court.[…]”, on Nov. 8, 2017, the US District Court for the Northern District of California ordered German defendants in an ongoing patent suit (BrightEdge Technologies, Inc. v. Searchmetrics GmbH), to produce a particular CRM database stored in the EU, despite the defendants’ arguments that production such CRM database before an US Court would constitute an unauthorized transfer of personal data outside the EU to a country not covered by an adequacy decision from the EU Commission, and consequently would violate German (and the EU) privacy laws. 
    Should I continue?