Last month, the European Commission and U.S. Department of Commerce held their second annual joint review of the EU-U.S. Privacy Shield Framework in Brussels, Belgium. The review revealed, among other things, that European data subjects are simply not filing complaints under the Shield’s dispute resolution scheme.
As the event began, Věra Jourová, EU Commissioner for Justice, Consumers and Gender Equality, took to Twitter to express her hopes for a “good and thorough” review of the Shield, calling the U.S. delegation to the 2018 joint review “impressive.” Attending on behalf of the U.S. were U.S. Department of Commerce Secretary Wilbur Ross, Federal Trade Commission Chairman Joe Simons, and the newly appointed Privacy and Civil Liberties Oversight Board Chairman Adam Klein, along with dozens of other senior officials from relevant U.S. agencies, such as the Office of the Director of National Intelligence.
My organization, VeraSafe, is a private-sector provider of, among other things, self-regulatory programs that support the Privacy Shield. Our services include Privacy Shield mediation as an “Independent Recourse Mechanism,” the second dispute resolution tier available to data subjects under the Shield. VeraSafe was asked by the Department of Commerce to speak during a session focused on Privacy Shield dispute resolution. VeraSafe was the only Privacy Shield IRM service provider in attendance at this year’s joint review.
The main takeaway from VeraSafe’s presentation: There were zero qualified privacy disputes filed under the VeraSafe Privacy Shield dispute resolution program in the past year.
This lack of dispute submissions appears to be characteristic of a general trend. Representatives of the International Trade Administration, the division of the Department of Commerce tasked with immediate oversight of the Privacy Shield, revealed at the IRM session on Oct. 18 that the total number of complaints filed across all of the IRM providers was less than 40.
Following a brief presentation by the VeraSafe team highlighting its annual report on IRM activities, Bruno Gencarelli, head of the International Data Flows and Protection Unit at the European Commission, led officials from the Commission along with representatives from numerous data protection authorities in the EU member states in a robust exchange of views with the American delegation on the topic of dispute resolution under the Shield.
The European delegation was particularly eager to quiz VeraSafe on the organization’s procedures for qualifying and handling privacy disputes that might arise under the Privacy Shield and what sanctions would theoretically be meted out by VeraSafe to misbehaving U.S. organizations found to be in violation of the Privacy Shield Principles.
As the European delegation dug into the nuances of VeraSafe’s procedures for qualifying eligible disputes under the Privacy Shield, the elephant in the room was that there were a statistically negligible number of disputes filed in 2018 overall, and none at all in the case of VeraSafe’s IRM program.
While reasonable minds may disagree over whether the European Commission’s representatives displayed any surprise to learn that EU citizens have apparently not taken issue with how their personal data are processed after being sent to the U.S., at VeraSafe we have found the general dearth of complaints to be surprising and an issue worth exploring. VeraSafe preemptively sought to explain this unexpected result during our initial presentation to the delegation.
First, VeraSafe argued that most U.S. organizations participating in the Privacy Shield appear strongly dedicated to compliance and value the opportunity to do business in Europe. In many cases, our experience has been that the appeal of the European market is so great that U.S. businesses will do anything they are reasonably asked to do in order to maintain their European market share. These organizations view the Privacy Shield as an opportunity rather than a burden, which is a viewpoint VeraSafe encourages.
Second, many businesses participating in the Privacy Shield are data processors rather than data controllers. These U.S.-based service providers (e.g., software-as-a-service companies) merely handle personal data per the instructions of European businesses that bear the primary responsibility for deciding why and how personal data gets used. Controllers like those European businesses naturally have a much closer relationship with the data subjects, so these individuals will tend to address their grievances directly with such European businesses. Since data controllers aren’t typically required to identify their processors by name (identifying the categories of service providers to whom they transfer data is sufficient for both the Privacy Shield and the GDPR), it’s possible and in fact likely that a data subject would not even be aware of the existence of a specific processor providing services to a European data controller.
Finally, VeraSafe argued that the mere existence of an independent oversight body – in this case the IRM – provides a strong incentive for participating organizations to do a good job of internally resolving privacy disputes with data subjects. The Privacy Shield requires that the IRMs impose sanctions on non-compliant Privacy Shield participants, sufficiently rigorous to deter such non-compliance. That’s something no business wants to experience firsthand. In this regard, the basic foundations of the Privacy Shield are successfully motivating organizations to comply with their commitments under the Shield.
What VeraSafe didn’t mention was that the nuances of the Privacy Shield Frameworks – such as the right to lodge a dispute with a third-party mediator – might be beyond the grasp of a casual internet user. While some industry insiders might view the Privacy Shield as an elegantly simplified version of the EU's hefty GDPR, it seems unlikely that awareness of individual rights under the Privacy Shield Frameworks is widespread among everyday consumers in the EU.
Should the member states play a more active role in educating individuals about their privacy rights, such as those provided by the Privacy Shield? If so, would it be the responsibility of the overburdened and occasionally understaffed DPAs across Europe to take on this challenge?
We’ll leave it up to you to decide. Please respectfully let us know your thoughts in the comments section below.