Quick Resources:
Signup for the VeraSafe Independent Recourse Mechanism (dispute resolution service) for the Privacy Shield: https://verasafe.com/privacy-services/dispute-resolution/enroll/.
Pay your Privacy Shield AAA-ICDR fee: https://go.adr.org/privacyshieldfund.html.
Update: On Monday, October 30, 2017, the International Trade Administration released a notice to Privacy Shield participants containing further guidance on the new arbitration fee as well as announcing an extended deadline for payment of the fee.
In this notice, the ITA clarified that the new fee is a separate requirement from Privacy Shield organizations’ obligation to provide an independent recourse mechanism (IRM), and that the new fee applies to all certified organizations regardless of whether they have selected a third party from the private sector or data protection authorities as their IRM.
The deadline to pay the new arbitration fee has been extended to December 1, 2017.
Recent Changes to the Privacy Shield
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”) have had a busy autumn. In addition to the first annual joint review of the Privacy Shield conducted by U.S. and EU authorities, the International Trade Administration of the Department of Commerce (ITA) announced in early October that the American Arbitration Association’s International Centre for Dispute Resolution (ICDR-AAA) would serve as the administrator of both the Privacy Shield Arbitral Fund and as the official provider of arbitration services under Annex I of Privacy Shield.
What’s the New Fee for Privacy Shield Participants?
Along with this announcement, ITA also revealed that organizations on the Privacy Shield list would now be responsible for making required contributions to the Arbitral Fund, according to the following revenue-based fee schedule.
Image Source: https://go.adr.org/privacyshieldfund.html
How to Pay The Fee
Privacy Shield participants can pay this new fee online by following the links at this address: https://go.adr.org/privacyshieldfund.html.
It is important to be sure to keep proof of payment, such as an email confirmation or a screenshot, since recent experience has indicated that the ITA may not be immediately informed of the fact that your organization has completed this requirement. Keeping evidence of your payment will be helpful, if the ITA raises any doubts about your contribution.
Why the New Privacy Shield Fee?
Under Annex I of the Privacy Shield, EU individuals may invoke binding arbitration to settle residual claims related to the processing of their personal data. You can read more about the binding arbitration provisions of Privacy Shield here: https://www.privacyshield.gov/article?id=ANNEX-I-introduction. The Arbitral Fund is intended, among other things, to cover the costs of arbitrator fees.
The required contributions are intended to provide an initial source of funding for the Arbitral Fund. The ICDR-AAA expects that this initial funding should “provide sufficient revenue for the fund to operate for several years, based on expected case filings and projected administrative and program management expenses.”1
New Privacy Shield self-certifications will not be approved by the Department of Commerce until the required contributions have been paid through the ICDR-AAA website (https://go.adr.org/privacyshieldfund.html), which means the cost for your organization to self-certify has just gone up. The ICDR-AAA planned to begin collecting this fee from existing Privacy Shield participants on October 3, 2017. These current participants have been asked to pay the fee by December 1, 2017.
A One-Time Fee – For Now
For the time being, the required contributions appear to be a one-time fee. While the Department of Commerce has not announced any intention to make the fee recurring on any periodic basis, the ICDR-AAA will periodically review the operation of the fund and the need to adjust the fee structure. According to the ICDR-AAA website, “[i]f the Arbitral Fund balance needs to be replenished in the future, additional contributions may be required from participating Privacy Shield organizations.”2
Privacy Shield Independent Recourse Mechanisms and Required Contributions to ICDR-AAA: Why You Need Both
It’s important to note that the new AAA required contributions are in addition to the existing requirement that Privacy Shield participants register with an independent recourse mechanism (IRM).
Privacy Shield takes an escalating approach to dispute resolution. When an affected data subject has a complaint arising out of the processing of their personal data, Privacy Shield requires them to, first, raise the issue with the organization (typically a U.S. business) that processed the data and offer that organization the opportunity to resolve the issue before, second, making use of an IRM.
IRMs are independent third parties that attempt to resolve data subjects’ disputes, in accordance with the Privacy Shield Principles, at no cost to the data subject. Privacy Shield participants are required to register with an approved IRM under the Supplemental Principle of Dispute Resolution and Enforcement.
If an IRM fails to resolve the issue, the data subject must take a third and final preliminary step of contacting the Department of Commerce through the European Data Protection Authorities (DPAs) and affording the Department of Commerce the opportunity to resolve the complaint. Only then may a data subject invoke the binding arbitration provisions of Annex I to the Privacy Shield. As such, choosing a good IRM remains a required and important step in establishing a strong dispute resolution infrastructure for your organization.
VeraSafe is a recognized provider of IRM services for the Privacy Shield Frameworks. If you’re looking for a quick and easy way to satisfy the Privacy Shield requirement for third-party dispute resolution, you can enroll online by using our secure signup form: https://verasafe.com/privacy-services/dispute-resolution/enroll/
