Alert to Privacy Shield Participants: You Could Lose Your Privacy Certification If You Ignore This Warning

Burns & Levinson LLP
Contact

Does this look familiar?

Recently, Privacy Shield participants started receiving these troubling alerts, purportedly from the International Trade Administration, warning that the recipient organization owes a new fee, and threatening to cancel that participant’s Privacy Shield certification if payment is not remitted by February 16, 2018. These alerts have all the classic markings of a phishing scam—appearing very official but containing a generic salutation, demanding payment for some otherwise unheard of fee, threatening dire consequences for failure to remit payment—so some of these alerts have undoubtedly gone ignored.

Unfortunately, this is not another blog post about a new fraud alert. Rather, this post is an alert that, if you participate in the Privacy Shield program, you may need to take action before February 16, 2018, to maintain your certification.

Alternative Dispute Resolution Under Privacy Shield Prior to September 13, 2017

The EU-U.S. Privacy Shield is a self-certification program run through the Department of Commerce that provides a safe harbor for U.S. companies that process or transfer heavily regulated personal data of EU citizens in the U.S. Because the U.S. has comparatively lax laws on privacy and data security, to comply with EU regulations, its businesses must voluntarily agree to hold themselves to higher standards at the organization level in order to essentially be considered “part of the EU” for the purposes of lawfully processing the personal data of EU citizens. One of the requirements of the EU-U.S. Privacy Shield is that organizations must designate an arbitrator to receive and process complaints about the organization’s alleged non-compliance with the Shield’s principles.

Prior to September 13, 2017, organizations had some choices regarding who to designate as their arbitration provider. The two most popular choices were the American Arbitration Association and Judicial Arbitration and Mediation Services.

Current State of Alternative Dispute Resolution Under Privacy Shield

As of September 13, 2017, the Department of Commerce has designated the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) as the sole arbitration services provider for Privacy Shield disputes. Organizations self-certifying after this date were required to designate ICDR-AAA upon self-certification. Organizations that had certified prior to September 13, 2017, were given until November 3 of the same year to switch their arbitration provider to ICDR-AAA and pay a fee into an arbitration fund. More info can be found here.

It is unclear how Privacy Shield participants were alerted as to the new requirements at the time this policy was adopted. However, it now appears that the Department of Commerce is proactively reaching out to Privacy Shield participants and threatening to cancel their certification if they do not re-designate ICDR-AAA and pay into the ICDR-AAA fund. These alerts should not be ignored, and participants should update their Privacy Shield notices to designate ICDR-AAA as their arbitrator and pay into the ICDR-AAA Privacy Shield Arbitral Fund or risk losing certification.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Burns & Levinson LLP

Written by:

Burns & Levinson LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Burns & Levinson LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide