The first installment in our month-long series dissecting the new “Privacy Shield” framework for transferring data from the EU to the United States discussed the history and implementation of the Privacy Shield. The second, third and fourth installments provided side-by-side comparisons of the Privacy Shield against the former EU-US Safe Harbor Framework, the current Controller-Processor Model Clauses and the current Controller-Controller Model Clauses (Set 2). The remainder of our series will focus on addressing the top questions that we have received concerning how the Privacy Shield will function in practice.
One of the most common areas of confusion surrounding the Privacy Shield is the way in which people are permitted to raise complaints with participating companies concerning the collection and use of their personal data. It’s easy to understand the source of confusion. The Privacy Shield contains seven different ways to raise complaints, but not every method is open to every person (in EU parlance, every “data subject”) in every situation. For example, some methods are guaranteed only to employees in the context of HR data transfers (e.g., use of an informal panel of European Union Data Protection Authorities to adjudicate claims); other methods require that a data subject first exhaust other methods of resolution (e.g., binding arbitration before a Privacy Shield Panel to be established by the Department of Commerce and the European Commission).
Depending on the personal data at issue, there are various mechanisms by which a participating organization may receive a complaint either from a consumer or an employee. In this fifth installment, we provide a roadmap for the different ways in which a consumer may file a complaint against a certifying organization where non-HR data is involved. Our next installment will provide a similar roadmap for the ways in which an employee might file a complaint against an employer.