Does this look familiar?
Recently, Privacy Shield participants started receiving these troubling alerts, purportedly from the International Trade Administration, warning that the recipient organization owes a new fee, and threatening to cancel that participant’s Privacy Shield certification if payment is not remitted by February 16, 2018. These alerts have all the classic markings of a phishing scam—appearing very official but containing a generic salutation, demanding payment for some otherwise unheard of fee, threatening dire consequences for failure to remit payment—so some of these alerts have undoubtedly gone ignored.
Unfortunately, this is not another blog post about a new fraud alert. Rather, this post is an alert that, if you participate in the Privacy Shield program, you may need to take action before February 16, 2018, to maintain your certification.
ALTERNATIVE DISPUTE RESOLUTION UNDER PRIVACY SHIELD PRIOR TO SEPTEMBER 13, 2017
The EU-U.S. Privacy Shield is a self-certification program run through the Department of Commerce that provides a safe harbor for U.S. companies that process or transfer heavily regulated personal data of EU citizens in the U.S. Because the U.S. has comparatively lax laws on privacy and data security, to comply with EU regulations, its businesses must voluntarily agree to hold themselves to higher standards at the organization level in order to essentially be considered “part of the EU” for the purposes of lawfully processing the personal data of EU citizens. One of the requirements of the EU-U.S. Privacy Shield is that organizations must designate an arbitrator to receive and process complaints about the organization’s alleged non-compliance with the Shield’s principles.
Prior to September 13, 2017, organizations had some choices regarding who to designate as their arbitration provider. The two most popular choices were the American Arbitration Association and Judicial Arbitration and Mediation Services.
CURRENT STATE OF ALTERNATIVE DISPUTE RESOLUTION UNDER PRIVACY SHIELD
As of September 13, 2017, the Department of Commerce has designated the International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA) as the sole arbitration services provider for Privacy Shield disputes. Organizations self-certifying after this date were required to designate ICDR-AAA upon self-certification. Organizations that had certified prior to September 13, 2017, were given until November 3 of the same year to switch their arbitration provider to ICDR-AAA and pay a fee into an arbitration fund. More info can be found here.
It is unclear how Privacy Shield participants were alerted as to the new requirements at the time this policy was adopted. However, it now appears that the Department of Commerce is proactively reaching out to Privacy Shield participants and threatening to cancel their certification if they do not re-designate ICDR-AAA and pay into the ICDR-AAA fund. These alerts should not be ignored, and participants should update their Privacy Shield notices to designate ICDR-AAA as their arbitrator and pay into the ICDR-AAA Privacy Shield Arbitral Fund or risk losing certification.