The decision by a U.S.-based organization to join the Data Privacy Framework (DPF) Program is entirely voluntary. However, once an eligible U.S.-based organization self-certifies to the U.S. Department of Commerce’s International Trade Administration (ITA) and publicly declares its commitment to adhere to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) Principles and/or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles that commitment is enforceable under U.S. law by the relevant enforcement authority (i.e., by the Federal Trade Commission (FTC), the U.S. Department of Transportation (DOT), or other relevant government body).
To be entitled to the benefits of participating in the DPF Program, an organization must initially self-certify and then annually re-certify to the ITA that it adheres to the DPF Principles, including the Supplemental Principles that collectively consist of a detailed set of requirements based on privacy principles. To initially self-certify or subsequently re-certify for the relevant part(s) of the DPF Program, an organization must on each occasion provide to the ITA a submission made via the DPF Program website (https://www.dataprivacyframework.gov), which describes all of the DPF program requirements.
In order to ensure compliance with the Data Privacy Framework Program (the EU-U.S. DPF and, as applicable the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF) organizations must have in place an appropriate Independent Recourse Mechanism for each type of personal data covered by Its self-certification. Under the Recourse, Enforcement and Liability Principle, self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints brought under the DPF Principles and provide appropriate recourse free of charge to the affected individual.
To meet this requirement, an organization can choose an ADR provider such as the International Centre for Dispute Resolution, the international division of the American Arbitration Association (ICDR-AAA) to resolve its disputes.
All organizations interested in self-certifying their compliance pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF should review the requirements in their entirety. To assist in that effort, the ITA’s DPF team has compiled relevant resources, including those describing, the scope of the DPF Program, relevant implementation dates, and answers to frequently asked questions and made those resources available on the DPF Program website.
For additional program information on how to designate the ICDR-AAA as your independent recourse mechanism for the DPF Program, please review the ICDR-AAA DPF IRM Service information document.
Organizations: if you are looking for the Annex I Arbitral Fund contributions page, click HERE.
ICDR Dispute Resolution Procedures (click on the appropriate language)
ICDR-AAA DPF IRM Service Information
ICDR-AAA DPF IRM Service Organization Registration Form
ICDR-AAA DPF IRM Service Administrative Procedures
ICDR-AAA DPF IRM Service Fees
ICDR-AAA DPF IRM Service List of Organizations
ICDR-AAA EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework IRM Program Report
ICDR-AAA arbitrators and mediators are drawn from a pool of professionals with privacy expertise and language
capabilities from many different countries.
Disputes will be determined pursuant to the ICDR International Arbitration Rules, based on documents only and as modified by the procedures and fee schedule for the ICDR-AAA DPF IRM Service.
In-person hearings will not be provided for these cases unless they are requested and agreed to by the parties.
Arbitrations will be conducted on an expedited basis.