On July 16, 2020 the United States Department of Commerce International Trade Administration has announced the following important development regarding the EU-U.S. Privacy Shield Framework:
“On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.
The U.S. Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. If you have questions, please contact the European Commission, the appropriate European national data protection authority or legal counsel.”
This update is available on the Privacy Shield News and Events page at: https://www.privacyshield.gov/NewsEvents
In addition, U.S. Secretary of Commerce Wilbur Ross’ statement regarding this development is available at: https://www.commerce.gov/news/press-releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-ii-ruling-and
In light of this update provided by the U.S. Department of Commerce the AAA-ICDR will continue to administer the Privacy Shield program.
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.
On July 12, 2016, the European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law. On January 12, 2017, the Swiss Government announced the approval of the Swiss-U.S. Privacy Shield Framework as a valid legal mechanism to comply with Swiss requirements when transferring personal data from Switzerland to the United States.
For information on the adequacy determinations or to see the statements from the Swiss Federal Council and Swiss Federal Data Protection and Information Commissioner visit the Department of Commerce’s website at https://www.privacyshield.gov/Program-Overview where the related links are highlighted.
The U.S.-EU and U.S.-Swiss Safe Harbor Frameworks are no longer legally recognized as adequate under EU and Swiss law for transferring personal data from the European Union and Switzerland to the United States.
The Privacy Shield program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables U.S.-based organizations to join the Privacy Shield Framework in order to benefit from the adequacy determination. To join either Privacy Shield Framework, a U.S.-based organization will be required to self-certify to the Department of Commerce (via the DOC’s website at https://www.privacyshield.gov/Program-Overview) and publicly commit to comply with the Framework’s requirements. While joining the Privacy Shield Framework is voluntary, once an eligible organization makes the public commitment to comply with the Framework’s requirements, the commitment will become enforceable under U.S. law. All organizations interested in self-certifying to the EU-U.S. Privacy Shield Framework or Swiss-U.S. Privacy Shield Framework should review the requirements in their entirety. The full details of the program can be found on the Department of Commerce’s website at https://www.privacyshield.gov.
In order to ensure compliance with the Privacy Shield programs, there must be readily available independent recourse mechanisms, so that each individual's complaints and disputes (e.g., complaints and disputes of residents of the EU and Switzerland) can be investigated and expeditiously resolved at no cost to the individual.
To meet this requirement, a company can choose an ADR provider such as the International Centre for Dispute Resolution, the international division of the American Arbitration Association (ICDR-AAASM) to resolve its disputes.
For additional program information on how to designate the ICDR-AAA as your independent recourse mechanism and on the EU-U.S. and Swiss-U.S. Privacy Shield program please review the program information document.
Organizations: if you are looking for the Annex I Arbitral Fund contributions page, click HERE.
ICDR Dispute Resolution Procedures (click on the appropriate language)
Program Information for the
Administrative Procedures for the
Privacy Shield Programs
EU-U.S. and Swiss-U.S. Privacy Shield Programs List of Companies
ICDR-AAA EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield IRM Program Report 2019-2020
ICDR-AAA arbitrators and mediators are drawn from a pool of professionals with privacy expertise and language capabilities from many different countries.
Disputes will be determined pursuant to the ICDR International Arbitration Rules, based on documents only and as modified by the Privacy Shield procedures and fee schedule for this program.
In-person hearings will not be provided for these cases unless they are requested and agreed to by the parties.
Arbitrations will be conducted on an expedited basis.