EU-U.S. Privacy Shield Annex I
Binding Arbitration Mechanism  

Privacy Shield Update

On July 16, 2020 the United States Department of Commerce International Trade Administration has announced the following important development regarding the EU-U.S. Privacy Shield Framework:

“On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. This decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.

The U.S. Department of Commerce will continue to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. If you have questions, please contact the European Commission, the appropriate European national data protection authority or legal counsel.”

This update is available on the Privacy Shield News and Events page at: https://www.privacyshield.gov/NewsEvents

In addition, U.S. Secretary of Commerce Wilbur Ross’ statement regarding this development is available at: https://www.commerce.gov/news/press-releases/2020/07/us-secretary-commerce-wilbur-ross-statement-schrems-ii-ruling-and

In light of this update provided by the U.S. Department of Commerce the AAA-ICDR will continue to administer the Privacy Shield program.

The International Centre for Dispute Resolution (ICDR), the international division of the American Arbitration Association (AAA), has been selected by the U.S. Department of Commerce to manage the Privacy Shield Annex I Arbitration Mechanism and Arbitral Fund. This is the website and information for the Annex I Binding Arbitration Mechanism. The ICDR’s primary functions in this regard are to administer arbitrations that may arise under Annex I, and to establish and manage an Arbitral Fund to cover the arbitral costs.

EU individuals: for more information on how to file an Annex I Binding Arbitration, click HERE.

Organizations: to go directly to the Arbitral Fund contribution/fee page, click HERE. 

Background

The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. The full details of the program can be found on the Department of Commerce’s website at https://www.privacyshield.gov/welcome.

The Privacy Shield Framework provides the option for an EU individual to invoke binding arbitration to determine whether a Privacy Shield organization has violated its obligations under the Privacy Shield Principles as to that individual and whether any such violation remains fully or partially unremedied ("residual claims"). Organizations voluntarily self-certify to the Privacy Shield Principles and, upon certification, the commitments become legally enforceable under U.S. law. Organizations that self-certify to the Privacy Shield Framework are required to arbitrate claims pursuant to the Recourse, Enforcement and Liability Principle.

In Annex I, the Department of Commerce committed to facilitating the establishment of a fund into which Privacy Shield organizations will be required to pay contributions to cover the arbitral cost, including arbitrator fees, up to maximum amounts, in consultation with the European Commission. The purpose of the fund is solely to provide Privacy Shield organizations with a consolidated mechanism to fund arbitrations. The fund will be managed by ICDR-AAA.

As the Arbitral Administrator and Fund Manager, ICDR-AAA will facilitate the collection and administration of contributions from Privacy Shield participants. The required contributions are based on organizations’ annual revenue, using revenue bands that mirror those used to determine Privacy Shield administration fees collected by the Department of Commerce’s International Trade Administration (ITA).

The fee structure for the arbitral fund is available HERE. ICDR-AAA expects these initial fees to provide sufficient revenue for the fund to operate for several years, based on expected case filings and projected administrative and program management expenses. ICDR-AAA shall periodically review any need to adjust the fee structure, and the Department of Commerce and the European Commission will review the operation of the fund during the annual review of the Privacy Shield.

Organizations self-certifying to the EU-U.S. Privacy Shield for the first time on or after
September 12, 2017 will be required to pay this fee to ICDR-AAA before ITA will finalize their certification. ICDR-AAA will begin collecting this fee from existing participants in the
EU-U.S. Privacy Shield program on October 3, 2017 and existing participants will be required to pay the fee within 30 days. The ICDR-AAA will provide the Department of Commerce with information on an ongoing basis regarding the status of contributions made by Privacy Shield participants into the arbitral fund.