EU-US Privacy Shield and Binding Arbitration featured image

EU-US Privacy Shield and Binding Arbitration

by John DiGiacomo

Partner

Business Law E-Commerce Lawyer Internet Lawyer Revision Legal

Ever since a European court invalidated the old Safe Harbor laws in 2015, the United States and European Union (“EU”) have been working to create a new system that would offer adequate protection for the collection, storage and use of EU citizens’ private information. It has been no easy battle, as both parties have their own approach and expectations when it comes to privacy.

However, the light at the end of the tunnel may finally be in sight. On February 29 of this year the European Commission released the EU-US Privacy Shield Framework. The new Privacy Shield agreement is design to enhance the protection of personal information in a multitude of ways; a handful of which include:

  • Requiring more information be provided to users in relation to “Notice” – this includes a declaration by the corporation that they are participating in the Privacy Shield agreement and identification of an independent dispute resolution body that will handle relevant issues;
  • Increasing protection of personal data transferred from a Privacy Shield co-operating organization to a third party. This includes a requirement that the organization take reasonable steps to ensure the third party processes and uses the personal information in a way that’s consistent with Privacy Shield;
  • Privacy Shield organizations may only collect information that is specifically relevant to its intended use;
  • Annual certification with the Department of Transportation or FTC (Federal Trade Commission) that the organization will continue to apply Privacy Shield principles to information collected if it leaves Privacy Shield and keeps the personal data;
  • Requiring organizations respond as quickly as possible to complaints in regards to compliance with Privacy Shield principles; and
  • Requiring Privacy Shield associated organizations to make public any compliance or assessment reports submitted to the FTC, which become subject to court orders based on non-compliance.

Annex I of Privacy Shield addresses arbitration claims. Under Privacy Shield, organizations are obligated to arbitrate claims against them in regards to the recourse, enforcement and liability principles. A complete list of the principles and what they entail can be found in Annex II of Privacy Shield.

EU citizens can pursue legal remedies through private means in the US court system. However, Privacy Shield participants must commit to binding arbitration at the request of any individual to address complaints not resolved by other recourse and enforcement mechanism made available under Privacy Shield. This is done so that all EU citizens have access to recourse mechanisms, as not everyone can afford to pursue challenges privately within the courts.

The binding arbitration option will apply to specific “residual” claims, and allow individuals to determine whether a Privacy Shield organization has violated obligations owed to them under the agreement and whether any of these violations continue to be completely, or partially un-remedied. Binding arbitration will not be available where there are exceptions to the principles or in regards to allegations of the adequacy of Privacy Shield itself.

Both the EU and the US are committed to making this new agreement work. If an individual submits a complaint to the data protection authorities (“DPA”) in the EU, the Department of Commerce is devoted to receiving, reviewing and undertaking every available effort to enable resolution of the complaint and respond to the DPA on the issue within 90 days of receiving it.

In mid-April the EU announced the completion of new local privacy laws. There is speculation that these new laws will cause increased challenges in implementing the newly agreed to Privacy Shield, particularly because the new EU policies impose incredibly strict and weighty judgments if a foreign corporation doesn’t comply. However, given the novelty of both of these policies it is too early to tell what the long-term ramifications will be.

There are many components to the EU-US Privacy Shield; here we provided a brief overview of the agreement with a focus on the arbitration elements. For more information on what Privacy Shield entails and what you need to do to prepare your organization for the EU market contact Revision Legal’s Internet Privacy attorneys through the form on this page or call 855-473-8474.

Extra, Extra!
Recent Posts

Worrying About SaaS Agreements and Cross-Border Data Transfers

Worrying About SaaS Agreements and Cross-Border Data Transfers

Internet Law

When your business is contemplating a software-as-a-service (“SaaS”) agreement, there are a large number of considerations. An SaaS agreement is, of course, a subscription service where a software package is centrally hosted and accessed by a SaaS company’s customers. Issues to be aware of include: As important as the foregoing issues are, one often overlooked […]

Read more about Worrying About SaaS Agreements and Cross-Border Data Transfers

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Internet Law

If you are serious about your career as a social media influencer, blogger, and/or online content creator, you ARE going to need legal services at some point. Online creation is big business now, and big business means the need for legal services. The Internet and Social Media Attorneys at Revision Legal are here to help. […]

Read more about FAQs About Legal Services for Social Media Influencers, Bloggers, and Online Content Creators

Take it Down Act: Ban on “Revenge Porn” Goes National

Take it Down Act: Ban on “Revenge Porn” Goes National

Internet Law

Congress recently passed the Take It Down Act (“TIDA”), and the law was signed by the President in mid-May 2025. See AP media report here. Interestingly enough, “Take It Down” is an acronym for “Tools to Address Known Exploitation by Immobilizing Technological Deepfakes on Websites and Networks Act.” TIDA prohibits what is commonly called “revenge […]

Read more about Take it Down Act: Ban on “Revenge Porn” Goes National

Put Revision Legal on your side

Let's Discuss Your Case