Robust Dispute Resolution: A Quiet Enforcer for Privacy Compliance

Jun 18, 2024 by Divya Sridhar, Ph.D., Vice President, Global Privacy Division and Privacy Initiatives Operations, BBB National Programs

ICYMI, the EU General Data Protection Regulation (GDPR) just celebrated its 6th anniversary, as of May 2024. And, on the heels of this anniversary, a new development that was mentioned by EU regulators at the IAPP Global Summit has now come to fruition: a procedural rule change to update the GDPR has been agreed upon by the European Parliament and will go live in the coming months.

The objectives of the rule change are to provide EU citizens with greater legal certainty regarding enforcement of GDPR, improve the dispute resolution process, and streamline the handling of cross-border cases. 

With this change now implemented, it is timely to compare EU privacy compliance with that of the U.S. One key point of contrast: while the EU has not traditionally leaned on a “coregulatory” model hinging on the presence of an independent accountability agent in helping to enforce rules and energize compliance, the U.S. has a longstanding history of streamlined, strong dispute resolution practices working with safe harbors, coregulation, and self-regulation models. 

 

The Merits of Dispute Resolution

For nearly 40 years, BBB National Programs has demonstrated success in neutral, impartial mediation and arbitration. The dispute resolution process typically takes the following steps:

  • A Case is Filed: Based on program rules and eligibility requirements, via a secure online portal, a business or consumer files a complaint.
  • Mediation as a First Step: As the first step in an arbitration process, mediation is a facilitated communication where, without imposing a solution, the parties are able to understand and reach a mutually agreeable resolution.
  • Arbitration Services: In arbitration, a trained arbitrator hears the dispute and makes a binding decision. Customized arbitration programs are developed to set parameters around eligibility, available remedies, and regulatory requirements.

 

The dispute resolution process is customized based on the individual data privacy program and surrounding requirements.

For example, BBB National Programs is the longest-running independent recourse mechanism for the EU-U.S. Data Privacy Framework (DPF), managing consumer complaints for program participants. The dispute resolution process for the Data Privacy Framework Services program differs slightly from how BBB AUTO LINE, one of the largest and longest-running dispute resolution programs, manages manufacturer vehicle warranty and lemon law complaints.  

The co-regulatory model that the DPF Services program uses allows BBB National Programs to work hand-in-hand with U.S. regulators throughout the dispute resolution process. This is a relationship that can also be seen in BBB National Programs’ Cross Border Privacy Rules (CBPR) program as well as the Children’s Advertising Review Unit (CARU) COPPA Safe Harbor program, the first such program under COPPA approved by the Federal Trade Commission in the United States. 

No matter the model, one of the things that sets BBB National Programs’ dispute resolution process apart is a robust conciliation process in mediation. In conciliation, the complainant is given a second chance to resolve the issue before being sent to arbitration, which could result in a binding decision. This allows impartial administration of complaints between both parties to reach an appropriate solution for all involved.

 

Prioritizing Quality, Streamlined Dispute Resolution

As the world undergoes a procedural rule update to GDPR, which has long been a marker and the guiding light on privacy, the broader context here demonstrates a need for further alignment across privacy regimes. To achieve such alignment, understanding of distinctions between regimes is a key first step.

The presence of robust dispute resolution continues to grow in importance year over year, around the world but also in the U.S. That is because the U.S. state patchwork of privacy laws continues to grow and federal privacy legislation continues to be heavily debated. Allowing for soft law enforcement and dispute resolution helps shoulder some of the additional burdens on state and federal regulators who are scrutinizing compliance with newly enacted laws in the data privacy space. 

Suggested Articles

Blog

CFBAI and CCAI Publish the 2023 Annual Report on Participant Compliance and Program Progress

BBB National Programs has released the Children’s Food and Beverage Advertising Initiative (CFBAI) and Children’s Confection Advertising Initiative (CCAI) 2023 Annual Report. The report notes excellent compliance by the 22 CFBAI participants and the six CCAI participants in 2023.
Read more
Blog

The Case for Teaching Industry Self-Regulation in Law, Business, and Public Policy Schools

Law schools, business schools, and public policy programs have a unique opportunity to shape the future of corporate behavior by teaching students the importance of soft law and independent industry self-regulation.
Read more
Blog

5 Missteps to Avoid When Applying or Recertifying to the DPF Program

Each year, participants in the DPF Program need to recertify with the Department of Commerce. To help companies navigate it, our Global Privacy Division has outlined five key recommendations to keep in mind to avoid common missteps with the process.
Read more
Blog

Sharing Holiday Cheer (but Not a Child’s Personal Information)

Not surprisingly, cell phones, connected toys, and toys advertised on social media top wish lists of kids everywhere. To help ensure your holiday shopping experiences are as safe as possible, the team at CARU put together some holiday tips.
Read more