Robust Dispute Resolution: A Quiet Enforcer for Privacy Compliance

Jun 18, 2024 by Divya Sridhar, Ph.D., Vice President, Global Privacy Division and Privacy Initiatives Operations, BBB National Programs

ICYMI, the EU General Data Protection Regulation (GDPR) just celebrated its 6th anniversary, as of May 2024. And, on the heels of this anniversary, a new development that was mentioned by EU regulators at the IAPP Global Summit has now come to fruition: a procedural rule change to update the GDPR has been agreed upon by the European Parliament and will go live in the coming months.

The objectives of the rule change are to provide EU citizens with greater legal certainty regarding enforcement of GDPR, improve the dispute resolution process, and streamline the handling of cross-border cases. 

With this change now implemented, it is timely to compare EU privacy compliance with that of the U.S. One key point of contrast: while the EU has not traditionally leaned on a “coregulatory” model hinging on the presence of an independent accountability agent in helping to enforce rules and energize compliance, the U.S. has a longstanding history of streamlined, strong dispute resolution practices working with safe harbors, coregulation, and self-regulation models. 


The Merits of Dispute Resolution

For nearly 40 years, BBB National Programs has demonstrated success in neutral, impartial mediation and arbitration. The dispute resolution process typically takes the following steps:

  • A Case is Filed: Based on program rules and eligibility requirements, via a secure online portal, a business or consumer files a complaint.
  • Mediation as a First Step: As the first step in an arbitration process, mediation is a facilitated communication where, without imposing a solution, the parties are able to understand and reach a mutually agreeable resolution.
  • Arbitration Services: In arbitration, a trained arbitrator hears the dispute and makes a binding decision. Customized arbitration programs are developed to set parameters around eligibility, available remedies, and regulatory requirements.


The dispute resolution process is customized based on the individual data privacy program and surrounding requirements.

For example, BBB National Programs is the longest-running independent recourse mechanism for the EU-U.S. Data Privacy Framework (DPF), managing consumer complaints for program participants. The dispute resolution process for the Data Privacy Framework Services program differs slightly from how BBB AUTO LINE, one of the largest and longest-running dispute resolution programs, manages manufacturer vehicle warranty and lemon law complaints.  

The co-regulatory model that the DPF Services program uses allows BBB National Programs to work hand-in-hand with U.S. regulators throughout the dispute resolution process. This is a relationship that can also be seen in BBB National Programs’ Cross Border Privacy Rules (CBPR) program as well as the Children’s Advertising Review Unit (CARU) COPPA Safe Harbor program, the first such program under COPPA approved by the Federal Trade Commission in the United States. 

No matter the model, one of the things that sets BBB National Programs’ dispute resolution process apart is a robust conciliation process in mediation. In conciliation, the complainant is given a second chance to resolve the issue before being sent to arbitration, which could result in a binding decision. This allows impartial administration of complaints between both parties to reach an appropriate solution for all involved.


Prioritizing Quality, Streamlined Dispute Resolution

As the world undergoes a procedural rule update to GDPR, which has long been a marker and the guiding light on privacy, the broader context here demonstrates a need for further alignment across privacy regimes. To achieve such alignment, understanding of distinctions between regimes is a key first step.

The presence of robust dispute resolution continues to grow in importance year over year, not only around the world but also in the U.S. That is because the U.S. state patchwork of privacy laws continues to grow and federal privacy legislation continues to be heavily debated. Allowing for soft law enforcement and dispute resolution helps shoulder some of the additional burdens on state and federal regulators who are scrutinizing compliance with newly enacted laws in the data privacy space.
