FAQs for Consumers
What are the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks?
The U.S. Department of Commerce and the European Commission developed the “EU-U.S. Privacy Shield” Framework, enabling U.S. businesses to receive and process personal data from the EU, UK, and EAA countries and helping them comply with EU data protection requirements. The EU-U.S. Privacy Shield Framework replaced the U.S.-EU Safe Harbor Framework on July 12, 2016.
On January 12, 2017, the Swiss Government approved the Swiss-U.S. Privacy Shield Framework (replacing the U.S.-Swiss Safe Harbor Framework) as a valid legal mechanism for U.S. companies to comply with Swiss data protection requirements when transferring personal data from Switzerland to the United States.
What is personal data?
Under the Privacy Shield Frameworks, personal data (also known as “personal information”) are data about an identified or identifiable individual that are within the scope of the applicable data protection law, received by an organization in the United States from a covered country, and recorded in any form. Additional protections may be provided for certain categories of personal data, such as “sensitive personal data,” which, under the EU-U.S. Privacy Shield Framework includes “personal information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and information specifying the sex life of the individual.” (Note that additional categories of personal information are considered personal under the Swiss-U.S. Privacy Shield Framework.)
What are my rights under Privacy Shield?
If your personal data is collected in the EU, UK, or Switzerland and is transferred to the United States for processing pursuant to the Privacy Shield Frameworks, the participating U.S. business must provide you with certain information and options regarding your data. These rights are listed on the U.S. Department of Commerce official Privacy Shield website.
What is the role of BBB EU Privacy Shield?
Many companies participating in the Privacy Shield Frameworks have chosen BBB EU Privacy Shield to help resolve privacy disputes that arise with individuals in the EU, UK, or Switzerland whose data the company received in the United States pursuant to Privacy Shield. We refer to these companies as “Participating Businesses.”
The Privacy Shield Frameworks require that Independent Recourse Mechanisms like BBB EU Privacy Shield be impartial, readily available and offered at no cost to EU and Swiss individuals, and that they ensure compliance with the data protection protections of the Privacy Shield. BBB EU Privacy Shield's obligations as an independent recourse mechanism are listed in Section 11 of the Privacy Shield Framework.
The BBB EU Privacy Shield dispute resolution procedure:
- Has always been offered free of charge to individuals
- Provides a speedy and fair resolution option through the staff conciliation process
- When conciliation fails, provides impartial and enforceable resolution by means of an independent Panelist’s Data Privacy Review and determination of the issues in the dispute.
All participating businesses in BBB EU Privacy Shield sign an agreement requiring them to participate in the dispute resolution process, and to abide by final determinations by BBB National Programs or the Panelist, including any sanctions or corrective action.
Participating businesses also agree that if they fail to take corrective action required by a final determination, the matter may be referred to the Federal Trade Commission, and the fact of the referral may be made public by BBB National Programs. Such a referral will also be notified to the Department of Commerce, which may remove the company from the Privacy Shield List for noncompliance.
BBB National Programs publishes an annual
BBB EU Privacy Shield Procedure Report
that summarizes the number and nature of privacy complaints and the actions taken by BBB National Programs (and any Data Privacy Review Panelist); as well as the number and nature of complaints deemed ineligible for processing. If a participating
business fails to comply with a final determination of the program and is referred to the Federal Trade Commission for noncompliance, a Case Report will be published in the Procedure Report summarizing the case and its outcome, identifying
the company and the fact of noncompliance.
How will BBB EU Privacy Shield help resolve my privacy complaint?
The BBB EU Privacy Shield complaints process works as follows:
1. When you submit a complaint, BBB National Programs staff will first verify that the complaint is eligible for resolution under our Procedure Rules, and that you have provided enough information to proceed. If you should require translation or interpretation services at any time during the dispute resolution procedure, they will be provided for you at no cost. All other costs of administering the complaint procedure will be the responsibility of either BBB National Programs or the participating business. The complaint handling service is provided free of charge to individual complainants.
2. Staff will verify with you that you have made a good faith effort to resolve the complaint with the participating business. Note that the business is required to respond to your complaint within 45 days.
3. Once you have provided sufficient information to verify your complaint, BBB EU Privacy Shield will pass your complaint to the Participating Business and will try to help you and the business resolve the complaint through an exchange of information. This process is called conciliation. Staff will try to help you reach a resolution, or settlement, of your complaint.
If the complaint is resolved through this process, staff will send you and the business a settlement letter and will close out the case.
4. If conciliation does not resolve the dispute, you will be able to seek a Data Privacy Review, a form of non-binding arbitration conducted by an independent decision maker (a Panelist), selected in an impartial manner to avoid conflicts of interest. BBB National Programs staff will administer this process, obtaining written statements of your respective positions from you and the participating business. Staff will assemble these documents into the Case Record, which they will present to the Panelist for review.
5. The Panelist will be asked to make best efforts to issue a Decision within 10 business days of receiving the Case Record. During this time, he or she may request additional information from you or the business and may ask you and the business to take part in a telephone hearing if he or she thinks it necessary to resolve the matter.
6. If the Panelist finds that a violation of the Principles occurred, he or she may require the participating business to implement corrective action, including (1) access to, correction, or suppression of data; or (2) processing of data consistent with the Privacy Shield Principles.
7. The Panelist’s finding is not binding on the individual complainant and does not preclude the individual from seeking additional remedies under the Privacy Shield Frameworks if he or she is dissatisfied with the outcome of the BBB EU Privacy Shield dispute resolution procedure. These redress options are described in Annex I of the Privacy Shield Framework.
It is the objective of the BBB EU Privacy Shield Procedure to resolve complaints in a transparent, fair and timely manner. Our goal is to resolve conciliated complaints within 15 days, and if a Data Privacy Review is initiated, to conclude that process in no longer than 60 days.
See our Procedure Rules for more details.
How do I submit my Privacy Shield complaint?
Please use our online complaint form to submit your complaint. You may also submit your complaint by postal mail at the following address:
BBB National Programs, Inc.
ATTN: BBB EU Privacy Shield
1676 International Drive, Suite 550
McLean, VA 22102