BBB EU Privacy Shield
For EU and Swiss Consumers: BBB Dispute Resolution Process
What is BBB EU Privacy Shield?
The program is an independent dispute resolution mechanism operated by BBB National Programs, Inc, a non-profit organization based in the United States. We help EU and Swiss individuals resolve privacy complaints under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks.
BBB EU Privacy Shield is a successor program to BBB EU Safe Harbor, one of two original independent dispute resolution mechanisms supporting the U.S.-EU Safe Harbor Framework when it came into effect in 2000.
What are the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks?
The U.S. Department of Commerce and the European Commission developed the “EU-US Privacy Shield” Framework, enabling U.S. businesses to receive and process personal data from the EU and EAA countries and helping them comply with EU data protection requirements. The EU-U.S. Privacy Shield Framework replaced the U.S.-EU Safe Harbor Framework on July 12, 2016.
On January 12, 2017, the Swiss Government approved the Swiss-U.S. Privacy Shield Framework (replacing the U.S.-Swiss Safe Harbor Framework) as a valid legal mechanism for U.S. companies to comply with Swiss data protection requirements when transferring personal data from Switzerland to the United States.
What are my rights under Privacy Shield?
If your personal data is collected in the EU or Switzerland and is transferred to the United States for processing pursuant to the Privacy Shield Frameworks, the participating U.S. business must provide you with certain information and options regarding your data. These rights are listed on the U.S. Commerce Department website at https://www.privacyshield.gov/article?id=My-Rights-under-Privacy-Shield.
What is the role of BBB EU Privacy Shield?
Many companies participating in the Privacy Shield Frameworks have chosen BBB EU Privacy Shield to help resolve privacy disputes that arise with EU or Swiss individuals including any individual, wherever located, whose data is collected in the EU or Switzerland and transferred to the United States pursuant to Privacy Shield. We refer to these companies as “participating businesses.”
The Privacy Shield Frameworks require that independent dispute resolution mechanisms be impartial, readily available and offered at no cost to EU and Swiss individuals, and that they ensure compliance with the Privacy Shield privacy protections. BBB's obligations as an independent recourse mechanism are listed in Section 11 of the Privacy Shield Framework.
The BBB EU Privacy Shield dispute resolution procedure, like its trusted predecessor, the BBB EU Safe Harbor program:
- Is also visible and accessible on the BBB.org website, as part of the main BBB online complaints system
- Has always been offered free of charge to individuals
- Provides a speedy and fair resolution option through the staff conciliation process
- When conciliation fails, provides impartial and enforceable resolution by means of an independent Panelist’s Data Privacy Review and determination of the issues in the dispute
All participating businesses in BBB EU Privacy Shield sign an agreement requiring them to participate in the dispute resolution process, and to abide by final determinations by BBB National Programs or the Panelist, including any sanctions or corrective action.
Participating businesses also agree that if they fail to take corrective action required by a final determination, the matter may be referred to the Federal Trade Commission, and the fact of the referral may be made public by BBB National Programs. Such a referral will also be notified to the Department of Commerce, which may remove the company from the Privacy Shield List for noncompliance.
BBB National Programs publishes an annual BBB EU Privacy Shield Procedure Report that summarizes the number and nature of privacy complaints and inquiries from the public and the actions taken by the BBB National Programs and Panelist; as well as the number and nature of complaints deemed ineligible for processing. If a participating business fails to comply with a final determination of the program and is referred to the Federal Trade Commission for noncompliance, a Case Report will be published in the Procedure Report summarizing case and its outcome, identifying the company and the fact of noncompliance.
How will BBB help resolve my privacy complaint?
The BBB EU Privacy Shield complaints process works as follows:
1. When you submit a complaint, BBB National Programs staff will first verify that the complaint is eligible for resolution under our Procedure Rules, and that they have enough information to move forward. To be eligible, you must be the subject of Personal Data collected in the European Union, Iceland, Liechtenstein, Norway or where applicable, Switzerland, and the complaint must be against a Participating Business. They may ask you for additional information before proceeding.
2. Staff will verify with you that you have made a good faith effort to resolve the complaint with the participating business. Note that the business is required to respond to your complaint within 45 days.
3. Staff will pass on your complaint to the participating business and will try to help you and the business resolve the complaint through an exchange of information. This process is called conciliation. Staff will try to help you reach a resolution, or settlement, of your complaint within 15 business days. If the complaint is resolved through this process, staff will send you and the business a settlement letter and will close out the case.
4. If conciliation does not resolve the dispute, you will be able to seek a Data Privacy Review, a form of non-binding arbitration conducted by an independent decision maker (a Panelist), selected in an impartial manner to avoid conflicts of interest, from BBB National Programs' Data Privacy Board of privacy experts. BBB National Programs Staff will administer this process, obtaining written statements of your respective positions from you and the participating business. Staff will assemble these documents into the Case Record, which they will present to the Panelist for review.
5. The Panelist will be asked to make best efforts to issue a Decision within 10 business days of receiving the Case Record. During this time, he or she may request additional information from you or the business and may ask you and the business to take part in a telephone hearing if he or she thinks it necessary to resolve the matter.
6. If the Panelist finds that a violation of the Principles occurred, he or she may require the participating business to implement corrective action, including (1) access to, correction, or suppression of data; or (2) processing of data consistent with the Privacy Shield Principles.
7. The Panelist’s finding is not binding on the individual complainant and does not preclude the individual from seeking additional remedies under the Privacy Shield Frameworks if he or she is dissatisfied with the outcome of the BBB EU Privacy Shield dispute resolution procedure. These redress options are described in Annex I of the Privacy Shield Framework.
8. If you should require translation or interpretation services at any time during the dispute resolution procedure, they will be provided for you at no cost.
9. All other costs of administering the complaint procedure will be the responsibility of either BBB National Programs or the participating business. The complaint handling service is provided free of charge to individual complainants.
It is the objective of the BBB EU Privacy Shield Procedure to resolve complaints in a transparent, fair and timely manner. Our goal is to resolve conciliated complaints within 15 days, and if a Data Privacy Review is initiated, to conclude that process in no longer than 60 days.
See our Procedure Rules for more details.
Check here to make sure your complaint is eligible for BBB EU Privacy Shield resolution, and to file your complaint.