Globalization Continues to Create Increased Obligations for US Companies

This special supplement for ACC Docket's December 2018 issue was graciously sponsored by JAMS.

Companies doing business globally have a variety of complex issues to deal with, not the least of which is the security of personal data collected from their customers.

In the 1990s, the European Union issued directives concerning the protection of individuals with regard to the processing and transfer of personal data. Thereafter, the US Department of Commerce (DOC), in consultation with the European Union, developed what was called the US-EU Safe Harbor Framework.

This, along with the US-Swiss Safe Harbor Framework, created a streamlined process for US companies to comply with EU data protection directives. These frameworks enabled US organizations to transfer personal data from the European Union to the United States, provided the US company certified with the DOC that it adhered to the International Safe Harbor Privacy Principles, because the European Union does not regard the United States as a country that meets its own strict data privacy guidelines.

Those principles required a high degree of transparency about the purpose behind data collection and how data would be used, an opportunity to control how the information was stored and transmitted (through opt-in and opt-out policies), the right to access the personal information that was gathered and the right to modify or remove inaccurate information. The frameworks also required an enforcement mechanism with accompanying sanctions for noncompliance.

Later revisions to the frameworks required companies using the safe harbor process to self-certify compliance with the data privacy directives to publicly disclose their privacy policies and include a link on their websites to the DOC's list of currently certified members of the safe harbor, making it easier to verify whether a company's certification is current.

Recognizing that arbitration and mediation are effective means of resolving disputes between consumers and companies, the frameworks required companies to create a readily available and affordable mechanism for dealing with individual complaints, including a system of alternative dispute resolution (ADR) administered by an independent third party, and required the DOC to systematically review the transparency, accessibility, and procedures of the ADR providers, including how they follow up on complaints by consumers.

In 2016, the European Parliament approved and adopted the General Data Protection Regulation (GDPR). Unlike the previous directives, this regulation did not require legislation to be passed by any EU member government. It took effect on May 25, 2018, after a two-year transition period.

The GDPR applies to organizations within the European Union and also those outside of the European Union if they offer goods or services to, or monitor the behavior of, EU data subjects. No matter where a company is located, if it processes and holds personal data of persons residing within the European Union, that company must comply with the GDPR.

According to the headline on the homepage of, "The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years. The regulation will fundamentally reshape the way in which data is handled across every sector, from healthcare to banking and beyond."

Around the same time as the adoption of the GDPR, the US government and the European Commission developed the EU-US Privacy Shield, which was closely modeled on the safe harbor frameworks. Its final version was published and ratified in July 2016.

Under this framework, companies must have an official process for handling complaints, including requirements for effective enforcement, such as follow-up procedures for verifying that their stated privacy practices and policies are true, obligations to remedy problems arising out of compliance failures, and recourse for the individual for breaches of the policies.

US businesses that wish to use the privacy shield frameworks administered by the DOC must self-certify to the DOC and publicly commit to comply with the respective frameworks' requirements.

While joining either of these DOC-administered programs is voluntary, once an eligible organization makes the public commitment to comply, the commitment will become enforceable under US law. Any organization interested in joining one or both of the DOC-administered programs should review those requirements thoroughly. The DOC's Privacy Shield website provides useful information regarding the benefits and requirements of these programs.

There are a variety of companies that serve as Privacy Shield ADR providers, including the EU Data Protection Panel, the Better Business Bureau, TRUSTe, and traditional ADR providers such as the American Arbitration Association (AAA) and JAMS.

Processes and charges for this service vary, with some companies requiring an annual fee on a sliding-scale basis depending on annual sales and others charging a fee per case. Some ADR providers assess those costs against the companies rather than the individuals bringing privacy complaints.

European privacy regulation has represented the leading edge in improved security for consumer data. Regulation regarding the privacy of consumer data worldwide will continue to expand as a growing number of countries consider how consumer data is both collected and used by companies.

Companies would be well advised to ensure that their data use and control policies not only comply with minimum regulated standards, but exceed them to meet the expectations of their customers and to avoid the potential legal and business consequences of improperly handling consumer data.

Protecting the privacy of personal data is a serious concern for all companies, but those who are doing business on a global scale from within the United States must be particularly mindful of the GDPR and the Privacy Shield.

About the Author

Kimberly Taylor is the senior vice president and chief legal and operating officer at JAMS. She oversees JAMS operations in the United States and abroad. Working directly with the president and CEO, and leading a team that spans more than 25 Resolution Centers across North America, Taylor is responsible for the company's day-to-day operating activities. She also provides operational and strategic leadership for JAMS International, headquartered in London.