Robust Dispute Resolution: A Quiet Enforcer for Privacy Compliance

Jun 18, 2024 by Divya Sridhar, Ph.D., Vice President, Global Privacy Division and Privacy Initiatives Operations, BBB National Programs

ICYMI, the EU General Data Protection Regulation (GDPR) just celebrated its 6th anniversary, as of May 2024. And, on the heels of this anniversary, a new development that was mentioned by EU regulators at the IAPP Global Summit has now come to fruition: a procedural rule change to update the GDPR has been agreed upon by the European Parliament and will go live in the coming months.

The objectives of the rule change are to provide EU citizens with greater legal certainty regarding enforcement of GDPR, improve the dispute resolution process, and streamline the handling of cross-border cases. 

With this change now implemented, it is timely to compare EU privacy compliance with that of the U.S. One key point of contrast: while the EU has not traditionally leaned on a “coregulatory” model hinging on the presence of an independent accountability agent in helping to enforce rules and energize compliance, the U.S. has a longstanding history of streamlined, strong dispute resolution practices working with safe harbors, coregulation, and self-regulation models. 

 

The Merits of Dispute Resolution

For nearly 40 years, BBB National Programs has demonstrated success in neutral, impartial mediation and arbitration. The dispute resolution process typically takes the following steps:

  • A Case is Filed: Based on program rules and eligibility requirements, via a secure online portal, a business or consumer files a complaint.
  • Mediation as a First Step: As the first step in an arbitration process, mediation is a facilitated communication in which the parties, without a solution being imposed on them, are able to understand and reach a mutually agreeable resolution.
  • Arbitration Services: In arbitration, a trained arbitrator hears the dispute and makes a binding decision. Customized arbitration programs are developed to set parameters around eligibility, available remedies, and regulatory requirements.

 

The dispute resolution process is customized based on the individual data privacy program and surrounding requirements.

For example, BBB National Programs is the longest-running independent recourse mechanism for the EU-U.S. Data Privacy Framework (DPF), managing consumer complaints for program participants. The dispute resolution process for the Data Privacy Framework Services program differs slightly from how BBB AUTO LINE, one of the largest and longest-running dispute resolution programs, manages manufacturer vehicle warranty and lemon law complaints.  

The co-regulatory model that the DPF Services program uses allows BBB National Programs to work hand-in-hand with U.S. regulators throughout the dispute resolution process. This is a relationship that can also be seen in BBB National Programs’ Cross Border Privacy Rules (CBPR) program as well as the Children’s Advertising Review Unit (CARU) COPPA Safe Harbor program, the first such program under COPPA approved by the Federal Trade Commission in the United States. 

No matter the model, one of the things that sets BBB National Programs’ dispute resolution process apart is a robust conciliation process in mediation. In conciliation, the complainant is given a second chance to resolve the issue before being sent to arbitration, which could result in a binding decision. This allows impartial administration of complaints between both parties to reach an appropriate solution for all involved.

 

Prioritizing Quality, Streamlined Dispute Resolution

As the world undergoes a procedural rule update to GDPR, which has long been a marker and the guiding light on privacy, the broader context here demonstrates a need for further alignment across privacy regimes. To achieve such alignment, understanding the distinctions between regimes is a key first step.

The presence of robust dispute resolution continues to grow in importance year over year, around the world but also in the U.S. That is because the U.S. state patchwork of privacy laws continues to grow and federal privacy legislation continues to be heavily debated. Allowing for soft law enforcement and dispute resolution helps shoulder some of the additional burdens on state and federal regulators who are scrutinizing compliance with newly enacted laws in the data privacy space. 
