a.    The Recourse, Enforcement and Liability Principle sets out the requirements for Privacy Shield enforcement.  How to meet the requirements of point (a)(ii) of the Principle is set out in the Supplemental Principle on Verification.  This Supplemental Principle addresses points (a)(i) and (a)(iii), both of which require independent recourse mechanisms.  These mechanisms may take different forms, but they must meet the Recourse, Enforcement and Liability Principle’s requirements.  Organizations satisfy the requirements through the following: (i) compliance with private sector developed privacy programs that incorporate the Privacy Shield Principles into their rules and that include effective enforcement mechanisms of the type described in the Recourse, Enforcement and Liability Principle; (ii) compliance with legal or regulatory supervisory authorities that provide for handling of individual complaints and dispute resolution; or (iii) commitment to cooperate with data protection authorities located in the European Union or their authorized representatives.  

b.    This list is intended to be illustrative and not limiting.  The private sector may design additional mechanisms to provide enforcement, so long as they meet the requirements of the Recourse, Enforcement and Liability Principle and the Supplemental Principles.  Please note that the Recourse, Enforcement and Liability Principle’s requirements are additional to the requirement that self-regulatory efforts must be enforceable under Section 5 of the Federal Trade Commission Act, which prohibits unfair and deceptive acts, or another law or regulation prohibiting such acts.

c.    In order to help ensure compliance with their Privacy Shield commitments and to support the administration of the program, organizations, as well as their independent recourse mechanisms, must provide information relating to the Privacy Shield when requested by the Department.  In addition, organizations must respond expeditiously to complaints regarding their compliance with the Principles referred through the Department by DPAs.  The response should address whether the complaint has merit and, if so, how the organization will rectify the problem.  The Department will protect the confidentiality of information it receives in accordance with U.S. law.


*****


11. Dispute Resolution and Enforcement (a) - (c)
11. Dispute Resolution and Enforcement (d) - (e)
11. Dispute Resolution and Enforcement (f) - (g)