How To Select An Independent Recourse Mechanism

September 27, 2016

Demystifying the Privacy Shield

The EU US Privacy Shield requires that companies select an independent recourse mechanism to assist EU citizens in reconciling any complaints about privacy. This article reviews just what an independent recourse mechanism is, and the key considerations around how to select the RIGHT one for your organization.

If you don’t know what an independent recourse mechanism is, then you should start by learning more about Privacy Shield here.


What is an Independent Recourse Mechanism?

Under the text of the Privacy Shield framework, U.S. organizations receiving personal data from the EU must commit to providing:

This is where an independent recourse mechanism comes into play. Independent recourse mechanisms are really just processes that are designed to enable compliance with the requirements listed above. They are administered by data protection authorities (DPAs), which are also sometimes referred to as recourse providers or independent recourse providers. It is necessary to select an independent recourse mechanism provider to comply with Privacy Shield.




The two types of independent recourse mechanism providers

There are two basic types of independent recourse providers:

  1. US based private recourse providers
  2. EU Data Protection Authorities (DPAs)

Companies seeking to comply with the Privacy Shield can select either, or both — so which should you choose? There are some VERY important legal ramifications to consider when choosing, as well as costs that are involved in either case. Additionally, in some cases, companies are actually obligated to utilize EU DPAs as their independent recourse mechanisms.


US based private recourse providers

You may select a US based recourse provider for anything that is NOT related to human resources data (HR data includes any personal data you collect as an employer about your employees or contractors). These recourse providers are US based businesses that have decided to provide their independent recourse mechanisms as paid services. It is important to note that there is NOT a certification or approval process for becoming a recourse provider — a company can simply declare themselves as such and begin providing the service.


It is also important to note that there are some differences in the ways that various recourse mechanisms provide their services. This variety exists because Privacy Shield has only loosely defined the activities that need to be performed, leaving a substantial amount of room for interpretation. This has led to some independent recourse mechanisms providing more services than are necessary and charging a substantial amount for those unnecessary services, preying upon the lack of understanding that is pervasive about this complicated piece of legislation. Be careful not to overpay for those unnecessary services.

Perhaps the most important consideration is that choosing a US based independent recourse mechanism means that you will be held to US legal standards in the event of legal action. Once you have selected your US based recourse provider, you must register with them and link to their complaint form from within your online privacy policy before you complete your self-certification.

EU Data Protection Authorities

There is a good reason to NOT choose the US based recourse providers, and it is that you MUST select the EU DPAs for human resources data being transferred to the US (remember, human resources data specifically deals with your company's own employees or contractors). If your company is processing both HR and non-HR data, however, you only have to use the EU DPAs for the HR data, meaning you can still select a US based independent recourse mechanism for your non-HR data.


Registration with the EU DPAs does not need to take place before you register for the Privacy Shield, because it is built into the self-certification form. While US based independent recourse mechanisms have all selected different pricing models, there is a flat $50 fee for selecting the EU DPAs (payable here). The important consideration here is that if you select an EU DPA, then you will be held to EU legal standards in the event of legal action.


I’ve selected a recourse mechanism, now what?

Now that you have (i) registered with an independent recourse mechanism, (ii) linked to their complaint form from within your privacy policy, and (iii) paid your relevant fees, you simply need to provide good customer service, and “expeditiously” resolve any complaints brought against you by EU citizens under Privacy Shield. “Expeditiously,” in this context, is defined as reaching a resolution in less than 45 days.

If your customer’s complaints are not resolved within 45 days, and the customer elects to complain via the link in your privacy policy, then the independent recourse mechanism should come into the picture to do the following:

  1. The independent recourse mechanism passes judgement as to whether the citizen’s complaint actually violates the Privacy Shield principles.
  2. If it is determined that there is a violation, and the company will not resolve the complaint (a VERY serious matter), then the independent recourse mechanism will inform the International Trade Administration, as well as the Federal Trade Commission or Department of Transportation (depending on who has jurisdiction), and an investigation will be started.



About the author

Whistic
