DataGrail recently interviewed Bryant Fry — IAPP Fellow of Information Privacy and Deputy Director — Privacy Shield at BBB National Programs to bring you insights from a leading legal professional in the field of data privacy.
DG: With growing privacy awareness from consumers, how might companies build trust with users regarding their privacy practices?
BF: We live in a time where customer data offers a growing source of competitive advantage. With this in mind, providing clear information about business actions and positions on data privacy as well as proactively updating consumers on privacy practices is paramount. Companies that are transparent about how they collect and process data and give customers some level of control of their personal data build trust and confidence in an organization.
To successfully provide transparency, organizations should first focus on their own website and privacy notices, which present a great initial view of the value they place on maintaining the privacy of their customers. Instead of lengthy, opaque privacy notices full of legalese, companies should use approachable, concise language to ensure that consumers can understand how their data is collected, processed, stored, and potentially shared with other parties.
In short, tell your customers who you are, why you need the information collected, and how it’s used. Also, it's important to communicate what protocols are in place to protect that information.
Another way that businesses can earn consumers’ trust is to sign up with third-party accountability mechanisms that provide independent verification, compliance monitoring, or dispute resolution services. Demonstrating that you will go beyond your own promises is a powerful gesture to earn consumer trust.
DG: What role does privacy self-regulation (and co-regulation) play in protecting consumers?
BF: Industry self-regulation provides businesses with a flexible framework to keep up with evolving technology, legislation, and social norms. One of its benefits is that it functions absent from a regulatory regime. But the core features of effective self-regulation are also vital to and complement any government-driven approach.
Any successful data privacy regime should have external means of accountability to substantiate claims, pre-screen operations against best practices, and/or respond to complaints. It should include clear and transparent means for consumers to be heard and feel vindicated when promises and expectations are not met. Further, it should include support for recognizable trust markers to aid in understanding a company’s privacy practices.
For consumers, the benefits of self-regulation include the obvious — a direct industry response to quickly stop practices, like misleading advertising or the unauthorized collection of personal data — and the less obvious, the promotion of a more trustworthy overall marketplace. Properly structured, self-regulation can provide independent verification and/or enforcement of business promises.
Trusted intermediaries, such as the BBB, can also provide consumers with a secure platform for addressing concerns, whether as the impetus for self-regulatory enforcement or through formal dispute resolution programs.
A co-regulatory accountability model combines both legislation and self-regulatory instruments in support of the regulation. This means that government and industry share responsibility for drafting and enforcing regulation. For instance, the Asia-Pacific region, through the Asia-Pacific Economic Cooperation (APEC), continues to build its privacy framework based, in part, on co-regulatory concepts.
Another example of a co-regulatory model is the Privacy Shield Framework. To bridge the gap between different approaches to privacy, the EU and the US established an agreement that enables American businesses to process EU personal data in the US as long as they meet certain requirements.
Privacy Shield operates as a self-certification mechanism, which means US businesses must take the initiative to sign up for their activities to be covered. This is achieved by making a formal, public self-certification with the US Commerce Department.
The certification states that they will follow certain privacy principles — called the Privacy Shield Principles — when handling personal information received from the EU. Some of the principles that companies follow relate to things like a company’s internal data handling practices, how they enter data sharing agreements with others, and mindfulness surrounding what personal data is collected and its use.
Other Principles require companies to extend to EU consumers some of the privacy rights that they enjoy in the EU, even when their personal information is being processed in the US. One example is the right to access the personal information that a US company holds about them. These commitments, once made, become enforceable by the Federal Trade Commission.
DG: It’s been a few years since the Department of Commerce and the European Commission announced the launch of Privacy Shield. Can you give us an assessment of how effective the Framework has been?
BF: The EU-US Privacy Shield was first launched in 2016, and then the companion Swiss-US Privacy Shield followed early in 2017. Both Frameworks saw steady growth from the outset — over 2000 companies self-certified in the first year of operation. Then in 2018, the General Data Protection Regulation (GDPR) began to substantially impact Privacy Shield awareness.
Because Privacy Shield is a preferred mechanism for transferring personal data from the EU to the US in compliance with GDPR, we saw a big spike in Privacy Shield growth, starting in May 2018, when GDPR took effect; so today enrollment has almost doubled from its initial year. As of July 2019, the Department of Commerce has approved almost 5,000 Privacy Shield self-certifications for US organizations, with more applications rolling in every day.
DG: Can you tell us more about what running an Independent Recourse Mechanism (IRM) program entails, and how it contributes to the protection of personal data?
BF: Having an independent dispute resolution mechanism is an essential part of creating an accountable data protection regime.
Privacy Shield requires self-certified US companies to have an IRM in place to handle unresolved privacy complaints from EU individuals. The BBB EU Privacy Shield program is one of a handful of recognized IRMs that handle consumer privacy complaints against Privacy Shield self-certified companies. We provide an accessible, responsive third-party service to address privacy inquiries, complaints, and data access requests.
My day-to-day involves a few major tasks. My team and I work with new businesses applying to the program to ensure that they understand the Privacy Shield rules and procedures and that their privacy policies are up to snuff. We also work with existing Participating Businesses to ensure that they stay compliant and meet their annual recertification. Also, we process complaints from data subjects in the EU as they seek to exercise their rights under Privacy Shield, and of course, we handle the full dispute resolution process when we receive a valid complaint.
The businesses that choose BBB are often customer service oriented, so they appreciate that conciliation is a key element of our dispute resolution process — giving the two parties a chance to work through a problem and come up with a mutually agreeable solution. In many cases, they can learn from a consumer’s experience and use the feedback to further improve their own compliance and user experience.
The program shows that transparency and consumer access/correction rights can be secured by providing businesses with guidance through the self-certification process and a fully-fledged dispute resolution mechanism.
DG: What kind of companies are ideal participants for BBB EU Privacy Shield? Can you give us more details about how the program supports US businesses?
BF: We currently have over 1,100 organizations in our program from numerous business sectors with a variety of business models.
Any US business receiving personal data from the EU or Switzerland is eligible for the program. Our participants range from very small businesses to multinationals. Some provide goods or services directly to EU or Swiss individuals, while others may store or process data on behalf of EU or Swiss entities.
In addition to our dispute resolution services, we offer various forms of compliance assistance. Our staff works with companies on their — a process that can be daunting for businesses to navigate on their own — especially if they have a small privacy staff. In this case, we help them update their privacy policies to ensure that they meet all Privacy Shield requirements.
Throughout the year, we also provide compliance monitoring as well as reminders and guidance for companies who are preparing for their annual re-certifications.
In response to demand for more general guidance on EU and US privacy law, we’ve developed a blog, a periodic newsletter, and other online resources covering Privacy Shield compliance issues and current privacy topics, such as the GDPR.