File an EU-U.S. Privacy Shield or Safe Harbor Claim

If (1) your personal data was collected in a European Union (EU) / European Economic Area (EEA) member country and/or Switzerland, and (2) you believe you have a claim concerning the collection, use, and retention of your personal data by a company in the United States that has chosen JAMS to be its Alternative Dispute Resolution (ADR) provider for disputes under the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce, then you may contact JAMS to begin the process of opening a Safe Harbor case.

Your case must address an alleged breach of one or more of the Safe Harbor Privacy Principles (available in full on the U.S. Department of Commerce’s Safe Harbor website).

EU-U.S. Privacy Shield Principles

The Privacy Shield Principles include seven Privacy Principles, agreed to by the U.S. Department of Commerce and the European Commission, regarding the processing of personal data of EU citizens and residents under the EU-U.S. Privacy Shield Framework. These principles are contained in the document titled “ANNEXES to the Commission Implementing Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield”.

Seven Promises to Protect Individual Privacy

To process personal data received from European Union and EEA countries, participating organizations in the United States must first self-certify that they comply with the seven Privacy Shield Principles:

  • Notice - Individuals must be informed that their data is being collected and about how it will be used.
  • Choice - Individuals must have the option to opt out of the collection and onward transfer of the data to third parties.
  • Onward Transfer - Transfers of data to third parties may only occur to other entities that follow adequate data protection principles.
  • Security - Reasonable efforts must be made to prevent the loss or unauthorized access, disclosure, alteration or destruction of collected information.
  • Data Integrity - Data must be relevant and reliable for the purpose(s) for which it was collected.
  • Access - Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
  • Enforcement - There must be effective means of assuring compliance with the Safe Harbor Privacy Principles, including recourse for the individuals affected by non-compliance.

These seven principles, as well as the Supplemental Principles, are detailed by the U.S. Department of Commerce.

Individual Recourse
Organisations may subscribe to “readily available and affordable independent recourse mechanisms” (conciliation and/or arbitration services offered at no cost to the individual) to resolve complaints from EU individuals that the parties were unable to resolve on their own.

Privacy Shield organizations and their independent dispute resolution body must respond promptly to inquiries and requests by the Department of Commerce, which is obligated to pass along complaints referred by EU DPAs. EU residents have the option of filing complaints directly with their local DPA, which will work with the Department of Commerce and the Federal Trade Commission (FTC) to investigate and resolve complaints.

As a last resort, for complaints left unresolved by all other available mechanisms, individuals may invoke binding arbitration before a newly constituted Privacy Shield Panel, consisting of a pool of 20 arbitrators designated by the Department of Commerce and the European Commission, from which the parties will be able to select either one or three arbitrators.

Consequences for Non-Compliance
In addition to enforcement by the FTC or Department of Transportation for its own privacy violations, an organisation also remains liable for its agents’ or service providers’ failure to comply with the Principles unless the organisation can show it was not responsible for the event giving rise to the violation.

Compliance Verification
Organizations must verify their compliance with Privacy Shield, either through a documented internal self-assessment process or by engaging a third-party verifier. Organisations must keep records of the implementation of their Privacy Shield privacy practices and make them available to enforcement agencies in the course of an investigation.

So long as an organisation retains Privacy Shield data, it must affirm its compliance to the Department of Commerce on an annual basis, even if it withdraws from the framework. Alternatively, the organization must either return or delete the information, or affirm that it will provide adequate protection for the Privacy Shield data by another authorized means such as the EU standard contractual clauses.

Before submitting a claim, please ensure your case meets all of the requirements explained below. If JAMS determines you do not meet these requirements, your case will not be accepted.


1. You must be eligible to file.
   a. You are the subject of personal data collected in the European Union / European Economic Area, and/or Switzerland; or
   b. You are the parent or legal guardian of that data subject in the case of personal data collected from a child under the age of 13.
   Please note, if JAMS cannot verify your identity, JAMS may choose not to open a case.
2. To be accepted, your complaint must:
   a. Be filed by an eligible Complainant (either the subject of the alleged data protection breach, or the parent/legal guardian of a child under the age of 13 who is the subject of the alleged data protection breach).
   b. Be made against an entity in the United States that (1) has self-certified its compliance with the U.S.-EU Safe Harbor Framework and/or U.S.-Swiss Safe Harbor Framework to the U.S. Department of Commerce, and (2) has designated JAMS as its ADR provider for disputes under the Safe Harbor Framework(s).
   c. Allege that the Respondent failed to comply with the Safe Harbor Privacy Principles in relation to the Complainant's covered personal data.
   d. Include credible documentation to support the Complainant’s allegations.
   e. Provide evidence that you have completed a good faith effort to resolve the Complaint in accordance with the Safe Harbor Framework(s).
   f. Not have been previously resolved by negotiation, court action, arbitration, or any other form of dispute settlement; and
   g. Unless agreed by both Parties to the case, not be the subject of current litigation or any other adjudicatory process (including claims submitted for resolution through binding arbitration).
3. Information submitted with your claim:
   Information submitted by a Complainant must be sufficiently complete to permit both JAMS and the Respondent to evaluate and understand the Complaint adequately, and to enable the Respondent to respond to the Complaint.

JAMS has sole authority to determine whether the information submitted is sufficiently complete to open a case.

As with all Safe Harbor cases, the Claimant does not have to pay to bring an ADR case. All ADR costs will be paid by the Respondent organisation. Standard JAMS rates apply to all Safe Harbor cases. Rates vary by location and neutral agreed upon by the Claimant and the Respondent. (Please note this fee arrangement is unique to Safe Harbor cases.)

All Safe Harbor cases that are accepted will be conducted using the JAMS International Mediation Rules, unless other rules have been specified in the privacy policy of the company in this case.

If your complaint meets all of the requirements and you are ready to open a request to submit a claim, please click here.
