Privacy Shield 2.0 is Coming – But is the new EU-US data transfer mechanism here to stay?
The White House and EU Commission announced the impending arrival of Privacy Shield 2.0 on 25 March 2022. Find out what that means – and if it’s here to stay:
Background: Schrems II Invalidates the Original Privacy Shield
In July 2020, the Court of Justice of the European Union (CJEU) invalidated the long-negotiated Privacy Shield. This mechanism facilitated the legal transfer of personal data between the EU and the US. However, following this decision, Privacy Shield was deemed invalid because it didn’t meet the EU’s privacy standards for appropriate protection of individuals from US surveillance, nor did it provide adequate legal means for Europeans to challenge it.
EU-US Transfers Post Schrems II
In giving their judgement (known as Schrems II), the CJEU ruled that the Standard Contractual Clauses (SCCs) relied on by other third countries were a valid mechanism for the transfer. However, they also noted that controllers relying on SCCs for their data transfers outside the EEA are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, whether the law of the third country ensures a level of protection for the personal data transferred that is essentially equivalent to that guaranteed in the EEA.
As a result, the European Commission published the new Draft Standard Contractual Clauses in November 2020, alongside the guidance on supplementary measures for non-EU transfers. The new SCCs build upon the changes made in the draft SCCs and are a more permanent mechanism to facilitate data flow from the EU to third countries.
As you can imagine, this resulted in significant legal uncertainty for businesses undertaking EU-US data transfers.
The New EU-US Data Privacy Framework
On March 25, 2022, the US and EU announced that they had agreed in principle to a new Trans-Atlantic Data Privacy Framework, referred to as Privacy Shield 2.0. The new agreement comes after almost two years of negotiations between the EU and the US.
In the announcement, the White House stated that the US has committed to implementing additional safeguards to ensure intelligence activities are necessary and proportionate and creating a new two-level independent mechanism for EU individuals to seek redress. The White House describes the reforms on the US side as ‘unprecedented’.
The EU’s announcement of the deal in principle highlighted the benefits of the deal, namely:
- Adequate protection of Europeans’ data transferred to the US, addressing the ruling of the European Court of Justice (Schrems II);
- Safe and secure data flows;
- Durable and reliable legal basis;
- Competitive digital economy and economic cooperation; and
- Continued data flows underpinning €900 billion in cross-border commerce every year.
Next Steps for Privacy Shield 2.0
The in-principle agreement will next need to be ‘translated’ into legal documents. This is a process that will likely take several months.
The legal text will likely be brought into effect as an executive decision by the European Commission. As a result, it will need to be reviewed by the European Data Protection Board (EDPB). The EDPB will provide an adequacy decision based on the legal text presented. This, too, will take several months.
Privacy Shield 2.0: Issues with the new EU-US data transfer mechanism
Privacy experts and advocates are signalling issues even before the publication of the legal text.
noyb, for instance, has indicated that it feels the US cannot pass the test by the CJEU without changing its surveillance laws. Meanwhile, Margrethe Vestager (the European Commission’s Executive Vice-President for A Europe Fit for the Digital Age and Competition) has foreshadowed that increased segregation and federalisation of data within the EU is likely if the US doesn’t change its surveillance laws.
In any event, the Privacy Shield 2.0 cannot be relied upon for EU-US data transfers until the agreement is formally passed. Assuming it passes, organisations will then be permitted to rely on the transfer mechanism. However, it appears that the uncertainty will not be over at this point.
Lawyer and privacy advocate Max Schrems (the lead litigant behind the Schrems II decision) has signalled that he will again move against the EU-US Privacy Shield 2.0 if it does not offer adequate protection to EU individuals, as required by EU law.
“The final text will need more time, once this arrives we will analyse it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.”
“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.” – Max Schrems