
The White House and EU Commission announced the impending arrival of Privacy Shield 2.0 on 25 March 2022. Find out what that means, and whether it’s here to stay:
In July 2020, the Court of Justice of the European Union (CJEU) invalidated the long-negotiated Privacy Shield, the mechanism that facilitated the legal transfer of personal data between the EU and the US. The Court deemed Privacy Shield invalid because it didn’t meet the EU’s privacy standards for appropriate protection of individuals from US surveillance, nor did it provide adequate legal means for Europeans to challenge it.
In giving its judgement (known as Schrems II), the CJEU ruled that the Standard Contractual Clauses (SCCs) relied on by other third countries were a valid mechanism for the transfer. However, it also noted that controllers relying on SCCs for their data transfers outside the EEA are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, whether the law of the third country ensures a level of protection for the personal data transferred that is essentially equivalent to that guaranteed in the EEA.
As a result, the European Commission published the new Draft Standard Contractual Clauses in November 2020, alongside the guidance on supplementary measures for non-EU transfers. The new SCCs build upon the changes made in the draft SCCs and are a more permanent mechanism to facilitate data flow from the EU to third countries.
See more about the new SCCs and GDPR-compliant third-party data transfers.
As you can imagine, this resulted in significant legal uncertainty for businesses undertaking EU-US data transfers.
On March 25, 2022, the US and EU announced that they had agreed in principle to a new Trans-Atlantic Data Privacy Framework, referred to as Privacy Shield 2.0. The new agreement comes after almost two years of negotiations between the EU and the US.
In the announcement, the White House stated that the US has committed to implementing additional safeguards to ensure intelligence activities are necessary and proportionate and creating a new two-level independent mechanism for EU individuals to seek redress. The White House describes the reforms on the US side as ‘unprecedented’.
The EU’s announcement of the deal in principle highlighted the benefits of the deal, namely:
The in-principle agreement will next need to be ‘translated’ into legal documents. This is a process that will likely take several months.
The legal text will likely be brought into effect as an executive decision by the European Commission. As a result, it will need to be reviewed by the European Data Protection Board (EDPB). The EDPB will provide an adequacy decision based on the legal text presented. This, too, will take several months.
Privacy experts and advocates are signalling issues even before the publication of the legal text.
noyb, for instance, has indicated that it feels the US cannot pass the test by the CJEU without changing its surveillance laws. Meanwhile, Margrethe Vestager (the European Commission’s Executive Vice-President for A Europe Fit for the Digital Age and Competition) has foreshadowed that increased segregation and federalisation of data within the EU is likely if the US doesn’t change its surveillance laws.
In any event, the Privacy Shield 2.0 cannot be relied upon for EU-US data transfers until the agreement is formally passed. Assuming it passes, organisations will then be permitted to rely on the transfer mechanism. However, it appears that the uncertainty will not be over at this point.
Lawyer and privacy advocate Max Schrems (the lead litigant behind the Schrems II decision) has signalled that he will again move against the EU-US Privacy Shield 2.0 if it does not offer adequate protection to EU individuals, as required by EU law.
“The final text will need more time, once this arrives we will analyse it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.”
“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.” – Max Schrems