Privacy Shield 2.0: one step closer to implementation

Trans-Atlantic Data Privacy Framework: agreement in principle reached 

The US and EU have reached an agreement in principle on a new Trans-Atlantic Data Privacy Framework. The Framework will facilitate trans-Atlantic data flows and addresses the concerns raised by the European Court of Justice in the Schrems II decision.

Background

Until the successful Schrems II challenge, using the Privacy Shield enabled personal data to be transferred seamlessly from the EU to the US. In July 2020, the European Court of Justice ruled the Privacy Shield invalid. Since then, data transfers to the US have become more onerous, with checks and assessments required for each data transfer. Data transfers from the EU to the US have required the use of alternative safeguards, such as Standard Contract Clauses (SCCs), and, where necessary, “appropriate supplementary measures”. In practice, the Schrems II decision restricted the volume of data transfers to the US from the EU.

A way forward? A return to Pre-Schrems II?

At the end of March 2022, the European Commission and US announced that they have reached an agreement in principle on a new Trans-Atlantic Data Privacy Framework (TADPF), also known as Privacy Shield 2.0. Under the Framework, the US agrees to put new privacy safeguards in place. 

Although it is hoped that data transfer processes will be streamlined in light of this agreement, it is not a complete return to a pre-Schrems II model. Privacy Shield 2.0 will act in a similar fashion and “will foster trans-Atlantic data flows” by “reestablish[ing] an important legal mechanism for transfers of EU personal data to the United States.”

As noted in a White House press release, the new TADPF is intended to introduce greater protection for data from surveillance and a new method for individuals seeking redress following data protection breaches.

Legal challenge ahead?

In response to news, the privacy campaigners None Of Your Business (NOYB), the organisation of which lawyer and privacy activist Max Schrems (who brought the Schrems I and Schrems II legal challenges) is Honorary President, issued an open letter to the EU and US. According to the letter, predictably NOYB considers that the new framework overly resembles the voided Privacy Shield and so is unlikely to withstand legal challenge.

In particular, the letter expresses concerns around the legislative instruments used to update privacy laws in the US, stating that, “we understand that the envisioned deal will largely rely on US Executive Orders. Having worked on this matter with US surveillance experts and lawyers, such Executive Orders seem to be structurally insufficient to meet the requirements of the CJEU”.

Data transfers from EU to US: What now?

For the time being, this is simply an agreement in principle between the US and EU. It “does not constitute a legal framework on which data exporters can base their data transfers to the United States” according the European Data Protection Board (EDPB). Therefore, as it stands, data transfers from the EU to the US still require the use of SCCs and, where necessary, supplementary measures.

The agreement represents the two parties setting out the boundaries for a new framework. The European Commission and US Government must now work to translate the agreement into law.

It is unlikely that Privacy Shield 2.0 will be in place soon, and the EDPB has warned that once the Framework is in place, it will scrutinise the reforms to determine whether they are compatible with CJEU case law and the GDPR.

It is likely that before the European Commission prepares a draft ‘adequacy decision’, it will consult the EDPB on whether the agreement meets data protection requirements.  An EDPB opinion is not binding, but the Commission would be unlikely to ignore the EDPB’s concerns before asking the Member States to approve new arrangements.

As it stands, Schrems II still persists and the old Privacy Shield remains an invalid method of administering data transfers to the US.

Impact on UK-US transfers

It is understood that the TADPF will not apply to transfers from the UK. The UK government has focused on reaching an adequacy agreement with the US, and this may possibly be finalised before the TADPF is put in place. This could prove problematic if the European Commission does not recognise the US as providing adequate protection for EU data, as any UK-US agreement, in the absence of a US adequacy finding by the European Commission, could jeopardise the continuation of the EU-UK adequacy agreement.  For the time being, UK businesses transferring EU and UK data subjects’ data to the US should continue to use the new international data transfer agreement or the addendum to the EC standard contractual clauses, as applicable.

Please contact our data privacy team if you need any assistance in making overseas transfers of personal data and implementing the safeguards that need to be put in place.