Out-Law News 1 min. read

Privacy Shield 2.0: MEPs advise against adoption


An influential committee of MEPs is proposing to recommend against the adoption of ‘Privacy Shield 2.0’, a proposed new framework to help businesses transfer personal data from the EU to the US in line with the requirements of EU data protection law.

In December last year, the European Commission published a draft ‘adequacy’ decision endorsing the framework – formally known as the EU-U.S. Data Privacy Framework. That action came after EU and US officials had, earlier in 2022, agreed a deal in principle and US president Joe Biden then signed an executive order giving effect to the commitments made on the US side.

The European Commission is empowered under the EU GDPR to issue adequacy decisions, which effectively declare that a jurisdiction outside of the European Economic Area (EEA) provides an adequate level of protection for personal data.

An adequacy decision is an important determination because the GDPR restricts data transfers outside of the EEA unless the data continues to benefit from an equivalent standard of protection in the jurisdictions to which the data is exported. Where a jurisdiction benefits from an adequacy decision, organisations can transfer data to these places without the need for additional safeguards to be applied.

However, as well as considering the non-binding opinion of the European Data Protection Board (EDPB) and accepting the binding decision of a committee made up of representatives from EU member states, the European Commission must consider the views of the European Parliament on matters of adequacy.

In a recent draft motion for resolution before the Parliament, the Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) proposed to call on the Commission “not to adopt the adequacy finding”.

286788_Sentalis Assets_Pull out image 700x420px

Pinsent Masons can help you manage your Schrems II business needs.

The LIBE Committee has provisionally said that Privacy Shield 2.0 “fails to create actual equivalence in the level of protection” and plans to call on the Commission to “continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter [of Fundamental Rights of the European Union] as interpreted by the CJEU”.

In 2020, the Court of Justice of the EU (CJEU), in the so-called ‘Schrems II’ ruling, invalidated the Commission’s adequacy decision in respect of the original EU-US Privacy Shield after it identified issues associated with the scope US public authorities had to access and use the data transferred to the US from the EU under the framework.

The Schrems II ruling has had major implications for data transfers outside of the EU in general, not just to the US. Privacy Shield 2.0 is, however, a solution EU and US negotiators have subsequently explored for easing compliance burdens in respect of EU-US data transfers.

Data protection law expert Andre Walter of Pinsent Masons previously said there were significant hurdles to be overcome with regard to Privacy Shield 2.0 before the framework could be finalised. He has advised businesses to continue to conduct data transfer impact assessments before transferring personal data outside of the EEA, in line with their post-Schrems II legal obligations.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.