'Privacy Shield 2.0' nearer for EU-US data transfers after Biden order

Data protection law expert Jonathan Kirsop of Pinsent Masons said initial details published about the new framework, dubbed ‘Privacy Shield 2.0’, suggest that “genuine attempts” have been made to address shortcomings found with the original EU-US Privacy Shield by the EU’s highest court.

In an effort to reduce the compliance burden for businesses in the specific context of EU-US data transfers, EU and US officials have been working on replacing the Privacy Shield with a new data transfers framework. In March, the European Commission and White House jointly announced that a new transatlantic data privacy framework had been agreed in principle. Details of the framework have subsequently been fleshed out, culminating in US president Joe Biden signing an executive order on Friday last week. The European Commission has said that the executive order and accompanying regulations “implement the commitments” agreed back in March.

Kirsop said that the initial details announced about Privacy Shield 2.0 suggest that the framework has a chance of standing up to the scrutiny of the CJEU.

“There is still some way to go – the European Commission will need to issue an adequacy decision which will then be scrutinised and reviewed by the European institutions before ratification,” Kirsop said. “This could take approximately six months. Nevertheless, there does seem to be a genuine attempt to address the shortcomings highlighted in the Schrems II case and some positive indications that this may successfully do so.”

Adequacy decisions recognise that other jurisdictions to which personal data may be transferred meet data protection standards essentially equivalent to those that apply in the jurisdiction from which the data is being exported. The European Commission has issued a number of adequacy decisions that facilitate the free flow of personal data from the EU to other countries and territories. This includes the UK.

Where personal data is transferred to a jurisdiction that benefits from an adequacy decision, additional contractual protections such as standard contractual clauses (SCCs) are not required, and organisations need not carry out their own assessment of the jurisdiction’s laws and whether supplementary measures are required. This reduces the burdens organisations can otherwise face when seeking to send data overseas – as is common in the context of global business.

Frankfurt-based Ruth Maria Bousonville of Pinsent Masons said the prospect of Privacy Shield 2.0 being put in place could cause businesses to rethink any plans they may have had to move away from US-based technology providers in favour of EU-based alternatives. She said, however, that Privacy Shield 2.0 will not be in force before a looming compliance deadline that businesses should not be distracted away from.

She said: "There is a pending deadline of 27 December 2022 for replacing legacy SCCs in the EU. Exporters should not hesitate to get their paperwork done by then."

In finding the original Privacy Shield framework invalid, the CJEU determined that the protections provided for in the framework, which included an independent ombudsman mechanism for the handling of complaints relating to the accessing of EU citizens' personal data by US authorities, are not sufficient to address "the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States". 

The executive order that will form the basis of the Privacy Shield 2.0 framework contains measures aimed at addressing the issues that the CJEU identified.

“There seems to have been measures adopted to ensure surveillance is limited to that which is necessary and proportionate – a key criticism of the existing Foreign Intelligence Surveillance Act in the US,” said Kirsop.

“Provisions are also adopted to give individuals’ rights of redress, regardless of nationality. A problem found with the previous Privacy Shield was shortcomings in enforceability of remedies by non-US nationals,” he said.

“The new framework also introduces more comprehensive and binding oversight methods than the previous ombudsman regime. This includes the establishment of a Data Protection Review Court,” Kirsop said.

For Privacy Shield 2.0 to take effect, the European Commission must first issue a so-called adequacy decision that recognises the new framework as providing essentially equivalent data protection standards for data transfers in scope of the new framework as for personal data processed under EU data protection law.

The Commission said it would prepare a draft adequacy decision and obtain an opinion on it from the European Data Protection Board (EDPB), an umbrella body for national data protection authorities from across EU member states. The EDPB’s opinion is non-binding but influential. The draft adequacy decision will also be scrutinised by MEPs and a committee made up of representatives from EU member states. Only once the adequacy decision has been finalised and adopted by the Commission will the new data transfers framework take effect.

The Commission has said it does not believe the CJEU would “strike down” the proposed new Privacy Shield 2.0. It said it believes the safeguards included in Biden’s executive order “provide a durable and reliable legal basis for transatlantic data flows”. However, prominent privacy campaigners noyb.eu have outlined why they think the executive order is “unlikely to satisfy EU law”. Chair of noyb.eu is Max Schrems who led the legal challenge that invalidated the original Privacy Shield as well as its predecessor – the EU-US Safe Harbor scheme.

In a separate announcement, the UK and US governments said they had made “significant progress” towards finalising a new UK-US data adequacy agreement – which has been identified as a post-Brexit priority by the UK government. They are aiming to conclude the adequacy work “in the weeks ahead” and the UK government is intending to lay regulations providing for the new framework before parliament in “early 2023”. The UK’s data protection authority, the Information Commissioner’s Office (ICO), is to be consulted for an opinion on the proposed framework before then.

Data protection law expert Rosie Nance of Pinsent Masons said businesses would welcome the latest developments but warned that existing compliance burdens in relation to international data transfers from either the UK or EU remain applicable.

Nance said: “The Schrems II decision and the EDPB recommendations confirm that a data transfer impact assessment is required when using standard contractual clauses and other appropriate safeguards to transfer data to ‘third’ countries outside of the European Economic Area. A data transfer impact assessment is currently, and would still, be required for transfers to other third countries, like India and China.” 

“The new Privacy Shield decision would remove the requirement for using standard contractual clauses and carrying out a data transfer impact assessment for transfers to organisations under the new framework. It is likely the new Privacy Shield will not be available for all transfers for the US, so standard contractual clauses and a data transfer impact assessment will still be required in those circumstances. However, the Commission has said that all the safeguards it has agreed with the US government in the area of national security will be available for all transfers to the US, which will likely streamline the process of carrying out data transfer impact assessments for transfers to the US,” she said.

“Existing restrictions around transfers to the US continue to apply while the decision is being ratified,” she said.

“If the UK’s US adequacy decision is broader in scope than the Commission’s new Privacy Shield, that could affect the UK’s chances of maintaining its adequacy status with the EU when the decision is reviewed in 2025 – or even prompt an earlier challenge to the UK’s EU adequacy status,” Nance said.

The UK government is in the process of reforming data protection law in a move that is likely to mean divergence from the requirements of EU data protection law. Last week, new digital, culture, media and sport secretary Michelle Donelan said the government would deliver a simplified “business and consumer-friendly, British data protection system”.