Frankfurt-based Ruth Maria Bousonville of Pinsent Masons said the prospect of Privacy Shield 2.0 being put in place could cause businesses to rethink any plans they may have had to move away from US-based technology providers in favour of EU-based alternatives. She said, however, that Privacy Shield 2.0 will not be in force before a looming compliance deadline, and that businesses should not be distracted from that deadline.
She said: "There is a pending deadline of 27 December 2022 for replacing legacy SCCs in the EU. Exporters should not hesitate to get their paperwork done by then."
In finding the original Privacy Shield framework invalid, the CJEU determined that the protections provided for in the framework, which included an independent ombudsman mechanism for the handling of complaints relating to the accessing of EU citizens' personal data by US authorities, are not sufficient to address "the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to the United States".
The executive order that will form the basis of the Privacy Shield 2.0 framework contains measures aimed at addressing the issues that the CJEU identified.
“There seem to have been measures adopted to ensure surveillance is limited to that which is necessary and proportionate – a key criticism of the existing Foreign Intelligence Surveillance Act in the US,” said Kirsop.
“Provisions are also adopted to give individuals rights of redress, regardless of nationality. A problem found with the previous Privacy Shield was shortcomings in enforceability of remedies by non-US nationals,” he said.
“The new framework also introduces more comprehensive and binding oversight methods than the previous ombudsman regime. This includes the establishment of a Data Protection Review Court,” Kirsop said.
For Privacy Shield 2.0 to take effect, the European Commission must first issue a so-called adequacy decision that recognises the new framework as providing essentially equivalent data protection standards for data transfers in scope of the new framework as for personal data processed under EU data protection law.
The Commission said it would prepare a draft adequacy decision and obtain an opinion on it from the European Data Protection Board (EDPB), an umbrella body for national data protection authorities from across EU member states. The EDPB’s opinion is non-binding but influential. The draft adequacy decision will also be scrutinised by MEPs and a committee made up of representatives from EU member states. Only once the adequacy decision has been finalised and adopted by the Commission will the new data transfers framework take effect.
The Commission has said it does not believe the CJEU would “strike down” the proposed new Privacy Shield 2.0. It said it believes the safeguards included in Biden’s executive order “provide a durable and reliable legal basis for transatlantic data flows”. However, prominent privacy campaigners noyb.eu have outlined why they think the executive order is “unlikely to satisfy EU law”. noyb.eu is chaired by Max Schrems, who led the legal challenge that invalidated the original Privacy Shield as well as its predecessor – the EU-US Safe Harbor scheme.