The European Commission has published a draft adequacy decision endorsing the new EU-US Data Privacy Framework, widely referred to as Privacy Shield 2.0, which would permit the transfer of personal data from the EU to the US and could come into effect by summer 2023. The framework is intended to reduce the burden of transferring personal data from the EU to the US, and was negotiated after the Court of Justice of the EU invalidated the previous EU-US Privacy Shield in its Schrems II ruling. Although the timeframe is ambitious, experts have warned that businesses must not let it distract them from the existing requirement to remediate data transfer contracts that still rely on legacy standard contractual clauses (SCCs) by 27 December 2022.
Under the EU GDPR and its UK equivalent, strict conditions are imposed on international transfers of personal data outside the European Economic Area (EEA), or outside the UK in the case of the UK GDPR. These conditions are designed to ensure that personal data protected by the GDPR continues to benefit from an equivalent standard of protection in the jurisdiction to which it is exported. The GDPR provides several mechanisms that businesses can rely on to ensure EU, or UK, data protection standards continue to apply to exported personal data. Adequacy decisions are one such mechanism.
The European Commission can issue adequacy decisions, which declare that a jurisdiction outside the EEA provides an adequate level of protection for personal data. Organizations can transfer data to those countries without applying additional safeguards such as SCCs, another of the legal tools the GDPR provides to facilitate international data transfers. Currently, there is no adequacy decision in place for EU-US data transfers.
The Schrems II ruling had a wider impact than the EU-US Privacy Shield alone. It emphasised the robust due diligence businesses must undertake before transferring personal data anywhere outside the EEA, not just to the US. In 2021, in response to the ruling, the Commission adopted updated SCCs and set a deadline of 27 December 2022 for organizations to replace legacy contracts that still rely on the pre-GDPR SCCs the Commission published in 2001, 2004 and 2010.
The new Privacy Shield 2.0 framework is a positive step towards reducing the burden of transferring personal data from the EU to the US. The Commission's draft adequacy decision is a promising sign, but significant hurdles remain before the framework can be finalised, and they could delay the process. EU and US officials have been working on a replacement for the Privacy Shield since the Schrems II ruling.
A framework agreement was reached in principle in March 2022, and in October 2022 US President Joe Biden signed an executive order giving effect to the commitments made on the US side. These commitments include limiting US authorities' access to data exported from the EU to what is necessary and proportionate under surveillance legislation, providing individuals with rights of redress relating to how their data is handled under the framework regardless of their nationality, and establishing a Data Protection Review Court to decide complaints.
The timeframe for Privacy Shield 2.0 depends on action on both sides of the Atlantic. The European Commission is obliged to obtain an opinion on the draft adequacy decision from the European Data Protection Board (EDPB), the umbrella body for national data protection authorities across EU member states. The EDPB's opinion is non-binding but influential, and the body has previously set out where its 'red lines' lie in respect of Privacy Shield 2.0.
The draft adequacy decision will also be scrutinized by MEPs and by a committee of representatives from EU member states before a final adequacy decision is adopted.
If Privacy Shield 2.0 is finalized and becomes effective by summer 2023, it would bring relief to businesses that have struggled with the added complexity of EU-US data transfers since the Schrems II ruling. However, businesses should not treat Privacy Shield 2.0 as the complete answer to EU-US data transfers.
Privacy Shield 2.0 would cover only transfers to US organizations that certify under the framework. For every other transfer outside the EEA, and for any US transfer that continues to rely on SCCs, the exporter must still assess whether the destination jurisdiction offers a level of protection that meets the standard set by the EU GDPR or its UK equivalent, and apply supplementary measures where it does not.
Businesses must also remain vigilant and maintain strong data protection measures and policies, including internal controls and due diligence procedures, to ensure compliance with the GDPR and other data protection regulations.
In conclusion, the publication of the draft adequacy decision for Privacy Shield 2.0 is a positive step towards restoring the ease of EU-US data transfers, but significant hurdles remain before the framework can be finalized, and it will not be the sole answer to international data transfers.
Businesses should keep remediating legacy SCC contracts ahead of the 27 December 2022 deadline, continue to assess the jurisdictions to which they export personal data, and maintain the policies and controls needed for GDPR compliance. Doing so reduces the risk of legal challenges and data breaches, protecting both the business and its customers' privacy.