
EU, US agree on Privacy Shield enhancements

Transatlantic data sharing deal confirmed but court challenges ahead, warn lawyers

The US and the EU have reached an agreement to enhance Privacy Shield following almost two years of work since the European Court of Justice struck down the data-sharing arrangement in 2020.

As part of a joint statement with US president Joe Biden, European Commission president Ursula von der Leyen said the two sides had "found an agreement in principle on a new framework for transatlantic data flows."

"This will enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties," she said. "I really want to thank Commissioner Reynders and Secretary Raimondo for their tireless efforts over the past months to find a balanced and effective solution. This is another step in strengthening our partnership. We manage to balance security and the right to privacy and data protection."

In a speech coinciding with his visit to Brussels this week, Biden said: "Privacy and security are key elements of my digital agenda. Today, we've agreed to unprecedented protections for data privacy and security for our citizens.

"This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and the United States and help companies both small and large compete in the digital economy. Just as we did when we resolved the Boeing-Airbus dispute and lifted the steel and aluminum tariffs, the United States and the EU are finding creative new approaches to knit our economies and our people closer together, grounded on shared values."

Biden said the framework "underscores our shared commitment to privacy, to data protection and to the rule of law. That's going to allow the European Commission to once again authorize transatlantic data flows that help facilitate $7.1 trillion dollars in economic relationships with the EU."

In the absence of a replacement for Privacy Shield, companies have been forced to fall back on standard contractual clauses, or SCCs, to cover international data sharing between the EU and the US. As well as being time-consuming to implement, SCCs may not be watertight.

In January, a ruling by the Austrian data protection authority found that SCCs are not sufficient to comply with EU law and that so-called technical and organisational measures (TOMs), such as datacenter security and baseline encryption, are also insufficient.

Scant details have been released concerning the new agreement and the devil is always in the detail. In February, reports suggested the agreement might involve offering EU citizens the right to submit complaints to an independent judicial body if they believe the US national security agencies have unlawfully handled their personal information. If adopted, it would give EU citizens more privacy rights in the US than Americans currently enjoy.

Experts warned that whatever the new agreement, it would have to withstand challenges in the courts. Guillaume Couneson, Data Protection Partner at global law firm Linklaters, said: "While a transfer solution will very much be welcomed after almost two years of uncertainty following the CJEU's Schrems II decision, businesses have certainly not forgotten what has happened to its two predecessors.

"To provide a reliable long-term basis for transatlantic data transfers, this new solution will have to withstand the scrutiny of the supervisory authorities and the privacy activists that brought down the two previous ones. Undoubtedly, many companies will be watching for the reaction of these actors as a first indication of the potential for this new transfer mechanism to stick. Once bitten, twice shy." ®

What is Schrems I?

In the first case, arising from a complaint filed with the Irish Data Protection Commissioner in 2011, privacy activist Max Schrems ultimately toppled the biggest EU-US data-sharing deal, Safe Harbor. Schrems had alleged that Facebook violated the so-called Safe Harbor agreement, which protects EU citizens' privacy, by transferring its users' data to the US National Security Agency (NSA).

In the Schrems I ruling, in 2015, Europe’s highest court ruled that data sharing between the EU and US under the Safe Harbor framework was invalid.

What is Schrems II?

Schrems, a former law student, brought the latest edition of the long-running case (informally known as Schrems II) in 2015, complaining that Ireland's data protection agency still wasn't preventing Facebook Ireland Ltd (as EU representative of the Zuckerberg empire) from beaming his data to the US under Privacy Shield.

In July 2020, the EU Court of Justice struck down the so-called Privacy Shield data protection arrangements between the political bloc and the US, triggering a fresh wave of legal confusion over the transfer of EU subjects' data to America.
