EU-US Privacy Shield 2 survives legal challenge

EU data protection law imposes restrictions on the transfer of personal data internationally, outside of the European Economic Area (EEA). The idea is that personal data that benefits from the protections under the General Data Protection Regulation (GDPR) should continue to benefit from an equivalent standard of protection, even if it is transferred outside the EEA. There are several options this can be achieved in practice – including if so-called ‘adequacy decisions’ are in place.

Adequacy decisions recognise that other jurisdictions to which personal data may be transferred meet data protection standards essentially equivalent to those that apply in the jurisdiction from which the data is being exported. The European Commission has issued a number of adequacy decisions that facilitate the free flow of personal data from the EU to other countries and territories – including the UK.

Where personal data is transferred to a jurisdiction that benefits from an adequacy decision, additional contractual protections such as standard contractual clauses (SCCs) are not required, and organisations need not carry out their own assessment of the jurisdiction’s laws and whether supplementary measures are required. This reduces the burdens organisations can otherwise face when seeking to send data overseas – as is common in the context of global business.

In 2023, the European Commission adopted a new adequacy decision to enable certain EU-US data transfers, after then US president Joe Biden signed an executive order providing for a suite of privacy safeguards and protections.

Dubbed the ‘Privacy Shield 2.0’, the framework replaced the original EU-US Privacy Shield, which was found to contain shortcomings by the Court of Justice of the EU (CJEU), the EU’s highest court, in 2020, in the so-called ‘Schrems II’ case. The original Privacy Shield was itself a replacement framework for the earlier EU-US Safe Harbor agreement, which also facilitated EU-US data transfers, after the CJEU declared it invalid in 2015 in the first ‘Schrems’ case.

In a legal challenge brought before the EU’s General Court, however, French citizen Phillipe Latombe sought annulment of the Commission’s EU-US adequacy decision. He claimed the Privacy Shield 2.0 framework also contains shortcomings.

Specifically, Latombe claimed that the Data Protection Review Court (DPRC) set up by the US to handle complaints from EU citizens over the handling of their data in the US lacks independence from the US administration. In addition, Latombe said the bulk gathering of EU citizens’ data by US intelligence agencies should be subject to the prior authorisation of a court or an independent administrative authority, if the activity is to accord with EU data protection standards.

The General Court rejected the application for annulment, however.

According to the EU court, there are measures in place to ensure independence in the appointment of DPRC judges and that their work is thereafter not improperly hindered or influenced. It further reflected on the fact that if the Commission had concerns in that regard, it has powers to suspend, amend or repeal its adequacy decision or to limit its scope.

The General Court also rejected Latombe’s claims over the oversight of bulk data gathering in the US. It said the CJEU, in its Schrems II judgment, did not require US agencies’ bulk data gathering to be subject to be prior authorisation from an independent authority. Instead, it said, the ruling only requires that there is at least judicial review of the activity after the fact. This, the General Court considered, happens via the DPRC.

Dublin-based data protection law expert Andreas Carney of Pinsent Masons said: “We are getting somewhat used to EU-US frameworks for the transfer of personal data being legally challenged. No doubt this latest decision will be seen positively by businesses relying on Privacy Shield 2.0.”

“The adequate level of protection ensured by the US in respect of transfers of personal data to organisations in that country, as affirmed by the General Court’s judgment, is by reference to the date of adoption of the European Commission’s decision that was challenged. Whether we should read anything into this is uncertain. For now, at least, Privacy Shield 2.0 has held up to judicial scrutiny, which will give comfort to most,” he said.

Max Schrems, the privacy campaigner behind the Schrems I and Schrems II cases, described Latombe’s legal challenge as “rather narrow” and said he believes “a broader review of US law – especially the use of Executive Orders by the Trump administration should yield a different result”. His campaign group, noyb, said it is reviewing its options for bringing its own legal challenge of that nature.

In a statement, noyb said: “The protections under the new deal [Privacy Shield 2.0] are almost 1:1 a copy/paste of the previous deals that the CJEU found to be unlawful in Schrems I and Schrems II. In some elements the protections are even worse than in the older executive order that were not sufficient for the CJEU. It is therefore surprising that the General Court would issue a different decision on the third version of the EU-US deal compared to the previous two versions.”