Out-Law News Lesedauer: 1 Min.
Privacy Shield 2.0: MEPs advise against adoption
23 Feb 2023, 3:43 pm
An influential committee of MEPs is proposing to recommend against the adoption of ‘Privacy Shield 2.0’, a proposed new framework to help businesses transfer personal data from the EU to the US in line with the requirements of EU data protection law.
In December last year, the European Commission published a draft ‘adequacy’ decision endorsing the framework – formally known as the EU-U.S. Data Privacy Framework. That action came after EU and US officials had, earlier in 2022, agreed a deal in principle and US president Joe Biden then signed an executive order giving effect to the commitments made on the US side.
The European Commission is empowered under the EU GDPR to issue adequacy decisions, which effectively declare that a jurisdiction outside of the European Economic Area (EEA) provides an adequate level of protection for personal data.
An adequacy decision is an important determination because the GDPR restricts data transfers outside of the EEA unless the data continues to benefit from an equivalent standard of protection in the jurisdictions to which the data is exported. Where a jurisdiction benefits from an adequacy decision, organisations can transfer data to these places without the need for additional safeguards to be applied.
However, as well as considering the non-binding opinion of the European Data Protection Board (EDPB) and accepting the binding decision of a committee made up of representatives from EU member states, the European Commission must consider the views of the European Parliament on matters of adequacy.
In a recent draft motion for resolution before the Parliament, the Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee) proposed to called on the Commission “not to adopt the adequacy finding”.
The LIBE Committee has provisionally said that Privacy Shield 2.0 “fails to create actual equivalence in the level of protection” and plans to call on the Commission to “continue negotiations with its US counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter [of Fundamental Rights of the European Union] as interpreted by the CJEU”.
In 2020, the Court of Justice of the EU (CJEU), in the so-called ‘Schrems II’ ruling, invalidated the Commission’s adequacy decision in respect of the original EU-US Privacy Shield after it identified issues associated with the scope US public authorities had to access and use the data transferred to the US from the EU under the framework.
The Schrems II ruling has had major implications for data transfers outside of the EU in general, not just to the US. Privacy Shield 2.0 is, however, a solution EU and US negotiators have subsequently explored for easing compliance burdens in respect of EU-US data transfers.
Data protection law expert Andre Walter of Pinsent Masons previously said there were significant hurdles to be overcome with regard to Privacy Shield 2.0 before the framework could be finalised. He has advised businesses to continue to conduct data transfer impact assessments before transferring personal data outside of the EEA, in line with their post-Schrems II legal obligations.
Kontaktieren Sie uns
Aktuelle Neuigkeiten
Editor's Pick
Out-Law Guide
06 Dec 2022
