EDPB indicates where ‘red lines’ lie on ‘Privacy Shield 2.0’

Privacy Shield 2.0, more formally known as the transatlantic data privacy framework, is currently under development. It is being designed to facilitate the transfer of personal data from the EU to the US.

EU and US officials recently announced that the transatlantic data privacy framework had been agreed in principle. It is envisaged that the framework will replace the original EU-US Privacy Shield which, like the Safe Harbor scheme – a similar data transfers framework – before it, was invalidated by the EU’s highest court for not meeting the requirements around data transfers in EU data protection law.

Amsterdam-based Andre Walter of Pinsent Masons said, however, that a statement issued by the European Data Protection Board (EDPB) highlights the issues that those finalising the transatlantic data privacy framework must address to not only satisfy the expectations of regulators, but the requirements of case law developed by the Court of Justice of the EU (CJEU) too.

Walter said: “The EDPB has an important role in the possible introduction of the transatlantic data privacy framework. The European Commission will be responsible for preparing a draft ‘adequacy decision’ that would effectively recognise, with legal effect, that data transfers that adhere to the transatlantic data privacy framework are compliant with the EU General Data Protection Regulation (GDPR). However, the Commission is obliged to consult the EDPB for its opinion on the compatibility of the framework with the provisions of the GDPR. The EDPB’s opinion is non-binding, but it is perhaps inconceivable that the Commission would ignore its recommendations before asking EU member states to approve its adoption.”

“The EDPB’s new statement gives clues to what its ‘red lines’ will be. These should come as no surprise to EU or US officials, or businesses that have been following developments in this area closely, since they closely reflect the issues that the CJEU raised in respect the original EU-US Privacy Shield,” he said.

In its statement, the EDPB highlighted the fact that the recent announcement made about the translatlantic data privacy framework “does not constitute a legal framework on which data exporters can base their data transfers to the United States”. It said, for now at least, data exporters must “continue taking the actions required to comply with the case law of the CJEU”.

The EDPB said it is “committed to playing a constructive part in securing a transatlantic transfer of personal data that benefits” individuals and organisations in the European Economic Area (EEA) and said it is “ready to provide the European Commission with support to help it build, together with the US, a new framework that fully complies with EU data protection law”. It outlined specific areas of the proposed new framework it plans to scrutinise.

The EDPB said: “In particular, the EDPB will analyse in detail how these reforms ensure that the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate.”

“The EDPB will also examine to what extent the announced independent redress mechanism respects the EEA individuals’ right to an effective remedy and to a fair trial. In particular, the EDPB will look at whether any new authority part of this mechanism has access to relevant information, including personal data, when exercising its mission and can adopt decisions binding on the intelligence services. The EDPB will also consider whether there is a judicial remedy against this authority’s decisions or inaction,” it said.

Andre Walter of Pinsent Masons recently warned businesses not to wait for the transatlantic data privacy framework to ensure their data transfer arrangements are compliant.

He said: “Businesses have a major contract remediation project to engage in in respect of data processing to transition to new standard contractual clauses (SCCs) the European Commission has developed before the end of the year. There is no time to wait for the new ‘Privacy Shield 2.0’ and hope it supersedes the need for SCCs.”