Both the EU GDPR and its UK equivalent impose restrictions on the transfer of personal data internationally, outside of the European Economic Area (EEA). The strict conditions under which data transfers are permitted are designed to ensure that personal data that benefits from the protections of the GDPR continues to benefit from an equivalent standard of protection in the jurisdictions to which the data is exported.
The GDPR provides several mechanisms that businesses can rely on to ensure that EU, or UK, data protection standards continue to apply to personal data once it is exported. Adequacy decisions are one such mechanism.
The European Commission is empowered under the EU GDPR to issue adequacy decisions, which effectively declare that a jurisdiction outside of the EEA provides an adequate level of protection for personal data. Organisations can transfer data to these countries without the need for additional safeguards to be applied, such as standard contractual clauses (SCCs), another of the legal tools the GDPR provides to facilitate international data transfers.
Currently there is no adequacy decision in place applicable to EU-US data transfers. In 2020, the Court of Justice of the EU (CJEU), in the so-called ‘Schrems II’ ruling, invalidated the Commission’s adequacy decision in respect of the EU-US Privacy Shield, which was a framework for EU-US data transfers.
The Schrems II ruling had a wider impact than just on the EU-US Privacy Shield. It emphasised the robust due diligence businesses must undertake before transferring personal data anywhere outside of the EEA – not just the US.
The ruling also fed into the Commission's decision in 2021 to issue updated SCCs, together with a deadline of 27 December 2022 for organisations to update legacy contracts that feature the SCCs the Commission published in 2001, 2004 or 2010, all pre-GDPR. Contracts relying on the old clauses after that date must have been migrated to the 2021 SCCs.
Walter said: “The publication of the draft adequacy decision is a positive step towards ‘Privacy Shield 2.0’, or the EU-U.S. Data Privacy Framework as it is more formally known. EU justice commissioner Didier Reynders has said that he hopes the new framework will be in effect by spring 2023. On the face of it, that timeframe aligns with the time taken by the Commission to finalise other adequacy decisions in the recent past – including the original Privacy Shield, the EU-UK adequacy decision and the EU-Japan adequacy decision. However, there are significant hurdles to overcome before this new framework can be finalised which could delay the process.”
Since the Schrems II ruling, EU and US officials have been working on replacing the Privacy Shield.
In March this year, EU and US officials announced that a framework had been agreed in principle and in October US president Joe Biden signed an executive order giving effect to the commitments made on the US side. These include commitments to limit US authorities’ access to data exported from the EU to what is necessary and proportionate under surveillance legislation, provide individuals with rights of redress relating to how their data is handled under the framework regardless of their nationality, and establish a Data Protection Review Court for determining the outcome of complaints.
“The timeframe for Privacy Shield 2.0 depends on action both sides of the Atlantic,” said Walter.
“On the EU side, the Commission is obliged to obtain an opinion on the draft adequacy decision from the European Data Protection Board (EDPB), an umbrella body for national data protection authorities from across EU member states. The EDPB’s opinion is non-binding but influential – the body previously set out where its ‘red lines’ lie in respect of Privacy Shield 2.0. Further to that, the draft adequacy decision will also be scrutinised by MEPs and a committee made up of representatives from EU member states before a final adequacy decision is issued,” he said.
“With the original EU-US Privacy Shield, the framework came into effect before the US had fully implemented the commitments it had made in relation to the arrangements. This will not happen this time – the European Commission has confirmed that the adequacy decision will not enter into force until all US intelligence agencies update their policies and procedures in line with the executive order and the EU is designated as eligible to benefit from the redress mechanism in the US. Much therefore depends on the Biden administration following through on implementation of the executive order,” he said.
“Privacy Shield 2.0 has to be right, first time. The EDPB, the committee of member state representatives, MEPs and other stakeholders such as the European data protection supervisor will do all they can to mitigate the risk of the framework being struck down in another legal challenge. My expectation is that the European Parliament in particular will take a more prominent role in the process of scrutinising the new framework than it did with the original Privacy Shield,” Walter said.