Since the most recent mechanism to ensure “safe” data transfers between the European Union and United States was rescinded, companies on both sides of the Atlantic have hoped a viable replacement would come into force quickly to provide the same level of legal assurance.

Fortunately, momentum is gathering toward a new standard.

The July 2020 ruling by the Court of Justice of the European Union (CJEU) to invalidate the Privacy Shield placed companies at increased risk of violating the EU’s General Data Protection Regulation (GDPR) when transferring data between the two regions. This is because U.S. surveillance laws allow excessive access to EU citizens’ personal data for national security reasons.

In the aftermath of the ruling, standard contractual clauses (SCCs) and binding corporate rules (BCRs) gained popularity as alternatives for enabling transatlantic data flows. But neither mechanism provides the cover of the Privacy Shield, meaning businesses have viewed a new agreement between the European Union and United States as necessary.

Hope came in March 2022 when the two regions reached an agreement in principle on a new data transfer framework. Under the framework, the United States must put in place safeguards to ensure surveillance activities by U.S. intelligence services are “necessary and proportionate” to achieve defined national security objectives.

It must also enhance oversight of intelligence activities to ensure compliance with limitations on surveillance activities and establish a two-level independent redress mechanism—along with remedial measures—so EU citizens can lodge a complaint about the way U.S. intelligence services might be using their data and be given the opportunity to appeal any decision made.

In October, U.S. President Joe Biden signed an executive order outlining how the country plans to implement its commitments under the framework. In response, the European Commission issued its draft adequacy decision in December, which is now going through its adoption procedure. This requires obtaining opinions from the European Data Protection Board (EDPB) and the European Parliament, and sign-off from representatives on a committee composed of EU member states.

The European Parliament Committee on Civil Liberties, Justice, and Home Affairs indicated in its draft opinion on Feb. 14 that it does not think the commission should extend an adequacy decision to the United States because the framework still does not offer a level of data protection equivalent to that afforded in the European Union. The EDPB shared a similar stance Feb. 28, asking the European Commission to clarify certain aspects of the framework and suggesting the implementation of reviews on elements including enforcement and redress.

The ramifications of these opinions remain to be seen.

If a decision is reached, European companies would be able to transfer data freely to the United States as before, while U.S. companies would be able to join the framework by committing to comply with a detailed set of yet-unspecified privacy obligations, following certification through the U.S. Department of Commerce.

The functioning of the framework would be subject to periodic reviews, overseen by the European Commission, EU data protection authorities, and U.S. authorities. The first review would take place within a year of the adequacy decision to check whether the United States has implemented the required safeguarding measures.

Data experts have broadly welcomed the progress.

Andrew Northage, partner in the regulatory and compliance team at law firm Walker Morris, said once the framework is ratified, it will “provide businesses with a much simpler and more predictable mechanism for the transatlantic transfer of personal data.” SCCs and BCRs “typically increased the cost and administrative burden of GDPR compliance by requiring transfer impact assessments to be completed before transfers could take place (if at all) and introduced considerable uncertainty,” he said.

Northage added, “If the framework is adopted, U.K. companies can expect this to act as a catalyst for agreement on a U.K./U.S. data transfer framework—if movement hasn’t already happened by then.”

Legal experts are also hopeful the safeguards agreed to by the United States can address the concerns that prompted the CJEU to pull the plug on the Privacy Shield, though privacy campaigner Max Schrems—the man responsible for the scrapping of that framework and its predecessor, Safe Harbor—is unlikely to be appeased.

Consequently, some observers expect the data transfer framework to face further legal challenges.

Such a prospect, said James Castro-Edwards, privacy, cybersecurity, and data strategy counsel at law firm Arnold and Porter, “leaves companies with the dilemma of whether or not to invest resources in certifying to a [framework] that risks being invalidated in a Schrems III decision or continuing with the SCCs.”

Sarah Pearce, partner at law firm Hunton Andrews Kurth, said, “People have somewhat lost patience with the issue, and organizations are looking for legal certainty and reassurance that they can rely on the decision once confirmed.

“If the new adequacy decision were to be struck down again by the CJEU, organizations may lose faith in the feasibility of a successful EU-U.S. data transfer framework and turn to SCCs as their sole and permanent solution to legitimize data transfers to the United States.”

To prepare for that scenario, companies should analyze their international data flows—particularly those out of the United Kingdom/European Union to the United States—and review the international data transfer mechanisms currently in place, said Pearce. This includes both internal transfers (intragroup) and external transfers (such as to vendors).

Where appropriate, companies should enhance or put in place data transfer mechanisms to comply with U.K./EU data transfer restrictions, she added.

Northage also believes some companies might choose to continue as they are until the data privacy framework is guaranteed as being legally “bulletproof.”

“Despite the framework presenting as a more straightforward alternative to the other available transfer mechanisms, companies may prefer to hedge their bets and make sure they have back-up plans in place should the framework be successfully challenged and invalidated,” he said.