Privacy Shield 2.0: An Overview
Ever since the “Schrems II” decision invalidated the Privacy Shield transfer mechanism for EU-US data flows, there has been constant talk about how the issues raised in the CJEU’s decision can be addressed to allow data flows to resume.
Following an earlier announcement of an agreement in principle between the US and the European Commission, US President Biden signed an Executive Order (EO) on 7 October 2022 implementing what has been dubbed Privacy Shield 2.0, formally the European Union-US Data Privacy Framework (EU-US DPF).
While still a self-certification regime, as Privacy Shield was, the EU-US DPF seeks to address the two main objections raised in the “Schrems II” decision:
- The necessity and proportionality of access to data by US intelligence agencies; and
- The lack of a proper redress mechanism for “EU consumers”.
Necessity and Proportionality
The new EO mandates that US intelligence agencies must only access data when it is “necessary to advance a validated intelligence priority” and “only to the extent and in a manner that is proportionate to the validated intelligence priority for which they have been authorised”.
This is akin to the data minimisation principle under the EU GDPR and forms a crucial part of the EU adequacy test that Privacy Shield failed. Notably, the EO also requires that the interests of the intelligence activity be balanced against the impact on individuals, “regardless of their nationality or wherever they might reside”.
To address the second point, the EO also creates a new two-layer redress mechanism for individuals.
Firstly, they will be able to complain to the Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence, who will investigate the claim and determine the appropriate remedial action if a legal violation is identified.
Secondly, if the individual disagrees with the CLPO’s finding, they can apply for a review of that decision by a newly formed Data Protection Review Court (DPRC), which can overturn the CLPO’s decision and issue its own remedial measures, with which the intelligence agency must comply.
Why an Executive Order and Not a Law?
This is largely down to how the legislative process works in the US, and to the differences between the Democratic and Republican parties.
A draft federal privacy law with support on both sides had been proposed. However, after Nancy Pelosi stated that she would not accept a national law that “pre-empts” California’s state law, that effectively brought the bill to a halt.
An Executive Order is much easier to issue, as it is a decision for the sitting President alone. President Biden has therefore issued the EO himself to address the issues raised by the CJEU and allow data flows between the EU and US to resume.
While Executive Orders carry the force of law and cannot simply be overturned by the US Congress, they can be revoked or amended by a sitting President. So, if President Biden were to lose the next US Presidential election, his successor could revoke or amend this EO, which would have a knock-on effect on any agreement between the EU and US on international data transfers.
So, What’s Next for Data Transfers Between the US and the EU?
Right now, there are no immediate changes to the rules on transfers between the US and EU. While President Biden has signed the EO that allows companies to use the new framework, the European Commission still needs to formally adopt an adequacy decision.
The process is generally as follows:
- European Commission Draft Decision
The Commission drafts its adequacy decision and shares it with the European Data Protection Board (EDPB).
- EDPB Opinion
The EDPB reviews the Commission’s draft and issues a non-binding opinion. This means the Commission can ignore it, though that is unlikely. At this point, the Commission can amend its draft.
- European Parliament Opinion
The European Parliament can adopt a non-binding resolution on the matter, though it has no formal role in the process.
- Member State Approval
Arguably the most crucial stage in the process: the Commission seeks approval from a committee of representatives of the EU Member States. A qualified majority is required, meaning at least 55% of the Member States representing at least 65% of the total EU population.
- European Adequacy Decision
If approval is granted, the Commission’s decision is formally adopted and takes effect once it is published in the Official Journal of the EU.
This process is likely to take approximately six months, so an adopted decision should not be expected before March 2023. As with the UK’s own adequacy decision, we can expect that, if it is adopted, it will be conditional on the US maintaining the legal protections provided under the EO.
The EU will also need to be designated a “qualifying state” by the US Attorney General under the EO, though this is seen as a formality.
What Does This Mean for the UK?
This is good news for the UK.
Ever since Brexit, it has been clear that the UK Government wants to move in a different direction from the EU, and closer ties with the US appear to be key to that. The fact that an EU adequacy decision seems to be inching closer means the UK can “piggyback” on it without putting its own adequacy decision from the EU at risk.
Regardless of the EU’s position, the UK has previously included the US in its list of priority countries for adequacy assessments. After publication of the EO, a joint UK-US statement said that it “paved the way for a new data adequacy agreement in the coming weeks”. Given the complexity of the adequacy process under the EU GDPR, the UK may therefore grant the US adequacy before the EU has reached its decision.
While an adequacy decision for the US under the UK GDPR would be welcome, it would not cover transfers that are also subject to the EU GDPR. Moreover, if the EU does not obtain Member State approval and so does not grant adequacy to the US, a UK decision could jeopardise the UK’s own adequacy decision from the EU, since it would allow “onward transfers” of EU personal data to the US and thereby weaken the rights of people in the EU.
Given that the last two adequacy decisions for the US were struck down, it is sensible to treat this development cautiously. Positive steps have been made, but the UK would do well to pay close attention to how the EU responds. For the time being, then, companies in the UK will still need appropriate safeguards for any transfer to the US that falls outside an adequacy decision, including conducting Transfer Risk Assessments.
If the UK does grant an adequacy decision for the US, I would not expect it before the European Commission has published its draft decision, and possibly not until after the EDPB has issued its opinion, because the UK will want added confidence that its own EU adequacy is not put under threat.
At DataGuard, we continue to support you and ensure you have the appropriate safeguards in place for your international transfers. With teams in the UK, Germany and Austria, we provide expert advice on matters covering both the UK and EU GDPR.
Get in touch with our experts today to find out how we can help.