The EU US Privacy Shield Revival

Introduction   

On July 10th, 2023, the European Commission announced that it would enter into a new agreement with the United States of America to Transfer Personal Data across the Atlantic. This agreement marks an essential step in the EU-US Personal Data Transfers. The Transfer of Data across the Atlantic has been a primary concern for the European Union and the US. There were many speculations about the involvement of US intelligence services and other threats and infringements towards the Privacy of European Citizens. This move comes after two significant events regarding the EU-US Personal Data Transfers, i.e., the Invalidation of the EU US Privacy Shield and the recent Meta Fine.    

Many critics and stakeholders consider this new framework as the Revival of the EU-US Privacy Shield, with new binding safeguards limiting the US Intelligence Services’ involvement to only what is necessary and proportionate. US President Joe Biden and EU Justice Chief Didier Reynders have welcomed this move, as it would enable companies to conduct their business with confidence and contribute to the growth of the EU and US economies. This blog will uncover the History of the EU US Privacy Shield, its invalidation, the recent Meta Fine, and the new EU US Privacy Framework.   

EU US Privacy Shield   

In 2016, the European Commission approved the EU-US Privacy Shield, a legal framework aimed at regulating the transatlantic transfer of Personal Data between the US and the EU. This agreement only materialized after the Court of Justice of the European Union Ruling in the Schrems Case on October 6th, 2015.    

Many hail this case as one of the most significant Privacy Cases involving Facebook and an Austrian Advocate named Max Schrems. The case addressed the issue of EU-US data transfers and whether there was adequate protection for Personal Data in the US. The European Commission, in July 2000, declared that the US does indeed have adequate protection principles based on the Safe Harbor Framework. This meant that the protection of user data relied on Assessments by Private Companies. However, the Court of Justice ruled the Commission’s decision on the Safe Harbor Framework invalid, thereby ensuring higher standards of Data Protection in Cross Border Data Transfers.

As a result of this, the EU-US Privacy Shield was born, which provided for more substantial obligations on US Companies to Protect the Personal Data of Europeans, promoted increased cooperation between the US Department of Commerce, US Federal Trade Commission, and EU Data Protection Authorities, and limited the access of Personal Data by US Authorities, thereby preventing generalized access.   

However, the Court of Justice in the Schrems II Case invalidated the EU-US Privacy Shield stating that the framework no longer provides adequate safeguards for EU Data in the US. The Court found that the US’s prioritization of National Security interfered with the rights of Data principles, resulting in invalidating the EU-US Privacy Shield.   

The Recent Meta Fine   

The new EU-US Privacy Framework was announced just shortly after the €1.2 billion fine on Meta. The major concern of Ireland’s Data Protection Commission was the insufficient protection of European Users Data from US Intelligence Authorities, thereby violating the General Data Protection Regulation (GDPR). The invalidation of the US Privacy Shield followed this fine, leading to a conflict that Meta and other businesses alone could not resolve. While Meta claimed that using Standard Contractual Clauses would remain valid, authorities fined Meta for the unlawful processing and storage of Data in the US. This recent development in the EU-US Data Transfers led to several concerns amongst businesses and stakeholders, calling for a clearly outlined agreement for data transfer between the EU and the US. Following this, the European Commission announced it would enter a new Data Transfer Agreement with the US that revives the invalidated Privacy Shield Framework with more adequate safeguards.   

The New EU-US Privacy Framework  

Adopting an adequate judgment for the EU-U.S. Data Privacy Framework, the European Commission has confirmed that the United States offers a degree of data protection comparable to that of the European Union. This judgment enables the secure transfer of personal data from the EU to US businesses participating in the framework without additional data protection measures. The updated framework adds legally mandated protections intended to allay the concerns voiced by the European Court of Justice. These protections include limiting US intelligence services’ access to EU data and creating a Data Protection Review Court that gives EU citizens access to an impartial complaint mechanism.  

The EU-U.S. Data Privacy Framework significantly improves upon the prior Privacy Shield framework. The recently created Data Protection Review Court has the power to order the destruction of data if it determines that the data was gathered without following the safeguards. US businesses wishing to be part of the framework must agree to a comprehensive list of privacy requirements, including erasing personal data when no longer required and maintaining data protection during exchanges with third parties.

When US corporations improperly treat their data, EU citizens have a number of legal options available to them for recourse. These options include a panel of arbitrators and uncharged impartial conflict settlement processes. Additionally, safeguards are included in the US legislative framework governing public bodies’ access to data, particularly for the purposes of criminal law enforcement and national security. To protect national security, only a minimal amount of access to send data is permitted. The measures put in place by the US help transatlantic data flows generally, as well as the EU-U.S. Data Privacy Framework. These protections also apply to other data transfer methods, such as standardized contract language and legally binding company policies.  

Implementation   

The Data Privacy Framework is in effective operation and has been fully implemented. Authorities will conduct a first review within a year of the adequacy decision’s implementation to confirm that the relevant provisions of the US legal framework are fully in place and functioning adequately.

This comprehensive framework strives to respect shared values while ensuring the secure and legal data flow between the EU and the US, strengthening economic connections and increasing citizen trust.  

The European Commission has adopted an adequacy judgement for the EU-US Data Privacy Framework, asserting that the US offers an appropriate degree of data protection. This permits secure data transfers from the EU to US businesses without extra security measures.

The safeguards facilitate Transatlantic data flow, and the framework will undergo periodic reviews.

Reviving the EU-US Privacy Shield framework is a step in the right direction towards protecting cross-border data flows and advancing data privacy in the digital era. This framework offers a strong foundation for safe and legal data flows between the EU and the US by addressing the concerns identified by the European Court of Justice and introducing new protections. It is essential for companies and people to keep up with these developments and maintain compliance with the most recent privacy laws.

In addition to bolstering the economic relations between the EU and the US, the new EU-US Privacy Framework also upholds the fundamental rights of data subjects and fosters trust in the online environment. Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today.