European Commission President Ursula von der Leyen and U.S. President Joe Biden announced that the U.S. and EU have reached an agreement in principle for a new framework for trans-Atlantic data flow which will replace the original Privacy Shield Framework that was invalidated under the Schrems II decision in July 2020.
New Privacy Shield is supposed to provide a solution for transfers of personal data from the European Economic Area (EEA) to the U.S. As it is well known under the General Data Protection Regulation (GDPR) personal data of the individuals in the EEA can not be transferred outside the EEA without the appropriate safeguards in place.
Interestingly, there are more data flows between the United States and Europe than anywhere else in the world, enabling the $7.1 trillion U.S.- EU economic relationship, which makes data flows between the two countries critical to their economic relationship.
Privacy Shield 2.0
New Privacy Shield is set to address the concerns raised by the Court of Justice of the European Union in 2020.
In addition to adopting several parts of the old Privacy Shield, the 2.0 version will take new measures to limit intelligence collection to “advance legitimate national security objectives” and install additional oversight for US intelligence agencies to protect privacy and civil liberties.
The White House stated that the US is “committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives, which will ensure the privacy of EU personal data and to create a new mechanism for EU individuals to seek redress if they believe they are unlawfully targeted by signals intelligence activities.”
However, it seems for now that the new Privacy Shield remains a political announcement since the full details of Privacy Shield 2.0 are still unknown, and the “agreement in principle” phrase suggests the final text and solution are yet to be drafted.
Max Schrem’s comment on the new Privacy Shield
In his first reaction to the announcement, Max Schrems, Honorary Chairman of noyb and lead litigant in the “Schrems I” and “Schrems II” cases commented:
“The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.”
“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”
What is the Privacy Shield
Privacy Shield is an agreement created by the U.S. Department of Commerce and the European Commission, that outlines standards and provides data protection mechanisms for companies, and governs the transfer of personal data from the European Union to the United States.
According to the GDPR;
“Secure third countries are those for which the European Commission has confirmed a suitable level of data protection on the basis of an adequacy decision. In those countries, national laws provide a level of protection for personal data which is comparable to those of EU law.”
FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework
“Privacy Shield 2.0”? – First Reaction by Max Schrems
National Law Review: Privacy Shield 2.0 On The Horizon
DPM Blog: The EU Court of Justice invalidates EU-US Privacy Shield