The European Union and United States have been without an adequacy decision for privacy protections for international data transfers for commercial purposes since the “Schrems II” case in July 2020. In that decision, the European Court of Justice declared the EU–US Privacy Shield invalid. Even earlier, the long-standing Safe Harbor predecessor agreement was invalidated by the European Court of Justice in 2015 over the same issues of US laws and EU privacy rights.
Issues caused by invalidation of the EU-US Privacy Shield
The 2020 ruling created widespread concerns, given that a number of the world’s largest tech companies, including conglomerates such as Alphabet (parent company of Google), whose services are widely used around the world, are US-based. The EU and US have a US $7.1 trillion economic relationship, so ensuring transatlantic data privacy and data sharing has been of considerable importance.
However, the legal uncertainty has weighed on European data protection authorities, which issued several rulings in 2022 against tools like Google Analytics that transfer data outside the EU and have not been found to provide adequate privacy protections or limitations on data transfer. Indeed, Meta (formerly Facebook, also parent company of Instagram) warned of a possible shutdown of EU access and operations if the Privacy Shield were not replaced.
In March 2022, the EU and US reached an agreement in principle on the new Trans-Atlantic Data Privacy Framework, the successor to the Privacy Shield. At the time, European Commission President Ursula von der Leyen commented, “This will enable predictable, trustworthy data flows between the EU and the U.S., safeguarding privacy and civil liberties.”
What is included in the “Privacy Shield” Executive Order?
President Biden signed an Executive Order to Implement the European Union-U.S. Data Privacy Framework on October 7th. This does not automatically replace the Privacy Shield, nor does the Framework go into effect immediately. Rather, it outlines the steps that the United States will take to implement the Framework, in line with its stated commitments.
Some of the major functions of the Executive Order include:
Additional safeguards for US signals intelligence activities, including limiting such activities to what is necessary and proportionate to the national security priority they serve, with consideration for the privacy and civil liberties of all persons regardless of nationality or country of residence.
Mandated handling requirements for personal information collected through signals intelligence, and extended responsibilities for relevant officials to ensure appropriate action is taken in cases of noncompliance.
Updates to policies and procedures of the US intelligence community to reflect new privacy and civil liberties safeguards.
Creation of a multi-layer mechanism for individuals from qualifying states and organizations to obtain independent, binding review and redress of claims of violation of applicable US law regarding collection or handling of personal information.
The Privacy and Civil Liberties Oversight Board is called on to review intelligence community policies and procedures for consistency with the Executive Order and to conduct an annual review of the redress process.
Implementing these steps will enable a new adequacy determination by the European Commission, restoring critical and functional transatlantic data transfer mechanisms under EU law. For companies using Standard Contractual Clauses or Binding Corporate Rules to transfer EU data to the US, it will also provide a greater degree of legal certainty.
However, it is also important to note that the final decision on any new agreement rests with the European Court of Justice. It is also possible that such a proposed agreement could be challenged in court if critics do not consider it adequately in line with EU law or believe it does not provide sufficient safeguards.
If you have questions about GDPR compliance, international data transfers, or any of the US privacy laws, get in touch. We have answers.