Status Update on Privacy Shield Replacement

On March 25, the European Commissioner for Justice Didier Reynders, and U.S. Secretary of Commerce Gina Raimondo issued a joint statement announcing a preliminary replacement for the Privacy Shield framework. The Trans-Atlantic Data Privacy Framework will allow data transfers between the EU and the U.S., which have been on shaky legal legs or on hold since Privacy Shield was struck down by the Court of Justice of the European Union in August 2020.

The decision to invalidate Privacy Shield came from a lawsuit initiated by Austrian lawyer and privacy activist Max Schrems in 2013 (Case C-311/18). In that case, Schrems challenged Facebook Ireland’s reliance on the framework’s Standard Contractual Clauses (“SCCs”) as a legal justification for transferring personal data to Facebook Inc.’s United States servers. Based on this reliance, the court invalidated the framework, despite upholding the legal validity of SCCs. Now, the EU and U.S. say they have reached an initial agreement on a replacement framework, though significant negotiations are still needed to finalize most details.

Framework Specifics

In a statement released by the White House, the United States vowed to “implement reforms that will strengthen the privacy and civil liberties protections applicable to US signals intelligence activities.” The White House further asserted that the new safeguards will act to “ensure that signals surveillance activities are necessary and proportionate in the pursuit of defined national security objectives[.]”

Though the EU and U.S. clarified the intention for the updated framework, neither provided many specifics as to what the actual framework would look like. In fact, during the press conference held to discuss the joint efforts, the President of the European Commission, Ursula Von der Leyen, stated both sides “found an agreement in principle” as to what the new framework will look like.

Despite this non-committal language, the White House did commit to an Executive Order mandating the following, according to Axios:

• “Efforts to ‘strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities,’ with new oversight procedures;

• Limited signals intelligence collection to be ‘undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;

• And the ability for Europeans to contest cases where they feel their data was improperly obtained.”

In addition, an emailed statement from Dona Fraser—Senior Vice President of Privacy Initiatives for privacy nonprofit BBB National Programs—indicated that United States organizations seeking a “smooth transition to an enhanced Privacy Shield” should consider achieving compliance with the BBB National Programs’ BBB EU Privacy Shield program. The program overview can be found here.

Implications

After the invalidation of Privacy Shield, many organizations have been forced to rely upon SCCs and stock legal contracts as a basis for data transfers, while others elected to localize their data and suspend transfers until further guidance was extended.

Meanwhile, large companies have been concerned over a potential “fragmenting” of the internet, meaning, for example, that tech platforms would only be able to show certain information to users based on their country’s laws. That concern may be assuaged by EU and US negotiations: As the Meta/Facebook head of global affairs Nick Clegg recently tweeted, the pending agreement “will help keep people connected and services running,” and “provide invaluable certainty for American & European companies of all sizes, including Meta, who rely on transferring data quickly and safely.” And Google’s president of global affairs, Kent Walker, said in an emailed statement to CNBC that google “[c]ommend[s] the work done by the European Commission and U.S. government to agree on a new EU-U.S. framework and safeguard transatlantic data transfers.”

Although these corporations seem to feel positive about the new framework, data privacy professionals appear to be more hesitant about the developments. According to reported statements by Mandar Shinde, a data privacy expert and CEO of Blotout, the lack of clarity on crucial details, coupled with the “opposing philosophies” of the EU and U.S. in regards to surveillance may lead to another invalidation by the European Court of Justice.

This sentiment is shared by other privacy pros. According to a statement by Caitlin Fennessy, vice president, and chief knowledge officer for the International Association of Privacy Professionals, after the framework is established and released, it “will be tested by individuals and scrutinized by regulators, courts and the public at large almost immediately.” In fact, a statement released by Max Schrems, notes that if the framework is not “in line with EU law,” his activist organization, or another group, “will likely challenge it.”

Next Steps

As of now, there are no new or changing requirements that have been placed on organizations operating in the EU or U.S. However, the tone of the joint statement indicates that regulatory guidance is imminent. Given the Biden administration’s commitment to privacy protections, it’s safe to assume its commitments have weight behind them. As such, organizations should continue to rely on SCCs, monitor the Trans-Atlantic Data Privacy Framework’s progress, and work towards compliance with BBB’s framework and the EU’s GDPR, as most emerging U.S. privacy laws have been modeled after the flagship regulation.

* * * * *

To read our coverage on Sri Lanka’s Personal Data Protection Act, click here.

For our weekly news updates discussing: a Russian lawsuits highlight flaws in the UK Data Privacy Law; EHI releases guidance for protecting health data; hackers employing “Vishing” in Morgan Stanley Breach; and EU’s ban on anonymous crypto transaction, click here.