In a joint press conference on March 25, 2022, U.S. President Joseph Biden and European Commission President Ursula von der Leyen announced an agreement “in principle” on a framework, called the Trans-Atlantic Data Privacy Framework (“Privacy Shield 2.0”), to replace the U.S.-EU Privacy Shield. The EU General Data Protection Regulation (“GDPR”) places restrictions on personal data transfers to countries outside of the European Economic Area (“EEA”). Privacy Shield 2.0 is designed to replace the original Privacy Shield which allowed companies that had self-certified to lawfully transfer personal data from the EEA to the U.S. However, the Court of Justice of the European Union (“CJEU”) in the so called Schrems II decision in 2020 invalidated the original Privacy Shield as a mechanism for such lawful transfers.
Privacy Shield 2.0 would potentially revive the Privacy Shield and allow EEA to US data flows for compliant companies. Few details have emerged on the terms of the agreement or how different its terms would be from the original Privacy Shield (an overview of the compliance features of the original Privacy Shield can be found here).
In the Schrems II decision, the CJEU was concerned about under U.S. law the alleged lack of proportionality with respect to U.S. government’s rights to access EEA-originating personal data, and the absence of effective remedies to challenge any unlawful access. Some European commentators are skeptical of Privacy Shield 2.0 as few details have emerged about how U.S. law and government practice would change in order to have the regime survive scrutiny in EU courts and a possible Schrems III scenario. What is clear is that the success or failure of the forthcoming Privacy Shield 2.0, will have important consequences for businesses transferring personal data across the Atlantic.
While we wait to see the detail, businesses transferring personal data across the Atlantic should rely on other data transfer mechanism allowed under the GDPR such as the so-called “standard contractual clauses.” It will also be interesting to see how the UK respond in the post-Brexit era now that the UK can make its own adequacy decisions about countries outside of the UK.
We will continue tracking the developments here.