16 July 2020 is a very significant date in the world of privacy and data protection. The reason for this is that on this date, the Court of Justice of the European Union (CJEU) handed down the judgment[1] invalidating the Privacy Shield framework. This ruling has become known as the Schrems II ruling.
The Privacy Shield framework provided the possibility to lawfully transfer personal data from the European Union (EU) to the United States of America (US), while ensuring a strong set of protection requirements and safeguards. This framework enabled businesses located in the European Economic Area (EEA) to legally transfer personal data to businesses that were certified as being Privacy Shield compliant. Participation in the Privacy Shield list is voluntary.
The Schrems II ruling is in line with the CJEU’s persistent strengthening of the level of protection in recent years. This is evident from the annulment of the Passenger Name Record (PNR) Agreement between the EU and US and the invalidation of the Safe Harbour Decision in the Schrems I judgment of 2015.
The Privacy Shield was introduced as a replacement for the Safe Harbour principles. Although the Privacy Shield framework addressed many of the defects of the Safe Harbour principles, many privacy lacunae remained. These privacy lacunae were repeatedly criticized, including in 2018 when the European Parliament and European Data Protection Board (EDPB) issued a resolution concerning this. Despite this, the European Commission reaffirmed the Privacy Shield mechanism by stating that the level of data protection offered by the US was adequate.
The invalidation of the Privacy Shield left numerous businesses wondering which mechanism can be used to transfer personal data. Businesses that had concluded Standard Contractual Clauses (SCCs) to transfer the personal data could continue to rely on this mechanism for the transfer but had to ensure that ‘additional safeguards’ were provided for. What exactly these additional safeguards entailed was not defined. In addition, a transfer impact assessment must be conducted prior to the transfer of personal data.
In June 2021, the new, modernized SCCs were published with the caveat that all previously concluded SCCs would need to be updated to reflect the new, modernized SCCs by December 2022. Since the invalidation of the Privacy Shield, businesses have faced more and more obligations and uncertainties when transferring personal data. One of these uncertainties is the replacement of the Privacy Shield and when it will be introduced.
On 25 March 2022, the European Commission and the US reached an agreement in principle for a new Trans-Atlantic Data Privacy Framework. A positive first step is that the highest US authorities have committed to establishing unprecedented measures to protect the privacy and personal data of individuals in the EEA when their personal data are transferred to the US.
It is said that the new Trans-Atlantic Data Privacy Framework aims to have numerous key principles which will include:
It has also been said that this deal will contain various benefits, which include:
The EDPB has welcomed the announcement of this political agreement regarding the new Trans-Atlantic Data Privacy Framework. The EDPB also views the commitment of the highest authorities in the US to establish unprecedented measures to protect the privacy and personal data of individuals in the EU when their personal data are transferred to the US as a step in the right direction. The EDPB will examine how this political agreement translates into concrete legal proposals in addressing the concerns raised by the CJEU in the Schrems II ruling.
In compliance with the GDPR, the EDPB will provide its opinions on the new Privacy Framework before it can be adopted by the European Commission. The EDPB said in a statement that it will analyse in detail the following aspects of the new Framework:
It is not clear when the EDPB will provide its opinions on the new Trans-Atlantic Data Privacy Framework or when the European Commission and the US will agree upon a new Privacy Framework. Unfortunately, this can mean months of further uncertainty for businesses while updating SCCs and conducting transfer impact assessments.
If the past is anything to go by, the saying “the more things change, the more they stay the same” is very fitting in this instance. If a ‘Privacy Shield 3’ is introduced, it must be ensured that it does not contain any privacy lacunae like its predecessor, or the privacy and data protection world will be facing a Schrems III ruling.
Does your organization have questions about international data transfers to the US? Contact us at info@dpoconsultancy.nl for any questions regarding international data transfers.
[1] Case C-311/18 – Data Protection Commissioner v Facebook Ireland and M. Schrems: https://bit.ly/3ux11oH