In a joint press conference, U.S. President Joe Biden and European Commission President Ursula von der Leyen announced an agreement “in principle” on a framework, called the Trans-Atlantic Data Privacy Framework (“Privacy Shield 2.0”), to replace the US-EU Privacy Shield. The EU General Data Protection Regulation (“GDPR”) places restrictions on personal data transfers to countries outside of the European Economic Area. Privacy Shield 2.0 is designed to replace the original Privacy Shield which had made EU to US data transfers legal but was invalidated by the European Court of Justice in 2020 in the so-called Schrems II decision.
Privacy Shield 2.0 would potentially revive the Privacy Shield and allow EU to US data flows for compliant companies. Few details have emerged on the terms of the agreement or how different its terms would be from the original Privacy Shield (an overview of the compliance features of the original Privacy Shield can be found here).
The concern of EU Courts has been the extent of the US government’s surveillance of personal data. Many in Europe are wary of any mechanism that allows data transfers to the US because they believe that the transferred data simply will not be protected from the eyes of the US government. Some European commentators are skeptical of Privacy Shield 2.0 as few details have emerged about how U.S. government surveillance would change in order to have the regime survive scrutiny in EU courts and a possible Schrems III scenario. What is clear is that the success or failure of the forthcoming Privacy Shield 2.0, will have serious consequences for businesses of all sizes transferring personal data across the Atlantic.
While we wait to see the detail, businesses transferring personal data across the Atlantic should rely on adequacy safeguards under the GDPR such as the so-called “standard contractual clauses.” It will also be interesting to see how the UK respond in the post-Brexit era now that the UK can make its own adequacy decisions about countries outside of the UK.