Will Privacy Shield II be strong enough?
At the end of March, the European Commission and the Biden administration made a surprising announcement: They had reached an agreement in principle about the resurrection of Privacy Shield. The Privacy Shield mechanism, which enabled the international transfer of personal data from the EU to self-certified companies in the US, had been invalidated in 2020 by the European Court of Justice (ECJ), which found the protection of personal data in the US to be insufficient. The ECJ had previously invalidated Privacy Shield’s predecessor Safe Harbour for similar reasons. Will this third attempt fail where the previous two did not?
Many companies in the EU and in the US have been forced to make significant efforts after the 2020 ruling to comply with the new situation. To this day, it is in some cases unclear whether international transfers to the US can be performed lawfully. According to the joined statement, the US government is now willing to make significant changes to improve the protection of Europeans’ rights. It will be hard for the US, however, to live up to those promises without strong support in Congress and without radical reforms in the way it allows its intelligence services to analyse the data of Europeans.
What makes an international transfer lawful?
The GDPR protects the processing of personal data by parties that have an establishment within the EU (hello Facebook Ireland), regardless of where the process the data. Parties outside of the EU may also have to comply with GDPR, if they target people in the EU for their products or services (hello Facebook), or if they monitor the behaviour of people in the EU on a large scale (I see you, Facebook). When this processing takes place outside the EU, this counts as an international transfer.
The GDPR also applies indirectly in three countries outside of the EU: Norway, Liechtenstein and Iceland. And transfers of data to these countries is not considered to be an international transfer. From the perspective of the GPDR, those countries are in the EU.
Some countries have implemented data protection laws that offer similar levels of protection as the GDPR. The European Commission has recognised several of these countries in adequacy decisions. Transfers of data to these countries are considered international transfers, but the GDPR does not impose any barriers to them. For some of these countries, the European Commission has included specific conditions to the adequacy decision. In Canada, the adequacy decision only applies to commercial organisations, not to governmental ones. Privacy Shield was created as such a partial adequacy decision for US companies. By self-certifying and by simultaneously implementing additional safeguards, US companies could be considered to adequately protect personal data, allowing international transfers to these companies to take place. The ECJ however ruled that Privacy Shield had to be considered invalid, as the legal climate in the US meant that intelligence services had too many ways of unlawfully processing Europeans’ data, while Europeans were largely unable to effectively exercise their data protection rights in the US.
The GDPR provides some solutions for the lack of adequacy in the US, but they come with the cost of more complex administration and accountability. Most commonly used is the adoption of Standard Contractual Clauses (SCCs), as drafted by the European Commission. If a party in the EU enters into SCCs with a party in the US, and as long as it makes sure that the US party is in compliance with the SCC’s terms, a data transfer to that company can be done lawfully.
The US must implement radical reforms
The announcement of the so-called Trans-Atlantic Data Privacy Framework will not change anything for now. It merely states that change may be coming. A final agreement is far away, as is shown by an in-depth analysis by the well known privacy specialists Ian Brown and Douwe Korff. They describe four areas of reform, that are necessary before a new adequacy decision can be reached:
- The US needs to implement a federal general data protection law, that allows companies in the US to adequately protect personal data to a level in essence equivalent to the GDPR.
- The US surveillance agencies must be reined in, so that they will focus only on national security, instead of US interests, and may only process personal data when that is necessary and proportional to the demands of specific investigations.
- The US must end the use of secret laws and regulations, that allow the surveillance agencies to circumvent or ignore legal limitations to their activities.
- European citizens must be granted the ability to effectively exercise their data protection rights in the US, through a completely independent authority, that has the ability to apply effective sanctions.
The US government and the European Commission seem to be aware that the road to adoption of a revived Privacy Shield is going to be long. They project optimism, but the to-do list is significant. While a majority may be found in Congress for the adoption of a federal general data protection statute, it remains to be seen if that would apply to non-US persons. The radical reform of US intelligence agencies seems a bridge too far in the current political climate. Even if the agreement in principle speaks of the limitation of the use of EU data to what is ‘necessary and proportionate’, the Atlantic still seems too wide to allow for a common understanding of what those terms imply.
Little optimism about the durability of a new mechanism
For the foreseeable future, no new adequacy decision exists. Businesses in the EU and US will have to work with the SCCs, or one of the other, much rarer mechanisms for lawful transfer of data to the US. I expect that an actual resurrection of Privacy Shield will be short-lived. The European Commission has demonstrated before that it is eager to embrace any proposal to improve of the US government, no matter how slight, as a fundamental shift. The continued flow of data seems to outweigh a careful consideration of the substance of the change.
This eagerness is hardly a solid basis for trust in a new mechanism. Max Schrems, the privacy activist whose complaints led directly to the invalidation of both Safe Harbour and Privacy Shield, has already announced that he thinks the legal procedures could be much faster this time. Should the European Commission be tempted into the adoption of a weak Privacy Shield II, the ECJ may invalidate or suspend such a decision within months, rather than years.
The prospect of an agreement that may be rejected within months, is not at all attractive to organisations in the EU, who want to transfer data to the US lawfully. They would do well to avoid the new scheme and instead take measures to limit data transfers, or to provide adequate safeguards themselves.