EU-US Privacy Shield 2.0

October 21, 2022


Is the solution for safe transatlantic transfers here?
Much as when the GDPR came into force in 2018 and data protection was on everyone's mind, the Schrems II ruling and the resulting dismantling of Privacy Shield has become a whirlwind that businesses have had a hard time taming. Almost every business that processes personal data transfers some of it to the US in one way or another, and since Schrems II, every organization has been required to keep a thorough overview and documentation of its third country transfers to the US. Many have been waiting for more information about what comes next: will a new Privacy Shield 2.0 arrangement be put in place, or will one have to accept the inherent risk that third country transfers to the US entail? Or, as is the case in many situations, should we be looking for other systems where no third country transfer takes place and the personal data stays within the EU?

Privacy Shield 2.0 or Schrems II?
The big talk of the past week has been the Executive Order (EO) that US President Joe Biden signed on October 7th 2022, which will enable the development of a new data sharing agreement between the EU and the US. The data sharing agreement, which we will call Privacy Shield 2.0 for the sake of simplicity, changes the conditions under which US intelligence services may access electronic communications. The EO is an attempt to plug the shortcomings in American data protection legislation that the EU Court of Justice previously identified, by introducing, among other things, individual rights and proportionality requirements based on them, as well as oversight and transparency from American courts regarding the handling of and access to data. Various actors in the US will need to take measures to realize the EO, including through regulations, guidelines and the allocation of supervisory responsibilities.

Now that the EO is signed, the ball is in the EU’s court. The Commission will review whether the conditions in the EO are sufficient to decide whether it is adequate to resume a legal transfer of data from the EU to the US. An adequacy decision from the Commission means that US data protection legislation is equated with the GDPR and would then lead to the end of the risks that are currently associated with third country data transfer to the US.

Now, it is important not to claim victory in advance. Before an adequacy decision can be made, several bodies must be consulted, including the European Data Protection Board (EDPB). It is estimated that the process of producing an adequacy decision can take at least 6 months. If and when an adequacy decision is made, other parties will take action. The organization NOYB may follow up with a complaint that the adequacy decision does not meet a high enough standard, which could lead to yet another termination of the agreement, and we would then potentially have a Schrems III situation ahead of us. Another aspect to take into account is that an EO can be torn up at any time if a new US president takes office, making the uncertainty even greater.

Further actions from businesses?
At the moment, nothing has changed regarding how to relate to third country transfers. Nothing is set and ready, and we cannot count on the process of developing a Privacy Shield 2.0 to be smooth and efficient. On the contrary, as mentioned above, various actors are expected to challenge the data sharing agreement on the same grounds that Privacy Shield was challenged and dismantled.

Businesses must still have full control over their third country transfers, ensuring compliance with the various parts of European data protection legislation. This is done by keeping an updated register of processing activities (ROPA), providing clear information to data subjects, and applying various security measures, both technical and organizational, that are in line with practice and the regulatory framework. There are also indications that many businesses are beginning to review their systems and providers to investigate whether there are equivalent systems and providers within the EU to which they could migrate their data flows. Documenting the risk of third country transfers is necessary, but it is equally important to document your strategy for dealing with this issue should the risk of third country transfers increase and Privacy Shield 2.0 fall through.
