GDPR Update – US and EEA may have agreement for “Privacy Shield 2.0” | Nelson Mullins Riley & Scarborough LLP
On Friday, March 25, 2022, US President Joe Biden and European Commission President Ursula von der Leyen jointly announced that an agreement had been reached to replace the former Privacy Shield Framework governing data transfers from the European Economic Area (“EEA”) to the US. As they say, the devil is in the details and, as of today, no text of the agreement is available to provide details on the new framework. However, according to a joint statement, the United States has agreed to implement the following measures:
- put in place new safeguards to ensure that signal monitoring activities are necessary and proportionate to the pursuit of defined national security objectives;
- establish an independent two-tier appeals mechanism with binding power to order remedial action; and
- improve rigorous, multidimensional monitoring of signals intelligence activities to ensure compliance with surveillance limits.
These new U.S. concessions are intended to address concerns about the potential risk that personal information transferred to the United States may be subject to U.S. government production under the Foreign Intelligence Surveillance Act of 1978 (“FISA”). These concerns have been at the forefront of European privacy law for some time and have been the subject of recent rulings by the Court of Justice of the European Union, notably the so-called “Schrems II” decision, which invalidated the former Privacy Shield data transfer framework between the US and the EU in 2020 because of the potential risk of data production under FISA. The test will be whether the new safeguards offered by the US are deemed sufficient to mitigate production risk and allay concerns in the EU.
Certainly, the news of this agreement will be very welcome to many, given the uncertainty previously created by Schrems II and its progeny. After the court struck down the former Privacy Shield framework, organizations had to determine for themselves other purportedly lawful means for transatlantic data transfers, such as adopting standard contractual clauses (“SCCs”) to protect the data. However, even the use of SCCs has recently come into question. In the past three months, data protection authorities in Austria and France have invalidated the use of Google Analytics after concluding that the data collected by the Google software could be subject to production under FISA. Taken together, these decisions by EEA authorities have caused many to wonder whether there remain any lawful ways to transfer personal information to the United States.
Despite this new deal, it remains unclear whether the US and EU can settle their differences to create an enforceable regulatory regime. The perspective from which EEA authorities view the risk contrasts sharply with the predominant view in the United States. For example, to have standing to sue in the United States, there must be evidence of a concrete risk of harm rather than merely an abstract or hypothetical risk. In contrast, EEA authorities have consistently imposed restrictions based on the type of hypothetical production risk underlying Schrems II. With such opposing views on how risk should be measured, it should be fascinating to watch both sides attempt to reach a satisfactory compromise.
Meanwhile, privacy advocate Max Schrems, whose lawsuit successfully challenged Privacy Shield, has left no doubt that he intends to pursue a Schrems III, saying: “[I]n the end, the Court of Justice will decide a third time. We expect that to come back to the Court within months of a final decision.”
As these issues and organizations’ needs for cross-border transfers continue to evolve, Nelson Mullins’ Data Privacy and Security team will continue to monitor this issue closely and provide periodic updates on important developments.