As part of its adequacy decision, the EU Commission has defined how, in its view, the future exchange of data between the European Union and the USA should take place. It is possible that we are now on the home stretch towards the new Privacy Shield.
Is the new Privacy Shield finally coming?
Since the end of the Privacy Shield a few years ago, US tech companies like Meta and Google have been regularly hit with fines from the EU. It is not just competition law that is the focus of the authorities. Rather, it’s about the data analysis of EU citizens on U.S. servers. In order to ensure more uniformity, U.S. President Joe Biden has made a new edition of the Privacy Shield a top priority. In doing so, the two potential contracting parties are relying on communication. They already met in March of this year to discuss in detail the contents of a successor to the data protection agreement.
Now the public is being allowed a first look at the copy that the EU Commission has put together. The commission informed the public about the draft on Dec. 13, 2022. As part of a communication, the body indicated that the renewal is intended not only to promote “secure transatlantic data flows.” On top of that, the content objected to in the so-called “Schrems II ruling” is said to have been revised. The Court of Justice of the European Union (CJEU) ruling was the death knell of the Privacy Shield in its original formulation.
Unanimity with the USA
The EU Commission’s elaboration is on a par with a decree signed by U.S. President Biden in October. Consequently, there now appears to be a common understanding on the level of data protection that should prevail when data is exchanged between the EU and the US. U.S. companies in particular are likely to be pleased about the common denominator. After all, Meta and Google, among others, have been calling for quite some time for a Privacy Shield to finally be brought back into being. An important change to the predecessor is the deletion obligation, which is to find a place in the new version. From now on, personal data is to be deleted if the purpose for which it was collected no longer applies. Furthermore, data protection is to continue even if the data should be passed on to a third party.
Starting shot for adequacy decision
The draft of the EU Commission is also, as it were, the starting signal for the adequacy test within the EU. In the process, the draft first goes to the European Data Protection Committee (EDSA). In parallel, one must include the say of all EU members. These must agree to the drafting of the EU Commission. At the end of the process is the so-called adequacy decision, which in turn represents the compromise between the EU bodies. Once this is in place, it is once again up to the EU Commission to approve it.
This means that the Privacy Shield 2.0 could possibly come into force in 2023. Eco, an association of the IT industry, is also pleased about this. Eco’s statement shows that it is not only Meta and Google that will benefit from a uniform regulation of secure data exchange. Also, “for many small and medium-sized companies in Europe, a legally secure exchange of data on an international level is the basis for their data-driven business models and a successful digital transformation.”
New complaints procedure for EU citizens
One problem that made further application of the first Privacy Shield impossible was the access possibilities of US intelligence agencies. If data from EU citizens was sent to the servers of US companies, it could be used by the Central Intelligence Agency (CIA), for example. However, access is not really ruled out even in the new version. After all, there is a right to data use in the context of mass surveillance.
However, data access must be appropriate and for a justifiable purpose. Furthermore, EU citizens will henceforth be granted a new possibility to lodge a complaint against data collection. The U.S. wants to set up special complaints offices and courts to decide on cases. If data has been wrongfully collected, this will be determined by these bodies in a two-stage procedure.
Is another Schrems ruling looming?
The Schrems II ruling mentioned at the beginning does not bear its name without reason. The name giver is the Austrian lawyer and data protection expert Max Schrems. This and other activists already successfully resisted the original version of the Privacy Shield. In October, Schrems, in his capacity as chairman of the organization Nyob, was already critical of US President Biden’s decree. In his opinion, a new Privacy Shield can only withstand another negative ruling by the ECJ if it is not based on the US decree. We are curious to see whether we can really expect a new Privacy Shield next year. What is certain is that it is time for a reliable and fair regulation on data exchange between the EU and the USA.