The invalidation of the previous frameworks governing US-EU data transfers caused a lot of confusion among European companies. With the agreements struck down, there was no longer a clear legal basis for the cross-border transfer of personal data from the EU to the US.
The new adequacy agreement, often referred to as Privacy Shield 2.0, seems to be a ray of hope as EU and US authorities have taken some steps to make it easier for companies that use platforms that send data across the Atlantic. However, privacy experts say that the new framework will lead to many controversies and can be quickly challenged by the Court of Justice of the European Union (CJEU), as were the two previous agreements. So, what is the future of transatlantic data transfers?
Let’s first understand what the previous adequacy agreements were all about and what led to their failure. Then, we’ll focus on the so-called Privacy Shield 2.0, which is set to address the concerns raised by the CJEU in 2020.
Finally, we’ll discuss the possible outcomes of the new agreement and the impact it will have on EU and US businesses.
The significant difference in US versus EU legislation is the lack of a comprehensive data privacy law that applies to all types of data and all US companies. Therefore, a regulatory framework that relates to data transfers of EU personal data to the United States is necessary. The Privacy Shield, whose aim was to regulate such data transfers, was created to replace the International Safe Harbor Privacy Principles. The so-called Safe Harbor was invalidated by the CJEU in October 2015.
Safe Harbor was invalidated by a ruling that has come to be known as Schrems I, as the case was brought by the Austrian lawyer Maximillian Schrems. Schrems lodged a complaint in 2013 about personal data being transferred from Facebook Ireland Ltd. to its US parent company and then being accessed by US state security agencies. The activist argued that the framework provided insufficient protection of his fundamental right to privacy in the United States.
The CJEU found that the Safe Harbor program did not adequately protect personal data from “interference” from the US government “founded on national security and public interest requirements.”
The ruling led to the creation of the EU-US Privacy Shield.
Privacy Shield came into effect on July 12, 2016. This data protection agreement was supposed to provide an improved framework for securely transmitting personal data from the European Union to the United States. This updated version of the agreement was created to effectively protect European residents’ rights and ensure an adequate level of security in the processing of their data, as well as to enable seamless data exchange and facilitate commerce between the EU and the US.
However, in 2020, history repeated itself and the CJEU declared the Privacy Shield invalid.
On July 16, 2020, the Court of Justice of the European Union ruled that the EU-US Privacy Shield was invalid because of concerns about surveillance by US intelligence and law enforcement agencies. The verdict later came to be colloquially known as Schrems II, as it was again a response to a new complaint lodged by Max Schrems.
The court stated that sending personal data from the EU to the US is unlawful if companies can't guarantee it will be safe from US intelligence. The ruling had seemed inevitable since the creation of Privacy Shield; from the very beginning there were rumors that it would be invalidated.
The problem lies in the mismatch between data privacy regulations in the EU and the US. EU courts viewed this gap to be too large to be covered with a general agreement such as Privacy Shield or Safe Harbor. We will discuss this later in the article, as it remains a challenge for the new agreement.
The impact of the Schrems II ruling was immense. It has irreversibly changed how companies and legislators approach data transfers and user privacy.
Privacy Shield covered thousands of companies, including giants such as Facebook and Google. That group insurance policy, so to speak, has disappeared.
Consequently, the Schrems II ruling caused significant legal uncertainty for thousands of European companies. Because the court found the Privacy Shield agreement incompatible with GDPR, its invalidation left no legal means for the cross-border transfer of personal data from the EU to the US. As a result, it became more challenging for companies that relied on data transfers to work with US service providers.
Though Privacy Shield was no longer a valid legal justification for EU-US data transfers, the transfers themselves did not stop. Large tech companies such as Google still send heaps of data about EU residents to the US.
Without an adequacy agreement in place, some companies, including Google, resorted to standard contractual clauses (SCC) and binding corporate rules (BCR) to safeguard data sent to the US.
Since the Privacy Shield verdict, the privacy watchdog organization NOYB has filed 101 complaints against companies that collect visitor data with Google Analytics and Facebook Connect. The companies named in the complaints come from multiple sectors, with publishers and finance prominently represented.
EU data protection authorities (DPAs) then began issuing decisions that effectively banned the use of platforms such as Google Analytics in some EU countries:
- On January 12, 2022, Austria’s DSB released its ruling in the case of an unnamed German web publisher. The regulator stated that using Google Analytics to collect data on EU residents is unlawful under GDPR.
- In April 2022, CNIL issued a decision ordering three French websites to stop using Google Analytics.
- In June 2022, Italy’s data protection authority (Garante) ruled that the transfer of personal data to the United States during the use of Google Analytics is unlawful under GDPR.
- In September 2022, the Danish Data Protection Agency Datatilsynet became the fourth national regulator to conclude that Google Analytics does not comply with GDPR’s requirements.
Individual companies were thus at higher risk of legal action from consumers, consumer rights groups, and DPAs.
On October 7, 2022, President Joe Biden signed an executive order (EO) to implement a new EU-US Data Privacy Framework, also known as Privacy Shield 2.0, to protect the privacy of personal data shared between the US and Europe. The EO marks the beginning of work on the new framework. If all goes well, the new agreement will be published in March 2023, ending the long period of uncertainty in the transatlantic digital economy.
The new framework addresses concerns raised in Schrems II. Schrems II struck Privacy Shield down, in part, because EU residents had no rights to petition the US government if they felt their data had been improperly gathered.
Biden’s order tackles those issues by restricting how signals intelligence can be gathered by US spy agencies and placing the collection of information behind several layers of conditions, including ensuring that only tightly tailored data is collected. The White House said in a fact sheet that the US had “committed to implement new safeguards to ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives.”
The new framework will allow individuals in the EU to seek redress through an independent Data Protection Review Court made up of members from outside the US government. That body would have full authority to adjudicate claims and direct remedial measures as needed.
The agreement is now subject to review and ratification by the European Commission, which could take up to six months.
Though the executive order introduces a series of additional safeguards and requirements to limit access to EU residents’ data by US surveillance, and also establishes a redress system to handle complaints, privacy advocates say Biden’s executive order seems destined to fail.
NOYB, Schrems’ privacy rights organization, said in its response to Biden’s EO that the Data Protection Review Court fails to be an actual court as defined by US law. They also criticized the extent of the recourse available to EU residents, saying there was no additional guarantee they would be heard beyond what was offered under the previous frameworks. “At first sight, it seems that the core issues were not solved and it will be back to the CJEU sooner or later,” Schrems summed up.
The executive order set out fresh rules on how the US and Europe share people’s private personal information, but it may still fall short of the EU’s requirements. NOYB points out that the solution might be flawed due to a few problems:
- The executive order is not a law and can be easily derogated by another executive order. This feeble legal construction will most likely not satisfy the CJEU.
- From the US perspective, Europeans have no privacy rights. The Fourth Amendment only grants them to US citizens. All non-US citizens may easily become targets of surveillance.
- US organizations operating in the EU will not be bound by GDPR. According to the EO, they won’t need a legal basis for data collection and must only provide an opt-out mechanism for those not willing to share data. This puts EU businesses that have to comply with GDPR at a serious disadvantage.
The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, Stefan Brink, commented on the Executive Order of the US President at the end of October 2022. He welcomed the EO, but expressed the following concerns:
- The EO is an internal directive for government and subordinate agencies and is not a law passed by parliament.
- It is unclear how the Executive Order relates to other U.S. regulations, such as the Cloud Act.
- Legal systems in the EU and the US interpret the legal concept of proportionality differently.
- The complaint process for a violation of the EO is complex and cumbersome. The body responsible for making the decision is not an independent court.
The European Commission will now have to decide whether there is an equivalent level of protection of personal data in the U.S. in terms of substance. It is already questionable whether the Commission is even in a position to reassess the level of data protection in the U.S. and issue an adequacy decision on the basis of the Executive Order alone. The large number of open questions that still need to be clarified casts doubt on this.
Stefan Brink, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg
Let’s go deeper into the controversies and discuss their background and implications in more detail.
The new agreement still might not be able to address the underlying issues with EU-US data transfers, as the two parties take fundamentally different approaches to the privacy of individuals and have distinct legal systems that any agreement will find extremely difficult to align.
United States legislation allows authorities to monitor and obtain data that companies collect. This does not sufficiently protect European residents’ data on US servers from access by these authorities. The EU sees privacy as a human right that applies to all individuals, while the Fourth Amendment only applies to US citizens or permanent residents. In the view of the US, Europeans have no privacy rights. Section 702 of FISA builds on that difference in US law: it permits surveillance that would be illegal under the Fourth Amendment, as long as no Americans are targeted.
This problem is an old one, as the first Privacy Shield also prioritized United States law, and even listed six cases in which mass monitoring was allowed. This monitoring of data was not limited to instances in which it was absolutely necessary, and European consumers’ ability to legally defend themselves was restricted.
What is striking is that the European Commission still did not request that the so-called Privacy Shield Principles be aligned with GDPR, which has been in force since 2018. The principles are to a large extent the same as the previous Safe Harbor principles, which were drafted in 2000 and will continue to be used in the new framework. This means that US businesses can continue to process European data without complying with GDPR. For example, they don’t need a legal basis for processing, such as consent. Under the Privacy Shield, US companies only have to offer an opt-out option for users. This is despite the CJEU having highlighted that protections in the US need to be “essentially equivalent.”
Following the two Schrems rulings, an appraisal by American lawyer Stephen Vladeck published in early 2022 casts doubt on whether American companies and their EU subsidiaries are processing data in accordance with GDPR. It describes the current state of US monitoring laws and whether American companies are capable of adhering to European data protection standards. Vladeck says that processing data on EU servers is not sufficient to prevent access by authorities or intelligence services from outside the EU.
As of today, EU-US data transfers pose compliance risks, especially when you use big tech products that utilize data on a large scale, as is the case with Facebook or Google Analytics.
For example, according to the Danish Data Protection Agency, until the deal is made public, data transfers are still in breach of GDPR. As stated, the US executive order does not mean that Danish companies and authorities can already transfer personal data to the US without a transfer basis and compliance with the requirements arising from the Schrems II decision.
A decision may be reached around March 2023. But we must take into consideration that privacy NGOs will raise complaints about the new agreement and challenge it in court.
NOYB and its partners have already declared that they will analyze the documents in more detail and will issue a detailed legal analysis within the coming weeks. If the European Commission’s decision is not in line with EU law and the relevant CJEU judgments, NOYB says they will probably bring another challenge before the CJEU. Meanwhile, the US Congress will have to re-authorize FISA 702 in 2023, which could give the US legislature an opportunity to implement meaningful limitations that respect the privacy rights of non-US citizens.
Since the Schrems II ruling, which effectively banned EU-US data transfers, many EU organizations have updated their technologies and methods to navigate the new legal landscape. The two most common paths were:
- Transfer limitation/exclusion and data anonymization. US business tech relies heavily on user identification and data transfers. Limiting the transfers or stripping the data of personal information helps overcome this issue, but it comes with a price. For example, when Google Analytics is configured to meet the standards of GDPR (as per French DPA guidelines), it loses most of its capabilities.
- Updating the technology stack with EU alternatives. Schrems II created an opening in the market for EU companies offering business and marketing software with local EU hosting. These alternatives allow organizations to become completely independent of the transatlantic data transfer ordeal.
You should fully control your data. Understand what kind of data you collect, store and transfer. Also, learn how and when it moves from place to place.
You might want to use cloud software services, which are a great solution. You just need to make sure the data is stored locally in the EU and the data center is hosted by an EU vendor. Work with transparent partners that give you maximum flexibility for how you handle data from their services.
It’s a good idea to work with those that support values such as privacy by design and data minimization. Following these values will help you deal with less personal data, minimizing your risk. Keep in mind that the main issue around Privacy Shield and GDPR is personal data.
Read more about different ways to collect data in: 6 ways analytics software collects data online – plus a comparison of 5 popular platforms
Please keep in mind that who processes data and where they do it is also important. You will minimize risk if personal, and especially sensitive, data is processed by partners headquartered in the EU rather than in the US.
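The two paths described above (limiting or stripping personal data before it reaches a US-hosted service, and sending it unchanged only to an EU-hosted processor) and the advice to know what data you hold and where it goes can be combined into a single pre-transfer step. The following Python script is an added example and is not code from the article, from Google Analytics, or from any vendor it mentions. It assumes analytics events are flat dictionaries; the field classification, the destination list and the sample event are constructed for illustration.

```python
"""Minimize analytics events before they leave the EU (added example).

Assumptions, not taken from the article: events are flat dicts, the field
classification and destination registry below are constructed samples, and
the pseudonymization key is held only by the EU-side system.
"""
import hashlib
import hmac
import ipaddress
from typing import Any, Dict, Optional

# Constructed field classification. Anything NOT listed here is treated as
# personal data and dropped, so a newly added field cannot leak by default.
NON_PERSONAL_FIELDS = {"event", "timestamp", "page_path", "referrer_host", "country"}
PSEUDONYMIZE_FIELDS = {"user_id", "session_id"}   # replaced by a keyed hash
TRUNCATE_IP_FIELDS = {"client_ip"}                # reduced to a network prefix
FREE_TEXT_FIELDS = {"search_query", "form_comment"}  # may contain anything: dropped

# Constructed destination registry: hosting region decides what may be sent.
DESTINATIONS: Dict[str, Dict[str, str]] = {
    "eu-analytics": {"region": "EU"},
    "us-analytics": {"region": "US"},
}

# Constructed sample event, as an EU website might record it.
SAMPLE_EVENT: Dict[str, Any] = {
    "event": "page_view",
    "timestamp": "2022-11-01T10:15:00Z",
    "page_path": "/pricing",
    "referrer_host": "example.org",
    "country": "DE",
    "user_id": "u-42",
    "session_id": "s-9001",
    "client_ip": "203.0.113.77",
    "search_query": "invoice john.doe@example.com",
    "email": "john.doe@example.com",   # unclassified field: must be dropped
}


def truncate_ip(raw: str) -> Optional[str]:
    """Keep only a /24 (IPv4) or /48 (IPv6) prefix; None if not an IP."""
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return None
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash: stable for joins, unlinkable without the EU-held key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def minimize_event(event: Dict[str, Any], key: bytes) -> Dict[str, Any]:
    """Return a copy of the event with personal data stripped or reduced."""
    out: Dict[str, Any] = {}
    for name, value in event.items():
        if name in NON_PERSONAL_FIELDS:
            out[name] = value
        elif name in PSEUDONYMIZE_FIELDS:
            out[name] = pseudonymize(str(value), key)
        elif name in TRUNCATE_IP_FIELDS:
            truncated = truncate_ip(str(value))
            if truncated is not None:
                out[name] = truncated
        # FREE_TEXT_FIELDS and any unclassified field are deliberately dropped.
    return out


def unexpected_fields(event: Dict[str, Any]) -> set:
    """Fields that should never appear in an event bound for a non-EU host."""
    allowed = NON_PERSONAL_FIELDS | PSEUDONYMIZE_FIELDS | TRUNCATE_IP_FIELDS
    return set(event) - allowed


def prepare_for_destination(event: Dict[str, Any], destination: str, key: bytes) -> Dict[str, Any]:
    """EU-hosted processors get the full event; everything else gets the minimized one."""
    region = DESTINATIONS[destination]["region"]
    if region == "EU":
        return dict(event)
    minimized = minimize_event(event, key)
    leftovers = unexpected_fields(minimized)
    if leftovers:  # defensive: minimize_event should never produce these
        raise ValueError(f"refusing transfer, personal fields remain: {sorted(leftovers)}")
    return minimized


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-eu"
    print(prepare_for_destination(SAMPLE_EVENT, "eu-analytics", key))
    print(prepare_for_destination(SAMPLE_EVENT, "us-analytics", key))
```

Two caveats on the design. A keyed hash is pseudonymization, not anonymization: the EU-side key can still re-identify users, which is exactly why the key must never accompany the data to the non-EU destination. Likewise, truncating an IP address reduces identifiability but does not by itself make an event non-personal, so the deny-by-default rule for unclassified fields and the drop of free-text fields (which users routinely fill with names and e-mail addresses) matter more than any single transformation. None of this turns a specific product into a GDPR-compliant one; it is the general shape of the "transfer limitation" path the article describes.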
The internet used to be an unregulated space, creating a source of legal chaos. That is less true with every passing day. Regulations on everything from ecommerce sales tax to where personal data should be stored are finally becoming more common. As this has happened, various countries have come up with different legal methods of regulating the internet.
Those differences lead to problems like the one currently being hashed out between the EU and the US.
Privacy Shield 2.0 is meant to overcome limitations in EU-US data transfers, but a political announcement without a solid text seems to be generating even more legal uncertainty for the time being. Therefore, keeping to privacy-friendly ways of data collection is the safest solution.
The issues surrounding Privacy Shield 2.0 are evolving dynamically. We’ll keep you informed about any changes to the framework.
If you’d like to discuss challenges related to data residency, personal data collection and GDPR compliance, be sure to get in touch.