Privacy Shield 2.0: a business solution for international personal data transfers

by Javier López-Guzmán - Compliance Consultant

To transfer data internationally, it is important to choose the right legal instrument. A major development in the transatlantic framework has emerged recently. Could this be the start of a new Privacy Shield 2.0, and could it be of use to businesses making these transfers? Let’s investigate!

Data processing is one of the main pillars of the current digital market. Data transfers between different jurisdictions are integrated as part of everyday business in many companies and public entities - either in digital tools used daily or as a business growth model to benefit from economies of scale. Personal data is legally protected in a specific way, which limits digital business.

This sensitive context explains the importance of choosing the right legal instrument to transfer data internationally. Compliance is challenging and necessary. However, it also brings potential improvements in cybersecurity and reliability for entities which implement it by design.

Open transfers of personal data

The topic could not be trendier: last October US President Joe Biden signed an Executive Order (EO) to adapt the existing American legal framework in order to secure the data flows between the US and the EU. The aim of that legal act is to bring the US framework closer to the EU legal framework in aspects such as state surveillance, security, and legal remedies for EU citizens.

This alignment should facilitate the creation of a new adequacy decision between the EU and the US: Privacy Shield 2.0. Adequacy decisions, as defined in the General Data Protection Regulation (GDPR), are one of the core legal instruments designed to protect fundamental rights and boost innovation and international trade. They are the legal instrument created in the personal data protection regime of the EU to validate privacy frameworks of other countries and allow automatic transfers of personal data to those countries, without any other specific (and often bureaucratic) legal warranties. By declaring a third country adequate, the European Commission whitelists it, and allows businesses to send personal data there automatically.

The original Privacy Shield and its predecessor Safe Harbour were struck down by the Court of Justice of the EU in the ‘Schrems’ and ‘Schrems II’ cases respectively. The Court found that Europeans’ data was not sufficiently safe from US surveillance. As a result, these past eight years have been a bumpy road for digital innovators.

The road ahead

President Biden’s new Executive Order, entitled “Enhancing Safeguards for United States Signals Intelligence Activities”, does go some way to close the transatlantic gap between the legal systems. However, experts agree that this document alone does not signal a return to business as usual. The topic is far from closed.

To guarantee that transatlantic data flows will continue, the European Commission must pass a new adequacy decision in the coming weeks (Privacy Shield 2.0, or any other savvy title). There is a firm political agreement at the highest level to land this legal scheme. It originated in the visit of the US government to Brussels last March, with the meeting between Presidents Joe Biden and Ursula von der Leyen, and the political agreement to build a new Trans-Atlantic Data Privacy Framework. Since then, the topic has already been extensively discussed in the EU-US Trade and Technology Council, a bilateral transatlantic governmental forum.

What about the EU Court of Justice?

As with any political agreement on trade (even if digital), this matter is highly controversial. It is also subject to political decisions that impact business development worth billions in international transfers. Pro-business entities argue that the US has honoured its part of the agreement. Now the ball is in the EU’s court.

However, even if the EU Commission and Member States seem to be willing to return to the status quo as soon as possible, there is another actor in the play: the Court of Justice of the European Union. Most academics and civil society activists do not buy the new rhetoric on the pro-business American side. They do not consider these new legal safeguards sufficient to protect Europeans’ personal data abroad. The agreement is therefore very likely to be challenged before the Court.

Both previous adequacy decisions were annulled by the Court due to fundamental rights concerns. Will it consider these new safeguards sufficient? What will be the tribunal’s take on the new influence of the US government on European secret services and European citizens’ data?

Navigating uncertainty

Meanwhile, as a pressure measure, and to raise its international profile on this specific topic, the US has promoted its own fora on international data transfers, which could rival the one established in the EU as a business-friendlier approach in the digital era. The United Kingdom, too, wants to propose a similar framework of its own in the post-Brexit period. And transfers to other economic areas, such as China, are also of high business interest.

How can digital businesses and public entities navigate this uncertainty? The answer is to stay well informed and up to date, and to find the right partnerships.

With our team of experts, we are well-equipped to help you do just that. So don’t hesitate to call on us for (extra) support and assistance.