Privacy Shield history from 2016 to 2.0
The topic is not new, and it was not created recently: there are earlier laws and attempts to bridge the gap between data privacy law in the United States and in the European Union. We are referring here in particular to what is known as the Safe Harbor International Privacy Principles agreement, a program that was created and developed between 1998 and 2000. Its objectives and principles are very similar to those of the Privacy Shield, as it aimed to protect EU citizens’ data that is shared with US companies for commercial purposes.
On 6 October 2015, the European Court of Justice (ECJ) invalidated the International Safe Harbor Privacy Principles. This ruling is known as Schrems I. After that, a new attempt began to find a solution or agreement under which European individuals’ data could be shared with US companies in a way that does not conflict with the General Data Protection Regulation (GDPR). We can therefore say that the Privacy Shield was an extension of, or an alternative to, the international Safe Harbor privacy principles, with an attempt to correct the errors that led to the termination of that agreement.
Here are some of the changes that have been made in an attempt to avoid shutting down the program again:
- Enforcement of stricter laws for participating organisations.
- Individuals have the right to take action, such as complete deletion of data from participating organisations.
- The data may not be used for purposes other than those for which they were collected, and the citizen must be made aware of these purposes from the outset.
- Privacy Shield participating organisations provide mechanisms to discuss and resolve complaints free of charge.
Despite all these efforts and the changes made between the international Safe Harbor privacy principles and the Privacy Shield, the court (the same one that stopped the old agreement) stopped the Privacy Shield on July 16, 2020, in what is known as Schrems II.
Why is the Privacy Shield program suspended?
The suspension is due to three main reasons:
- The first reason is the so-called “Adequacy Decision”. It is a requirement (a set of conditions laid down by the Court of Justice of the European Union, the CJEU) that countries which will deal commercially with EU citizens must have laws protecting the privacy of individuals that are equivalent, or at least close, to those of the European Union (the GDPR). While some countries meet this condition, such as Canada, Argentina and many others, the United States is not one of them.
- The second reason is the US Surveillance Act. It is a law in the US Constitution, and it clearly states that US authorities have the right to monitor any data for security purposes, such as discovering any threat to the US military, confronting terrorism, or countering any attempt to cause unrest in the country. In Schrems II, the CJEU addressed the validity of the SCCs as well as the European Commission’s finding on the adequacy of Safe Harbour. On the question of whether the US provides an adequate level of protection, the CJEU found that, since Section 702 of the US Foreign Intelligence Surveillance Act (FISA) does not limit the power of surveillance programmes to target persons outside the US, the US does not guarantee an adequate level of privacy protection.
- The third reason is that EU citizens cannot file a request for prosecution if US authorities are found to have been involved in the misuse of their data.
Results of the suspension of the EU-US Privacy Shield:
Such restrictions would reduce digital trade and have negative economic repercussions for businesses on both sides of the Atlantic. The deactivation of the Privacy Shield program forces companies and organisations to work with Standard Contractual Clauses (SCC), also called Model Contractual Clauses (MCC), a legal instrument used to transfer data between EU and non-EU countries, which also imposes strict restrictions on its use. The problem with SCCs is that they are a contractual obligation, and a contract does not bind other governments. Therefore, if national security agencies’ practices for accessing personal data are incompatible with the GDPR, SCCs clearly do not remedy this problem. Moreover, using standard contractual clauses does not automatically make an international data transfer GDPR compliant: the company must assess the laws of the country to which it intends to transfer the data. To use SCCs, you need to document the risks involved in dealing with data recipients outside the European Union and assess whether there are any loopholes or exceptions in the laws of the country to which the data will be transferred. The full integrity of the infrastructure for examining and storing citizens’ data, as well as updates from EU authorities on KYC, must be ensured.
What happens after the suspension of the Privacy Shield?
Participating companies need to reconsider the terms under which they contract with third-party companies for the use of data. Companies that had already experienced the problems and challenges facing the EU-US Privacy Shield and had adapted to the SCC are less affected by this suspension. The suspension could also prompt states to reconsider whether to reshape their national privacy laws in line with GDPR legislation.
Here are the recommendations of the European Data Protection Board (EDPB) when using SCC:
- Know your transfers: identify the transfer tools you rely on.
- Adequacy decisions.
- Evaluate transfer factors.
- Evaluate the laws.
- Take further action.
- Take procedural steps if you have identified additional effective measures.
- Reassess at appropriate intervals.
Privacy Shield 2.0
If we look at the number of attempts made to compensate for the absence or cancellation of the EU-US Privacy Shield, we can see the importance of such an agreement: as soon as one programme is cancelled, another attempt to replace it follows immediately. This shows the scale of the investment between the United States and the European Union, which urgently needs an agreement to bridge the gap between the data privacy laws of the two sides.
Because of the necessity and importance of continuing these investments between the two sides, they have sought a new agreement known as Privacy Shield 2.0. These continuing attempts to reach an agreement that satisfies all parties show the importance of the trade between them.
The European Union and the United States have reached an agreement on a new alternative to the Privacy Shield, which was suspended by the Schrems II decision in July 2020; the replacement was originally known as Privacy Shield 2.0. In fact, the aim of creating such an agreement is not very different from that of the abolished EU-US Privacy Shield, as both parties aim to exchange data in a way that complies with the GDPR.
On 25 March 2022, the White House announced some initial principles for a new agreement with the European Union to share some citizens’ data.
What changes could be made to the Privacy Shield 2.0 to avoid another denunciation of the agreement by the Court of Justice (CJEU)?
First, let’s agree that the EU-US Privacy Shield 2.0 is so far only an announcement, not an explicit text that can be discussed or considered. There are indications that the United States does not intend to change its surveillance laws, which were a major reason for the cancellation of the old program, and this casts great doubt on whether the CJEU will allow the new one. So far, there seems to have been no change in the laws governing the use of data in a commercial context. Stricter obligations will apply to participating companies, including the requirement to self-certify with the US Department of Commerce.
Steps to expect for the implementation of the EU-US Privacy Shield 2.0
First, the United States needs to turn the announcement into an official written text that can be viewed and discussed.
Secondly, it is up to the European Union to issue a written proposal for an adequacy decision. The European Data Protection Board (EDPB) will then review the proposal to discover any problems with it.
Third, all countries representing the EU must agree to the new Privacy Shield 2.0.
Finally, the European Commission reviews the adequacy decision to ensure that it complies with the terms of the General Data Protection Regulation (GDPR).
All these steps will take time. For example, in 2016, just announcing the adequacy decision took about six months.
Will Privacy Shield 2.0 be broken again?
This question is the backbone of the whole issue: if the international Safe Harbor privacy principles had not been discontinued by Schrems I in 2015, and the EU-US Privacy Shield 1.0 had not been discontinued by Schrems II in 2020, we would not be talking about the EU-US Privacy Shield 2.0 at all now, because this program is, as mentioned above, first and foremost an attempt to replace the EU-US Privacy Shield 1.0.
Looking at the details of the programme as announced, we cannot find a real and fundamental change that would lead the European Court of Justice (ECJ) not to stop the EU-US Privacy Shield 2.0. This is because we find no change in the main reasons that led to the cancellation of the old programmes, and here I refer specifically to the powers of U.S. intelligence agencies, which, as explained above, allow the U.S. to monitor intelligence and data in order to identify any threat to U.S. armed forces, to monitor terrorism, and to monitor any riots that might occur in the country, according to the U.S. indictment.
Requirements and recommendations that are necessary to avoid suspension again
In drafting the text of the EU-US Privacy Shield 2.0 program, which will be submitted to the European Union for approval, the United States must keep in mind several important and basic points; neglecting them could lead the CJEU to overturn the agreement again. The most important of these points are the following:
- The United States should commit in writing that European citizens’ data will not be used by US intelligence agencies.
- The United States must comply with the adequacy decision.
Without compliance with these points, the new programme is likely to be suspended again.