On Friday 25 March, the US Government and the European Commission announced that they have reached an agreement in principle on a new enhanced Privacy Shield 2.0.
In July 2020 the CJEU invalidated the EU-US Privacy Shield, following a challenge brought by privacy campaigner Max Schrems. The Court cited concerns that the level of access to EU personal data by US law enforcement agencies, and a lack of effective oversight, failed to adequately protect the rights of EU data subjects. The CJEU had already quashed the Safe Harbor framework, Privacy Shield's predecessor, in 2015 in response to Mr Schrems' first legal challenge.
Organisations that rely on trans-Atlantic data flows will be hoping it will be third time lucky, and that the Privacy Shield 2.0 can provide a predictable, effective and lasting remedy for what has become an increasingly painful compliance headache. However, it will be crucial to understand not only the substance of the deal but also to what extent the new scheme will address the concerns that were central to the Schrems II case, without any amendments to US surveillance laws.
Although the text of the deal is not yet available and few details have been confirmed, there is inevitable scepticism about whether the deal will truly bridge the gap on the contentious issues surrounding the outreach of US surveillance laws. However there is clearly a political will to overcome the considerable obstacles to data flows on both sides of the pond, particularly given how high the stakes are in the current geopolitical environment. It remains to be seen whether any such EU-US bilateral agreement, and a new EU Commission adequacy finding for Privacy Shield 2.0, could withstand yet another judicial challenge from Mr Schrems.
The final text should certainly be a fascinating read.
This subject will be top of the agenda at our upcoming Data Download Webinar on Tuesday 29 March 2022. Click here for more information and registration options.
The White House press release can be found here.