As winter draws to an end and the sun begins to shine more often we are noticing the new buds of spring beginning to appear. This spring flowers may not be the only thing making their appearance, the European Commission and the U.S. Department of Commerce are back to the table discussing a new EU-U.S. Privacy Shield. Sean Heather, senior vice president of regulatory affairs for the U.S. Chamber of Commerce has stated, “I feel like we have a chance to see something maybe mid-spring, late spring, early summer.” For those whose business relies on transferring personal data across the Atlantic this is very good news.
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. When the EU-U.S. Privacy Shield first came about in 2016 companies in the U.S. were able to self-certify and were then held accountable to the rules within the framework. In the summer of 2020 the European Court of Justice struck down the EU-U.S. Privacy Shield as a sufficient mechanism to fulfill Art. 44 GDPR requirements. “While IT companies were initially shocked, U.S. vendors and EU companies have largely ignored the decision. Just like Microsoft, Facebook or Amazon, Google has relied on so-called “standard contractual clauses” to continue data transfers and reassure its European business partners.” (see here)
Some U.S. companies are also still self-certifying to this day, such as Microsoft, Amazon and Google who are all still active according to the Privacy Shield website. The decision by the court does not relieve those who have certified from fulfilling the commitments which they made through their certification, but since the court’s decision, companies have had to figure out new ways to fulfill these requirements, through, for example, the adoption of Standard Contractual Clauses or binding corporate rules.
Better protection in U.S. needed
As data protection authorities in the EU become more and more finicky regarding transfers to the U.S., European companies are going to become more and more weary of transferring personal data there. Max Schrems the Chairman of noyb, an NGO focused on the protection of personal data, stated, “In the long term, we either need adequate data protection in the US, or we will end up with separate products for the U.S. and the EU. Personally, I would prefer better protection in the U.S., but that is up to U.S. legislators.”
On March 4, 2022 the U.S. Supreme Court decided the case FBI v. Fazaga possibly throwing a wrench in the prospects of a EU-U.S. Privacy Shield. In this case the FBI was using a paid informant to obtain information on members of some of the largest mosques in Orange County, California. The reason this case has such a big impact on the likelihood of an agreement is that the European Court of Justice states that data subjects must have a forum in which they can challenge processing of their personal data and receive justice in court. However, the decision could make it easier for the government to shield such information from judges, and therefore harder for most people challenging surveillance to prove their claims and obtain justice in court (see here).
The U.S. and the Biden Administration have made clear that the EU-U.S. Privacy Shield is a high priority. However, since talks began again in the spring of 2021 no agreeable framework has come about. It would seem now that the executive branch cannot achieve the needed changes alone, legislators will, in the long run, have to make changes to the law in order to satisfy the European Court of Justice. Despite all the hurdles we continue to hope that this spring, as the talks continue between the U.S. Department of Commerce and the European Commission, we can hope that a new EU-U.S. Privacy Shield can be negotiated and signed making it easier for companies on both side of the Atlantic to work together when it comes to personal data.