Privacy Shield 2.0 On The Horizon

The European Union (EU) and the United States (US) government have now reached an agreement in principle for a “Privacy Shield 2.0” to replace the original Privacy Shield Framework that was invalidated under the Schrems II decision in July 2020. This is a promising step forward as companies strive for straightforward solutions to permit transfers of personal data from the European Economic Area (EEA) to the United States in line with the requirements of the General Data Protection Regulation (GDPR).

Why Is This Important?

Under the GDPR, personal data of individuals in the EEA may not be transferred outside of the EEA unless appropriate safeguards are in place to protect the information being transferred. The approved safeguards primarily include adequacy decisions, standard contractual clauses, and binding corporate rules. In connection with each of these safeguards, the receiving entity or country must agree to protect and secure the personal data upon arrival to the third country (non-EEA country). While some countries have over-arching privacy laws that have been deemed adequate (e.g. Canada), the US does not. Given this, the US has worked with the EU over the years to develop frameworks that may be adopted by US entities to permit the transfer of personal data between the regions.

In 2000, the Safe Harbor framework (Safe Harbor) was enacted based on an adequacy decision but later invalidated in the 2015 Schrems I case due to concerns of government access to personal data by US governmental entities. In an attempt to address such deficiencies, the European Commission and the US agreed to the original Privacy Shield framework, which allowed companies to sign on and agree to the Privacy Shield Principles for protecting personal data being transferred from the EEA. However, in 2020, Schrems II led to the invalidation of the Privacy Shield, given ongoing concerns with government surveillance. This latest invalidation left companies relying primarily on standard contractual clauses in contracts to permit the transfer of data from the EEA. Now, with Privacy Shield 2.0 on the horizon, US entities may have another option.

Privacy Shield 2.0

On March 25, the White House announced the agreement in principle to establish a Privacy Shield 2.0. According to the White House Fact Sheet, under Privacy Shield 2.0, the US is demonstrating a commitment to implement new safeguards to “ensure that signals intelligence activities are necessary and proportionate in the pursuit of defined national security objectives.” While adopting several portions of Privacy Shield 1.0, the new version will take additional measures to limit intelligence collection to areas where necessary to “advance legitimate national security objectives” and will install additional oversight for US intelligence agencies to protect privacy and civil liberties. The full details of Privacy Shield 2.0 will be worked out in the near future.

Primary Takeaway

Companies transferring personal data from the EEA should be aware of Privacy Shield 2.0. It may serve as an additional safeguard in growing privacy programs as more entities work to contract around increasing numbers of data privacy laws and provisions.

We will continue to monitor developments in this area. If you have any questions about the Framework and its new requirements, please contact Eva Pulliam, Christine Chong, Destiny Planter, or the Arent Fox attorney with whom you normally work.


Continue Reading