HOPE FOR A NEW TRANSATLANTIC TRANSFER SHIELD
After the recent body blows to transatlantic data transfers, could we see some light at the end of the tunnel?
Last year, the US and EU governments established the Trade and Technology Council (TTC) as a diplomatic forum to mend strained transatlantic trade relations. The TTC aims to coordinate technology and trade policy between the United States and European Union and will hold its second meeting in May in France.
One of its many objectives is taking a more unified approach to curbing the power of the Big Tech giants, while another is to set global standards and rules for the 21st century.
In a landmark data privacy verdict issued in July 2020 (Schrems II), the Court of Justice of the European Union ruled that the EU-US Data Protection Shield, on which many companies relied to transfer their data between the US and the EU, was invalid under GDPR, due to concerns with the US's Foreign Intelligence Surveillance Act, whose Section 702 (FISA 702) permits surveillance of overseas personal data by US state and law enforcement agencies in some circumstances.
Before Schrems II, over 5,000 US companies relied on the Privacy Shield to conduct transatlantic trade. With the Privacy Shield in place, these companies could easily transfer data in compliance with GDPR.
Schrems II now requires European companies to conduct new individual Transfer Impact Assessments (TIAs) and implement Standard Contractual Clauses (SCCs), or another appropriate export mechanism, for each data transfer to any non-EU country without an adequacy agreement, to ensure compliance.
If the rumors are to be believed, a new EU-US data transfer agreement is almost complete, and the TTC meeting could feature an announcement on a deal for a Privacy Shield replacement.
The mood in the US government is buoyant, but there is pressure not to jump the gun and derail the delicate negotiations. Apparently, US bureaucrats have mentioned that the replacement would effectively be an Adequacy Agreement. This is unlikely to endear them to Europeans, who alone can make any decision on Adequacy.
We expect Washington will put forward new proposals sometime this month (March 2022) and make the final announcement at the TTC meeting.
The political stakes are high. US and EU businesses are still wrestling with the necessary SCCs and TIAs, whilst some European regulators have declared Google Analytics illegal. Businesses on both sides of the Atlantic are weary and jumpy.
“The Biden administration considers finalizing an enhanced Privacy Shield the number one priority, and I remain actively engaged in those negotiations,” said Gina Raimondo, the U.S. Commerce Secretary.
Details of any agreement are still scarce. The changes are unlikely to be covered in a piece of federal legislation; a range of new federal oversight measures is more likely.
The solution appears to lie in allowing EU citizens to directly or indirectly submit complaints to an independent judicial body if they believe U.S. national security agencies have unlawfully handled their personal information.
Bizarrely, this could give EU citizens better access to remediation on data transgressions in the US than US citizens themselves.
Any Privacy Shield agreement, especially one that fails to substantively address the issues of FISA 702 raised in Schrems II, will be subject to close scrutiny by both EU regulators and privacy activists like Max Schrems. If Privacy Shield 2.0 does emerge, we may well see it tested once more in a Schrems 3 case at the Court of Justice of the European Union.