An agreement “in principle” on a new Privacy Shield regulating data transfers between the EEA and the United States might not change much for businesses.
The agreement in principle on a new Privacy Shield on data transfers
On March 25, 2022, the President of the European Commission and the President of the United States announced an agreement in principle on a new Privacy Shield on data transfers between the EEA and the United States.
There is no draft of the agreement, but according to the press release, the principles on which an agreement was reached are the following:
- Data will be able to flow freely and safely between the EU and participating US companies, just as happened in the past with the Safe Harbor and the Privacy Shield;
- There will be a new set of rules and binding safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
- US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards;
- A new two-tier redress system will be in place to investigate and resolve complaints of Europeans on the access to data by US Intelligence authorities, which includes a Data Protection Review Court;
- Strong obligations for companies processing data transferred from the EU, which will continue to include the requirement to self-certify their adherence to the Principles through the US Department of Commerce; and
- Specific monitoring and review mechanisms shall be in place.
The potential pitfalls of the new Privacy Shield
As expected, right after the announcement of the new Privacy Shield, Max Schrems started raising concerns about the legality of a new data transfer arrangement. The sections of the arrangement on which he focused the most concern the limits on access by US surveillance authorities, which must be "necessary and proportionate", wording that is rather unclear and might be deemed too uncertain by the European Court of Justice in a potential dispute.
Indeed, the reference to general principles that, in theory, could be stretched by authorities might leave room for potential challenges by EU authorities.
In any case, it shall be considered that:
- The agreement is only “in principle,” and an official arrangement might not occur so quickly;
- There will always be the risk of a challenge and an invalidation of the agreement, as has already occurred twice with the Safe Harbor and the Privacy Shield. As such, performing a transfer impact assessment is always advisable to secure data transfers; and
- A transfer impact assessment will continue to be necessary for data transfers to other non-EEA countries. Indeed, several US entities transfer data to (or make data accessible from) other non-EEA countries where employee costs are usually low.
A new agreement on data transfers to the United States is to be welcomed, but companies should nonetheless invest in the performance of transfer impact assessments, since regulators are already issuing the first GDPR fines for unlawful data transfers.
On the topic referred to above, the methodology and legal tech tool adopted by DLA Piper for the performance of transfer impact assessments, already used by 150+ companies worldwide, might be useful; we discuss it in the article HERE.