Publication

Privacy Shield 2.0 What’s Next for International Data Transfers?

Jan 17, 2023

By Brandon Roper, Tony Caldwell, and Diamond J. Zambrano

During the last 20 years, the state of the law regarding personal data transfers between the U.S. and Europe has undergone many changes and evolutions. Initially, the European Commission and the U.S. Government worked together in the late 1990s to create the U.S.-EU Safe Harbor Framework, also referred to as the International Safe Harbor Privacy Principles or simply the Safe Harbor Privacy Principles (“Safe Harbor”).1 Safe Harbor was a response to the inflation of the dot com bubble and the resulting increase of personal data being transferred to and from the EU and the U.S. From the beginning, Safe Harbor was criticized for several reasons, including concerns that the U.S. had excessive access to EU data and there was a lack of a process for EU citizens to address such concerns. As a result, the European Court of Justice found that Safe Harbor was invalid in a case known informally as Schrems I, which was handed down in October of 2015.2  

Soon after, in July of 2016, the EU-U.S. Privacy Shield (“Privacy Shield”) was implemented to replace Safe Harbor.3 Privacy Shield was similarly based on the same general guiding principles; however, Privacy Shield provided more protections and rights to Europeans whose personal data was transferred to the U.S. Despite the additional rights afforded to Europeans and stricter obligations on U.S. organizations, Privacy Shield was criticized for its inability to protect Europeans’ personal data from U.S. government surveillance and for a lack of access to judicial remedies for breaches of Privacy Shield obligations. As a result, the European Court of Justice found that Privacy Shield was invalid in a case known informally as Schrems II, which was handed down in July of 2020.4  

Following Privacy Shield’s invalidation, organizations that transfer EU personal data to the U.S. have done so primarily by using the Standard Contractual Clauses (“SCCs”) that were preapproved by the European Commission. In the Schrems II decision, the European Court of Justice upheld the validity of the SCCs as a transfer mechanism but added that data transferred under the protection of the SCCs must be done so with a level of protection that is the same as that provided by the General Data Protection Regulation and the EU Charter of Fundamental Rights.5  

Over the last two years, the EU and U.S. have worked toward a new framework for EU-U.S. data transfers. In March 2022, President Biden and European Commission President von der Leyen announced a new Trans-Atlantic Data Privacy Framework (the “DPF”) that was to be negotiated in the coming years. On October 7, 2022, President Biden signed an Executive Order on Enhancing Safeguards for United States Signal Intelligence Activities6 that outlines how the U.S. will address one of the major downfalls of Privacy Shield, strengthening the privacy and civil liberties safeguards governing U.S. signals intelligence activities. The executive order, and the steps the U.S. will take to safeguard EU personal data, will provide the European Commission with a foundation on which a new data transfer mechanism can be made.

On December 13, 2022, the European Commission issued a draft adequacy decision, kicking-off the formal process to adopt the DPF.7 The draft adequacy decision concludes that the DPF provides an adequate level of protection for personal data transferred from the EU to the U.S. The draft decision, however, must go through additional adoption procedures before it becomes final. As part of the procedures, the European Data Protection Board (“EDPB”) will review and issue a nonbinding opinion regarding the draft decision. The draft decision will then need approval from a committee composed of EU Member State representatives. The European Parliament also has a right to review and comment on the draft decision. Once the procedure is complete, the European Commission can adopt the final adequacy decision.  

Although there is a fair way to go before the DPF is finalized and becomes a functioning data transfer mechanism, the EU and the U.S. are seeking to establish an environment that allows for international business to thrive while also protecting personal data. 

Snell & Wilmer has been monitoring changes to Privacy Shield and will continue to provide updates as this topic develops.

Footnotes

  1. Martin A. Weiss and Kristin Archick, U.S.-EU Data Privacy: From Safe Harbor to Privacy Shield, CONGRESSIONAL RESEARCH SERVICE REPORT, (May 19, 2016), https://sgp.fas.org/crs/misc/R44257.pdf.

  2. Press Release, Court of Justice of the European Union, The Court of Justice declares that the Commission’s US Safe Harbour Decision Is Invalid, (Oct. 6, 2015), https://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf.

  3. Federal Trade Commission, Update on the U.S.-EU Safe Harbor Framework, (Jul. 25, 2016), https://www.ftc.gov/business-guidance/privacy-security/us-eu-safe-harbor-framework.

  4. European Parliament At A Glance, The CJEU judgment in the Schrems II Case, (Sept. 2020), https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf.

  5. Id.

  6. The White House Briefing Room, Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, (Oct. 7, 2022), https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/.

  7. European Commission, Data protection: Commission starts process to adopt adequacy decision for safe data flows with the US, (Dec. 13, 2022), https://ec.europa.eu/commission/presscorner/detail/en/ip_22_7631.

Back to top

About Snell & Wilmer

Founded in 1938, Snell & Wilmer is a full-service business law firm with more than 500 attorneys practicing in 16 locations throughout the United States and in Mexico, including Los Angeles, Orange County and San Diego, California; Phoenix and Tucson, Arizona; Denver, Colorado; Washington, D.C.; Boise, Idaho; Las Vegas and Reno, Nevada; Albuquerque, New Mexico; Portland, Oregon; Dallas, Texas; Salt Lake City, Utah; Seattle, Washington; and Los Cabos, Mexico. The firm represents clients ranging from large, publicly traded corporations to small businesses, individuals and entrepreneurs. For more information, visit swlaw.com.

©2024 Snell & Wilmer L.L.P. All rights reserved. The purpose of this publication is to provide readers with information on current topics of general interest and nothing herein shall be construed to create, offer, or memorialize the existence of an attorney-client relationship. The content should not be considered legal advice or opinion, because it may not apply to the specific facts of a particular matter. As guidance in areas is constantly changing and evolving, you should consider checking for updated guidance, or consult with legal counsel, before making any decisions.
Media Contact

Olivia Nguyen-Quang

Associate Director of Communications
media@swlaw.com 714.427.7490