Privacy Shield 2.0

We track the key announcements on the Trans-Atlantic Data Privacy Framework, the replacement to Privacy Shield, updating this page as more comes through
EU US Flags

Agreement in principle reached on new Framework, 250322

White House publish Fact Sheet on new Framework, 250322

The White House published a detailed Fact Sheet the same day as speeches by the two Presidents, announcing a new Trans-Atlantic Data Privacy Framework.

The statement indicates many features are agreed, and stresses the importance of the deal in terms of trade:

‘In fact, more data flows between the United States and Europe than anywhere else in the world, enabling the $7.1 trillion U.S.-EU economic relationship.’

In terms of some of that detail:

‘For EU individuals, the deal includes new, high-standard commitments regarding the protection of personal data.’

‘For example, the new Framework ensures that:

    • Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties;
    • EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
    • U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards. 

Participating companies and organizations that take advantage of the Framework to legally protect data flows will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce. EU individuals will continue to have access to multiple avenues of recourse to resolve complaints about participating organizations, including through alternative dispute resolution and binding arbitration.’

The respective teams will now work to finalise the legal documents. The US and EU published a joint statement with the same information.

 

EC President statement on Privacy Shield successor, 250322

A year after the joint EU-US announcement to intensify negotiations (see below), European Commission President, Ursula von der Leyen, announced ‘agreement in principle’ on a new trans-Atlantic Framework:

‘And we also need to continue adapting our own democracies to a changing world. This is particularly true when it comes to digitalisation, in which the protection of personal data and privacy has become so crucial. Therefore, I am very pleased that we have found an agreement in principle on a new framework for transatlantic data flows. This will enable predictable and trustworthy data flows between the EU and US, safeguarding privacy and civil liberties. I really want to thank Commissioner Reynders and Secretary Raimondo for their tireless efforts over the past months to find a balanced and effective solution. This is another step in strengthening our partnership. We manage to balance security and the right to privacy and data protection.’

The EU has also published a Fact Sheet.

 

Biden refers to Privacy Shield successor, 250322

US President, Joe Biden, referred to a Privacy Shield successor on 25 March 2022 in a major speech in Brussels after meeting European Commission President, Ursula von der Leyen.

You can watch the segment from 41:06 and we’ve put a transcript below.

 

Keepabl transcript of relevant section of Biden’s speech

‘And I’m proud to announce that we’ve also reached another major breakthrough in trans-Atlantic data flows. Privacy and Security are key elements of my digital agenda and, today, we’ve agreed to unprecedented protections for Data Privacy and Security for our citizens.

This new arrangement will enhance the Privacy Shield framework, promote growth and innovation in Europe and the United States, and help companies both small and large compete in the digital economy. Just as we did when we resolved the Boeing Airbus dispute and lifted the steel and aluminium tariffs, the United States and the EU are finding creative new approaches to knit our economies and our people closer together, grounded on shared values.

This framework underscores our shared commitment to Privacy, to Data Protection, and to the rule of law. And it’s going to allow the European Commission to once again authorise trans-Atlantic data flows that help facilitate $7.1 trillion in economic relationships with the EU.

So thank you again, Madam President, for your personal friendship, for your partnership and above all, your leadership. All of this is bringing the European Union and the United States even closer together. And that’s a win for all of us.’ 

 

NOYB’s response, 25/03/22

Max Schrems’s NOYB organisation posted their response the same day which was, shall we say, cautious. This just highlights the intense scrutiny any successor to Privacy Shield will face.

We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move. It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.”

“The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.

“It is regrettable that the EU and US have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”

 

Politico link announcement to war in Ukraine, 240322

Politico’s reported, a day ahead of Biden’s announcement, that the US was linking the need to accelerate the Privacy Shield replacement with the war in Ukraine. Biden is in Europe for NATO talks and to visit European partners.

Politico’s report notes that the legal complexities haven’t diminished but its sources state that the proposed deal ‘was based, in part, on recent suggestions from a group of privacy experts. That included the creation of a new agency within the U.S. Department of Justice to oversee how the country’s intelligence agencies handle Europeans’ data; a White House executive order to give that group hefty investigative powers; and the ability for Europeans to challenge that data collection through U.S. federal courts.’

 

Politico report deal nearly done, 030222

Politico’s reporting continues to lead on the Privacy Shield replacement and they now report optimistic hopes among officials for an announcement in May 2022. The full article is well worth a read.

 

Politico reports hopeful negotiations, 211021

Politico reported that the US has proposed an oversight structure with independent judges who would review ‘whether U.S. collection of European data was lawful and proportionate’.

Politico’s sources stress that nothing is fixed as yet and noted the similarity to the Privacy Shield’s ombudsman. Negotiating teams are reported to be meeting regularly with the aim to announce a deal by the end of the year, though Politico notes any deal will have to withstand inevitable scrutiny.

 

EU & US intensify negotiations, 250321

On 25 March 2021, EU Commissioner for Justice, Didier Reynders, and U.S. Secretary of Commerce, Gina Raimondo, released a joint statement regarding the negotiations on transatlantic data privacy flows:

“The U.S. Government and the European Commission have decided to intensify negotiations on an enhanced EU-U.S. Privacy Shield framework to comply with the July 16, 2020 judgment of the Court of Justice of the European Union in the Schrems II case.’

The statement is welcome but industry is keen to see a successor adequacy decision put in place.

 

The Schrems II decision, ‘Day Zero’, 160720

To learn more about Schrems II, see our blog: What is Schrems II and Privacy Kitchen’s video at the time of the decision: Privacy Shield is Down.


Related Articles

Blog News & Awards Privacy Kitchen
People need GDPR training

Why Privacy Kitchen? Through all our market interactions since our launch in 2017, we kept seeing 3 very big issues for Privacy compliance.   #1 Most people dealing with GDPR for…

Read More
Blog
UK ICO update on breach reporting

In a very welcome speech on 12 September 2018 to the CBI Cyber Security: Business Insight Conference, James Dipple-Johnstone (ICO Deputy Commissioner, Operations) summarised the UK ICO’s approach to security under GDPR and…

Read More