EU Court Decision Invalidating Privacy Shield Results in Massive Confusion for U.S. Businesses: Addendum

This post is an update. Read the original post here, the second addendum here and the third addendum here.

As we previously reported, in July 2020, the Court of Justice of the European Union (“CJEU”), in a case known as Schrems II, invalidated the Privacy Shield, the safe harbor mechanism relied on by businesses to transfer personal data from the EU to the United States in a manner compliant with GDPR. The CJEU finding removed the U.S. from the list of countries deemed to have adequate safeguards to allow the free transfer of personal data of EU residents. Although it was generally anticipated that a new safe harbor would be negotiated, no replacement mechanism was in sight, and the Court’s decision left U.S. businesses in an uncertain position, forced to rely on other, more burdensome legal bases for data transfer, and threw trans-Atlantic commerce into chaos.

In March 2022, President Biden and European Commission President Ursula von der Leyen announced that an agreement in principle had been reached on Privacy Shield 2.0, to be called the Trans-Atlantic Data Privacy Framework.

The decision of the CJEU in Schrems II was based on its findings that (i) national security and law enforcement interests in the U.S. can take precedence over individual privacy rights and that (ii) data subjects do not have an effective legal remedy in such situations. Few details have been provided as to how Privacy Shield 2.0 will address these problems, but the Fact Sheet released by the White House indicates that the U.S. has made “unprecedented commitments” to strengthen privacy and civil liberties safeguards in the collection of intelligence, limiting what is known as “signals intelligence” to situations when it is necessary to further legitimate national security objectives, and to provide a new, independent two-tier redress system to address complaints by EU residents.

The new system is expected to be implemented by Executive Order in the U.S., a plan which has been questioned by some commentators who suggest that legislative action may be necessary. In addition, Max Schrems, privacy activist and the lead plaintiff in the Schrems cases, and the European Center for Digital Rights (or NOYB, as in “none of your business”) have expressed skepticism over Privacy Shield 2.0, predicting that they will be back in court within months of implementation. Schrems had labeled the invalidated Privacy Shield “lipstick on a pig.”

Further complicating the picture is that, after Brexit, UK GDPR and EU GDPR are not the same, so it remains to be seen whether Privacy Shield 2.0 will also be the solution for data transfers from the UK to the U.S.

Lutzker & Lutzker will continue to monitor and report on developments.