June 30, 2022

Volume XII, Number 181

Advertisement
Advertisement

June 30, 2022

Subscribe to Latest Legal News and Analysis

June 29, 2022

Subscribe to Latest Legal News and Analysis

June 28, 2022

Subscribe to Latest Legal News and Analysis

GDPR Update – US and EEA May Have a Deal for “Privacy Shield 2.0”

On Friday, March 25, 2022, US President Joe Biden and European Commission President Ursula von der Leyen jointly announced that a deal has been reached to replace the former Privacy Shield framework governing data transfers from the European Economic Area (“EEA”) to the US. As they say, the devil is in the details, and to date, there is no actual text of the accord available to provide specifics about the new framework. However, according to a Joint Statement, the US has agreed to implement the following measures:

  • put in place new safeguards to ensure that signals surveillance activities are necessary and proportionate in the pursuit of defined national security objectives;

  • establish a two-level independent redress mechanism with binding authority to direct remedial measures; and

  • enhance rigorous and layered oversight of signals intelligence activities to ensure compliance with limitations on surveillance.[1]

These new concessions by the US are intended to address concerns regarding the potential risk that personal information transferred to the US could be subject to production to the US government under the Foreign Intelligence Surveillance Act of 1978 (“FISA”). Such concerns have been at the forefront of EU privacy law for some time and have been the focus of recent decisions from the Court of Justice of the European Union, most notably when the so-called “Schrems II”[2] decision struck down the former Privacy Shield data transfer framework between the US and EU in 2020 because of the potential risk of production of data under FISA. The test will be whether the new safeguards proposed by the US are deemed sufficient to mitigate the risk of production and alleviate concerns in the EU.

Certainly, news of this agreement will be very much welcomed by many given the uncertainty previously created by Schrems II and its progeny. After the court struck down the former Privacy Shield framework, organizations were left to determine for themselves other purportedly lawful means for transatlantic data transfers, such as agreeing to standard contractual clauses (“SCC”) to safeguard data. However, even the use of an SCC has recently been called into question. In the last three months, data protection authorities in both Austria and France invalidated the use of Google Analytics[3] after concluding that data collected by the Google software could be subject to production under FISA. Taken together, these decisions from EEA authorities have had many wondering if there is any lawful means of transferring personal information to the US.

Despite this new agreement, it remains uncertain whether the US and EU can settle their differences to create an enforceable regulatory regime. The perspective with which EEA authorities view risk starkly contrasts with the predominant viewpoint in the US. For example, in order to have standing to sue in the US, there must be proof of a concrete risk of harm rather than merely an abstract or hypothetical risk. In contrast, EEA authorities have consistently upheld restrictions based on the type of hypothetical risk of production underpinning Schrems II. With such contrasting viewpoints on measuring actionable risk, it should be fascinating to watch the two sides try to reach a satisfactory compromise.

Meanwhile, privacy advocate Max Schrems, whose lawsuit successfully challenged Privacy Shield, has left no doubt that he intends to pursue a Schrems III as he has stated “[i]n the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.”[4]

ENDNOTES

[1] Joint Statement on Trans-Atlantic Data Privacy Framework (europa.eu)

[2] CURIA - Documents (europa.eu)

[3] To access the opinion from the Austrian Data Protection Authority (DPA), please click here: Standarderledigung Bescheid (noyb.eu). The French authority’s opinion can be reviewed here: Decision ordering X to comply (cnil.fr)

[4] "Privacy Shield 2.0"? - First Reaction by Max Schrems (noyb.eu)

Copyright ©2022 Nelson Mullins Riley & Scarborough LLPNational Law Review, Volume XII, Number 90
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Brad C. Moody Partner, Co-Chair, Data Breach Response Practice Nelson Mullins
Partner, Co-Chair, Data Breach Response Practice

Brad counsels clients in responses to cybersecurity and other data incidents and provides guidance in ensuing governmental investigations and actions. He has extensive experience across a broad range of cyber incidents, including ransomware attacks, network intrusions, business email compromises, and denial of service attacks, affecting a multitude of industries, including the healthcare, retail, automotive, manufacturing, information technology, and education sectors. In addition to his incident response practice, Brad assists businesses with risk mitigation against...

601-278-2118
Blythe K. Lollar Of Counsel Nelson Mullins
Of Counsel

Blythe provides comprehensive services to her clients in assessing and responding to an extensive range of matters involving data protection, privacy, and cybersecurity. She counsels clients nationwide through responses to cyber incidents involving personal, financial, and medical data, including ransomware attacks, network intrusions, business email compromises, and denial of service attacks and defends clients in governmental investigations and actions.  Blythe also works with clients from all industry sectors, including healthcare, financial services, education,...

601-937-9925
Advertisement
Advertisement
Advertisement