The EU–US Privacy Shield was a legal framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States.[1] One of its purposes was to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens.[2] The EU–US Privacy Shield went into effect on 12 July 2016 following its approval by the European Commission. It was put in place to replace the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015.[3] The ECJ declared the EU–US Privacy Shield invalid on 16 July 2020, in the case known as Schrems II.[4] In 2022, leaders of the US and EU announced that a new data transfer framework called the Trans-Atlantic Data Privacy Framework had been agreed to in principle, replacing Privacy Shield.[5] However, it is uncertain what changes will be necessary or adequate for this to succeed without facing additional legal challenges.
History
In October 2015 the European Court of Justice declared the previous framework called the International Safe Harbor Privacy Principles invalid in a ruling that later became known as "Schrems I".[3] Soon after this decision, the European Commission and the U.S. Government started talks about a new framework, and on February 2, 2016, they reached a political agreement.[1] The European Commission published the "adequacy decision" draft, declaring principles to be equivalent to the protections offered by EU law.[6]
The Article 29 Data Protection Working Party delivered an opinion on April 13, 2016, stating that the Privacy Shield offers major improvements compared to the Safe Harbor decisions, but that three major points of concern still remain. They relate to deletion of data, collection of massive amounts of data, and clarification of the new Ombudsperson mechanism.[7] The European Data Protection Supervisor issued an opinion on 30 May 2016 in which he stated that "the Privacy Shield, as it stands, is not robust enough to withstand future legal scrutiny before the [European] Court".[8]
On 8 July 2016 EU member states' representatives (article 31 committee) approved the final version of the EU-U.S. Privacy Shield, paving the way for the adoption of the decision by the commission.[9] The European Commission adopted the framework on 12 July 2016 and it went into effect the same day.[10][11]
On January 25, 2017, U.S. President Donald Trump signed an executive order entitled "Enhancing Public Safety" which states that U.S. privacy protections will not be extended beyond US citizens or residents:
Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.[12]
This executive order was repealed by President Joe Biden on January 20, 2021.[13]
The European Commission has stated that:
The US Privacy Act has never offered data protection rights to Europeans. The Commission negotiated two additional instruments to ensure that EU citizens’ data is duly protected when transferred to the US:
- The EU–U.S. Privacy Shield, which does not rely on the protections under the US Privacy Act.
- The EU–US Umbrella Agreement, which enters into force on 1 February (2017). To finalize this agreement, the US Congress adopted a new law in 2017, the US Judicial Redress Act,[14] which extends the benefits of the US Privacy Act to Europeans and gives them access to US courts.[15]
The commission said it will "continue to monitor the implementation of both instruments".[15]
Privacy Shield principles
In general, there are seven major principles which the organization has developed. They are stated in the following paragraphs:[16]
- Notice – Individuals must be informed that their data is being collected and how it will be used. The organization must provide information about how individuals can contact the organization with any inquiries or complaints.
- Choice – Individuals must have the option to opt out of the collection and forward transfer of the data to third parties.
- Accountability for onward transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
- Security – Reasonable efforts must be made to prevent loss of collected information.
- Data integrity and purpose limitation – Data must be relevant and reliable for the purpose it was collected.
- Access – Individuals must be able to access information held about them, and correct or delete it, if it is inaccurate.
- Resources, enforcement and liability – There must be effective means of enforcing these rules.
Response
German MEP Jan Philipp Albrecht and Austrian campaigner Max Schrems criticized the new ruling, with the latter predicting that the commission might be taking a "round-trip to Luxembourg" (where the European Court of Justice (CJEU) is located).[17] Many Europeans demanded a mechanism for individual European citizens to lodge complaints over the use of their data, as well as a transparency scheme to assure that European citizens' data does not fall into the hands of US intelligence agencies.[18]
Legal challenge
The Privacy Shield has been challenged legally by privacy groups.[19][20] Initially, it was not clear whether the cases would be considered admissible.[21][22] However, by February 2017 the future of the Privacy Shield was contested. One consultant, Matt Allison, predicted that "The EU's citizen-driven, regulated model will swiftly come into conflict with the market forces of the US and the UK."[23] Allison summarized a new paper in which the European Commission lays out its plans for adequacy decisions and global strategy.[24]
In December 2019, the Court of Justice of the European Union (CJEU) issued a preliminary opinion in the Data Protection Commissioner v Facebook Ireland case (also known as Schrems II). It outlined various scenarios that may result from the conflict in regimes. One lawyer concluded that the opinion "should generate equal measures of relief and alarm for the U.S. government and for companies dependent on data transfers."[25]
A final CJEU decision was published on 16 July 2020 in Schrems II.[26][27] The EU–US Privacy Shield for data sharing was struck down by the European Court of Justice on the grounds it did not provide adequate protections to EU citizens from government surveillance.[4] The European Data Protection Board (EDPB), an EU organization whose decisions are binding for national privacy supervisory authorities, declared that, "transfers on the basis of this legal framework are illegal".[28] The ruling did not completely stop data transfers between the EU and other foreign countries as the court upheld the use of "standard contractual clauses" (SCCs). But SCCs do not necessarily protect data in countries where the law is fundamentally incompatible with the Charter of Fundamental Rights of the EU and the General Data Protection Regulation (GDPR), like the US. The existing impasse was the subject of ongoing academic proposals and research.[29]
On 25 March 2022 the US and EU announced that a new data transfer agreement had been reached.[5] The new framework, called the Trans-Atlantic Data Privacy Framework, would allow EU citizens to pursue data privacy violations through a new "Data Protection Review Court".[5][30] On 7 October 2022 President Biden signed an executive order to implement the European Union-U.S. data transfer framework, which adopts new American intelligence gathering privacy safeguards.[31][32]
A decision regarding the impact of Brexit on Privacy Shield was expected by 31 December 2020, but may be moot due to the CJEU decision.[33]
The new version is subject to criticism.[34]
Swiss–US Privacy Shield
Switzerland is not an EU member but follows many EU policies through treaty implementations. Accordingly, it has implemented its own version of the Privacy Shield framework through its own Swiss–US Privacy Shield. It is largely similar to the EU–US Privacy Shield framework, but implements its own DPA instead of various EU DPAs. It also has no grace period and several other meaningful differences to the definition of "sensitive data," binding arbitration, and changes to privacy policies.[35] The EU–US and Swiss–US programs were similar enough that they were administered together by the United States.[36]
References
- European Commission - Press release: political agreement on framework
- "The new transatlantic data 'Privacy Shield'". The Economist. ISSN 0013-0613. Retrieved 2016-03-26.
- Vera Jourová, "Commissioner Jourová's remarks on Safe Harbour EU Court of Justice judgement before the Committee on Civil Liberties, Justice and Home Affairs (LIBE)", 26 October 2015
- "EU-US Privacy Shield for data struck down by court". BBC News. 16 July 2020. Retrieved 17 July 2020.
- McCabe, David; Stevis-Gridneff, Matina (25 March 2022). "U.S. and European leaders reach deal on trans-Atlantic data privacy". The New York Times. Retrieved 28 March 2022.
- "5 things you need to know about the EU-U.S. Privacy Shield agreement". PCWorld. 29 February 2016. Retrieved 2016-03-26.
- Chapter 5 of Opinion 01/2016 on the EU – U.S. Privacy Shield draft adequacy decision, the Article 29 Data Protection Working Party
- European Data Protection Supervisor, Privacy Shield: more robust and sustainable solution needed. Archived 2016-06-25 at the Wayback Machine, 30 May 2016
- Statement by European Commission Vice-President Ansip and Commissioner Jourová, Adoption by Member States of the EU-U.S. Privacy Shield, 8 July 2016
- European Commission, European Commission launches EU-U.S. Privacy Shield: stronger protection for transatlantic data flows, accessed 29 July 2021
- Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield (notified under document C(2016) 4176) (Text with EEA relevance), accessed 29 July 2021
- Executive Order: Enhancing Public Safety in the Interior of the United States, Section 14, 25 January 2017, accessed 27 March 2017
- Office of the Press Secretary (January 20, 2021). "Executive Order on the Revision of Civil Immigration Enforcement Policies and Priorities". whitehouse.gov. Washington, D.C.: White House. Retrieved January 21, 2021.
- Public Law 114-126, 24 February 2016
- Muncaster, P., Trump Order Sparks Privacy Shield Fears, InfoSecurity Magazine, accessed 27 March 2017
- "Requirements of Participation | Privacy Shield". www.privacyshield.gov. Retrieved 2020-12-01.
- Max Schrems: "EU US Privacy Shield" (Safe Harbor 1.1) "European Commission may be issuing a round-trip to Luxembourg" 16:45 (2nd Feb. 2016), PDF retrieved 3rd Feb. 2016
- Lomas, Natasha (3 February 2016). "EU-US Data Transfers Won't Be Blocked While Privacy Shield Details Are Hammered Out, Says WP29". TechCrunch. Retrieved 2016-02-03.
- Case T-670/16, Digital Rights Ireland v the commission, 16 Sep 2016
- Case T-738/16, La Quadrature du Net and Others v. the Commission, 25 Oct 2016
- Reuters article EU-U.S. personal data pact faces second legal challenge from privacy groups, 2 Nov 2016
- Case information on T-738/16 at Curia
- Allison, Matt. "A Template for Adequacy: EU Pitches for Data Protection Gold Standard, Feb 09, 2017". CircleID. Retrieved 2017-02-14.
- "Exchanging and Protecting Personal Data in a Globalised World", 10.1.2017, COM(2017) 7 final. European Commission. Retrieved 2017-02-14.
- Propp, Kenneth (24 December 2019). "European Court of Justice Opinion Clouds Future of Transatlantic Commercial Data Transfers, December 24, 2019". Lawfare. Retrieved December 27, 2019.
- "The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield" (PDF). Court of Justice of the European Union. 16 July 2020. Press Release No 91/20. Retrieved 17 July 2020.
- "Search - Case number C-311/18". InfoCuria. 16 July 2020. Retrieved 17 July 2020.
- "Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems". 24 July 2020. Retrieved 27 August 2020.
- Christakis, Theodore; Propp, Kenneth; Swire, Peter (16 February 2022). "EU/US Adequacy Negotiations and the Redress Challenge: How to Create an Independent Authority with Effective Remedy Powers, 16 February 2022". European Law Blog. Retrieved March 24, 2022.
- "FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework". The White House. 25 March 2022. Retrieved 28 March 2022.
- "Biden signs order to implement EU-US data privacy framework | CNN Business". CNN. Reuters. 2022-10-07. Retrieved 2022-10-09.
- The White House (2022-10-07). "FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework". The White House. Retrieved 2022-10-09.
- "What Does Brexit Mean for Privacy Shield?". 14 February 2020.
- Karabus, Jude (14 February 2022). "EU lawmakers advise against signing US data pact".
- "Swiss–U.S. Privacy Shield: Key Similarities, Key Distinctions with the EU–US Approach | White & Case LLP". 2 June 2023.
- "Privacy Shield Program Overview | Privacy Shield".
External links
- Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU–US Privacy Shield, now void because of Schrems II
- EU–US Privacy Shield fact sheet at the European Union
- EU–US Privacy Shield fact sheet at the US Department of Commerce Archived 2016-03-26 at the Wayback Machine