Assessment of Privacy Shield 2.0: Companies remain without legal security

U.S. President Biden’s decree provides for a number of innovations in the area of data protection. However, experts doubt whether a new agreement will stand up to scrutiny.

US President Joe Biden has signed a decree that is intended to implement the EU-US data protection framework. This is nothing less than a binding commitment by the US, long awaited by many, to meet EU requirements for the protection of personal data when it is transferred from the EU to the US. Even though formal agreement is still pending, this is an important step towards the agreement that has been expected since the end of the first Privacy Shield – but what does the decree actually mean?

Assessment of Privacy Shield 2.0: Companies remain without legal security

First of all, it stipulates that U.S. intelligence services must in future take greater account of the interests of data subjects if they want to access the relevant data. It also requires the “pursuit of defined national security objectives.” The bill “expands the responsibilities of legal, oversight and compliance officials to ensure that appropriate action is taken when breaches occur,” according to a White House press release. U.S. intelligence agencies must also align their privacy policies with the requirements in the decree.

More complaint options

Special attention is being paid to the complaint options available to affected citizens and certain organizations if they want to raise a violation of U.S. law tightened by the decree with regard to accessing and handling personal data from the EU. In the first stage, a “Civil Liberties Protection Officer in the Office of the Director of National Intelligence (CLPO)” is to deal with complaints and be able to order action that is binding on the intelligence agencies.

A “Data Protection Review Tribunal” is to be established to review the CLPO’s decisions. The intelligence services concerned or the person concerned have the right to bring an action. Judges must have a certain level of expertise and knowledge in data protection. Finally, the Privacy and Civil Liberties Oversight Board is required to review the privacy practices of U.S. intelligence agencies for compliance with the decree, as well as annually review the remedies created.

Uncertainty remains for companies

The U.S. President’s decree has no immediate consequences for companies. The EU Commission will now examine the decree and draw up a legal regulation in which the rules it contains will be embedded from the EU perspective. Subsequently, there will be an agreement between the USA and the EU on the transfer of data to the USA. It will probably be some time before this comes into force. Experts assume that this will not be the case before spring or summer 2023.

Until then, the legal situation, which is currently unsatisfactory for many companies, will remain in place. It prohibits the transfer of personal data to the USA unless elaborate exceptions take effect. These include the standard contractual clauses issued by the EU for such transfers. However, data protectors and courts require an individual assessment of the data protection risks by the companies using them. Uncritical adoption of the standard texts is not sufficient.

Furthermore, a data transfer can be based on the consent of the data subjects. Here, too, the requirements for their effectiveness are very high. Finally, within corporate groups, the so-called “Binding Corporate Rules” come into consideration. They are intended to create an appropriate level of data protection within a corporate group.

Further negotiations before the ECJ?

The new regulations on data transfer to the USA will be the subject of further court proceedings. In the end, there could be a “Schrems III ruling” by the ECJ, in reference to Austrian data protection activist Max Schrems, who had already taken the first two attempts for a U.S.-EU agreement to court. This is what his assessment suggests: “At first glance, they are trying to make a third agreement here without a legal basis.” And further, “I assume that even a new agreement will soon be overturned by the ECJ.”

The bottom line is that legal uncertainties remain and further litigation is to be expected. If the new procedure currently under discussion is one day overturned in a Schrems III decision by the ECJ, the process would start all over again. Until we reach Schrems X… ?