On 10 August, the European Commission and the US Department of Commerce confirmed that talks have begun between the EU and US for an “enhanced” Privacy Shield.
This will be the third attempt to revise this framework, following the invalidation of Safe Harbor in 2015 and Privacy Shield in July 2020. Third time’s a charm? We’re not so sure.
By way of recap, in Schrems II, the court made clear that Privacy Shield was invalid for three main reasons:
- US surveillance rules are disproportionate
- There is a lack of proper oversight over US surveillance programmes
- EU individuals do not have rights actionable in the courts against US authorities and therefore they have no right to an effective remedy. The introduction of a Privacy Shield Ombudsperson, the court found, could not remedy these deficiencies.
Therefore, for Privacy Shield to step up to the mark, it would require: (i) the US to change how it conducts surveillance; and (ii) significantly increased powers and independence for the Privacy Shield Ombudsperson. This is no small order and it is difficult to see how a satisfactory outcome will be achieved. The EU will not want to lower the privacy protections for its citizens and the US will not want to be seen to be curtailing and compromising on national security, particularly given that the US elections are on the horizon.
Even if a new Privacy Shield is agreed (and, if Safe Harbor’s invalidation taught us anything, we know this could take around a year to agree!), it seems likely that it would be challenged by privacy activists. After the announcement, Max Schrems tweeted a link to the joint press statement, adding “So the @SecretaryRoss and @EU_Justice are (A) working on changing US surveillance laws or (B) working on the third beating by the #CJEU?!”
Companies need to consider the value of signing up to any new framework that may be agreed in light of these challenges. Instead, pressing ahead with SCCs, the “case-by-case assessments” and “supplementary measures” might be a better use of time and money since the validity of the SCCs is not as precarious following Schrems II.