Just over 20 days ago, it was announced that that a new Privacy Shield regulating trans-Atlantic flows of personal data was in the works. The prospect of having a data transfer mechanism specific to the transfers of personal data between the EU and the U.S.A (again!) is exciting, to stay the least. It also means quite a lot to business worldwide – the transfer of data across the Atlantic facilitates $7.3 trillion in economic relationships between the U.S.A and the EU!
But this agreement “in principle” on a new framework is far from being finalised, so don’t hold your breath! But when can we expect this new Privacy Shield, and more importantly, be able to potentially rely on it for data sharing compliant with the GDPR?
Once the text and content of the agreement is formalised, the European Commission would draft an adequacy determination, which, in this case, would be transmitted to the European Data Protection Board (the ‘EDPB’) for its opinion. The EDPB is an independent European body, composed primarily of representatives of the EU national data protection authorities along with the European Data Protection Supervisor, amongst others, and which is set up under the GDPR. One of the tasks of the EDPB is specifically that of adopting non-binding opinions addressed to the European Commission in order to advise on new proposed legislation related to protection of personal data, which would be the case vis-à-vis the new Privacy Shield.
Based on the feedback of the EDPB, as well as other stakeholders, as relevant, the adequacy determination may be amended or revised, however bearing in mind the length of negotiations since the last Privacy Shield was invalidated in 2020, major changes are not envisioned. The next fundamental step in this process is that the proposal must obtain the approval of 55% of the EU Member States – if this is case, the adequacy determination is formally adopted as a commission decision by the College of Commissioners and once published, the new Privacy Shield would take immediate effect!
So whilst news of the new Privacy Shield is great (well, it depends on who you ask!), we’re quite a long way off from seeing the agreement in action. If there aren’t any hiccups, we might have a new trans-Atlantic agreement published before the end of 2022, but the question then is how long that same agreement will remain in effect. The framework regulating transfers of personal data between the EU and the U.S.A has, since 2015, been challenged successfully in court twice by Max Schrems, who, in relation to the new Privacy Shield, has already expressed that “In the end, the Court of Justice will decide a third time”.
At present, and for the coming months, data controllers subject to the GDPR should therefore continue to ensure that any transfers of personal data they undertake to the U.S.A are made on the basis of lawful data transfer mechanisms, and that where relevant, assessment is made as to whether supplementary measures to those mechanisms are required to ensure that the data can be legally transferred outside of the EEA.