By Dave McKay | April 3, 2021
EU and U.S. Data Flow Talks Cranked Up a Notch
As I reported back in July 2020 in a blog titled CJEU Invalidates EU-US Privacy Shield Agreement, the EU-U.S. Privacy Shield agreement, which allowed personal data to be transferred out of the EU to participating U.S. companies, was ruled invalid by the Court of Justice of the European Union (CJEU).
On March 25th, 2021, the EU Commissioner for Justice and the U.S. Secretary of Commerce made a joint statement on the state of the negotiations to find a solution that would permit the flow of personal data to recommence.
The statement reads (emphasis is mine):
“The U.S. Government and the European Commission have decided to intensify negotiations on an enhanced EU-U.S. Privacy Shield framework to comply with the July 16, 2020 judgment of the Court of Justice of the European Union in the Schrems II case.
These negotiations underscore our shared commitment to privacy, data protection and the rule of law and our mutual recognition of the importance of transatlantic data flows to our respective citizens, economies, and societies.
Our partnership on facilitating trusted data flows will support economic recovery after the global pandemic, to the benefit of citizens and businesses on both sides of the Atlantic.”
A replacement framework or an upgraded framework is required as soon as possible. Most of the companies I talk to have done nothing to provide safeguards for EU to U.S. data flows following the demise of the original Privacy Shield. The remaining transfer mechanisms are:
- Standard Contractual Clauses
- Binding Corporate Rules
- Codes of Conduct and Certification Mechanisms
- Derogations
Some companies like MailChimp have effectively said not to worry, business as usual—we already have Standard Contractual Clauses (SCCs) in our terms and conditions. However, it’s not a given that such a measure is sufficient. Technically, both parties must agree to and sign the SCCs. Whether accepting MailChimp’s (or any other provider’s) terms and conditions truly constitutes execution of SCCs is a tough call.
Moreover, SCCs don’t address the reason that Privacy Shield was found insufficient. The crux of the matter was that the U.S. intelligence agencies and law enforcement have the power to force a company to hand over electronic data—including personally identifiable information (PII). If that PII belongs to European citizens, argued Max Schrems, that is a breach of privacy. His case was upheld, and Privacy Shield was toppled.
So, SCCs don’t provide any more protection from the demands of U.S. agencies pursuing matters of justice and national security than Privacy Shield did. What we really need is a new framework, or a Privacy Shield Mark II, that addresses the shortcomings that made the CJEU rule Privacy Shield Mark I insufficient. But how can EU data privacy laws impinge upon U.S. laws regarding fighting organised crime, the pursuit of justice, and national security?
Source: European Commission