EU-US Privacy Shield Research Articles

The EU–US data privacy framework and the impact on companies in the EEA and USA compared to other international data transfer mechanisms

Third time's a charm? Companies in the European Economic Area, Switzerland and the UK (EEA+) are considering the pros and cons of the third attempt of the EU Commission and US government to establish interoperability between their data protection and privacy law systems, after the demise of the US Safe Harbor Program and the EU–US Privacy Shield. Should US companies register? Are the efforts worth the potential benefits, given that the new programme has already been challenged and may be invalidated like previous programmes for reasons that businesses cannot control? Should companies that were already enrolled in the previous programmes accept automatic enrolment or leave the programme? Can and should companies in the EEA+ rely on EU–US Data Privacy Framework (DPF) registration for international transfers? Or insist on registration in addition to standard contractual clauses (EU SCC 2021) or other compliance mechanisms? Are data transfer impact assessments (DTIAs) still required for transfers to the US? Should they be updated? This paper seeks to help companies find answers to these questions and (I) outlines the background and context of the Adequacy Decision, (II) explains how US companies can join the DPF, (III) discusses the impact of the Adequacy Decision, (IV) summarises requirements for other compliance mechanisms for international data transfers under the GDPR, (V) compares the DPF to other transfer compliance mechanisms and (VI) provides practical considerations and a summary.

The Challenges of Collecting Digital Evidence Across Borders

In the modern world, the use of ICT communication technologies has become an integral part of life. ICT infrastructure is the bearer of digital traces of both legal and illegal activities performed through it. However, for something to become digital evidence, it must be obtained by law and by a person authorised by law. Namely, the virtual infrastructure, especially the Internet and the new challenges brought to us by cloud architectue due to its physical positioning outside national borders, calls into question the legality of searching and collecting digital evidence outside national borders. This paper analyses the legal basis for collecting digital evidence in cyberspace internationally, such as the Council of Europe Convention on Cybercrime, the US Cloud Act, the Australian Decryption Act and the European GDPR. Although the Court of Justice of the European Union declared invalid the decision of the European Commission (EU) 2016/1250 on the adequacy of data protection provided through the EU-US Privacy Shield, experts must not stop looking for a solution to the apparent problem. The paper intends to support decision-makers in taking clear national positions regarding the above controversial legal norms and their mutual conflict. The paper compares the legal consequences of such collection, and the acceptability of such digital evidence, and such collection may also be associated with a breach of the privacy of a legal and private entity.

The EU-US Data Privacy Framework: Doomed Like Its Predecessors?

As of 10 July 2023, the EU-US Data Privacy Framework became active 1 and allows for personal data to flow between the EU and US without the need for separate contractual arrangements (such as Standard Contractual Clauses (‘SCC’s’). However, with years of challenges and invalidation of (i) the EU-US Safe Harbor Framework and (ii) the EU-US Privacy Shield, it remains to be seen whether this new mechanism will fall foul of the same data privacy challenges as those mechanisms. Data Protection, International Data Transfers

Transfer of Personal Data to Third Countries and the “Equivalent Level” of Protection According to the European Court of Justice

Abstract The focus of this study is the transfer of personal data to third countries or international organizations according to EU Regulation No. 679/2016 (GDPR) on the protection of personal data. The primary goal of this Regulation concerning data transfer to third countries is to ensure that the subject’s rights and freedoms are safeguarded at the same level as provided by GDPR. According to GDPR, before any transfer to a third country or international organization, it must first be ascertained whether the European Commission has established that a third country ensures an adequate level of protection. Regarding personal data protection in the third state, the Court of Justice of the European Union has intervened on different occasions. In the last decision, in 2020, the Court declared invalid the European Commission’s Decision No. 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield (CJEU, Schrems II, 2020, July 16) because it does not provide effective and enforceable rights for personal data subjects in cases of interference. According to the Court of Justice of the European Union, the US does not guarantee an “essentially equivalent” level of protection to that provided by the European Union under Article 45(1) GDPR, read in conjunction with Articles 7, 8, and 47 of the European Union’s Charter of Fundamental Rights, which guarantee respect for private and family life, personal data protection, and the right to effective judicial protection.

Cross-Border Transfers of Personal Data After Schrems II: Supplementary Measures and new Standard Contractual Clauses (SCCs)

This article analyses the legal challenges of international data transfers resulting from the recent Court of Justice of the European Union (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II). This judgement invalidated the EU-US Privacy Shield Framework but upheld the use of standard contractual clauses (SCCs). However, one caveat is that organisations would have to perform a case-by-case assessment on the application of the SCCs and implement ‘supplementary measures’ to compensate for the lack of data protection in the third country, where necessary. Regrettably, the CJEU missed the opportunity to specify what exactly these ‘supplementary measures’ could be. To fill this gap, the European Data Protection Board (EDPB) adopted guidelines on the measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. In addition, on June 4th, 2021 the European Commission issued new SCCs which replaced the previous SCCs that were adopted under the previous Data Protection Directive 95/46. These new developments have raised the bar for data protection in international data transfers. In this article, we analyse the current regulatory framework for cross-border transfers of EU personal data and examine the practical considerations of the emerging post-Schrems II legal landscape.

Invalidation of the EU–US Privacy Shield: impact on data protection and data security regarding the transfer of personal data to the United States

The Court of Justice of the European Union has attracted international attention with its ruling, in which it declared the EU–US Privacy Shield invalid. Many companies have a connection to the United States, whether through service providers or affiliated companies. Data exporters and data importers are still wondering whether and how they can manage the transfer of personal data to the United States in accordance with European data protection laws. The national German data protection authorities have already published general recommendations for action, but these did not provide any remedy either. In November 2020, the European Data Protection Board published recommendations on measures to complement the transfer tools to ensure compliance with the European level of protection of personal data. The following article presents these recommendations and focuses on data security measures that play a major role in the future transfer of personal data to the United States.

CJEU 16 July 2020 – C-311/18 EU-US Privacy Shield Agreement: Legality of Data Transfers to Non-EU Countries – Schrems II

CJEU 16 July 2020 – C-311/18 EU-US Privacy Shield Agreement: Legality of Data Transfers to Non-EU Countries – Schrems II

Achieving GDPR compliance post-Privacy Shield

In May 2018, the General Data Protection Regulation (GDPR) became enforceable. The GDPR has changed the way that any entity conducting business with an EU country holds and processes data about EU citizens. As companies around the world embarked on a vast undertaking to meet the GDPR's list of requirements, more than 5,000 certified US organisations secured their seal of approval with respect to article 45 of the GDPR relating to data transfers through the EU-US Privacy Shield. Until recently, US organisations have been able to manage the private data of EU citizens under the protection of the EU-US Privacy Shield. But now that has been invalidated, many are left facing uncertainty and risk. This needs to be addressed quickly, and not just to remain compliant with the General Data Protection Regulation (GDPR). There is a great business opportunity for companies to address privacy issues now and it is much better to address privacy proactively, rather being summoned to court for taking the opposite stance, explains Sam Curry of Cybereason.

Transfer danych osobowych do stanów zjednoczonych po stwierdzeniu nieważności decyzji w sprawie tarczy prywatności UE-USA

Transfer of personal data to the United States after the invalidation of the decision regarding the EU-US Privacy Shield The aim of this article is to provide a summary of the legal ground rules for the transfer of personal data to the United States following the ECJ declared the decision of the European Commission on the EU-US Privacy Shield program invalid. The author outlines the general principles of transfer of personal data to third countries in view of the regulations of Chapter 5 of the GDPR, analyzes the presumptions of the Privacy Shield program, and assesses the post-invalidation landscape. The author analyzes the Schrems II judgment, the complaint of M. Schrems, the questions submitted to the CJEU for a preliminary ruling, and describes the key points of the judgment in case file no. C-311/18. The article also provides a brief historical overview of the developments that resulted in the CJEU issuing the aforementioned judgment.

“Schrems II”: The return of the Privacy Shield

On 16 July 2020, the Grand Chamber of the European Court of Justice rendered its landmark judgment in Case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”). The Grand Chamber invalidated the Commission decision on the adequacy of the data protection provided by the EU-US Privacy Shield. It however considered that the decision of the Commission on standard contractual clauses (“SCCs”) issued by the Commission for the transfer of personal data to processors established in third states was legally valid.The legal effects of the judgment should first be clarified. In addition, it has far-reaching implications for companies which transfer personal data from the EU to the US. The judgment of the Grand Chamber has also far-reaching implications for transfers of personal data from the EU to other third states. Last, it has far-reaching implications for the UK in the context of Brexit.© 2020 Published by Elsevier Ltd. All rights reserved.

The American Way — Until Machine Learning Algorithm Beats the Law? Algorithmic Consumer Credit Scoring in the EU and US

Algorithmic consumer credit scoring has caused anxiety among scholars and policy makers. After a significant legislative effort by the European Union, the General Data Protection Regulation (GDPR) that has provisions tailored to automated decision-making (ADM) was implemented. When the EU Commission and the US Department of Commerce negotiated for US organizations to whom data from EU data controller is transferred to comply with the key principles of EU Data Protection Law under the EU-US Privacy Shield (PS) Framework, the Department of Commerce refused to incorporate the GDPR principles governing ADM in the PS Framework. The EU Commission accepted this refusal reasoning that where US companies make automated decisions with respect to EU data subjects, such as in consumer credit risk scoring, there are laws in the US that protect the consumer from adverse decisions. This view contradicts recommendations for implementing GDPR-Inspired law in the US to tackle the challenges of automated consumer credit scoring. This article argues that despite the differences in the approach to the regulation of automated consumer credit scoring in the EU and the US, consumers are similarly protected in both jurisdictions. Furthermore, US consumer credit laws have the necessary flexibility to ensure that adverse automated decisions are tackled effectively. This article, through analyzing statutes, cases, and empirical evidence, demonstrates that the seemingly comprehensive legal rules governing ADM in the GDPR do not make the EU consumers better off. In addition, the challenges presented by the increasing sophistication of Artificial Intelligence (AI), especially machine learning, place both the EU and the US legal regimes in similar position as neither jurisdiction is equipped to respond to autonomous, unpredictable, and unexplainable algorithms making decisions. While the EU’s risk-based approach to AI regulation adopted by the Draft AI Regulation which also contains provisions on regulatory sandboxing is a significant improvement, it does not significantly change the rules regarding algorithmic consumer credit scoring. Nevertheless, this is the approach that regulation should primarily adopt for the future.

The Court of Justice of the European Union ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems. Judgment in Case C-311/18

On 16th July, 2020, The Court of Justice for the European Union (CJEU) delivered its verdict in the case brought by Maximillian Schrems against Facebook Ireland. The court’s finding was that EUUS Privacy Shield is invalid, while the Standard Contractual Clauses (SCCs) remained a lawful way to transfer data. This finding is a blow to the US administration and the thousands of businesses relying on it. Many of those companies must remember that the previous framework for data transfers between the regions was found invalid in 2015: Safe Harbour. Now, EU–US data transfers have limited options. The SCCs were found by the CJEU court to only be valid if each processing activity involving an EU to US data transfer is assessed individually, that risks are appropriately mitigated and the rights of data subjects can be guaranteed. This puts an additional compliance burden on smaller businesses. This case study discusses how difficult it is to argue with the court’s decision. The requirement now is to fix the underlying issues surrounding intelligence gathering to make it more transparent, build trust and to establish a framework that balances an individual’s privacy rights with the needs of intelligence agencies.

EU: Invalidity of EU-US Privacy Shield and Legality of Requirements in Standard Contract Clauses – Schrems II

EU: Invalidity of EU-US Privacy Shield and Legality of Requirements in Standard Contract Clauses – Schrems II

The EU-US Privacy Shield Regime for Cross-Border Transfers of Personal Data under the GDPR

Cloud-based technologies, big data, statistical signal processing algorithms, and Artificial Intelligence (AI) technologies are expected to play an increasingly important role in themedical field. Big data and AI-technologies rely on the cloud for data storage as well as for computational power and thus need effective and robust legal frameworks for international data transfer. Because of inconsistent data protection regulations, this is not always simple to achieve as it can be illustrated in the United States (US)–European Union (EU) context. Due to the lack of general data protection law at the federal level, the US currently does not have a general ‘adequacy decision’ from the European Commission (EC) to enable EU-US cross-border data transfers without the need for additional data protection safeguards under GDPR. As a fallback, a ‘limited adequacy’ decision was adopted in 2016 on the so-called ‘EU/US Privacy Shield Framework’. This framework protects the fundamental rights of natural persons in the EU and allows the free transfer of personal data to companies that are certified under the EU-US Privacy Shield. However, the EU-US Privacy Shield has been recently contested at the Court of Justice of the European Union (CJEU). This paper analyzes the EU-US Privacy Shield Framework, the associated legal challenges, and how these might affect organizations deploying or implementing cloud-based medical technologies relying on cross-border data transfers from EU data subjects.

Lost on the High Seas without a Safe Harbor or a Shield? Navigating Cross-Border Transfers in the Pharmaceutical Sector After Schrems II Invalidation of the EU-US Privacy Shield

This article analyzes the impact and associated legal challenges of cross-border data transfers in the pharmaceutical sector after the recent Court of Justice of the European Union (CJEU) decision in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems (Schrems II). In Schrems II, the CJEU invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield Framework. That said, the Court also found that the European Commission Decision 2010/87 on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries is still valid. The ruling has resulted in significant uncertainty and liability risks for organizations that depend on EU-US cross-border transfers of personal data such as pharmaceutical companies (data controllers) engaged in global clinical trials and their technology providers for endpoint collection and data transfer (processors). In light of these challenges, this paper discusses the need for sustainable practices and a legally sound regulatory environment for data transfer. To mitigate risks and uncertainties, we stress the need for updated SCCs guidelines and argue inter alia for the adoption of contractual frameworks which incorporate SCCs with a robust information security management system (ISMS) and a privacy information management system (PIMS) to ensure an appropriate level of data protection.

The Invalidation of the EU-US Privacy Shield and the Future of Transatlantic Data Flows: Testimony of Professor Neil Richards before the United States Senate

This is the prepared testimony and statement for the records, including responses to questions for the record of Professor Neil Richards before the United States Senate Commerce Committee on December 9, 2020. The testimony explains that while Congress has failed to pass a comprehensive privacy bill despite many opportunities, the judgment of the European Court of Justice in Data Protection Commissioner v. Facebook, (commonly known as “Schrems 2”) represents a real opportunity for it to do just that in the near future. The testimony argues first that Congress should not just pass a comprehensive privacy bill, but one that gets it right, that provides clear but substantive rules for companies, and which provides adequate protections and effective remedies for consumers. A law that meets these features will not just protect consumers – it will be good for business as well, by helping enable transatlantic data flows and building the consumer trust that is essential for long-term sustainable economic prosperity for all. Second, it explains what the judgment in Schrems 2 requires, with particular emphasis on factors within the jurisdiction of the Senate Commerce Committee. Third, it offers some ways in which the Committee’s work can solve some of the challenges for data flows and privacy law that the Schrems 2 judgment raises or illustrates. Fourth, it argues that this Committee should pass a strong privacy law (including a duty of loyalty) that builds the consumer trust that is so essential to sustainable and profitable commerce.

Is Data Localization a Solution for Schrems II?

For the second time this decade, the Court of Justice of the European Union has struck a blow against the principal mechanisms for personal data transfer to the United States. In Data Protection Commissioner v Facebook Ireland, Maximillian Schrems, the Court declared the EU-US Privacy Shield invalid and placed significant hurdles to the process of transferring personal data from the European Union to the United States via the mechanism of Standard Contractual Clauses. Many have begun to suggest data localization as the solution to the problem of data transfer; that is, don’t transfer the data at all. I argue that data localization neither solves the problem of foreign surveillance, nor enhances personal privacy, while undermining other values embraced by the European Union.

International Data Flows and Privacy: The Conflict and Its Resolution

The free flow of data across borders underpins today's globalized economy. But the flow of personal data outside the jurisdiction of national regulators also raises concerns about the protection of privacy. Addressing these legitimate concerns without undermining international integration is a challenge. This paper describes and assesses three types of responses to this challenge: unilateral development of national or regional regulation, such as the European Union's Data Protection Directive and forthcoming General Data Protection Regulation; international negotiation of trade disciplines, most recently in the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP); and international cooperation involving regulators, most significantly in the EU-U.S. Privacy Shield Agreement. The paper argues that unilateral restrictions on data flows are costly and can hurt exports, especially of data-processing and other data-based services; international trade rules that limit only the importers' freedom to regulate cannot address the challenge posed by privacy; and regulatory cooperation that aims at harmonization and mutual recognition is not likely to succeed, given the desirable divergence in national privacy regulation. The way forward is to design trade rules (as the CPTPP seeks to do) that reflect the bargain central to successful international cooperation (as in the EU-US Privacy Shield): regulators in data destination countries would assume legal obligations to protect the privacy of foreign citizens in return for obligations on data source countries not to restrict the flow of data. Existing multilateral rules can help ensure that any such arrangements do not discriminate against and are open to participation by other countries.

Redress, the International Protection of Privacy and National Security and Intelligence Agencies: The Role for an Ombudsperson

The term Ombudsman (Ombudsperson) is used in various ways in a wide variety of jurisdictions and organizational settings, but there is no consensus on its definition. The institution of the ombudsperson does not make binding decisions, mandate policies or formally adjudicate issues; it supplements other formal investigative or adjudicative institutions. It is the absence of regulatory power that tends to give the institution its identity. The classical (legislative) ombudsperson responsible for remedying maladministration in an entire jurisdiction is far more common in parliamentary systems than in the U.S., where “executive,” “organizational” or “advocacy” ombudspersons are more typical. The “ombuds” function has always played a central role in the governance of privacy. However, in the context of national security and intelligence, neither ombudspersons nor data protection authorities (DPAs) have played significant roles, to date. The institution of the ombudsperson offers several advantages over judicial forms of redress. However, for any such institution, such as the new ombudsperson established under the EU-US Privacy Shield, some difficult questions of institutional design always need to be resolved on: independence and autonomy; the relationship with other oversight offices; the submission and handling of complaints; powers to force compliance; remedies; and the standards for evaluation and assessment. As these institutions have proliferated, national and international ombudsman associations have promulgated guidelines for the establishment and operation of these offices. These standards offer important international lessons for the effective operation of these offices and the building of trust.

Reality and Illusion in EU Data Transfer Regulation PostSchrems

The judgment of the Court of Justice of the European Union inSchrems v. Data Protection Commissioner, in which the Court invalidated the EU-US Safe Harbour arrangement, is a landmark in EU data protection law. The judgment affirms the fundamental right to data protection in the context of international data transfers, defines an adequate level of data protection, and illustrates how data protection rights under EU law can apply to data processing in third countries. It also raises questions about the status of other legal bases for international data transfers under EU law, and shows that many legal disputes concerning data transfers are essentially political arguments in disguise. TheSchremsjudgment illustrates the tendency of EU data protection law to focus on legalistic mechanisms to protect data transfers rather than on protection in practice. The EU and the US have since agreed on a replacement for the Safe Harbour (the EU-US Privacy Shield), the validity of which will likely be tested in the Court of Justice. Regulation of data transfers needs to go beyond formalistic measures and legal fictions, in order to move from illusion to reality.