Four years ago, the European Union (“EU”) began enforcement of the General Data Protection Regulation (“GDPR”). The GDPR is a comprehensive data privacy law enacted to create a standardized and cohesive data privacy framework across all EU member countries. The GDPR has since encouraged the adoption of data privacy laws throughout the world,[1] such as the California Consumer Privacy Act. Businesses in the United States that process[2] personal data of European residents, after it has been transferred from a country in the European Economic Area to the United States, must comply with the GDPR.[3]
Over the last four years, there has been much litigation concerning alleged violations of the GDPR through transfers of data from the EU to the U.S. The litigation,[4] after resulting in the invalidation of the initial compliance framework, Privacy Shield 1.0, left businesses in the U.S. to navigate GDPR compliance on their own. This resulted in the adoption of a modernized set of Standard Contractual Clauses (“SCCs”), which were “pre-approved” by the European Commission as compliant with the GDPR[5] and ultimately allowed businesses to operate with more certainty that their data transfer practices would pass muster under the GDPR.[6] As a result of recent litigation,[7] the SCCs were deemed ineffectual. Businesses have been, once again, left to navigate the GDPR with little guidance. The European Commission and the U.S. hope to fill the gaps left in the wake of this litigation with Privacy Shield 2.0.
The European Commission and the U.S. worked together to reach a solution that would permit the transfer of personal data from the EU to the U.S. in compliance with the GDPR.[8] In March of 2022, the European Commission and the U.S. announced they were in the final stages of a new Trans-Atlantic Data Privacy Framework.[9] The new Trans-Atlantic Data Privacy Framework, or Privacy Shield 2.0, will address the concerns raised by the recent litigation.[10]
Privacy Shield 2.0 creates pressure for additional data privacy regulations in the U.S., as it requires the U.S. to take substantial action to comply with the GDPR.[11] The U.S. is set to put new safeguards in place, such as requiring surveillance activities in the name of national security to be “necessary and proportionate in the pursuit of defined national security objectives,”[12] adopting a two-level redress procedure, and taking measures to ensure surveillance activities are enhanced and independently supervised.[13]
Privacy Shield 2.0 will reinstate a framework for companies in the U.S. to follow to ensure their data processing and transfer activities are compliant with the GDPR.[14] Such a framework allows for an easier flow of personal data from the EU to the U.S., while preserving the rights of European citizens and enabling economic growth.[15] Consequently, it will allow businesses to step back and find more comfort in knowing they are following the guidance that has been issued.
Be aware that when agreements are made between countries, such as between the EU and U.S., it does not mean that organizations within those countries can become complacent when it comes to their data privacy policies. As countries around the world continue to address data privacy concerns within their own borders, international organizations must remain vigilant and ensure compliance with the continuously changing laws.
Please contact us should your business need any assistance complying with the new framework under Privacy Shield 2.0 or staying up-to-date with the ever-changing data privacy laws.
[1] Matt Burgess, What is GDPR? The summary guide to GDPR compliance in the UK, Wired (Mar. 24, 2020, 4:30 PM), https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018.
[2] Regulation (EU) 2016/679, art. 4(2), 2016 O.J. (L 119) 33.
[3] EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, art. 2, 2016 O.J. (L 119) 32.
[4] Schrems II is the case that led to the Court of Justice of the European Union invalidating Privacy Shield 1.0 and determining stricter requirements were necessary for SCC-based transfers. Hendrik Mildebrath, The CJEU Judgment in the Schrems II Case, European Parliamentary Research Service (Sep. 2020), https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf.
[5] Standard Contractual Clauses, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
[6] Id.
[7] The Austrian Data Protection Authority held that SCCs did not provide an adequate level of protection under the GDPR. Austrian DPA Finds Data Transfers Resulting from Analytics Cookie Use to Be in Violation of GDPR Data Transfer Requirements, Hunton Andrews Kurth LLP (Jan. 24, 2022), https://www.huntonprivacyblog.com/2022/01/24/austrian-dpa-finds-data-transfers-resulting-from-analytics-cookie-use-to-be-in-violation-of-gdpr-data-transfer-requirements/.
[8] United States and European Commission Joint Statement on Trans-Atlantic Data Privacy Framework, The White House (Mar. 25, 2022), https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/united-states-and-european-commission-joint-statement-on-trans-atlantic-data-privacy-framework/.
[9] Id.
[10] Id.
[11] Id.; FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework, The White House (Mar. 25, 2022), https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework/.
[12] White House, supra note 8; White House, supra note 11.
[13] White House, supra note 8; White House, supra note 11.
[14] White House, supra note 8; White House, supra note 11.
[15] White House, supra note 8; White House, supra note 11.
KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.
- Associate
Nicole Cloyd practices in the firm’s Business Representations & Transactions Group, Data Privacy & Cybersecurity Group, and Intellectual Property & Technology Group. Nicole advises individuals and domestic and ...