What is the General Data Protection Regulation and Why Should Your Business Care?
Four years ago, the European Union ("EU") began enforcement of the General Data Protection Regulation ("GDPR"). The GDPR is a comprehensive data privacy law enacted to create a standardized and cohesive data privacy framework across all EU member countries. The GDPR has since encouraged the adoption of data privacy laws throughout the world,1 such as the California Consumer Privacy Act. Businesses in the United States that process2 personal data of European residents, after it has been transferred from a country in the European Economic Area to the United States, must comply with the GDPR.3
Over the last four years, there has been extensive litigation concerning alleged violations of the GDPR through transfers of personal data from the EU to the U.S. That litigation initially left businesses in the U.S. to navigate GDPR compliance on their own, with relatively little guidance from regulators.4 It also prompted the adoption of a modernized set of Standard Contractual Clauses ("SCCs"), which the European Commission "pre-approved" as compliant with the GDPR5 and which gave businesses more certainty that their data transfer practices would pass GDPR muster.6 More recently, however, a regulatory decision found that the SCCs, on their own, did not adequately protect personal data transferred to the U.S.7 Businesses have once again been left to navigate the GDPR with little guidance. The European Commission and the U.S. hope to fill the gaps left in the wake of this litigation with Privacy Shield 2.0.
Why is it Difficult for Data to Be Transferred from Europe to the United States?
The GDPR restricts the transfer of personal data from the EU to third countries or international organizations unless the transfer satisfies certain conditions. One such condition is an adequacy decision: "a transfer of personal data to a third country or an international organisation may take place where the [European] Commission has decided that the third country... or the international organisation in question ensures an adequate level of protection."8 In making that determination, the Commission considers multiple factors, including relevant legislation, data subject rights, administrative and judicial redress, and the existence and effective functioning of independent supervisory authorities.9 Once adopted, an adequacy decision is reviewed at least every four years to confirm that an adequate level of protection is still being maintained.10 The Commission may amend, repeal, or suspend its decision if it determines that developments in the third country have led to inadequate protection.11
Privacy Shield 1.0
Privacy Shield 1.0, designed by the U.S. Department of Commerce and the European Commission and approved for use on July 12, 2016,12 provided a framework that companies in the EU and U.S. could follow to transfer personal data in compliance with EU data protection law, including, from May 2018, the GDPR.13 U.S. organizations self-certified to the Department of Commerce each year to confirm their compliance with the framework's principles. This allowed for the relatively straightforward transfer of data between the EU and U.S.,14 alongside the SCCs, which remained available as a separate transfer mechanism.15
Even before Privacy Shield 1.0 was approved, an Austrian citizen named Max Schrems had complained to the Irish Data Protection Commissioner ("DPC"), the supervisory authority for Facebook's Ireland-based European headquarters, that Facebook's transfer of his personal data from Ireland to servers located in the United States violated his data protection rights under EU law. The DPC rejected the complaint on the ground that EU-U.S. transfers were covered by the European Commission's binding Safe Harbor decision. Schrems challenged that rejection, and in October 2015 the Court of Justice of the European Union ("CJEU") invalidated the Safe Harbor decision in the case now known as Schrems I.16
Schrems then revised his complaint to the DPC, arguing that U.S. surveillance programs infringed his rights to privacy, data protection, and effective judicial protection under EU law, including the GDPR.17 On July 16, 2020, the CJEU issued its decision in the Schrems II case, agreeing with Schrems, invalidating Privacy Shield 1.0, and holding that SCC-based transfers must meet stricter requirements, including a case-by-case assessment of whether the law of the destination country undermines the protections the SCCs are meant to provide.18
The U.S. surveillance program Schrems cited in his complaint is authorized by the Foreign Intelligence Surveillance Act ("FISA"). Specifically, Section 702 of FISA allows the U.S. Government to conduct warrantless surveillance of non-U.S. persons located outside the United States19 and does not provide EU data subjects with the judicial redress the GDPR requires.20 The Schrems II court found that U.S. law gives surveillance conducted under FISA primacy over the protections of Privacy Shield 1.0, and that such surveillance is not limited to what is strictly necessary and proportionate, as EU law requires.21
On June 4, 2021, approximately eleven months after the Schrems II decision, the European Commission adopted and released a modernized set of SCCs for the transfer of personal data to third countries.22 The modernized SCCs replaced the SCCs that had been adopted prior to the Schrems II decision.23
Although the Schrems II court upheld the validity of the Commission's decision approving the SCCs, roughly seven months after the modernized SCCs were adopted the Austrian Data Protection Authority ("Austrian DPA") held that, in the case before it, the SCCs did not provide an adequate level of protection under the GDPR.24 In a case brought against Google LLC ("Google") by a non-governmental organization co-founded by Max Schrems, the Austrian DPA found that the combination of the SCCs and the technical measures implemented by Google did not provide the effective protection of personal data the GDPR requires, because they did not eliminate the possibility of U.S. intelligence agencies accessing or surveilling that data.25
Ultimately, U.S. businesses have been left to navigate the GDPR on a case-by-case basis, attempting compliance without much guidance and hoping for the best. Consequently, the EU and U.S. began work on a joint solution: Privacy Shield 2.0.
Plan for Privacy Shield 2.0
After the fall of Privacy Shield 1.0, the European Commission and the U.S. worked together on a solution that would permit the transfer of personal data from the EU to the U.S. in compliance with the GDPR.26 In March 2022, the European Commission and the U.S. announced that they had agreed in principle on a new Trans-Atlantic Data Privacy Framework.27 The new framework, informally called Privacy Shield 2.0, is intended to address the concerns raised in the Schrems II decision.28 If adopted, it should also largely moot the Austrian DPA's decision regarding the use of SCCs for transfers to the U.S.
Privacy Shield 2.0 creates pressure for additional data privacy regulation in the U.S., as it requires the U.S. to take substantial action to meet the GDPR's standards.29 The U.S. has committed to put new safeguards in place, such as requiring signals intelligence activities conducted in the name of national security to be "necessary and proportionate in the pursuit of defined national security objectives,"30 adopting a two-level redress mechanism for EU individuals, and ensuring enhanced, independent oversight of those surveillance activities.31
Privacy Shield 2.0 is intended to reinstate a framework that U.S. companies can follow to ensure their data processing and transfer activities comply with the GDPR.32 Such a framework allows personal data to flow more easily from the EU to the U.S. while preserving the rights of European citizens and enabling economic growth.33 Consequently, businesses will be able to take more comfort in knowing that they are following guidance that has actually been issued.
Be aware that an agreement between governments, such as the one between the EU and U.S., does not mean that organizations within those countries can become complacent about their data privacy policies. As countries around the world continue to address data privacy concerns within their own borders, international organizations must remain vigilant and ensure compliance with continuously changing laws.
Please contact us should your business need any assistance complying or staying up-to-date with the ever-changing data privacy laws.
1. Matt Burgess, What is GDPR? The summary guide to GDPR compliance in the UK, Wired (Mar. 24, 2020, 4:30 PM), https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018.
2. Regulation (EU) 2016/679, art. 4(2), 2016 O.J. (L 119) 33.
3. EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, art. 2, 2016 O.J. (L 119) 32.
4. See infra notes 15-25 and accompanying text.
5. Standard Contractual Clauses, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
7. See infra notes 24-25 and accompanying text.
8. Regulation (EU) 2016/679, art. 45, 2016 O.J. (L 119) 61-62.
9. Regulation (EU) 2016/679, art. 45(2)(a), 2016 O.J. (L 119) 61.
10. Regulation (EU) 2016/679, art. 45(3)-(4), 2016 O.J. (L 119) 61.
11. Regulation (EU) 2016/679, art. 45(5), 2016 O.J. (L 119) 61.
12. Privacy Shield Overview, Privacy Shield Framework, https://www.privacyshield.gov/program-overview.
13. U.S.-EU Privacy Shield and Transatlantic Data Flows, Congressional Research Service (Sep. 22, 2021), https://crsreports.congress.gov/product/pdf/R/R46917.
15. Standard Contractual Clauses, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.
16. Shara Monteleone and Laura Puccio, The CJEU's Schrems ruling on the Safe Harbor Decision, European Parliamentary Research Service (Oct. 2015), https://www.europarl.europa.eu/RegData/etudes/ATAG/2015/569050/EPRS_ATA(2015)569050_EN.pdf.
17. Hendrik Mildebrath, The CJEU Judgment in the Schrems II Case, European Parliamentary Research Service (Sep. 2020), https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf.
19. Warrantless Surveillance Under Section 702 of FISA, ACLU, https://www.aclu.org/issues/national-security/privacy-and-surveillance/warrantless-surveillance-under-section-702-fisa.
20. Caitlin Fennessy, The 'Schrems II' decision: EU-US data transfers in question, iapp (Jul. 16, 2020), https://iapp.org/news/a/the-schrems-ii-decision-eu-us-data-transfers-in-question/.
21. Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (CJEU, Grand Chamber, July 16, 2020).
22. The Definitive Guide to Schrems II, One Trust DataGuidance (Mar. 25, 2022), https://www.dataguidance.com/resource/definitive-guide-schrems-ii#revised%20SCCs.
23. Notably, it is no longer possible to enter into contracts incorporating the earlier sets of SCCs, and businesses can only continue to rely on the earlier SCCs for existing contracts until December 27, 2022. Supra note 22.
24. Austrian DPA Finds Data Transfers Resulting from Analytics Cookie Use to Be in Violation of GDPR Data Transfer Requirements, Hunton Andrews Kurth LLP (Jan. 24, 2022), https://www.huntonprivacyblog.com/2022/01/24/austrian-dpa-finds-data-transfers-resulting-from-analytics-cookie-use-to-be-in-violation-of-gdpr-data-transfer-requirements/.
25. The Austrian DPA also found that IP addresses and online identifiers, including those implemented by Google in its Google Analytics feature, qualify as personal data because they allow for individuals to be identified. Id.
26. United States and European Commission Joint Statement on Trans-Atlantic Data Privacy Framework, The White House (Mar. 25, 2022), https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/united-states-and-european-commission-joint-statement-on-trans-atlantic-data-privacy-framework/.
29. Id.; FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework, The White House (Mar. 25, 2022), https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework/.
30. White House, supra notes 26 and 29.
31. White House, supra notes 26 and 29.
32. White House, supra notes 26 and 29.
33. White House, supra notes 26 and 29.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.