Four years ago, the European Union (“EU”) began enforcement of the General Data Protection Regulation (“GDPR”). The GDPR is a comprehensive data privacy law enacted to create a standardized and cohesive data privacy framework across all EU member countries. The GDPR has since encouraged the adoption of data privacy laws throughout the world,^[1] such as the California Consumer Privacy Act. Businesses in the United States that process^[2] personal data of European residents, after it has transferred from a country in the European Economic Area to the United States, must comply with the GDPR.^[3]

Over the last four years, there has been much litigation concerning supposed violations of the GDPR through transfers of data from the EU to the U.S.. The litigation,^[4] after resulting in the invalidation of the initial compliance framework, Privacy Shield 1.0, left businesses in the U.S. to navigate GDPR compliance on their own. This resulted in the adoption of a modernized set of Standard Contractual Clauses (“SCCs”), which were “pre-approved” by the European Commission to be compliant with the GDPR^[5] and ultimately allowed businesses to operate with more certainty that their data transfer practices would meet the GDPR’s muster.^[6] As a result of recent litigation,^[7] the SCCs were deemed ineffectual. Businesses have been, once again, left to navigate the GDPR with little guidance. The European Commission and the U.S. hope to fill the gaps left in the wake of this litigation with Privacy Shield 2.0.

The European Commission and the U.S. worked together to reach a solution that would permit the transfer of personal data from the EU to the U.S. in compliance with the GDPR.^[8] In March of 2022, the European Commission and the U.S. announced they were in the final stages of a new Trans-Atlantic Data Privacy Framework.^[9] The new Trans-Atlantic Data Privacy Framework, or Privacy Shield 2.0, will address the concerns raised by the recent litigation.^[10]

Privacy Shield 2.0 creates pressure for additional data privacy regulations in the U.S., as it requires the U.S. to take substantial action to comply with the GDPR.^[11] The U.S. is set to put new safeguards in place, such as requiring surveillance activities in the name of national security to be “necessary and proportionate in the pursuit of defined national security objectives,”^[12] adopting a two-level redress procedure, and taking measures to ensure surveillance activities are enhanced and independently supervised.^[13]

Privacy Shield 2.0 will reinstate a framework for companies in the U.S. to follow to ensure their data processing and transfer activities are compliant with the GDPR.^[14] Such framework allows for an easier flow of personal data from the EU to the U.S., while preserving the rights of European citizens and enabling economic growth.^[15] Consequently, it will allow businesses to step back and find more comfort in knowing they are following the guidance that has been issued.

Be aware that when agreements are made between countries, such as between the EU and U.S., it does not mean that organizations within those countries can become complacent when it comes to their data privacy policies. As countries around the world continue to address data privacy concerns within their own borders, international organizations must remain vigilant and ensure compliance with the continuously changing laws.

[1] Matt Burgess, What is GDPR? The summary guide to GDPR compliance in the UK, Wired (Mar. 24, 2020, 4:30 PM), https://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018.

[2] Regulation (EU) 2016/679, art. 4(2), 2016 O.J. (L 119) 33.

[3] EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, art. 2, 2016 O.J. (L 119) 32.

[4] Schrems II is the case that led to the Court of Justice of the European Union invalidating 1.0 and determining stricter requirements were necessary for SCCs-based transfers. Hendrik Mildebrath, The CJEU Judgment in the Schrems II Case, European Parliamentary Research Service (Sep. 2020), https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf.

[5] Standard Contractual Clauses, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

[6] Id.

[7] The Austrian Data Protection Authority held that SCCs did not provide an adequate level of protection under the GDPR. Austrian DPA Finds Data Transfers Resulting from Analytics Cookie Use to Be in Violation of GDPR Data Transfer Requirements,  Hunton Andrews Kurth LLP (Jan. 24, 2022), https://www.huntonprivacyblog.com/2022/01/24/austrian-dpa-finds-data-transfers-resulting-from-analytics-cookie-use-to-be-in-violation-of-gdpr-data-transfer-requirements/.

[8] United States and European Commission Joint Statement on Trans-Atlantic Data Privacy Framework, The White House (Mar. 25, 2022), https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/united-states-and-european-commission-joint-statement-on-trans-atlantic-data-privacy-framework/.

[9] Id.

[10] Id.

[11] Id; FACT SHEET: United States and European commission Announce Trans-Atlantic Data Privacy Framework, The White House (Mar. 25, 2022), https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/25/fact-sheet-united-states-and-european-commission-announce-trans-atlantic-data-privacy-framework/.

[12] White House, supra note 8; White House, supra note 11.

[13] White House, supra note 8; White House, supra note 11.

[14] White House, supra note 8; White House, supra note 11.

[15] White House, supra note 8; White House, supra note 11.