The Next Phase of Privacy Shield

Jun 16, 2022 by Rebecca Knight, CIPP/E, CIPP/US, Counsel, Policy Privacy Initiatives, BBB National Programs

On March 25, 2022, the EU Commission and the US announced they had agreed, in principle, on a new Trans-Atlantic Data Privacy Framework (TADPF). The announcement of TADPF begins to lift the cloud of uncertainty that has been hanging over Privacy Shield for nearly two years since the July 2020 Court of Justice of the European Union’s Schrems II judgment. Additionally, TADPF serves as a foundation for a US adequacy decision reinstituting trans-Atlantic data flow. 

As BBB National Programs’ Global Privacy Division continues to prepare for this next phase of Privacy Shield, we want to highlight several key details regarding the substance of TADPF and the EU’s adequacy decision process.

 

The Substance 

The details are still being hashed out, but so far, we know TADPF will include the following commitments:  

  1. Strengthening individual privacy and civil liberties safeguards by limiting access to data by US intelligence agencies to what is necessary and proportionate for national security. 
  2. The establishment of an independent and binding multi-layered redress mechanism, which will include a Data Protection Review Court composed of individuals outside of the US, to adjudicate claims and direct remedial measures.
  3. The adoption of oversight procedures by US intelligence agencies to ensure privacy is strengthened and civil liberties safeguards are maintained.  

 

Notably, these commitments all fall squarely on the US government to implement. The lift seems to be much lighter for businesses.  

As reported, it appears the commercial data protection obligations, Privacy Shield Principles, and even the name Privacy Shield will remain the same. As such, it is anticipated that businesses currently certified under Privacy Shield will remain certified once TADPF receives an adequacy decision, eliminating the need to complete the certification process again.  

 

The Adequacy Process  

As indicated by the March 25 joint announcement and accompanying fact sheet, the return of Privacy Shield through TADPF will be effectuated through an Executive Order and requires no legislative action. And according to a recent report, the Executive Order is expected later this month (June 2022). After the Executive Order is signed, there will be a need to complete the EU’s adequacy process.  

This process is completed in five distinct steps:  

  1. EU Commission drafts an adequacy determination and provides it to the European Data Protection Board (EDPB) for review. 
  2. EDPB reviews the adequacy determination and issues a non-binding opinion.
  3. European Parliament can adopt a non-binding resolution of its position.
  4. EU Member States must approve. 
  5. Finally, if approved by the Member States, the adequacy determination will be adopted and take immediate effect.  

 

Based on previous adequacy decisions, if the Executive Order is signed this month as anticipated, the process for the return of Privacy Shield could be completed by the end of the year. For example, after Schrems I and the invalidation of Safe Harbor on October 6, 2015, Privacy Shield was announced on February 2, 2016. The Privacy Shield legal documents were published on February 29, 2016, and the EU Commission’s adequacy decision was provided and took effect on July 12, 2016 – a period of approximately five months. Similarly, the UK’s adequacy process was completed in four months, beginning on February 19, 2021, and ending on June 28, 2021.  

 

Our Promise to You 

Undoubtedly, the return of Privacy Shield will present a number of questions. But the Global Privacy Division is here to help. In fact, we have never stopped serving as an independent resource for businesses and consumers with data privacy concerns. 

Over the past two years, BBB EU Privacy Shield has continued to maintain our Independent Recourse Mechanism (IRM) program, ensuring businesses remained in compliance with the GDPR. If you have questions for us about this next phase of Privacy Shield, whether you are a current, previous, or prospective Privacy Shield participant, let us know here.   

Suggested Articles

Blog

Old MacDonald Had an Engagement Farm: Lessons Learned from FTC v. NGL

Capturing user engagement is the foundation of internet commerce. And while the incentives to prompt greater engagement are certainly understandable, the recent NGL Labs case from the FTC raises important questions about the ethical and legal ramifications when companies try to artificially generate engagement among their userbase.
Read more
Blog

Independence Day Edition: CBPR Framework Offers “Checks & Balances”

Going, Going, Gone Global, a webinar on the CBPR Global Forum, delved into how privacy impacts businesses’ brand reputation and builds trust with key stakeholders, discussed the purpose of the Global CBPR, and its value to Global Forum members.
Read more
Blog

Industry Self-Regulation: Part of the Solution for Governing Generative AI

The spotlight on generative AI remains bright. The benefits and risks continue to be ever-present in the minds of business and political leaders. No matter the timing or the setting, the creation of transparency, accountability, and collaboration among stakeholders is key to successful industry self-regulation as is the importance of setting standards and best practices.
Read more
Blog

The Demise of “Chevron Deference”: Who Will Fill the Regulatory Gaps?

The Supreme Court's 1984 ruling in Chevron v. NRDC held that courts should defer to federal agencies’ interpretations of ambiguous federal laws so long as those interpretations are reasonable. So given the court’s decision to overturn it, where does that leave companies that want a level playing field and perhaps even to raise the bar, instead of racing to the bottom?
Read more