EU-US Privacy Shield 2.0 successfully resists judicial scrutiny

The European Union's General Court has rejected a legal challenge against the EU-US 'Privacy Shield 2.0', a framework facilitating data transfers between the two regions. French citizen Philippe Latombe brought the legal challenge, questioning the oversight of bulk data gathering in the US. However, the court found that judicial review of the activity after the fact happens via the Data Protection Review Court (DPRC).

The DPRC, overseen for independence and impartiality, operates independently from the executive branch and intelligence agencies, with the U.S. Attorney General having the power to dismiss judges only for cause. The Privacy and Civil Liberties Oversight Board (PCLOB) also consults on judge appointments independently from the executive. The European Commission continuously monitors the framework to ensure compliance, with the power to suspend, amend, or repeal decisions if U.S. law or practice changes undermine independence.

The 'Privacy Shield 2.0' replaced the original EU-US Privacy Shield, which was found to contain shortcomings by the Court of Justice of the EU (CJEU) in 2020. This new framework is designed to provide stronger protections for EU citizens' personal data when transferred to the US.

Max Schrems, a privacy campaigner, described Latombe's legal challenge as "rather narrow" and believes a broader review of US law may yield a different result. Schrems' campaign group, noyb, is reviewing options for bringing a legal challenge of that nature.

Andreas Carney, a data protection law expert, expressed positivity towards the decision, stating it will give comfort to businesses relying on Privacy Shield 2.0. Where personal data is transferred to a jurisdiction with an adequacy decision, additional contractual protections like standard contractual clauses (SCCs) are not required.

It is important to note that the General Data Protection Regulation (GDPR) applies to personal data within the European Economic Area (EEA). EU data protection law imposes restrictions on the transfer of personal data internationally. Adequacy decisions recognize that other jurisdictions meet data protection standards equivalent to those in the EU. The European Commission has issued adequacy decisions for several countries, including the UK.

Noyb finds it surprising that the General Court issued a different decision on Privacy Shield 2.0 compared to the previous two versions. The group stated that the protections under Privacy Shield 2.0 are almost identical to those found unlawful in previous cases, and in some elements, worse than in the older executive orders.

In 2023, the European Commission adopted a new adequacy decision for certain EU-US data transfers, after Joe Biden signed an executive order providing privacy safeguards and protections. This decision marks a significant step towards strengthening data protection for EU citizens when their personal data is transferred to the US.

As the landscape of data protection continues to evolve, it is crucial for both businesses and individuals to stay informed about the latest developments and ensure compliance with relevant regulations.