Privacy Shield Round 2: Exploring the White House’s Trans-Atlantic Data Privacy Framework Fact Sheet

Sameer Ahirrao -

Background:

The original Privacy Shield framework, designed by the U.S. Department of Commerce and the European Commission, provided companies with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce. However, in July 2020, Privacy Shield was deemed inadequate by the Court of Justice of the European Union with its Schrems II decision for two main reasons: the lack of individual redress or effective remedy and the scoop of U.S. Government intelligence surveillance programs. To learn more, check out our article on Schrems II and Privacy Shield's demise here.

Raising the Shield:

The new U.S.-E.U. Trans-Atlantic Data Privacy Framework supports an "inclusive and competitive digital economy and lays the foundation for further economic cooperation." The framework seeks to allow trans-Atlantic data flows and address the concerns that struck down the previous agreement. Unfortunately, the framework is not yet available; however, the White House put out an agreement fact sheet that we break down below!

The Bottom Line:

Establishing a private right of action is a step forward; however, legitimate changes to U.S. signals intelligence activities are still pending. Furthermore, the secrecy of intelligence collection could limit individual redress. The framework is negotiated as an executive branch accord and does not need congressional approval. Still, without legislative changes in U.S. surveillance practices, "Privacy Shield 2.0" will face the same challenges as the previous data-transfer agreements. In addition, the European Commission must still approve the adequacy of the new framework under GDPR.

United States Framework Commitments:

• Strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities;
• Establish a new redress mechanism with independent and binding authority and
• Enhance its existing rigorous and layered oversight of signals intelligence activities.

New Framework Protections:

• Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives and must not disproportionately impact the protection of individual privacy and civil liberties;
• E.U. individuals may seek redress from a new multi-layer redress mechanism that includes an Independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
• U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.

Analyzing the New Commitments and Protections:

Balancing between protecting individual privacy and national security continues to be the challenge of a new transfer framework in the aftermath of Schrems II. The E.U. still has concerns over the U.S. government's necessary and proportionate access to data. According to the White House, Signals intelligence (SIGINT) collection, intelligence obtained through the interception of transmission signals, only occurs when necessary to advance legitimate national security objectives and must not disproportionately impact the protection of individual privacy and civil liberties. However, SIGINT collection remains secretive and held within the executive branch. Without Congressional privacy reform, the framework is at risk of being struck down, and U.S. companies may face difficulties in the global economy.

SIGINT secrecy can also inhibit an adequate remedy. The broad scope of foreign intelligence creates the scenario that communications with no nexus to a foreign intelligence investigation get collected. Redress will likely be complicated, time-consuming, and expensive for individuals before the Independent Data Protection Review Court.

Participants:

Privacy Shield will remain a voluntary framework for companies and organizations to protect data flows legally. However, participants must self-certify the framework principles through the U.S. Department of Commerce. In addition, other mechanisms for cross-border data transfer continue to substitute Privacy Shield, including Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).

Reducing Risk and Minimizing Data: Know, Analyze, Act, and Comply.

Companies can take steps to limit customers' personally identifiable information from SIGINT collection. To do so, organizations must know their data inventory. Then, analyze their privacy intelligence, act on minimizing data, and comply with requests for data destruction. Ardent Privacy's TurtleShield data discovery software can help you achieve success in all four areas. Contact us for assistance!

About Ardent Privacy:

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/D.C. region of the United States and Pune, India. Ardent harnesses the power of A.I. to enable companies with data discovery and automated compliance with PDPB (India), RBI Security Guidelines, GDPR (E.U.), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.
For more information, visit https://ardentprivacy.ai/ and find more resources here.

Note:

Ardent Privacy articles should not be considered legal advice on data privacy regulations or specific facts or circumstances.