United States President Joe Biden signed an Executive Order this month to implement the European Union (E.U.) & United States data privacy framework known as Privacy Shield 2.0.
Privacy Shield 2.0 reestablishes a legal way for personal data to flow from the USA to Europe. The Executive Order follows more than a year’s talks between American and European negotiators.
Additionally, Privacy Shield 2.0 follows two rejections of previous transatlantic data transfer agreements by the E.U. Court of Justice — one in 2015 and the other in 2020.
To understand better what the new data privacy framework means for businesses, it helps to know how and why the Privacy Shield 2.0 agreement came about in the first place.
Here’s a timeline of events leading up to the signing of the Executive Order, followed by an analysis of how the framework may assist businesses.
Privacy Shield 2.0: Timeline Of Events
- 2000: U.S. & E.U. established the Safe Harbor Framework to protect data transfers between the United States and Europe.
- 2013: Edward Snowden blows the whistle on a mass surveillance program in the U.S. called PRISM.
- 2014: European privacy activist Max Schrems files a complaint against Facebook with the Irish Data Protection Commissioner. The case is known as Schrems I.
- European privacy laws forbid data transfers to non-EU countries unless the company can guarantee adequate protection.
- The original complaint was rejected, and he appealed the decision to the E.U. Court of Justice.
- 2015: E.U. Court of Justice rules that the US-EU Safe Harbor Framework is no longer sufficient due to the PRISM surveillance program.
- The ruling means the transfer of personal data between the E.U. and the U.S. was no longer allowed.
- 2016: U.S. and E.U. adopt another data transfer agreement called the Privacy Shield.
- The agreement remained in place for four years before Schrems filed another case known as Schrems II.
- 2020: Schrems wins his second case. The E.U. Court of Justice strikes down Privacy Shield 1.0 after deciding that U.S. surveillance programs go beyond what is necessary and proportional.
- 2022: On March 25, U.S. President Joe Biden and European Commission President Ursula von der Leyen signed a political agreement on a new transatlantic data privacy framework. The deal is referred to as Privacy Shield 2.0.
- 2022: On October 6, President Biden signed Executive Order to implement Privacy Shield 2.0.
Biden and Von der Leyen’s new transatlantic data privacy framework agreement promises to implement new safeguards to ensure that U.S. intelligence activities are “necessary and proportionate in the pursuit of national security defiant objectives.”
The new framework will also allow E.U. citizens to take action if they believe U.S. intelligence activities are unlawfully targeting them.
Privacy Shield 2.0 allows E.U. citizens to take privacy complaints to a data protection review court made up of individuals outside the U.S. government. The review court has the final decision on the legal use of data.
What Does Privacy Sheild 2.0 Mean For Businesses?
Many companies with a presence in the United States and Europe are in support of Privacy Shield 2.0, as it renews a data protection relationship worth 7.1 trillion U.S. dollars.
Meta is one of those companies, which is ironic considering Facebook’s handling of personal data led to the old framework getting struck down.
Nick Clegg, Meta’s President of Global Affairs, states on Twitter (in response to the news of Biden signing the Executive Order):
“We welcome this update to US law which will help to preserve the open internet and keep families, businesses and communities connected, wherever they are in the world.”
Personal data is highly valuable to companies with advertisers who utilize said data, so it’s no surprise Meta favors the data pipeline opening up again.
U.S. businesses running ads on Facebook may benefit from the ability to deliver more personalized advertising to European customers.
To that end, the framework may assist all US-based companies that do business overseas. Data is the lifeblood of any successful marketing and advertising campaign, and U.S. businesses can now legally collect more data from their European audience.
Linda Moore, President and CEO of industry group TechNet, also stated support for Privacy Shield 2.0:
“We applaud the Biden Administration for taking affirmative steps to ensure the efficiency and effectiveness of American and European cross-border data flows and will continue to work with the Administration and members of Congress from both parties to pass a federal privacy bill.”
To further illustrate what this framework means for businesses, it’s important to point out what they stand to lose without a data privacy agreement.
Mikołaj Barczentewicz, a Senior Scholar of the International Center for Ław & Economics (ICLE), highlights the implications of delaying the agreement any further:
“It is urgent that agreement on an effective Privacy Shield be reached expeditiously, as EU citizens already face the potential to lose access to services like Google Analytics and Facebook, not to mention the potential disruption to financial services like insurance and payments networks.
What will be crucial is that the U.S. proposal addresses the two aspects the EU expects to be covered: redress for EU citizens and assurances that U.S. data-surveillance practices are ‘necessary and proportionate.’ We can hope that the EU courts will be reasonable, but litigation is all-but-certain.”
What Happens Next?
The Executive Order signed by President Biden will now be submitted to a ratification process by the European Commission.
There’s no telling how long the process will take, as the Executive Order could face legal challenges in Europe.
We’ll continue to follow this story and provide an update when more information is available.
Additional sources: Whitehouse.gov (1, 2), IAPP.org, ec.europa.eu.
Featured Image: J_UK/Shutterstock