Privacy Shield 3.0: A New Agreement on Privacy Between the US and Europe
Miguel Nicolás
With the new Privacy Shield 3.0... Are data flows resuming between the two territories? Will it be more secure? What does this agreement include? We are going to tell you all about it.
Legal matters might not be the sexiest topic in digital marketing, but what we all know for sure is that understanding the legal framework of our activities is immensely important.
This Privacy Shield 3.0 could bring about a change in e-commerce, as significant as the revocation of the previous agreement was, given the European Union's concerns regarding American data protection regulations.
A Complicated Relationship
To better understand why this evolution was necessary, it's important to know the origin.
The issue of data transfers between the United States and Europe has been a headache for both entities since e-commerce started gaining momentum.
Europeans, by nature, tend to be more scrupulous in complying with laws such as the GDPR, and this is supplemented and enriched by national regulations (it's enough to remember, for example, how the Spanish Data Protection Agency opened a case against ChatGPT). On the other hand, Americans aren't necessarily more lax, but they have a different perspective on the matter and their own rules, which don't always align with European ones.
Safe Harbor Steps In
This is why a transatlantic data protection agreement named Safe Harbor was established. It wasn't perfect, but it allowed businesses like online stores or tools collecting personal data, such as email services, to operate.
What is considered personal data by the EU? Any information related to natural persons: names, surnames, addresses, phone numbers, emails, vehicle license plates, images, videos...
Processing of this data by any entity, inside or outside the European Economic Area, required following a protocol that the European Union believed wasn't being applied as desired. This was partly because the United States allowed access to data and data transfers without providing any recourse to any entity.
Austrian activist Max Schrems raised a case before the Court of Justice of the European Union, demonstrating that the United States violated data protection regulations. In 2015, a verdict was reached in favor of Schrems, and Safe Harbor was annulled.
This caused a small earthquake in the digital landscape, leading to some significant fines, such as the one imposed on Facebook. As a result, many American e-commerce businesses suspended their activities in Europe.
Privacy Shield
To overcome this major obstacle, the stumbling block that caused the initial transatlantic data protection agreement to fall, a new one was established within a year.
It was named Privacy Shield, and thanks to limitations on access to information by US security agencies, the inclusion of an ombudsman in this field, and other changes made by the US government, it seemed an understanding could be reached.
However, Max Schrems didn't share this view. Thus, he brought the matter before the CJEU, and once more, the agreement fell.
Privacy Shield 3.0
This leads to July 2023, with a pressing need to resolve an issue, especially in an environment where the market is globalized.
On July 10th, the Privacy Shield 3.0 was introduced, aiming to "ensure secure data flows for Europeans (including Swiss and British citizens) and provide legal certainty on both sides of the Atlantic," in the words of President Ursula von der Leyen.
Why should this one succeed? Here are the reasons put forth:
- The creation of the DPRC: a data protection court that safeguards users' rights. The DPRC aims to mediate between users and companies, even determining appropriate remedial measures.
- Further limitations on access by US intelligence services. To use stored data, they must demonstrate the necessity of such access and are only entitled to use data that is strictly necessary and proportionate. If personal data is collected beyond these circumstances, they are obligated to delete it immediately (though this wouldn't exempt them from legal liability).
Is this enough change compared to its predecessor? It's hard to say without being a legal expert, but the general impression is that it's somewhat the same old story. The fact is, there has been evolution, and, for now, the EU has lifted its ban on data transfers to the US.
However, a "familiar face" comes into play: Max Schrems. The Austrian isn't convinced that Privacy Shield 3.0 offers the necessary guarantees. This could lead to a third round of legal battles (and we know how the previous ones ended).
How about you? Had you ever heard of Privacy Shield 3.0? What are your thoughts on it? Let us know.
Images | Unsplash, Bonobos.