The „Privacy Shield“ was very popular as a legal basis for data transfers to the USA. The European Court of Justice declared it invalid in July 2020. An improved new version is to come as soon as possible. However, it is better not to hope for this before the end of 2022.

Agreement in principle has been reached

The EU and the U.S. have reached an agreement in principle on what a new Privacy Shield model should look like. It is intended to address the legal weaknesses that caused the original Privacy Shield to fail at the European Court of Justice. This was announced jointly by US President Biden and the President of the EU Commission, Ms. von der Leyen, in person on March 25, 2022.

EU citizens to receive legal protection against US intelligence services

A key element of the new model is to improve legal protection for EU citizens against U.S. intelligence services. To put it more precisely, the aim is to introduce such legal protection for the first time. Until now, EU citizens have not been able to defend themselves in court against access to their personal data by U.S. intelligence services.

A new court is even planned for this

This is to change in the future. To this end, a new court is to be set up at federal level in the USA, where EU citizens can apply for legal protection against the US intelligence services. It will be called the „Data Protection Review Court“. The parties involved are still keeping quiet about the details. They are to be worked out in the coming months.

What that means exactly remains to be seen

As is so often the case, the devil is in the details. Of course, the secret services will only have to explain their activities to the court to a limited extent. And, of course, those affected will not be able to learn everything they would like to know. The legal protection granted by this court will certainly not be a one-to-one copy of the legal protection customary in Europe. But – unlike in the past – there will be legal
protection for EU citizens at all.

U.S. national security will remain important

It will be interesting to see the standards by which the court will decide. So far, it has only said in general terms that it should be able to decide whether certain interventions are „appropriate and proportionate.“ This formulation is linked to terms used by the European Court of Justice. It has criticized, mutatis mutandis, that under U.S. law, the personal interests of individuals must take a back seat to the needs of national security.

An adequacy decision by the EU is envisaged

The changes in U.S. law are intended to clear the way for the European Commission to determine the equivalence of data protection in the U.S. and data protection in the EU. This is to be done in a formal „adequacy decision.“ The necessary procedures in the EU institutions will take several months.

There will again be a registration procedure

However, companies will not be able to invoke the future adequacy decision „just like that.“ As was the case with the original Privacy Shield, they will have to register formally. In doing so, they must undertake to comply with the requirements of the Privacy Shield. Registration is only possible for US companies. This means that business partners of companies in the EU must register, but not the
companies in the EU themselves. But this was also the case in the past.

Is the glass half full or half empty?

There is a saying that optimists and pessimists see the same glass as half full or half empty. This describes the current situation around the „Privacy Shield II“, as some are already unofficially calling it, probably quite well:

  • The glass is half empty because the political agreement in principle does not yet have any practical implications for data transfers to the USA. This will only be the case once the agreement in principle has been legally implemented.
  • On the other hand, it is fair to say that the glass is half full. For the fact that a political agreement was reached at all came as a surprise to many.

The path to the European Court of Justice will certainly be taken again

If the new regulation applies at some point, it will very quickly be the subject of proceedings before the European Court of Justice. This is the view of all observers. It will be interesting to see how the Court of Justice will decide. But for the time being, we will have to wait and see the detailed content of the improved Privacy Shield.