Joe Biden’s Executive Order aims to make room for the EU-US Data Privacy Framework (Privacy Shield 2.0) by addressing two primary concerns in the Schrems II court case (which famously ruined the Privacy Shield program that many US-based SaaS or consumer internet companies adhered to):
As expected, Max Schrems (of CJEU fame) was quick to point out that neither of those would suffice.
At the core of his arguments: The US Fourth Amendment keeps making a distinction between US citizens and aliens when shielding people from government-sponsored surveillance (whereas EU law considers privacy a “fundamental human right” regardless of nationality).
As a consequence, when it comes to the solutions provided by Joe Biden’s Executive Order and Department of Justice Regulations:
The best hope for the Data Privacy Framework’s success now seems to lie in the upcoming renewal of Section 702 FISA (Foreign Intelligence Surveillance Act) – a key piece of the puzzle, allowing US spies to freely collect data pertaining to non-US citizens. The US Congress has a shot at curtailing its reach in January 2023.
No matter what, the Brussels hallways will take months to digest the Data Privacy Framework, and then all EU capitals will take their turn, so even if it ends up obtaining a green light from the EU Commission (subsequently challenged by a Schrems III or not), businesses using US-based MarTech or AdTech SaaS (or, rather, their DPOs) will continue to swim in choppy waters.
If we had to find an immediate positive impact, Transfer Impact Assessments tied to the use of Standard Contract Clauses (an alternative personal data transfer vehicle severely wounded by the same bullet that killed the Privacy Shield: Schrems II) are likely to require a lower bar, in light of the diminished risks resulting from this Executive Order and DoJ Regulations. The same could be said of “supplementary measures” equally required in the use of SCCs (these being dependent on the specific risks associated with surveillance practices in place at the country of destination).
As a result, US-based MarTech SaaS may have to wait many months before they can rely on a Privacy Shield 2.0, but those who can afford larger regulatory compliance teams may have found a way to cling on to their existing customers.
Originally published by Sergio Maldonado on 01/12/22, available on Privacy Cloud
(Photo by Ximena Pineda on Unsplash)