Privacy Shield 2.0—A New Trans-Atlantic Data Privacy Framework Between the European Union and the United States

by Sara Gerke* & Delaram Rezaeikhonakdar**

Volume 45 Issue 2

The full text of this article may be downloaded by clicking on the PDF link.

Abstract

This Article is the first to thoroughly examine the new adequacy decision for the Trans-Atlantic Data Privacy Framework (also known as “Privacy Shield 2.0”), including the relevant events and milestones ultimately leading to its adoption. The European Commission adopted the new Privacy Shield on July 10, 2023, to restore transatlantic data flows and commercial exchanges between the European Union and the United States. This Article first explores the holdings of the Court of Justice of the European Union in the groundbreaking cases Schrems I and Schrems II and elaborates on the reasons for the invalidation of the Safe Harbor Decision and the Privacy Shield Decision, respectively. It then examines the practical implications of the invalidation of the Privacy Shield Decision in Schrems II, including the recent decision of the Irish Data Protection Commissioner regarding Meta Platforms Ireland Limited (formerly Facebook Ireland Limited). This Article subsequently discusses the efforts of the United States government and the European Commission toward the adoption of Privacy Shield 2.0. It analyzes recent events, from the announcement of a new Trans-Atlantic Data Privacy Framework to the release of the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities to the European Commission’s draft adequacy decision, the launch of its adoption process, and ultimately its adoption.

This Article argues that despite the excitement of a new Trans-Atlantic Data Privacy Framework, it is improbable that the validity of Privacy Shield 2.0 would be upheld by the Court of Justice of the European Union in a possible Schrems III case. Although Privacy Shield 2.0 is a considerable improvement compared to the previously invalidated Privacy Shield Decision, it is likely that the Court of Justice of the European Union would consider the newly introduced safeguards for United States signals intelligence activities insufficient to comply with the General Data Protection Regulation’s requirements, read in the light of the Charter of Fundamental Rights of the European Union. This Article demonstrates the shortcomings of Privacy Shield 2.0 concerning the principles of necessity and proportionality as well as the right to effective judicial protection. It also argues for a comprehensive U.S. federal privacy law that ensures adequate protection of personal data for all data subjects in the United States.

* Assistant Professor of Law, Penn State Dickinson Law, Carlisle, PA, USA; Co-Principal Investigator, WP8 (Legal, Ethical & Liability), Validating AI in Classifying Cancer in Real-Time Surgery (CLASSICA), European Union (Grant Agreement no. 101057321); Co-Principal Investigator, WP4 (Addressing Ethical/Legal Concerns), Optimizing Colorectal Cancer Prevention through Personalized Treatment with Artificial Intelligence (OperA), European Union (Grant Agreement no. 101057099); Multiple Principal Investigator, Bioethical, Legal, and Anthropological Study of Technologies (BLAST), National Institute of Biomedical Imaging and Bioengineering (NIBIB) and the National Institutes of Health Office of the Director (NIH OD) (Grant Agreement no. 1R21EB035474-01); Co-Investigator (Supplemental Project), PREMIERE: A PREdictive Model Index and Exchange Repository, NIBIB and NIH OD (Grant Agreement no. 3R01EB027650-03S1); Co-Investigator, Penn State TCORS: Tobacco Product Composition Effects on Toxicity and Addiction, National Institute on Drug Abuse (NIDA)/National Institutes of Health (NIH) (Grant Agreement no. 1U54DA058271-01). This Article greatly benefited from feedback from participants at the 2023 Health Law Professors Conference organized by the American Society of Law, Medicine & Ethics and the University of Maryland Francis King Carey School of Law. We thank Kaci McNeave and Robin Platte for their assistance with footnote formatting. All errors are our own. Correspondence to sgerke@psu.edu. ** S.J.D. Candidate, Penn State Dickinson Law, Carlisle, PA, USA.