In early October, President Joe Biden signed an executive order with a new framework to protect data transfers between the U.S. and the European Union with a mission to provide a joint Privacy Shield 2.0.
The European Union rejected the last framework in 2020, in the court case Schrems II. After Schrems II, most companies within the EU had a hard time being fully compliant. This is because many companies use American cloud services. Even if they managed to provide services with data storage in the EU, the company might still have business in the U.S., which complicates matters. This is mostly because it is still unclear how personal data is handled, and whether it’s available to U.S. intelligence agencies.
This new framework, signed by President Biden, includes privacy guarantees to prevent the U.S. from gathering personal data and contains actions to meet the concerns the EU had when the last Privacy Shield was declared invalid.
Here’s everything the Privacy Shield 2.0 covers:
- Adds further safeguards for U.S. signals intelligence activities
- Mandates requirements for personal information
- Requires U.S. Intelligence Community elements to update their policies and procedures
- Creates a multi-layer mechanism for individuals to obtain independent, binding review and redress
- Calls on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures
The goal of the new framework is to reach an agreement that enables the use of services from U.S. companies while remaining GDPR compliant. But the framework is not finalized yet, and it could be turned down in a Schrems III court case. According to BEUC, The European Consumer Organisation, the framework is still insufficient to protect personal data and privacy, and the improvements are not enough.
What does this mean for companies in the U.S. and the EU?
You will still have to take the same actions to protect personal data that GDPR and Schrems II require since it will take around six months for the EU to ratify the framework. However, it’s always important to have a compliance strategy, and if you don’t have one in place, this is certainly the time to create one.
An agreement is necessary to ensure transatlantic data flow and to enable the $7.1 trillion EU-U.S. economic relationship, so let’s hope for a quick resolution.
Psst! This is a series of blog posts on the GA4 topic. Read the first post here: Is Google Analytics GDPR compliant?