Skip links

Privacy Shield: EU citizens might get right to challenge US access to their data

Officials from the EU and US are nearing a solution in long-running negotiations over transatlantic data sharing.

Previous legal arrangements for sharing data between the two jurisdictions, the so-called Privacy Shield, were struck down by the EU Court of Justice in what became known as the Schrems II ruling in 2020.

The decision had ramifications for US cloud providers, social media sites, and providers of online tools which are still becoming clear. Although it had been commonly held that standard contractual clauses (SCCs) may offer a way to continue to share data legally, that was also in doubt. Earlier this month, the Austrian data protection authority ruled that those arrangements were insufficient for data sharing.

But according to political news website Politico, officials both sides of the pond have reached an approach that might involve offering EU citizens the right to submit complaints to an independent judicial body if they believe the US national security agencies have unlawfully handled their personal information. If adopted, it would give EU citizens more privacy rights in the US than Americans currently enjoy.

The solution follows nearly two years of increasingly fraught negotiations. “The Biden administration considers finalizing an enhanced Privacy Shield the number one priority, and I remain actively engaged in those negotiations,” said Gina Raimondo, US Commerce Secretary.

Even if the solution survives the negation, Bill Mew, privacy campaigner and CEO of Crisis Team, said there remained the issue of extraterritorial measures that are incompatible with the General Data Protection Regulation (GDPR). He said all US electronic communication service providers (ECSPs) – including telcos, cloud firms, and social media platforms – fall under 702 FISA through which the US intelligence agencies can subject them to surveillance.

While firms like Microsoft can provide information about the types of requests they get from the US government, the question of redress remains. Meanwhile, any new treaty for data sharing between the EU and US would need to survive a period of scrutiny by the EU parliament and member states, Mew said.

The news follows yesterday’s announcement that all data collected through the Transparency & Consent Framework (TCF) must now be deleted by the 1,000-plus companies that pay international digital marketing and advertising association IAB Europe to use it. The Belgian data protection authority [PDF] found that the “consent solution” fails to properly request consent, and relies on a lawful basis (legitimate interest) that is not permissible because of the severe risk posed by the online advertising tracking under Article 5(1)a, and Article 6 of GDPR. ®