The agreement is a response to the invalidation of the privacy shield by Schrems II back in 2020. This has been covered in depth in the past few months, primarily focused on the use of Google Analytics. (You can find our recap here and the announcement of the CNIL & NOYB here and here).
The agreement on a new framework for processing data overseas does not come with a text that can be analyzed for legal purposes. The announcement is probably meant as an "agreement in principle" and acts as the basis for an "adequacy decision" in the E.U. and executive order in the U.S., which will be drafted in the coming months. However, a lot more needs to happen for it to come into effect.
Conclusion: The announcement is (again) a political one with no legal basis. Lipstick on a pig...
It's beautiful, right?
- Privacy Shield 2.0 has no legal basis
- Where do we stand?
- Can you use Google Analytics?
Privacy Shield 2.0 has no legal basis
Here is what Max Schrems had to say:
We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the US did not move. It is especially appalling that the US has allegedly used the war on Ukraine to push the EU on this economic matter.
The final text will need more time, once this arrives we will analyze it in depth, together with our US legal experts. If it is not in line with EU law, we or another group will likely challenge it. In the end, the Court of Justice will decide a third time. We expect this to be back at the Court within months from a final decision.
It is regrettable that the EU and US have not used this situation to come to a 'no spy' agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.
Where do we stand?
The announcement made it seem that a privacy shield 2.0 is close, but we're still far away from one that really works. However, there are a few things we can expect.
Currently, the U.S. now allows little or no review by an independent court of whether the processing of personal data was permitted. The new privacy shield 2.0 would change this. A new independent court to handle disputes regarding processing personal data.
U.S.-based software services will need to self-certify again to comply with GDPR. This means that not every U.S.-based software service can be used immediately for processing personal data. If you want to use U.S.-based services legally, you must check whether they are certified.
Can you use Google Analytics?
In the meantime, the current situation remains in place, whereby the use of U.S.-based software services is in violation of GDPR. There is no legal document that says differently, and we'll probably have to wait for one at least for a couple of moments. The risks of fines are low, but companies that want to be on the 'good side' of the law violate the law by using services like Mailchimp or Google Analytics.
U.S.based services are not the only available software tools. There are tons of E.U alternatives to US-based services that comply with GDPR. For example, we've built a privacy-friendly alternative to Google Analytics called Simple Analytics. You can check out alternativeto.net (crowdsourced software recommendations) for more privacy-friendly alternatives to find alternatives in almost every category.
In conclusion, the new transatlantic data flow agreement announcement is just a political announcement (for now). We first need a legal text to take an "adequacy decision" on it. It will take months (and hopefully not years) before the privacy shield 2.0 will come into effect. In the meantime, the use of U.S.-based software services is in violation of the law.
The new data transfer framework is on its way. US President Joe Biden signed an executive order on electronic surveillance in October 2022, and the EU Commission published a draft adequacy decision for the US two months later.
The proposal will certainly be approved, but will also likely be challenge in the CJEU. In other words, Schrems III is on the horizon already, and it’s hard to say how it will play out.