Privacy Shield 2.0 — A New Trans-Atlantic Data Privacy Framework Between the European Union and the United States

This Article is the first to thoroughly examine the new adequacy decision for the Trans-Atlantic Data Privacy Framework (also known as “Privacy Shield 2.0”), including the relevant events and milestones ultimately leading to its adoption. The European Commission adopted the new Privacy Shield on July 10, 2023, to restore transatlantic data flows and commercial exchanges between the European Union and the United States. This Article first explores the holdings of the Court of Justice of the European Union in the groundbreaking cases Schrems I and Schrems II and elaborates on the reasons for the invalidation of the Safe Harbor Decision and the Privacy Shield Decision, respectively. It then examines the practical implications of the invalidation of the Privacy Shield Decision in Schrems II, including the recent decision of the Irish Data Protection Commissioner regarding Meta Platforms Ireland Limited (formerly Facebook Ireland Limited). This Article subsequently discusses the efforts of the United States government and the European Commission toward the adoption of Privacy Shield 2.0. It analyzes recent events, from the announcement of a new Trans-Atlantic Data Privacy Framework to the release of the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities to the European Commission’s draft adequacy decision, the launch of its adoption process, and ultimately its adoption.

This Article argues that despite the excitement of a new Trans-Atlantic Data Privacy Framework, it is improbable that the validity of Privacy Shield 2.0 would be upheld by the Court of Justice of the European Union in a possible Schrems III case. Although Privacy Shield 2.0 is a considerable improvement compared to the previously invalidated Privacy Shield Decision, it is likely that the Court of Justice of the European Union would consider the newly introduced safeguards for United States signals intelligence activities insufficient to comply with the General Data Protection Regulation’s requirements, read in the light of the Charter of Fundamental Rights of the European Union. This Article demonstrates the shortcomings of Privacy Shield 2.0 concerning the principles of necessity and proportionality as well as the right to effective judicial protection. It also argues for a comprehensive U.S. federal privacy law that ensures adequate protection of personal data for all data subjects in the United States.