Privacy Shield 3.0: A New Agreement on Privacy Between the US and Europe

Legal matters might not be the sexiest topic in digital marketing, but what we all know for sure is that understanding the legal framework of our activities is immensely important.

This Privacy Shield 3.0 could bring about a change in e-commerce, as significant as the revocation of the previous agreement was, given the European Union's concerns regarding American data protection regulations.

To better understand why this evolution was necessary, it's important to know the origin.

The issue of data transfers between the United States and Europe has been a headache for both entities since e-commerce started gaining momentum.

Europeans, by nature, tend to be more scrupulous in complying with laws such as the GDPR, and this is supplemented and enriched by national regulations (it's enough to remember, for example, how the Spanish Data Protection Agency opened a case against ChatGPT). On the other hand, Americans aren't necessarily more lax, but they have a different perspective on the matter and their own rules, which don't always align with European ones.

This is why a transatlantic data protection agreement named Safe Harbor was established. It wasn't perfect, but it allowed businesses like online stores or tools collecting personal data, such as email services, to operate.

What is considered personal data by the EU? Any information related to physical persons: names, surnames, addresses, phone numbers, emails, vehicle license plates, images, videos...

This data processing by any entity, inside or outside the European Economic Area, required following a protocol that the European Union believed wasn't being applied as desired. This was partly because the United States allowed access to data and data transfers without providing any recourse to any entity.

Austrian activist Max Schrems raised a case before the Court of Justice of the European Union, demonstrating that the United States violated data protection regulations. In 2015, a verdict was reached in favor of Schrems, and Safe Harbor was annulled.

This caused a small earthquake in the digital landscape, leading to some significant fines, such as the one imposed on Facebook. As a result, many American e-commerce businesses suspended their activities in Europe.

To overcome this major obstacle, the stumbling block that caused the initial transatlantic data protection agreement to fall, a new one was established within a year.

Named Privacy Shield, and thanks to limitations on access to information by its security agencies, the inclusion of an ombudsman in this field, and other changes made by the US government, it seemed an understanding could be reached.

However, Max Schrems didn't share this view. Thus, he brought the matter before the CJEU, and once more, the agreement fell.

This leads to July 2023, with a pressing need to resolve an issue, especially in an environment where the market is globalized.

On July 10th, the Privacy Shield 3.0 was introduced, aiming to "ensure secure data flows for Europeans (including Swiss and British citizens) and provide legal certainty on both sides of the Atlantic," in the words of President Ursula von der Leyen.

Why should this one succeed? Here are the reasons put forth:

Is this enough change compared to its predecessor? It's hard to say without being a legal expert, but the general impression is that it's somewhat the same old story. The fact is, there has been evolution, and, for now, the EU has lifted its ban on data transfers to the US.