The EU-U.S. Privacy Shield: Feedback, And Potential EU Recognition Of Privacy Laws Of California And Other U.S. States?

Author:Ms Katalina Bateman, Alexis G. Cocco and Karen Lee Lust
Profession:Reed Smith


On October 23, 2019, the European Commission (EC) released its report on a third annual review of the EU-U.S. Privacy Shield. While the report confirms that the U.S. continues to provide an adequate level of protection for personal data transfers in the context of the Privacy Shield, there are some gaps between the expectations of the EC and U.S. authorities, particularly in relation to the lack of transparency concerning U.S. enforcement activities and a lack of co-operation between regulators. You can read our summary on the report via this link.

On Thursday, January 9, 2020, members of the Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) met representatives of the EC and European Data Protection Board to discuss the EC's 2019 report on the Privacy Shield (link accessible here). An interesting question was raised: Would it be possible for the EC to recognize a single state, e.g., a U.S. state such as California, as an adequate territory for transfers of personal data?

Key points

Under the EU General Data Protection Regulation (GDPR), transfers of personal data are permitted to third countries or international organizations that ensure an adequate level of protection. This includes cases where the EC has determined, on the basis of GDPR article 45, that a country outside the EU offers an adequate level of data protection, and adopts an adequacy decision in respect of that third country. To date, the EU has not granted the U.S. an adequacy decision.

Although the U.S. has not passed a comprehensive federal-level data protection law (instead maintaining a patchwork of sector-specific laws), California became the first state to do so with the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. The CCPA is a generally applicable and comprehensive law applicable to most for-profit businesses that operate in the state of California and collect personal information from California residents. This is a significant piece of legislation governing not only many of the world's major tech companies, a number of which are headquartered in California, but also most businesses that maintain an online presence in California.

What was discussed at the LIBE meeting?

In view of the uncertainty and potential strike down of the current legality of EU-U.S. data transfers (such as through standard contractual clauses) under the pending Schrems II litigation (see our post on this here), it was...

To continue reading