Post-Privacy Shield: What future for European data transfers across the Atlantic?
Declared incompatible with the GDPR, the Privacy Shield, which until then had constituted the legislative framework regulating the transatlantic transfer of European citizens' data by companies, was invalidated by the Court of Justice of the European Union. This decision meant that European companies (including GAFAMs) were prohibited from automatically transferring data from the EU to the United States without taking additional protective measures.
This invalidation constituted a major economic and technical upheaval for companies insofar as the majority of data centres are located in the United States (2701 compared to 1300 in Europe). Faced with the difficulties posed by this decision, the President of the United States, Joe Biden, adopted on 7 October 2022 a new legal framework (Executive Order) to strengthen the guarantees concerning the collection and use of personal data by the American intelligence services and began a negotiation process with the European Commission.
In order to understand the issues at stake in the Commission's draft adequacy decision, it is necessary to look back at the decision to invalidate the Privacy Shield in 2020, at its consequences and at the EDPS opinion on the forthcoming draft decision.
I) The Privacy Shield
(i) Definition of the Privacy Shield
The Privacy Shield is a certification mechanism for companies established in the United States that has been recognised by the European Commission as offering an adequate level of protection to personal data transferred by a European entity to companies established in the United States. This protection shield applied to all types of data (commercial, health, human resources) provided that the recipient company had adhered to the scheme. It was the Privacy Shield that allowed companies such as Facebook, Twitter, etc. to automatically transfer European users' data without having to store it in data centres located in Europe.
(ii) History of the Privacy Shield
- The Schrems I judgment
The Privacy Shield agreement was concluded in 2016 between the EU and the US. It follows the invalidation of another agreement: the Safe Harbor.
Safe Harbor was a set of rules put in place in 1998 and 2000 that allowed certain US companies to certify that they complied with European Economic Area legislation in order to obtain permission to transfer personal data from the EEA to the US. The Safe Harbor stems from the Data Protection Directive 95/46/C, which prohibits the transfer of personal data to non-EU states with a lower level of data protection than the EEA.
In 2001, the adoption of the Patriot Act gave US federal agencies broad surveillance powers that compromised the protection of personal data transferred to the US. A few years later, Edward Snowden's revelations about the practices of the National Security Agency (NSA) and the case between Max Schrems, an Austrian data protection activist, and Facebook highlighted the flaws in the Safe Harbor agreement and led to the invalidation of this agreement by the CJEU on 6 October 2015 with its Schrems I ruling.
- The Schrems II ruling
Following this decision, the European Commission and the American authorities quickly drew up a new agreement: the EU-US Privacy Shield, validated by the European Commission on 12 July 2016. This agreement increases the obligations of companies transferring European data to the US and the control of the Department of Commerce and the Federal Trade Commission.
This agreement coincides with the adoption in Europe of the General Data Protection Regulation (GDPR), which increases and harmonises the level of protection of personal data at European level. In particular, Article 48 of the Regulation provides that the transfer of personal data to an administrative authority in a third country may only take place if it is based on an international agreement such as a mutual legal assistance treaty.
However, in 2018, the US Congress adopted the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) allowing US authorities to access and control data relating to users of services offered by companies registered in France. The CLOUD Act allows US federal authorities to require a US service provider to disclose data hosted outside the US. In fact, it contradicts Article 48 of the GDPR and threatens the protection of European citizens.
Following a preliminary ruling by the Irish High Court on the basis of an appeal by the activist Max Schrems, the CJEU ruled on 16 July 2020 that the Privacy Shield does not comply with the GDPR and invalidates this agreement (Schrems II ruling).
II) The consequences of the invalidation of the Privacy Shield
In July 2020, the consequences of the Schrems II ruling and the invalidation of the Privacy Shield are multiple.
First of all, European companies transferring data to the United States must find alternatives that comply with European data protection standards. In practice, this implies several solutions: relocation of data to Europe by the companies (which can be costly and technically complicated given the scale of the transfers to the United States), the implementation of standard contractual clauses, i.e. model contracts for the transfer of personal data previously validated by the European Commission, or the closure of European markets representing, for example, a quarter of the META group's turnover.
In the event of an unauthorised transfer, the RGPD provides for an administrative fine of up to 20,000,000 euros or 4% of the total annual worldwide turnover for the previous financial year, whichever is higher (RGPD, art. 83). Several companies have been given formal notice to comply with this change in standards within one month. In 2022, several companies were given notice by the CNIL to stop using Google Analytics because of the transfer of data to the United States by this IT service.
At that time, the French Association of Personal Data Protection Correspondents (AFCPD) alerted the European CNIL on the opaque and complex nature of this new regime for companies. Similarly, META spokesman Nick Clegg said that "businesses need clear and precise rules, underpinned by a strong rule of law, to protect transatlantic data flows in the long term".
Maintaining relations between US companies based in Europe and the EU therefore depends on the adoption of a new legal framework that meets European standards of protection without profoundly changing the regulations established by Washington.
III) The adoption of a new legal framework and the draft adequacy decision
On 13 December 2022, after a first agreement in principle with the United States in March, the European Commission published its draft adequacy decision based on the EU-US data protection framework that is supposed to replace the Privacy Shield. The draft adequacy decision is a new attempt to provide a secure framework for data transfers between the EU and the US.
This draft decision mentions several new features:
The introduction of a certification mechanism that US entities can join. For certified companies, compliance with the GDPR is mandatory and enforceable;
The application of the GDPR principles to US recipients of EU data (purpose limitation, integrity, prohibition of incompatible further processing, data minimisation, accuracy, security, transparency, etc.);
The introduction of various options for action by data subjects, including recourse to courts in both the US and the EU, recourse to national data protection authorities (with mandatory cooperation from the certified US entity), and the possibility of binding arbitration before the EU-US Data Privacy Framework panel;
The inclusion of a chapter on access to EU data by US public authorities.
However, the Committee expresses concerns about the rights of data subjects and the extent of the exemptions provided. In particular, it is concerned about the lack of a requirement for prior authorisation by an independent authority for bulk data collection under Executive Order 12333 , as well as the lack of systematic independent ex post review by a court or equivalent independent body.
On the occasion of the publication of this opinion, Andrea Jelinek, President of the EDPC, stated that "a high level of data protection is essential to safeguard the rights and freedoms of individuals in the EU. While recognising that the improvements made to the US legal framework are significant, we recommend addressing the concerns expressed and providing the requested clarifications in order to ensure the sustainability of the adequacy decision.
For the same reason, we believe that after the first review of the adequacy decision, subsequent reviews should take place at least every three years and we commit ourselves to contribute to this."
As the EDPC is an independent European body responsible for ensuring that the GDPR and the Data Protection Directive are applied consistently, this opinion is expected to have an upcoming impact on the Commission's draft decision.
- Google Analytics et transferts de données : comment mettre son outil de mesure d’audience en conformité avec le RGPD ? , CNIL, 7 juin 2022, https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/google-analytics-et-transferts-de-donnees-comment-mettre-son-outil-de-mesure-daudience-en-conformite.
- Questions-réponses sur les mises en demeure concernant l'utilisation de Google Analytics, CNIL, 7 juin 2022, https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/questions-reponses-sur-les-mises-en-demeure-de-la-cnil-concernant-lutilisation-de-google-analytics.
- Invalidation du Privacy shield : les conséquences pour les organismes souhaitant transférer des données personnelles hors de l’UE, 23 juin 2021 https://www.cnil.fr/fr/invalidation-du-privacy-shield-les-consequences-pour-les-organismes-souhaitant-transferer-des
- Bertuzzi Luca, Euractiv, EU-US data transfer framework: European privacy authorities put forth caveats, 2 mars 2023, https://www.euractiv.com/section/data-privacy/news/eu-us-data-transfer-framework-european-privacy-authorities-put-forth-caveats/
- El Baze Nina, Carru Hugo,Affiches Parisiennes, La fragile souveraineté numérique des citoyens européens,
Partager en ligne