At first glance, this is excellent news, likely to reassure the thousands of companies that have been sailing in fog for the two years since the spectacular cancellation of the Privacy Shield, the agreement that governed transatlantic data transfers. On the evening of Friday March 25, Washington and Brussels announced, to everyone’s surprise, that they had finally found a solution, in the form of a new agreement in principle.

On paper, this is a major step forward, as these data exchanges are crucial for the digital economy. American companies that have users in Europe, and vice versa, as well as European subcontractors of American companies, must be able to transfer data to the other side of the Atlantic in order to provide their services efficiently. Although the American digital giants are the most directly concerned, the situation affects around 5,000 companies, including European ones.

Previous frameworks canceled due to US espionage

Why, then, not rejoice at this announcement, which could put an end to two years of legal uncertainty? Quite simply because the situation was blocked for a good reason: the Privacy Shield was canceled in 2020 because the European Court of Justice found that it did not comply with the European Data Protection Regulation (GDPR). Before it, the previous framework, the Safe Harbor, had suffered the same fate in 2015, two years after the revelations of the activist Edward Snowden on the mass espionage carried out by the United States in Europe.

“According to the CJEU, the surveillance carried out by the American intelligence services on the personal data of Europeans is excessive, insufficiently supervised, and without any real possibility of appeal,” explain Ariane Mole and Willy Mikalef, lawyers specializing in data protection at the firm Bird & Bird.

To unblock the situation, it would therefore have been necessary either for the EU to lower its requirements concerning the security and accessibility of European data, or for the United States to reform its own legislation, in particular its extraterritorial laws (Cloud Act, FISA law…), which allow its intelligence services to collect data on a massive scale without having to inform the persons concerned.

However, since 2020, nothing has changed on the legal front. In Europe, the trend is to strengthen data protection in the name of digital sovereignty, and to secure data sharing to stimulate innovation, in particular via a new text in preparation, the Data Governance Act (DGA). In 2023 or 2024 it will complement, on the “data” side, the Digital Markets Act (DMA), which regulates digital markets, and the Digital Services Act (DSA), dedicated to the management of content on the Internet.

As for the United States, it has not reformed its legislation in any way to align with the GDPR and meet the requirements of the EU. On the contrary, it even recently reinforced its intelligence powers and its ability to access data, and refused to reform the problematic Cloud Act, which is incompatible with the GDPR.

On the front line, companies are the main victims of this legal deadlock. Since 2020, they have been floundering. To transfer data to the other continent, they use the mechanism of standard contractual measures, which impose data security guarantees, as well as technical measures to better protect the data from possible external interference. In other words: tinkering, with European Commission “guidelines” that arrived gradually in 2020 and 2021 but do not constitute a satisfactory long-term solution.

Is the new agreement doomed to be rejected like the previous ones?

In this context, how on earth could a new agreement be found? And above all, what is it? Neither the European Commission nor the White House has yet revealed the details. “This agreement will allow predictable and confident transfers of data between the European Union and the United States,” assured a very mysterious Ursula von der Leyen, the President of the European Commission.

We simply know that the new agreement must define new safety nets to “limit access to data by American intelligence agencies” to data deemed “necessary and proportional to protect national security”. It will still be necessary to define the “necessary” data and the notion of proportionality… For its part, the United States undertakes to set up an independent appeal mechanism including a data protection review tribunal, responsible for deciding on complaints.

At present, the agreement in principle announced is simply a political declaration which has not yet been translated into legal language in a text. This process could still take months. The text will then have to be adopted by the European Commission, and then pass the obstacle of its examination by the European Data Protection Board (EDPB). All this could take months, especially if the text is appealed to the Court of Justice of the EU.

As soon as this new agreement was announced, the activist Max Schrems, already at the origin of the complaints which led to the cancellation of the Safe Harbor in 2015 then of the Privacy Shield in 2020, shared his incomprehension.

“We already had a purely political agreement in 2015 which had no legal basis. The same game could be played a third time. The agreement is a symbol wanted by Ursula von der Leyen, but it does not have the support of legal experts in Brussels, because the United States has not moved,” he said.

Via his organization None of Your Business, the source of numerous complaints against Gafam, some of which lead to sanctions, including by the European Cnil, Max Schrems has already announced that he will not hesitate to file a new complaint if the text appears to violate the GDPR like the previous one.

European Commissioner Margrethe Vestager also seems to expect legal challenges. “I know how hard they [the negotiators] have worked to make it solid, but of course that remains to be seen and I assume the text will indeed be tested in court,” she told Reuters.

The United States will supply gas to the EU to reduce its dependence on Russia

The context in which this agreement in principle between the EU and the United States was reached also raises questions. It was announced on the evening of Friday March 25, only a few hours after the announcement of another agreement between the two powers, this time relating to gas.

While Europe is experiencing an inter-state war on its soil for the first time since 1945 with the Ukrainian conflict, the United States will help the European Union reduce its dependence on Russian gas, because the money paid to Russia helps finance its war in Ukraine. The agreement, negotiated on the sidelines of a European summit, commits the United States to deliver an additional 15 billion m³ of liquefied natural gas (LNG) to the EU in 2022, then to ramp up in the following years to 50 billion m³ per year. The EU’s goal is to phase out Russian fossil fuels by 2027.

Renunciation of the EU on its data? A simple gesture of goodwill that will be rejected?

While we must avoid jumping to hasty conclusions, and it remains to be seen how the future text handles the legal incompatibility between the Cloud Act and the GDPR, it is difficult not to see a link between the two announcements. In a context where the United States has not lifted a finger on its data collection practices, and where the war in Ukraine is pushing the European Union back into the arms of NATO, has the EU in fact agreed to give up some of its digital sovereignty in exchange for American gas?

This is the opinion of many experts and observers consulted by La Tribune, given how deep the legal abyss seemed until the evening of Friday March 25. All the more so because the edifice of illegal data transfers had begun to crumble in recent months. Last February, the French Cnil issued a bombshell decision by declaring illegal the use of the Google Analytics website analysis tool by Auchan, precisely because of the illegality of the Privacy Shield. For its part, Meta (Facebook, Instagram, WhatsApp, Messenger) is in trouble in Ireland, where the regulator is preparing to impose sanctions because the company continued to transfer European personal data to the United States without adapting after the termination of the Privacy Shield.

.. our data against gas .. when we don’t have a vision of sovereignty, we have to accept the vision of the world of others for us. humiliating. https://t.co/hItdavrdIj

— Octave Klaba (@olesovhcom) March 25, 2022

For their part, the tech giants welcomed a deal that “will restore legal certainty for companies and strengthen guarantees for users”, in a statement from the Computer & Communications Industry Association. And the Software Alliance, bringing together the main companies specializing in the cloud, urged the two parties to “conclude the negotiations quickly”.

But many are already betting on failure. “If the text does not comply with the GDPR like the previous ones, then it will be retorted,” says the economist Joëlle Toledano, putting the announcement in perspective when questioned on the subject by La Tribune during the Think Tech Summit, which was held in Paris on Monday March 28.

Unless, of course, EU lawyers pull a legal rabbit out of their hats and find the technical solution that neither Safe Harbor nor Privacy Shield found, so that transatlantic data transfers can resume without the United States backing down on its surveillance arsenal. How the text addresses the necessity and proportionality of data collection will be crucial.
