On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the European Commission decision that recognized the Privacy Shield as an adequate “shield” for data transfers from a European entity to companies established in the United States. Long awaited, this decision was handed down in response to a preliminary question referred by the High Court of Ireland to the European judges. Once again, the initiative came from Austrian activist Max Schrems against Facebook Ireland over the portability of his personal data within the United States. With this decision, known as “Schrems II”, the shield is now deemed inadequate. So what is going on? We take stock.
An insufficiently protective shield
Since 2016, the Privacy Shield allowed 5,226 companies to transfer our data across the Atlantic, according to the official website of the American government. Its abolition opens a gaping hole. This agreement covered a market valued at $7.1 trillion, according to US Secretary of Commerce Wilbur Ross, who said he “deeply regrets” the disappearance of the Privacy Shield.
Why was the agreement struck down? In the lengthy 44-page judgment, the European judges considered that this “mediation mechanism” did not meet the legal requirements established by the GDPR, which entered into force in May 2018 on European territory. The CJEU further noted that the agreement did not provide citizens with a remedy. Clearly, the shield is not protective enough for our data and we cannot properly defend ourselves against it, contrary to what the Commission hastily claimed in February 2016.
70% of European data stored outside the EU
Behind this “eminently political decision” hides a legal “clash”. “In the United States, personal data are monetizable business assets, while in the EU they are an integral part of our fundamental freedoms,” explains Claude-Étienne Armingaud, associate lawyer at the K&L Gates law firm.
The invalidation of the Privacy Shield caused an uproar among many companies, especially in the digital sector. Asic, Syntec Numérique and TECH IN France have signed a statement, “worried” about the future of data portability. Recalling “their commitment to a high level of requirement”, the three digital-industry bodies ask for “the implementation of transitional measures […] in order to legally secure the activity of all the companies concerned.” A solution must be found quickly since “more than 70% of European data is now stored in non-European clouds”, according to OVHCloud, the French leader in hosting.
The “big blur”
But what does this actually change for our data? That is precisely what is difficult to know. For now, it is “the big blur”, in the words of lawyer Claude-Étienne Armingaud. Since July, European companies have been forced to renegotiate bilateral contracts, each on its own, with their American partners.
Citizens are even more in the dark. If we take the example of Facebook, at the origin of the case, the social network must respect the conditions of data portability of its European users established by the GDPR. To do so without the Privacy Shield, Facebook is obliged to establish a specific contract with the head office based in the United States. For its users, having a right to inspect the text seems almost impossible.
Opaque, the data transfer market from one side of the Atlantic to the other is therefore fraught with uncertainty. The EU is busy trying to find a solution. The National Commission for Informatics and Freedoms (CNIL) and its European counterparts, meeting within the European Committee for Data Protection, called “the Cnil of the Cnils”, are currently carrying out “the analysis of this decision to draw the consequences as soon as possible”, the French watchdog has already indicated.
Four possible scenarios
According to lawyer Claude-Étienne Armingaud, several scenarios are possible to ensure the protection of our data. First possibility: re-negotiate a third EU-US bilateral agreement such as Safe Harbor (2000, invalidated in 2015) and the Privacy Shield (2016, invalidated in 2020). This option would respond to the urgency of the EU’s timetable, which is currently in the process of developing the Digital Services Act.
Second possibility: draw up agreements in line with each federal state, since some, like California, are more protective than others. However, this multilateral tool would bring an additional degree of complexity not necessarily sought by market players.
Third possibility: to set up “codes of conduct” for companies to follow, which places a great deal of responsibility on them to self-regulate. This system is “ideal” according to the specialist lawyer because it is “flexible”. But the tense relations between platforms and European institutions suggest that this will be difficult to put in place.
Last possibility: the status quo, building on the bilateral contracts already in force, since they have been validated with certain reservations by the CJEU and an update is planned before the end of this year.
“Whatever option is chosen, the priority must remain to clean up this environment,” analyzes Claude-Étienne Armingaud, who does not lose hope. “We have to be patient, but we will get there! Initiatives like those of Max Schrems push, on the one hand, to a takeover of citizens’ hands and, on the other, to empower the players. Even though the balance is complex, its research is healthy.”