Protection of data transferred to the United States: can we believe it?
Posted: Thu Dec 05, 2024 6:00 am
The European Commission announced on July 10 that it had adopted a new legal framework that once again legalizes the transfer of personal data from the European Union to the United States. More recently, the Norwegian Data Protection Authority took a radical and unprecedented step by prohibiting Meta from profiling Norwegian users for the purpose of targeted advertising. This fine begins on August 4, for a period of three months. These events only confirm that the saga of data transfers to the United States is not at its last twist.
Summary
Reminder of the situation
What’s new?
Not so simple in practice
What about the application with other legal provisions?
On the way to a Schrems III stop?
Reminder of the situation
In view of recent news, it seems appropriate to us to provide a reminder of the situation. Under Article 45 of the General Data Protection Regulation (GDPR), data transfers outside the European Economic Area (EEA) are prohibited, unless it can be demonstrated that one is in a very specific situation provided for in said article. The two exceptions most frequently used by companies to justify data transfers outside the EU and the EEA are (1) an adequate level of protection provided by the destination country and (2) the application of standard contractual clauses (SCCs) between companies transferring data that leaves the European Economic Area. In the first case, the destination country must have legislation recognized by the European Commission as offering a level of data protection equivalent to that applied in the European Union. In the second case, the SCCs signed between the two entities must be based on the models approved by the European Commission.
Regarding transfers to the United States, and since the invalidation by the Court of Justice of the European Union (CJEU) of the Privacy Shield in 2020, companies can no longer rely on an adequate level of protection to justify transfers. Indeed, the CJEU considered that the access to data granted to American intelligence, on the grounds of surveillance, was too broad. As for the SCCs, the recipient organization must still comply with the European models. This is not so easy to implement given the requirements provided for by these models, which are sometimes irreconcilable with the American vision of data protection.
What’s new?
To fill this legal void, and given the crucial issues for the digital economy, the European Commission recently adopted a new text. Additional safeguards have been put in place to regulate access to data by American intelligence agencies. From now on, access, in addition to having to be justified in the name of national security, must be limited to what is "proportionate" and "necessary" in order to comply with the requirements of Article 45.3 of the GDPR, allowing the transfer of personal data to a third country. While the intention is laudable, it must be recognized that these terms, although illustrious in the GDPR, still leave a lot of room for interpretation.
A new feature of the agreement is the granting of a right of appeal to European citizens if they consider that their personal data has been illegally collected by the American authorities. This right of appeal is accompanied by a right to the correction or deletion of this data, also provided for by the GDPR. Compared to the absence that existed previously in this regard, the progress can be welcomed. This new version of the text has the merit of wanting, on paper at least, to grant European citizens the same rights as American citizens. Previously, and even when the Privacy Shield was set up, when an American company inappropriately processed data of European citizens, no appeal was possible.
Not so simple in practice
However, we do not think we should be too quick to rejoice at this progress. Which law will apply in your opinion? American law, of course. In practice, will a European national really go to an American court to assert his rights? In this respect, this law therefore seems utopian to us. Furthermore, in American law as in Belgian law, an interest is required to bring legal action. Demonstrating this interest before a jurisdiction that is not very inclined to data protection can turn out to be a real obstacle course. Offering rights of appeal is good, but being able to have them enforced is better. It seems to us that this globalization of American justice does not truly protect the rights of citizens internationally.
Furthermore, companies that send data to the United States are in the same boat. How will companies, which, as subcontractors, are responsible for the choice of their service providers and the resulting security, be able to carry out their security audits across the Atlantic? How can a company truly allow one of its customers whose data has been compromised to assert their rights before a US court, knowing that there are no federal data protection provisions?
What about the application with other legal provisions?
We can also wonder about the relationship of the new framework agreement with the Cloud Act. This text, in force since 2018 and introduced under the Donald Trump regime, allows American authorities access to all data stored by American companies, regardless of their location. This therefore applies, a fortiori, to all data stored by American companies on European territory. Will the new framework agreement supplant the Cloud Act? Will these two texts apply independently? There are still gray areas. Furthermore, how, even with this new agreement, can we be sure that our data will not be absorbed by an American company that is not immune to surveillance, despite the safeguards put in place?
On the way to a Schrems III stop?
There is no doubt that the new agreement adopted by the Commission is welcomed as good news for many companies, regardless of their size, that transfer data to the United States every day. However, it remains, in our opinion, an initial compromise that will need to be developed. Max Schrems, the Austrian activist behind the previous Schrems I and Schrems II appeals and judgments, has already announced an appeal against this new legal framework. We can therefore expect the case to be brought before the Court of Justice of the European Union again by the beginning of next year. In the meantime, and in these circumstances, we strongly advise you to leave your data within the European Union, under the control of a European actor.