
Privacy Shield 2.0 is 'high priority' but 'not easy'

Agreeing a new data transfer deal with the US is a "high priority" for the EU, Margrethe Vestager, the bloc's executive vice president for digital strategy, said yesterday, but she also warned that a replacement for the defunct EU-US Privacy Shield (and Safe Harbor before that) is by no means a done deal, given the fundamental legal clash between European privacy rights and US surveillance overreach.

In recent weeks, some media reports have suggested that a new deal on transatlantic data transfers is imminent (one such report appeared on February 3).

However, Commissioner Vestager's comments suggest otherwise.

"This is a high-priority effort to reach such an agreement with the Americans," she said during a question-and-answer session at a press conference on the Commission's latest proposal on data sharing (known as the Data Act). "This is not easy, to put it mildly. Because we took the guidance, of course, from the [CJEU] court that ruled on the basis of the Charter of Fundamental Rights, which is not something we can or will change."

"So we need to find a way to work with the Americans that is okay with this, of course, so we don't get a negative Schrems III judgment, if that is the case. But it's a priority for us to enable the business community to get the most out of data, but again to do it in safe, clear and transparent conditions, and that's why we're driving this forward."

The reason the issue of data transfers came up in the context of the Data Act, which, as Vestager herself noted, relates mainly to non-personal data (whereas the Schrems rulings that struck down Privacy Shield and Safe Harbor concern exports of personal data outside the bloc), is that the bill proposes a kind of "Schrems II for non-personal data", as data protection experts were quick to call it.

An explanatory memorandum prefixed to the draft Data Act proposal lists "safeguards against unlawful transfer of data without notification by cloud service providers" as one of its specific objectives, explaining: "This is because concerns have been raised about unlawful access to data by governments outside the EU/European Economic Area (EEA). Such safeguards should further enhance trust in the data processing services that increasingly underpin the European data economy."

Article 27 of the Data Act, which deals with international access and transfer, also provides:

"Data processing service providers shall take all reasonable technical, legal and organizational measures, including contractual arrangements, to prevent international transfer or government access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the national law of the Member State concerned."

Summing up, an EU source familiar with the matter said: "We are saying that non-personal data should not leave the EU if it is likely to fall into the hands of foreign spies", also comparing the provision to a "Schrems II for non-personal data".

So anyone imagining that the legal uncertainty hanging over (especially) US-based cloud services in the region since mid-2020 is nothing more than a little fog that is sure to clear should think again: it looks set to keep weighing on EU data transfers.

Here, in the draft Data Act, the Commission can be seen essentially doubling down on Schrems II, rather than looking for ways to circumvent the CJEU ruling, as it did after Schrems I by rushing to adopt a Privacy Shield with very obvious legal flaws.

Two successive blows from the Court of Justice of the European Union (CJEU) on this issue seem to have put an end to any equally superficial attempt to paper over fundamental legal flaws.

Which in turn means that talk of segregation/federation of services and increasing data localization in the EU is very real, at least while major reforms of US surveillance law fail to materialize.

During the Data Act press conference, Vestager rejected a journalist's suggestion that the Data Act is protectionist, stating: "It's beneficial for companies, no matter where they are from, that data can flow."

But she also made it clear that the EU rulebook is binding, so without a replacement EU-US data transfer agreement, data will not flow freely.

Even, apparently, 'non-personal' data. That raises the stakes further still, and risks turning the Data Act itself into something of a Privacy Shield bargaining chip, given that, without a robust new EU-US data transfer agreement, switching can in future only be made easier for data moving from a US provider to an EU provider, not the other way around.

"The point is that of course we have an obligation to make sure that the way things flow is in accordance with data protection provisions; that's why we can make these adequacy decisions," Vestager emphasized. "That goes beyond the Data Act. Right now our colleague Didier Reynders [justice commissioner] is leading the file on the negotiations with the US and the follow-up to the Schrems II ruling.

“So the Data Act will not stand alone. We will continue this work by making adequacy decisions with third country jurisdictions where we can see that things are as they should be."

The internal market commissioner, Thierry Breton, also reiterated the point to the press. "The goal of the Data Act is to open and unlock industrial data," he said. "It is important that we give rules and explanations so that all companies, European or not, know exactly what the rules of the game are in the EU single market. We give that legitimacy."

“For cloud services, we need to ensure that safeguards are in place to protect personal data against forced access by a third party, say a foreign government, where there is no procedural protection or international agreement, which is why we are discussing this with our partners to set the rules.

“It certainly does not prevent the voluntary transfer of data if the company or the citizen so wishes,” he added. “It's obvious, but we have to remember it. International cooperation between judicial authorities and police authorities is obviously included in this.”

With the US, the data protection situation is definitely not where it "should be" in terms of equivalence with EU law as it stands. Quite the reverse.

This is why, in recent months, data protection regulators across the EU have been issuing enforcement decisions involving the use of major US-based services, saying that such use must comply with EU law (and that currently it does not), and that it may therefore be necessary to look for alternatives, given the obvious gap.

France's watchdog, for example, has started work to evaluate alternatives to Google Analytics for website audience measurement and analysis that may be exempt from the need to obtain user consent.

The use of cloud services by European public sector bodies is also facing coordinated scrutiny through a joint enforcement action that began earlier this month, similarly focusing on concerns over international transfers of data.

Also, of course, there is still a major decision looming over Facebook's EU-US data flows, which were Schrems' original target, back in 2013.

An order to suspend them could come as soon as May, according to the head of the Irish Data Protection Commission (DPC), Helen Dixon, in an interview with Reuters. Although she also made it clear that the Irish regulator will not issue blanket orders based on what it decides on Facebook.

"The decision that the DPC will ultimately make in relation to Facebook will be specific to Facebook and directed only at Facebook," she said. "The consequence of the CJEU decision is that we cannot make a broader and more radical conclusion. We have to go company by company," further noting that there are "hundreds of thousands of entities" that would potentially need to be scrutinized, according to the Reuters report, starting with other major internet platforms.

The DPC already issued a preliminary suspension order to Facebook shortly after the CJEU's Schrems II ruling, in September 2020, but the tech giant quickly obtained a stay, before losing its challenge to the regulatory proceeding in the Irish High Court last May.

And as we reported earlier this week, the DPC has now submitted a revised draft decision to Facebook parent Meta, giving the company a month to respond.

After which, the other EU data watchdogs will have a chance to review and potentially challenge the Irish draft decision, which could add more months to the decision-making process. But if there is broad agreement on whatever Ireland has concluded, Dixon's line is that "the earliest time we could have a final decision could be the end of May".

Ireland's slow pace of enforcement in investigations into tech giants means there is no chance of other decisions on data transfers landing in the short term against the likes of Google.

However, across the EU, we are seeing other regulators taking action where they have local competence, so it may be a case of 'death by a thousand complaints' against tools like Google Analytics, for which there are viable alternatives (Facebook is not the only social network, but it is stickier, owing to network effects and data portability challenges).

A burning question is whether there will be a new 'Privacy Shield 2.0' agreed by the EU and US before Ireland decides on Facebook data flows, assuming there is a final decision from Ireland by the end of May.

Even if there is a basic agreement between the two parties on the substance of a new deal by then, that timetable seems tight, and any new draft adequacy agreement still needs to be adopted by the Commission, which will have to await an opinion from the European Data Protection Board (EDPB).

The last time, after Safe Harbor was invalidated in October 2015, around seven months elapsed between the publication of the draft Privacy Shield agreement (February 2016) and the mechanism being adopted by the Commission and finally going live for companies to self-certify (August 2016).

Although, notably, the Article 29 Working Party (the body composed of the Member States' data protection agencies that has since become the EDPB) agreed not to cut off any transfers while Privacy Shield was being analysed.

Meta may be betting on a similarly generous implementation grace period for any new Privacy Shield, allowing it to continue to dodge an order to suspend its data flows between the EU and the US.

That said, it is not clear that the EDPB would be inclined to do so this time, given that enforcement on the issue of data transfers is already happening without waiting for Ireland.

The 101 Schrems complaints from August 2020, deliberately filed with agencies across the EU to counter forum shopping, have made sure of that.

Of course, the CJEU is also likely to take a very dim view of any replacement adequacy agreement that repeats the mistakes of the past. And the court has shown an ability to speed up its deliberations when it perceives significant risks to fundamental rights. So while Privacy Shield limped along for four years, any faulty replacement (let's call it a 'privacy umbrella') may have an even shorter lifespan before it falls apart.

Perhaps the key point: a third strike by the CJEU would be a great embarrassment for the Commission, which explains Vestager's strong warning signals, to the point of explicitly stating that she does not want "a negative Schrems III judgment".

Whether the Commission will once again willingly take responsibility for Meta's unlawful data flows is a particularly interesting question.

It is not the same entity that went through all this last time. Furthermore, it has embarked on an ambitious tech policy agenda, of which the Data Act is just the latest piece of the puzzle, alongside sweeping new plans to tame the market power of tech giants, update e-commerce rules and define a framework for 'Trusted AI', among many other legislative moves intended to reshape the digital economy and European society and boost the EU economy.

Hence, there is talk of a great movement of 'digital sovereignty'.

However, the EU's appetite to find out what digital sovereignty means in practice could soon be put to the test against the commercial fallout of dozens of interrupted data flows.
