The European framework governing the exchange of data between Europe and the United States has already been called into question several times. In 2015, the Safe Harbor was invalidated by the Court of Justice of the EU. Its successor, the Privacy Shield, met the same fate in 2020.
Since then, Europe has been negotiating with the United States a new legal framework for the transfer of personal data. By continuing to trade despite the invalidation of the Privacy Shield, Meta was severely sanctioned (1.2 billion euros).
A protection framework demanded by companies
Companies were therefore pushing for a new system to be put in place. It is now done, as reported by the Cnil. In a decision of July 10, the European executive considers that the United States ensures a level of protection of personal data equivalent to that of the European Union.
Consequence: “transfers of personal data from the EU to certain US organizations can now be carried out freely, without specific supervision.” It is therefore no longer necessary to resort to standard contractual clauses or another instrument of transfer.
The CNIL recalls that the draft adequacy decision of the European Commission had been submitted beforehand to the European Data Protection Board (EDPS). This had been the subject of the publication of a notice on February 28, 2023.
The committee noted the improvements brought about by the new American legal framework, but also underlined the persistence of concerns. An air of déjà vu. Indeed, the Privacy Shield had already been the subject of similar reservations from the European Cnil.
Schrems promises invalidation as early as 2023
The last word, however, belongs to the Commission, which, as in the past, favors the restoration of data transfers. At the risk of seeing the new framework once again be invalidated by the CJEU.
Max Schrems, the gravedigger of the Safe Harbor and the Privacy Shield, has already announced via the NOYB association that action will soon be taken against the Privacy Shield 2.0.
“The so-called ‘new’ transatlantic framework for the protection of personal data is largely a copy of the ‘data protection shield'”, denounces the organization, which predicts a return to European justice in a few months.
The central point at the origin of the invalidation of the two previous agreements between Europe and the United States persists, considers NOYB. “The fundamental problem of FISA 702 has not been addressed by the United States, which still considers that only American nationals can enjoy constitutional rights,” she pinned.