While a political agreement has been reached between the USA and Europe on the transfer of European data, the body bringing together all the European CNILs is more reserved. He is waiting to see the legal text before celebrating anything.
A political agreement which is welcomed, but whose legal translation will have to be observed with the greatest attention. This, in summary, is the position adopted by the European Data Protection Board (EDPB) on April 13, 2022, after the announcement of common ground between the EU and the United States on personal data.
The institution, which brings together all the CNILs of the European Union (the equivalents, in other countries, of the National Commission for Computing and Liberties), sees in this convergence of transatlantic views ” a positive first step in the right direction “. On paper, this framework will finally regulate once and for all the conditions for the transfer of personal data from the EU to the United States, with all the required legal guarantees.
Two previous plans, two failures
It is true that it is time: two devices existed before, the Safe Harbor until 2015, then the Privacy Shield until 2020, which replaced the first, but they were both canceled by European justice. The reason ? It has been noted that the personal data of Europeans is not sufficiently protected across the Atlantic.
Will the third attempt be the right one? The EDPS notes with satisfaction the demonstrated goodwill of Washington ” to establish ‘unprecedented’ measures to protect the privacy and personal data of individuals […] when their data is transferred to the United States “. But the devil is in the details. It will be necessary to judge on parts.
Because the agreement in principle is not a legal text: it is a direction, an impulse wanted by the two shores of the Atlantic to quickly fill the void left by the Safe Harbor, then the Privacy Shield, which were invalidated by the Court of Justice of the European Union. Clearly, it will be necessary to read the ” concrete legal proposals because that’s the only thing that really counts.
The EDPS, in this regard, warns that he will assess ” precisely the improvements [de ce] new transatlantic framework ”, in particular since the verdicts of the CJEU. Another point of vigilance announced: if there is a collection of data for national security purposes, it will have to be ” limited to what is strictly necessary and proportionate “.
In the meantime, the companies concerned by these data exchanges on one side and the other of the ocean ” must therefore continue to implement the actions required to comply with the case law of the CJEU “. For example, companies can use standard contractual clauses, which remain valid despite the end of the Privacy Shield.
The stakes are considerable for Brussels and Washington, firstly in terms of political credibility, but also for the protection of Europeans’ personal data, and also on an economic level – data being often described as the black gold of digital technology . In many areas, transatlantic transfer is necessary.
This new agreement, which does not yet have a nickname, is in any case eagerly awaited by Maximilian Schrems. His name may not mean anything to you, but in Western capitals as in the companies concerned by this framework, we can no doubt see very well who he is: he is the one who blew up the Safe Harbor and the Privacy Shield. , and it is ready to start again.