The new framework for data transfer between the European Union (EU) and the United States is beginning to take shape. After announcing an agreement in principle last March with Ursula von der Leyen, the President of the European Commission, Joe Biden signed an executive decree on Friday, October 7, 2022 which makes it possible to lay the foundations for a new text governing the exchanges of data between the two sides of the Atlantic. This should put an end to a period of vagueness caused by the invalidation of the Privacy Shield by the Court of Justice of the European Union (CJEU) during the summer of 2020.
The European judges had considered that the text, which served as a legal basis for companies to export the personal data of European users across the Atlantic, did not offer a sufficient level of protection against US surveillance laws, such as the Patriot Act and the Cloud Act. As a result, US companies, including Gafam, had to fall back on standard contractual clauses (SCC), another transfer mechanism offering fewer legal guarantees.
Safeguards to enable European citizens to defend themselves…
To simplify data exchanges between the EU and the United States, and above all to prevent the CJEU from invalidating the new transatlantic agreement, as was the case for the Safe Harbor in 2015 and the Privacy Shield in 2020, the White House had to resolve to provide guarantees deemed solid to the EU authorities. Thus, Joe Biden’s decree requires intelligence agencies to engage in a use of data collected in Europe and transferred or hosted in the United States that is limited to what is “necessary” and “proportionate”. In other words, the CIA and the other agencies of the country of Uncle Sam will have to review their practices to prove that they need deep European data for surveillance activities related to national security or terrorism, for example.
Among the other safeguards included in the decree is also the possibility for nationals of the Old Continent to seize the US authorities if they believe that their personal data has been illegally collected by the US intelligence services. In this context, it would be possible for them to defend their case with an officer in charge of the protection of civil liberties at the American intelligence directorate. And if European citizens were not satisfied with their decision, they could then appeal to an independent tribunal formed by the Ministry of Justice. In case of abuse of data collection, it is expected that these can be deleted. However, even in the event of abuse noted, the complainant could never know whether or not he was monitored by American intelligence, unless the defense secret was lifted.
…but worrying gray areas
Despite the pledges of goodwill given by Washington, there are a few passages in this presidential decree which should arouse the vigilance of European citizens. We thus learn that the American president could not only authorize updates of the objectives sought by his intelligence services to justify the collection of foreign data, but also choose not to make this extension of the list public, in case “it would pose a risk to the national security of the United States”. But it was also in the name of national security that the Patriot Act was adopted by the US Congress after the attacks of September 11, 2001…
Another passage also raises fears. This is the one concerning the collection of information from foreign companies to offer a competitive advantage to companies from across the Atlantic. According to the White House, such a practice would be prohibited, except “to protect the national security of the United States or its allies or partners”. National security definitely has a good back.
Already, some French technology players are sounding the alarm. This is particularly the case of Clever Cloud, whose legal director Guillaume Champeau denounces the excesses of Joe Biden’s decree. “So it looks very much like a big gas factory invented to try to meet the CJEU’s requirements to continue importing data from Europeans, with in theory complaints lodged by people who will not know if they have reasons. to lodge a complaint”he summarizes on Twitter.
Towards an agreement concluded in the spring of 2023?
Despite the great liberties granted by the United States in this presidential decree, it would constitute “a very important step” towards a definitive agreement, as welcomed by the European Commissioner for Justice, Didier Reynders. However, there is still a long way to go. It is now up to the European Commission to take action with the launch of a ratification process which should not be completed before spring 2023.
On this horizon, a new EU-USA agreement could then be formalized. However, Max Schrems, an Austrian lawyer and privacy activist, who initiated the two previous complaints that brought down the Safe Harbor and the Privacy Shield, has already said he is ready to attack the new transatlantic mechanism of data transfer.