HASAt the start of the Ukrainian conflict, the President of the European Commission, Ursula von der Leyen, and the President of the United States, Joe Biden, announced on March 25 that they had reached an agreement on a new framework for the transfer of personal data between the two continents. This announcement, which went relatively unnoticed, could nevertheless ruin years of efforts to establish European digital sovereignty.
The transfer of personal data between Europe and the United States has never really been obvious. The rules negotiated between the European Union and the American Department of Commerce between 1998 and 2000, known as “Safe Harbor” (“sphere of safety”), authorized it, considering that the Americans offered sufficient guarantees as to the protection of the private life. Invalidated by a judgment of the Court of Justice of the European Union (CJEU) in 2015, this agreement was reborn like a phoenix a year later under the name of “Privacy Shield”. (“Privacy Shield”). But, another thunderbolt in 2020, the latter is in turn invalidated by the CJEU, as incompatible with Article 5 of the General Data Protection Regulation (GDPR).
These successive reversals echo the American policy which has continued to relax its laws on the surveillance of personal data for twenty years. Each evolution – Patriot Act in 2001, amendments to the Foreign Intelligence Surveillance Act in 2008, Cloud Act in 2018 – has had the effect of giving ever more new powers to legal and governmental authorities over the personal data hosted by American companies, than their servers are located in the country or elsewhere in the world. A vision incompatible with European data protection rules.
The threat of Meta
The end of the Privacy Shield had shaken the American digital giants hard. Its first effects were beginning to be felt. The National Commission for Computing and Liberties (CNIL) had thus called, in 2021, on the government to rule out the choice of Microsoft Azure for the hosting of health data from the Health Data Hub, a centralized platform for medical data from French. More recently, the CNIL warned higher education establishments about the use of collaborative suites offered by American publishers. Finally, at the beginning of February, it served formal notice on a website publisher using Google Analytics, considering the transfer of this data to the United States as illegal.
You have 49.57% of this article left to read. The following is for subscribers only.