Data transfer: Europe and the United States fill their shields

Posted on Oct 7th. 2022, 4:00 PMUpdated Oct 7, 2022, 4:49 PM

Family photos, payslips… From next year, companies and citizens will be able to send all their ‘data’ across the Atlantic Ocean and use it in complete safety. In any case, this is what provides for an executive order on transfers of personal data, signed by Joe Biden on Friday morning, the culmination of months of consultations with the European Commission.

This decision, which follows an agreement in principle announced last March by the US President and Ursula von der Leyen , defines a new data privacy framework between the two continents. Controversially, it subsequently sparked strong criticism from the accused president of the European Commission, in particular by Octave Klaba, CEO of OVHCloud Having traded European data for an agreement to supply US gas to Europe…

Either way, the new text puts an end to the uncertainty into which thousands of companies plunged when the Court of Justice of the European Union rejected two other transatlantic agreements, the Safe Harbor in 2015 and the Privacy Shield in 2020. She then took the view that the rights of European citizens were not sufficiently protected when their personal data was sent to the servers of US companies, in particular because of surveillance operations by the United States.

The lack of a transatlantic agreement since then has called into question the legality of the activities of companies, especially those of the web giants Google, Facebook, Amazon… for whom the transfer, analysis and use of data on both sides of the Atlantic Ocean essential is business. The flow of transatlantic data soaks up billions of dollars in trade between the United States and the EU. The case had sparked passions: in March, Facebook had threatened to stop offering its social network and Instagram in Europe.

A Data Protection Court

The text describes how the new agreement will work in practice, introduces safeguards to ensure respect for European personal data and establishes a new data protection court under the US Department of Justice that can be seized by European citizens who consider themselves disadvantaged.

Because he attaches particular importance to European concerns about surveillance practices in the United States, a topic that has fueled debate in recent months. One of the challenges was therefore regulating US intelligence access to European data and its use for national security purposes. The Americans will now have to demonstrate that the surveillance activities are “necessary” and “proportionate” to the pursuit of their objectives.

The US agencies will therefore review their working methods. “For every step, from the initial collection to the subsequent processing of data, the new rules will define terms of use, set limits and safeguard what should be considered a legitimate objective of national security, terrorism, fight against organized crime” , explains a European source. . So it is the entire life cycle of the data that is being examined.”

New remedies?

The new Court will be able to order the deletion of the data or its correction. Complaints are pre-examined by a civil liberties officer, depending on the direction of US intelligence. The complainant will submit his complaint in Europe, in his country, to his national data protection authority.

“These commitments relate to the transfer of personal data to the United States under EU law,” said Gina Raimondo, the US Secretary of Commerce, during a conference call with the press. They will enable the continuous flow of data and will mainly benefit small and medium-sized enterprises, which represent 70% of the companies covered by these topics.”

The executive order is likely to be scrutinized by those who benefit most from the data business. What will be the impact on the tool? Google Analytics that the French CNIL deemed incompatible with the GDPR at the beginning of 2022 ? What about US cloud services that use European personal data?

The protagonists again expect this agreement to be the subject of challenges from privacy activists, but claim to have taken maximum guarantees on the legal certainty of the text.

While the Executive Order is an important step, it’s not the end of the story. A process of ratification by the European Commission is now underway and will not be completed before summer 2023.