Privacy shield : is it really necessary to get out of the current ambiguity?
On July 16, 2020, in its “Schrems 2” decision, the Court of Justice of the European Union nullified the Privacy Shield, i.e. the adequacy decision guaranteeing European citizens’ personal data the same level of protection in the United States as in Europe. Since then, due to the lack of a collective “shield”, affected businesses have been forced to resort to the use of standard terms, which are negotiated on a case-by-case basis.
However, on March 25, Joe Biden and Ursual von der Leyen announced, amidst general indifference, that they had reached an agreement in principle in regard to new adequacy measures. While the concurrence of this announcement with discussions surrounding Europe’s energy independence is already surprising, the absence of detail in regard to the practical terms of this agreement should be a call for the greatest caution. In fact, American proposals seem rather unsatisfactory at the moment. “The United States hasn’t budged”, says Max Schrems, the man who felled the Privacy Shield.
Moreover, such an agreement will only respond to the challenges posed by the Cloud Act, which focuses on access by American judicial authorities to data stored by electronic service providers in the context of criminal proceedings, whether this data is stored on US territory or abroad. The issue of American extrajudicial interceptions, which apply to any type of data (i.e. not only personal data but also corporate data) carried out under section 702 of FISA, authorizing American intelligence services to spy on any non-US citizen outside the United States, remains intact. The same goes for Executive Order 12333, under which American intelligence agencies can secretly carry out any interception and exploit vulnerabilities in telecommunications infrastructure. Let’s not forget the PRISM program revealed by Edward Snowden in 2013!
To paraphrase Cardinal de Retz, we thus run the risk of getting out of the ambiguity created by the invalidation of the Privacy Shield to our own detriment. Assuming that a new agreement is reached and validated by the European Data Protection Supervisor, it will only solve part of the problem, that of personal data. Worse, by facilitating the export of European citizens’ personal data to the United States, it will sacrifice the objective of European technological sovereignty for that of the very theoretical protection of our personal data in large American clouds. Is this at all reasonable? On the contrary, was it not an opportunity to develop European cloud computing offers?
General (2S) Marc Watin-Augouard, Founder of the FIC
Guillaume Tissier, Associate, Avisa Partners