Invalidation of the Privacy Shield: the European Union is up against the wall

In a ruling handed down on 16 July 2020 , the Court of Justice of the European Union (CJEU) invalidated a 2016 decision of the European Commission known as the “Privacy Shield” . This “shield” – with a promising title – was a self-certification mechanism accepted by the European Commission and negotiated with the U.S. Department of Commerce (DOC) in 2016. It has recently been severely sanctioned by the CJEU. A decision that puts the European Union under an obligation to react.

No federal law to protect personal data in the U.S…what about us?

The problem that the Privacy Shield was supposed to solve was the following. In the European Union and for 25 years now, legislation has in principle forbidden export of personal data of EU residents outside the European Union territory and their physical storage on infrastructure outside this territory. If law on this matter is violated, national data protection authorities can pronounce administrative sanctions, and even criminal sanctions in France. Yet, this prohibition in principle has some exceptions. For example, countries that have a personal data regulation equivalent to that of the EU and an armed wing to enforce it (such as the CNIL in France) can be recognised as a suitable country by the European Commission. This is the case for a total of ten or so countries, including Canada, Israel, Switzerland, and Japan – the latest to be recognised. The problem comes from the fact that the United States has neither special regulations on personal data nor a data protection authority, which excludes it from this category of exceptions. Forked tongues claim that this situation is the result of an agreement between U.S. public authorities and the large U.S.-based global digital companies, something like “We are not imposing constraints on you in this area, so in return, do enable us to stick our fingers in this nice jam pot.” But only forked tongues say that… Another problem is that it is still difficult to do without U.S.-made digital tools, especially in the European Union, which has been particularly porous to the digital world towards which many companies have moved. However, maintaining such a situation of prohibition would be tantamount to admitting one’s powerlessness to enforce the law. The Commission has therefore created a special exception reserved for organisations from across the Atlantic: the Privacy Shield of 2016. U.S. organisations just need to pay a few dozen dollars to register for the eponymous programme, by which they commit – and swear it on their mother’s life – that they will respect minimum rules similar to that of the GDPR with regard to the personal data of European residents that they store on the North American continent. However, the CJEU did not appreciate this. It considered that the guarantees granted to European residents were insufficient and consequently annulled the agreement on 16 July 2020.

Europe up against the wall

This decision actually has a taste of “déjà vu”. Indeed, on 6 October 2015, a decision by the same European body had already invalidated the pre-existing transfer mechanism known as “Safe Harbour” . It then took the European Commission a few months to rename the Safe Harbour mechanism into ‘Privacy Shield’, to thinly spread here and there a few changes, and there you have it – or so it seemed. The problem is that the CJEU was watching. The first decision of 2015 had already been made following a complaint lodged by a young Austrian law student named Maximillian Schrems. After he had become a lawyer, he lodged a new complaint against the new mechanism and logically obtained the same outcome. The corresponding CJEU ruling is 46 pages long and has 203 recitals and a long and dense decision that seems to definitively condemn the self-regulation mechanism.

Therefore, the question now is: what do we do? The CJEU has indicated a first way out, called the European Commission’s standard contractual clauses . Provided for in Article 46 of the GDPR, transfers of personal data outside the European Union would provide sufficient safeguards under the GDPR if the exporter of this data concludes with the importer located in a country outside the EU standard data protection clauses approved by the European Commission. The CJEU ruling, subsequently supported by the recommendations of the EDPB, clarifies that it is up to the controller to ensure that the third country to which it exports data has a level of protection equivalent to that of the EU, and if not, to put in place the technical and organisational measures to ensure an equivalent level of protection. This verification should be carried out on a “case-by-case” basis. If the measures put in place are insufficient, it will be up to the competent supervisory authorities (including the CNIL in France) to suspend or terminate said transfer. It is therefore the responsibility of the data controller and/or the CNIL to remedy the inadequacies of the legal protections put in place.

In short, this mechanism is complex and difficult to implement, and it is not certain that it gives EU residents – i.e. us, the citizens, consumers, employees, parents, etc. – the guarantees they lacked under Privacy Shield. For the problem is not legal, but political. The Barroso European Commission, in place from 2004 to 2009, let in the European Union a mass of digital companies, most of them coming from the Web or having adapted to it. They all took advantage of the non-national nature of the Internet to set up systems by which they evade European laws. The Commission never reacted to that situation nor initiated public policies to help the emergence of European champions. It even made their task easier by crushing European competitors with various regulatory constraints that increased their costs and harmed their productivity. Today, the picture is bitter. Europe lives under an oligopoly called GAFAM .

The solution is not a new Privacy Shield or a wobbly solution like standard contractual clauses. On the one hand, if they want to serve European customers, the GAFAM must be established in the European Union to become subject to local law. On the other hand, we must help the emergence of an alternative European offer that gives European citizens a choice, and this is the role of public authorities everywhere in the world. The European Commission seems to have understood this, and the best proof that change has started is the recent appointment as European Commissioner for Digital Affairs and other topics of Thierry Breton: out of the 27 Commissioners in the European Commission, he is the only one to come from industry. Over the last few months, the new Commissioner has issued multiple statements on European digital sovereignty, to the point of worrying Google’s CEO.

The CJEU ruling on Privacy Shield could be his new ally. Indeed, this ruling states that the blame should not be placed on the GAFAM. It is rather up to us Europeans to finally take our destiny in our own hands.