Data transfers across the Atlantic… a storm in a teacup?!
On July 10, 2023, the European Commission adopted a new adequacy decision. Considering that US legislation now guarantees a level of personal data protection "substantially equivalent" to that provided in Europe, the decision declares that level "adequate" with regard to organizations that self-certify under the new “Data Privacy Framework” (DPF) mechanism.
Data transfers between EU Member States and US organizations that adhere to the principles of the DPF are now free, and no longer require the use of other legal mechanisms such as the famous standard contractual clauses.
As a very direct consequence of this, the French data protection authority, the “CNIL”, a few days later removed the page it had been publishing on its website deeming illegal the use of the American tool Google Analytics, due to the data transfers that were then being carried out in the USA without the appropriate legal tools, following the conclusions reached by the Court of Justice of the European Union (CJEU) in the famous “Schrems II” ruling.
Indeed, on February 10 and March 2, 2022, the CNIL had issued formal notices to three websites prohibiting them from using the then-current version of Google Analytics, due to the illegality of the data transfers to the United States at stake.
A number of similar rulings have been handed down across the European Union: unlike the European Data Protection Supervisor on December 6, 2021, by a German administrative court in a case concerning the use of the "Cookiebot" tool, on December 22, 2021, by the Austrian data protection authority concerning the use of the Google Analytics tool, in June 2022 in Italy. And what to say about Meta being fined a record €1.2 billion for the same type of unlawful transfers? Not to mention the Swedish data protection authority, fining a company about €1 million for the use of Google Analytics and its unlawful transfers to the United States on June 30, 2023, just a few days before the adequacy decision. Or the Norwegian data protection authority, reprimanding a company on July 26, 2023 for its use of Google Analytics implying unlawful transfers (at the time of inspection) of personal data to the United States, even after said adequacy decision.
The majority of these cases relate to the 101 complaints filed by "None Of Your Business" (NOYB), an association led by Max Schrems, the Austrian activist behind the first two eponymous CJEU rulings that led to the annulment of the first and second adequacy decisions adopted by the European Commission (the "Safe Harbor", adopted in 2000 and the "Privacy Shield", adopted in 2016).
The adoption of the DPF will therefore put an abrupt stop to this doctrine (even if, in theory, past breaches remain unlawful and subject to sanction), and means that all these tools can now be used again with little, if any, difficulty (as long as the company providing them and transferring data to the United States self-certifies with the DPF).
However, that's (probably) not the end of the story.
In its opinion dated February 28, 2023, the European Data Protection Board (EDPB) noted the progress resulting from the new data protection framework in US law. However, it also pointed out many weaknesses that this framework still entails.
On the basis of arguments comparable to those of the EDPB, the European Parliament also issued a negative opinion on the European Commission's draft adequacy decision in a resolution adopted on May 11, 2023, going so far as to call on the European Commission not to adopt its adequacy decision as it stands...
It is therefore highly likely that, in the next few years, the CJEU will once again examine the validity of the mechanism. Maximilian Schrems has already announced his intentions in this respect…
Article provided by INPLP member: Charlotte Barraco-David (OYAT, France)
Co-author: Clyde Coutellier
Dr. Tobias Höllwarth (Managing Director INPLP)