France Update: Transfer of personal data to the United States: status

AN AGREEMENT IN PRINCIPLE BETWEEN THE EUROPEAN UNION (EU) AND THE UNITED STATES WAS SIGNED ON 25TH MARCH 2022, BUT THE FINAL TEXT IS LONG OVERDUE…

In the era of GAFAM (Google, Apple, Facebook, Amazon and Microsoft), globalization and digitalization, the number of transfers of personal data is increasing exponentially. The protection of personal data, far from being limited to preventing identity theft, is now almost ideological.

The General Data Protection Regulation (GDPR) governs the processing of personal data on the territory of the EU. Entered into force in 2018, it is in line with the French Data Protection Act of 1978 and strengthens the control by citizens of the use that can be made of their personal data.

Chapter V of the GDPR governs transfers of personal data to third countries and imposes a minimum protection base in the event of a transfer outside the EU, i.e. when:

• A controller (RT) or processor (ST) is subject to the GDPR for the given processing;
• This RT or ST “exporter” discloses personal data, subject to this processing, to another RT, a joint RT or a ST “importer”;
• The importer is located in a third country or is an international organisation.

DETAILS:

• The direct collection of a non-EU entity from a European person does not constitute a data transfer: a transfer can only take place between 2 entities;
• A transfer can take place between companies belonging to the same group (between the parent company and its subsidiary for example)
• The employee based outside the EU remains assimilated to his company located in the EU: there is therefore no transfer in the presence of exchanges of personal data between them.

Transfers across the Atlantic are particularly common in the life of companies and it is sometimes difficult to dispense with them. According to estimates, this transfer of information to the United States is necessary for the activity of more than 5000 companies. The clarification of the law governing these transfers is therefore all the more important.

THE IMPACT OF THE SCHREMS CASE LAW ON THE TRANSFER OF PERSONAL DATA TO THE UNITED STATES

In July 2000, the European Commission decided on the adequacy of the “Safe Harbor”, an agreement between the EU and the United States regulating data protection with the aim of allowing the latter to receive the personal data of Europeans. In October 2015, Max Schrems, an Austrian activist for the protection of personal data, obtained the invalidation, by the Court of Justice of the European Union (CJEU), of the “Safe Harbor” (Schrems I judgment).

In order to replace this system, the European Commission and the US government adopted in 2016 a new agreement called “Privacy Shield”. However, as early as 2017, a number of complaints were filed in the EU by None of Your Business, a non-governmental organization founded by Max Schrems, raising the illegality of the use of Google Analytics or Facebook Connect. At the same time, the national supervisory authorities meeting within the European Data Protection Board raised two major issues:

• The shortcomings of the “Privacy Shield”, in particular the lack of support for American companies declaring themselves compatible, the possibilities of recourse and access illusory, the lack of surveillance of companies claiming to be in compliance…
• The hegemony of the American system allowing the authorities to derogate from the general framework for reasons of national security.

On July 16, 2020, in a new Schrems II decision, the CJEU explained that the surveillance carried out by US intelligence agencies in the United States (including the NSA) was insufficiently regulated to comply with the requirements of the GDPR. The “Privacy Shield” was therefore invalidated, as US law did not allow to ensure a sufficient level of protection of personal data for European citizens.

THE TRANSFER OF PERSONAL DATA TO THE UNITED STATES IN THE ABSENCE OF AN ADEQUACY DECISION

As the United States no longer benefits from an adequacy decision, RTs wishing to transfer personal data to this country must ensure protection of such data at least equivalent to that provided for by the GDPR.

Concretely, it is necessary to make an analysis on a case-by-case basis:

• Identify the location of the service providers and the applicable legislation on the protection of personal data (compare offers and try as much as possible to favour intra-EU providers. Although Google Analytics remains the most used solution, European alternatives exist such as Matomo Analytics for example);
• Supervise transfers
• practical framework: limit to what is strictly necessary;
• legal framework: drafting a data processing agreement and using the European Commission’s standard contractual clauses;
• technical framework: data encryption (impossible for “unencrypted” data) with an encryption key held by the RT within the EU;
• Implement organizational measures such as the regionalization of accommodation, in order to limit potential requests for access from public authorities in terms of intelligence;
• Establish binding corporate rules, i.e. an internal policy for the protection of personal data in the event of a transfer;
• Carry out an impact assessment describing the processing carried out, legally assessing the necessity and proportionality of these and technically studying the risks concerning the personal data;
• Inform data subjects of any transfer in a transparent manner;

The fact that transfers of personal data to the United States are no longer covered by an adequacy decision has therefore greatly complicated the lives of companies carrying out these transfers.

TOWARDS A PRIVACY SHIELD II OR A SCHREMS III?

A new agreement in principle was signed on 25 March between the EU and the United States to allow sufficient protection of personal data in the context of transatlantic transfers.

The key principles of this agreement are as follows:

• free flow of data, securely, between the EU and participating US companies;
• a new set of binding rules and safeguards to limit access by US intelligence services to what is necessary and proportionate to protect national security;
• new two-tier effective remedy system to investigate and resolve European complaints about access to data by US intelligence services: creation of an independent tribunal;
• strict obligations for companies processing data transferred from the EU: certification mechanism for adherence to the Principles through the U.S. Department of Commerce;
• specific monitoring and review mechanisms.

This agreement demonstrates the willingness of the United States to offer more guarantee of protection and should lead to a new adequacy decision facilitating the flow of personal data between the EU and the United States.

This “Privacy Shield II” is obviously motivated by important economic interests since the continuous data flows underpin about 900 billion euros of cross-border trade each year. However, like his predecessors, he will certainly have to pass the test of the CJEU, Max Shrems already preparing to act.

By Ginestié Magellan Paley-Vincent, France, a Transatlantic Law International Affiliated Firm.  

For further information or for any assistance please contact france@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.