October was declared Cybersecurity Month by the ANSSI, and there was no shortage of news to comment on, one of which was particularly eagerly awaited: the signing of an executive order by President Biden on the 7th of October 2022[1] to finally make progress on the major issue of the transfer of personal data between the European Union and the United States.
Article published in the Lamy du droit de l’immatériel Revue N°197 of November 2022 (RLDI4583)
After more than two years of legal uncertainty, this news reassures the hundreds of thousands of businesses that transfer personal data from the EU to the US every day. A new way forward seems to be emerging from the fog of legal uncertainty created by the so-called “Shrems II” ruling of the Court of Justice of the European Union (CJEU)[2], which invalidated the main legal instrument underpinning these transfers under Article 45 of the General Data Protection Regulation (GDPR).[3].
As soon as the signature of the US Executive Order was announced, the European Commission welcomed the opportunity to initiate the drafting and adoption process for the new adequacy decision on the same day[4]. This third text, following the successive invalidation by the CJEU of the “Safe Harbor” in 2015 and the “Privacy Shield” in 2020, was the result of an agreement between Joe Biden and Ursula von der Leyen last March[5]. The simultaneity of this arrangement with the question of the supply of energy by the Americans to Europe caused some commentators to react.
United States: “a partner with variable geometry”
Meanwhile, in France, the day before the Biden decree was issued, the Senate Foreign Affairs and Defence Committee held hearings with Stéphane Bouillon, Secretary General of the General Secretariat for Defence and National Security (SGDSN) and Guillaume Poupard, Director General of the National Information Systems Security Agency (ANSSI)[6]. In response to the Commission’s question as to whether the United States was a “partner with variable geometry depending on whether we are talking about cyber, submarines or state visits”, Stéphane Bouillon reiterated that relations between the two powers were essential and of high quality, before concluding with a recommendation for vigilance based on the maxim: “A state has no friends, only interests”.
It must be noted that the balance of power maintained by the United States vis-à-vis Europe, and France in particular, is sometimes described as an “economic war”, as illustrated by highly sensitive cases such as Alstom and Airbus. The use of US extraterritorial legislation is constantly renewing the debate on French or European sovereignty and on our ability to protect our companies and our data, particularly at a time when war is being waged in Europe following Russia’s invasion of Ukraine.
Olivier de Maison Rouge, a business intelligence law specialist, points out that the concept of “national security” in the United States differs substantially from the historical French approach and allows them to “go well beyond the framework of military defence and armies”[7] to include much broader considerations, such as the smooth operation of their national economy.
It is also certain that Edward Snowden’s revelations have enabled Europeans to shake off their naivety about the capture of their data by the US intelligence services.
For Guillaume Poupard, head of the ANSSI, there is no doubt that the new agreement will be cancelled “within 4 years” if the basic rules are not changed[8]. It should be stressed that the United States extraterritorial legal arsenal is now well known[9], and this is precisely what caused difficulties for the CJEU in the “Shrems II” ruling.
Unlawful personal data processing since Shrems II
Since the CJEU’s 2020 ruling, the transfer of European citizens’ personal data to the United States has in principle been considered contrary to the Charter of Fundamental Rights of the European Union, in that US surveillance of these personal data is excessive, insufficiently supervised and, above all, does not allow for the possibility of an effective remedy by the individuals concerned.
In a statement filed by the CNIL at the request of the Conseil d’Etat concerning the action taken against Microsoft in the highly controversial Health Data Hub case, the independent authority points out that the finding of illegality following the CJEU’s decision concerns both the data transferred and those hosted directly in Europe by a US company: as the parent company is governed by US law, it remains subject to US laws. At the request of the US intelligence services, it could be forced to disclose the data concerned, even if it is hosted in France[10].
This latter consideration seems to conclude that virtually all personal data processing in the European economy is illegal because of the supremacy of American players in cloud solutions. However, neither the national authorities nor the European institutions seem to dare to state this so clearly and publicly, and for good reason: in practice, compliance is very difficult, if not impossible, for economic players to achieve.
Since the “Shrems II” ruling, it has been clear that such transfers must be backed up by appropriate safeguards, or more precisely ” additional measures ” designed to compensate for the fact that US law does not provide a level of protection substantially equivalent to that guaranteed by Article 47 of the Charter.
In practice, this means preventing the American intelligence services from gaining unencrypted access to the personal data of Europeans: data encryption or anonymisation are therefore serious ways of providing appropriate guarantees, which are necessary in the absence of an adequacy decision. The problem is that these measures are very complex to implement in the various business contexts in which organisations currently operate.
Additional measures that are difficult to implement in practice: the example of encryption
Encryption is an IT operation whereby unencrypted data becomes unintelligible to those who do not have the means to decrypt it (called a private key or a secret key, depending on the type of encryption in question).
In the era of cloud computing, the issue of encryption is complex and, inevitably, technical. For SaaS solutions, the central issue is determining who holds the key to decrypting the data. In practice, the solution provider must hold this key to be able to serve the data ” on the fly ” to the user: thus, despite all the moral or technical guarantees displayed by these American providers, it remains that if the data can be decrypted by them at a given moment, it can then be captured by the American intelligence services.
For the time being, there are not many examples of real encryption in the cloud, but as the subject is directly linked to the necessity of compliance for organisations, initiatives are regularly being launched, and it is not yet clear whether they will go any further than the inefficiencies previously observed[11].
Some would argue that absolute sovereignty remains a vain hope when it comes to digital technology[12]. The advocates of this “flexible” digital sovereignty consider that it may be excessive to see the suppliers of American solutions as enemies and call instead for technological and legal compromise.
Technological and legal compromise: the wrong solution?
In 2021, the French government indicated that it was in favour of a ” trusted cloud ” combining American software solutions with a solely French-flagged infrastructure: the share capital should be majority French-owned and therefore, a priori, sheltered from American extraterritorial laws. American companies such as Microsoft, Google and Amazon should soon be offering their digital services via French companies such as Orange and Capgemini (‘Bleu’ project), Thalès (‘S3ns’ project) or Atos (not yet officially announced), probably through a complex licensing system in terms of intellectual property.
Not such a good idea, according to the French ecosystem, which advocates uncompromising digital sovereignty. Member of Parliament Philippe Latombe, rapporteur for the information mission “Building and promoting national and European digital sovereignty”, gave his clear opinion on the subject, denouncing to the CNIL, the ANSSI, the Competition Authority and the DGCCRF an “attempt to pull the wool over the eyes” of some of the players concerned.
For the advocates of absolute French and European digital sovereignty, there are still major risks of being subjected to American extraterritorial laws, despite all the good intentions expressed by the GAFAMs.
Towards a new “Shrems III” ruling?
On the 7th of October, the White House announced that the new EU-US agreement would address the concerns raised by the European Court of Justice.
Indeed, some of the GDPR’s principles make their appearance in the American decree: the principle of minimisation[13], as well as considerations relating to retention periods[14], the obligation of security[15]and the principle of accuracy[16]…
Above all, it incorporates the European concept of “proportionality”, which is directly linked to the requirements of the EU Charter of Fundamental Rights regarding the necessity and proportionality of restrictions on established rights and freedoms, such as the right to privacy[17] or the protection of personal data[18].
Still, is this enough? Max Shrems, via his organisation Noyb, points out that while the lexical terms used are now well aligned with those used by the European Commission, the legal meaning given by the United States to the concept of proportionality could differ substantially from the CJEU’s interpretation. According to Max Shrems: “The EU and the US now agree on the use of the word ‘proportionate’ but seem to disagree on the meaning of it. In the end, the CJEU’s definition will prevail – likely killing any EU decision again. The European Commission is turning a blind eye on US law again and allowing the continued surveillance of Europeans”[19].
Other major aspects seem likely to lead to future litigation before the CJEU, such as the new appeal mechanism. The decree establishes a “Data Protection Review Court” to hear appeals in this matter: a major difficulty is that, a priori, this will not be an independent court within the meaning of the Charter, but an entity dependent on the US executive. It is therefore unlikely that the CJEU will consider recourse to the court as a genuine “judicial remedy”, which was one of the main reasons for invalidating the Privacy Shield in 2020.
Conclusion
The European Commission must now work on the new adequacy decision following Article 45 of the RGPD, and then seek the opinion of the European Data Protection Board (EDPB) and the Member States. The final text is not expected before spring 2023. Once validated, it will serve as the basis for data controllers to transfer personal data between the EU and the US. In any case, until it becomes, like its two predecessors, the subject of appeals before national and European courts… It’s a safe bet that we won’t be done with the legal uncertainty in this field any time soon.
By Florian de Vaulx
[1] White House, 7 October 2022, FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework, consulted online [https://www .whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework /]
[2] Court of Justice of the European Union (CJEU), Judgment of 16 July 2020, Grand Chamber, Case C-311/8 Facebook Ireland and Schrems.
[3] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
(General Data Protection Regulation).
[4] European Commission, Questions & Answers: EU-U.S. Data Privacy Framework. Consulted online [https://ec .europa.eu/commission/presscorner/detail/en/QANDA_22_6045]
[5] European Commission, 25 March 2022, Statement by President von der Leyen with President Biden. Press release. Consulted online [https://ec .europa.eu/commission/presscorner/detail/fr/STATEMENT_22_2043]
[6] Committee on Foreign Affairs, Defence and Armed Forces, 5 October 2022, PLF 2023 – Hearing of Messrs Stéphane Bouillon (SGDSN) and Guillaume Poupard (ANSSI).. Consulted online [http://videos .senat.fr/video.3008437_633b624b3e4ca.plf-2023—audition-de-mm-stephane-bouillon-sgdsn-de-guillaume-poupard-anssi-et-de-de-m-emmanu]
[7] de Maison Rouge, Olivier. 28 June 2019, Ecole de Pensée sur la Guerre économique (EPGE). Consulted online [https://www .epge.fr/guerre-economique-et-strategie-de-securite-nationale /]
[8] See above.
[9] See Cloud Act, FISA (section 702) and Executive Order (EO) 12333.
[10] CNIL, 14 October 2020, “Le Conseil d’État demande au Health Data Hub des garanties supplémentaires pour limiter le risque de transfert vers les États-Unis”. Consulted online [https://www .cnil.fr/fr/le-conseil-detat-demande-au-health-data-hub-des-garanties-supplementaires]
[11] For example, Salesforce, the world’s No. 1 software publisher, offers an encryption option based on a temporary cache system but temporarily owns the private key despite the technical encapsulations that try to hide this fact. A recent announcement seems to go even further by including external key managers such as Atos and Thalès, although it is not certain that this will change the previous observation: it does not matter who generates and holds the decryption key, as long as it is necessarily shared with the solution provider at some point.
[12] See above, Guillaume Poupard, hearing before the Committee on Foreign Affairs, Defence and Armed Forces, 5 October 2022, PLF 2023 – Hearing of Messrs Stéphane Bouillon (SGDSN) and Guillaume Poupard (ANSSI)..
[13] III, (A) in Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities, 7 octobre 2022, available online [https://www .whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities /]
[14] III, (A), (2) (b) Ibid
[15] III, (B) Ibid
[16] III, (C) Ibid
[17] Article 7 of the Charter of Fundamental Rights of the European Union.
[18] Article 8 Ibid
[19] NOYB, 7 October 2022, “First reaction: Executive Order on US Surveillance unlikely to satisfy EU law”. Available online [https://noyb.eu/fr/le-nouveau-decret-americain-peu-de-chances-de-satisfaire-la-legislation-europeenne]
Find our article published in the Revue Lamy du droit de l’immatériel :
