{"id":2361,"date":"2022-11-18T07:42:53","date_gmt":"2022-11-18T07:42:53","guid":{"rendered":"https:\/\/datasure.net\/uncategorized\/overview-of-the-situation-following-the-us-executive-order-on-the-transfer-of-personal-data-between-the-eu-and-the-usa\/"},"modified":"2023-07-25T14:14:47","modified_gmt":"2023-07-25T14:14:47","slug":"overview-of-the-situation-following-the-us-executive-order-on-the-transfer-of-personal-data-between-the-eu-and-the-usa","status":"publish","type":"post","link":"https:\/\/www.datasure.net\/es\/doctrine-en\/overview-of-the-situation-following-the-us-executive-order-on-the-transfer-of-personal-data-between-the-eu-and-the-usa\/","title":{"rendered":"Overview of the situation following the US executive order on the transfer of personal data between the EU and the USA"},"content":{"rendered":"<p><strong>October was declared Cybersecurity Month by the ANSSI, and there was no shortage of news to comment on, one of which was particularly eagerly awaited: the signing of an executive order by President Biden on the 7th of October 2022<a href=\"#_ftn1\" name=\"_ftnref1\">[1]<\/a> to finally make progress on the major issue of the transfer of personal data between the European Union and the United States.<\/strong><\/p>\n<p><!--more--><\/p>\n<p><span style=\"color: #999999;\"><em>Article published in the <a href=\"#lamy\">Lamy du droit de l&rsquo;immat\u00e9riel Revue N\u00b0197 of November 2022 (RLDI4583)<\/a><\/em><\/span><\/p>\n<p>After more than two years of legal uncertainty, this news reassures the hundreds of thousands of businesses that transfer personal data from the EU to the US every day. 
A new way forward seems to be emerging from the fog of legal uncertainty created by the so-called \u00ab\u00a0Schrems II\u00a0\u00bb ruling of the Court of Justice of the European Union (CJEU)<a href=\"#_ftn2\" name=\"_ftnref2\">[2]<\/a>, which invalidated the adequacy decision that was the main legal instrument underpinning these transfers under Article 45 of the General Data Protection Regulation (GDPR)<a href=\"#_ftn3\" name=\"_ftnref3\">[3]<\/a>.<\/p>\n<p>As soon as the signature of the US Executive Order was announced, the European Commission welcomed it and, on the same day, initiated the drafting and adoption process for a new adequacy decision<a href=\"#_ftn4\" name=\"_ftnref4\">[4]<\/a>. This third text, following the successive invalidation by the CJEU of the \u00ab\u00a0<em>Safe Harbor<\/em>\u00a0\u00bb in 2015 and the \u00ab\u00a0<em>Privacy Shield<\/em>\u00a0\u00bb in 2020, is the result of an agreement reached between Joe Biden and Ursula von der Leyen in March 2022<a href=\"#_ftn5\" name=\"_ftnref5\">[5]<\/a>. The fact that this arrangement coincided with discussions on the supply of American energy to Europe prompted some commentators to react.<\/p>\n<p>&nbsp;<\/p>\n<h2><strong>United States: \u00ab\u00a0a partner with variable geometry\u00a0\u00bb<\/strong><\/h2>\n<p>Meanwhile, in France, the day before the Biden executive order was signed, the Senate Committee on Foreign Affairs, Defence and Armed Forces heard St\u00e9phane Bouillon, Secretary General for Defence and National Security (SGDSN), and Guillaume Poupard, Director General of the National Information Systems Security Agency (ANSSI)<a href=\"#_ftn6\" name=\"_ftnref6\">[6]<\/a>. 
In response to the committee&rsquo;s question as to whether the United States was a <em>\u00ab\u00a0partner with variable geometry depending on whether we are talking about cyber, submarines or state visits\u00a0\u00bb<\/em>, St\u00e9phane Bouillon reiterated that relations between the two powers were essential and of high quality, before concluding with a call for vigilance based on the maxim: <em>\u00ab\u00a0A state has no friends, only interests\u00a0\u00bb.<\/em><\/p>\n<p>It must be noted that the balance of power maintained by the United States vis-\u00e0-vis Europe, and France in particular, is sometimes described as an <em>\u00ab\u00a0economic war\u00a0\u00bb<\/em>, as illustrated by highly sensitive cases such as Alstom and Airbus. The use of US extraterritorial legislation constantly revives the debate on French and European sovereignty and on our ability to protect our companies and our data, particularly at a time when war is being waged in Europe following Russia&rsquo;s invasion of Ukraine.<\/p>\n<p>Olivier de Maison Rouge, a specialist in economic intelligence law, points out that the concept of <em>\u00ab\u00a0national security\u00a0\u00bb<\/em> in the United States differs substantially from the historical French approach and allows the Americans to <em>\u00ab\u00a0go well beyond the framework of military defence and armies\u00a0\u00bb<a href=\"#_ftn7\" name=\"_ftnref7\"><strong>[7]<\/strong><\/a><\/em> to include much broader considerations, such as the smooth operation of their national economy.<\/p>\n<p>It is also certain that Edward Snowden&rsquo;s revelations have enabled Europeans to shed their naivety about the capture of their data by the US intelligence services.<\/p>\n<p>For Guillaume Poupard, head of the ANSSI, there is no doubt that the new agreement will be struck down \u00ab\u00a0within 4 years\u00a0\u00bb if the underlying rules are not changed<a href=\"#_ftn8\" name=\"_ftnref8\">[8]<\/a>. 
It should be stressed that the United States&rsquo; extraterritorial legal arsenal is now well known<a href=\"#_ftn9\" name=\"_ftnref9\">[9]<\/a>, and it is precisely this that caused difficulties for the CJEU in the \u00ab\u00a0Schrems II\u00a0\u00bb ruling.<\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Unlawful personal data processing since Schrems II<\/strong><\/h2>\n<p>Since the CJEU&rsquo;s 2020 ruling, the transfer of European citizens&rsquo; personal data to the United States has in principle been considered contrary to the Charter of Fundamental Rights of the European Union, in that US surveillance of these personal data is excessive, insufficiently supervised and, above all, does not give the individuals concerned an effective remedy.<\/p>\n<p>In observations filed by the CNIL at the request of the Conseil d&rsquo;Etat in the highly controversial Health Data Hub case concerning Microsoft, the independent authority points out that the finding of illegality following the CJEU&rsquo;s decision concerns both data transferred to the United States and data hosted directly in Europe by a US company: as the parent company is governed by US law, the hosting entity remains subject to US laws. At the request of the US intelligence services, it could be forced to disclose the data concerned, even if it is hosted in France<a href=\"#_ftn10\" name=\"_ftnref10\">[10]<\/a>.<\/p>\n<p>This latter consideration seems to imply that virtually all personal data processing in the European economy is illegal, given the dominance of American players in <em>cloud<\/em> solutions. 
However, neither the national authorities nor the European institutions seem to dare to state this so clearly and publicly, and for good reason: in practice, compliance is very difficult, if not impossible, for economic players to achieve.<\/p>\n<p>Since the \u00ab\u00a0Schrems II\u00a0\u00bb ruling, it has been clear that such transfers must be backed up by appropriate safeguards, or more precisely by \u00ab\u00a0additional measures\u00a0\u00bb designed to compensate for the fact that US law does not provide a level of protection substantially equivalent to that guaranteed by Article 47 of the Charter.<\/p>\n<p>In practice, this means preventing the American intelligence services from gaining access to Europeans&rsquo; personal data in unencrypted form: encryption or anonymisation of the data are therefore serious candidates for the appropriate guarantees that are necessary in the absence of an adequacy decision. The problem is that these measures are very complex to implement in the various business contexts in which organisations currently operate.<\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Additional measures that are difficult to implement in practice: the example of encryption<\/strong><\/h2>\n<p>Encryption is an IT operation whereby readable data is made unintelligible to anyone who does not hold the means to decrypt it (a private key for asymmetric encryption, or a secret key for symmetric encryption).<\/p>\n<p>In the era of <em>cloud computing<\/em>, the issue of encryption is complex and, inevitably, technical. For SaaS solutions, the central issue is determining who holds the key capable of decrypting the data. 
In practice, the solution provider must hold this key to be able to serve the data \u00ab\u00a0on the fly\u00a0\u00bb to the user: thus, despite all the moral or technical guarantees displayed by these American providers, the fact remains that if the data can be decrypted by them <em>at a given moment<\/em>, it can be obtained by the American intelligence services at that moment.<\/p>\n<p>For the time being, there are few examples of genuine encryption in the <em>cloud<\/em>, but as the subject is directly linked to organisations&rsquo; <em>compliance<\/em> obligations, initiatives are regularly launched, and it is not yet clear whether they will overcome the shortcomings previously observed<a href=\"#_ftn11\" name=\"_ftnref11\">[11]<\/a>.<\/p>\n<p>Some would argue that absolute sovereignty remains a vain hope when it comes to digital technology<a href=\"#_ftn12\" name=\"_ftnref12\">[12]<\/a>. The advocates of this \u00ab\u00a0flexible\u00a0\u00bb digital sovereignty consider that it may be excessive to see the suppliers of American solutions as enemies, and call instead for technological and legal compromise.<\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Technological and legal compromise: the wrong solution?<\/strong><\/h2>\n<p>In 2021, the French government indicated that it was in favour of a \u00ab\u00a0trusted cloud\u00a0\u00bb combining American software solutions with an infrastructure operated under a purely French flag: the share capital would be majority French-owned and therefore, <em>a priori<\/em>, sheltered from American extraterritorial laws. 
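<\/p>\n<p>The key-custody point made in the previous section, and again in footnote 11, can be made concrete. The following Go program is an illustration added to this edition of the article; it is not code from the original text nor from any of the providers named in it. It encrypts one constructed sample record (not real personal data) with AES-256-GCM from the Go standard library and compares three custody models for the same record: a key generated and kept by the SaaS provider; a key that never leaves the customer; and a key generated by an external key manager but released to the provider so that it can render the record \u00ab\u00a0on the fly\u00a0\u00bb. The <code>Provider<\/code> type and its <code>Disclose<\/code> method are hypothetical names standing in for the operator and for a compelled-access request: the method returns whatever the provider is able to read.<\/p>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed sample record standing in for a European customer's personal data.
const sampleRecord = "name=Jean Dupont;dob=1980-04-12;email=jean.dupont@example.org"

// randomBytes returns n cryptographically random bytes (AES-256 keys are 32, GCM nonces 12).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a bad key length can cause this
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
func seal(key []byte, plaintext string) []byte {
	gcm := newGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, []byte(plaintext), nil)
}

// unseal reverses seal; it fails on a wrong key or a tampered blob.
func unseal(key, blob []byte) (string, error) {
	gcm := newGCM(key)
	if len(blob) < gcm.NonceSize() {
		return "", fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	return string(pt), err
}

// Provider models the SaaS operator: it stores ciphertext and, in some custody models, a usable key too.
type Provider struct {
	store       map[string][]byte
	keyInMemory []byte // nil unless a key has been handed to the provider
}

// Disclose (hypothetical name) models a compelled-access request: plaintext and true if the provider
// can read the record; otherwise the ciphertext it holds (or nothing) and false.
func (p *Provider) Disclose(id string) ([]byte, bool) {
	blob := p.store[id]
	if p.keyInMemory == nil {
		return blob, false
	}
	pt, err := unseal(p.keyInMemory, blob)
	return []byte(pt), err == nil
}

// ProviderHeldKeyDiscloses: server-side encryption with a key the provider generated and keeps.
func ProviderHeldKeyDiscloses() bool {
	p := &Provider{store: map[string][]byte{}, keyInMemory: randomBytes(32)}
	p.store["rec1"] = seal(p.keyInMemory, sampleRecord)
	got, disclosed := p.Disclose("rec1")
	return disclosed && string(got) == sampleRecord
}

// ClientHeldKeyDiscloses: the customer encrypts before upload and never shares the key; it also reports whether the customer can still read.
func ClientHeldKeyDiscloses() (disclosed, customerCanRead bool) {
	p := &Provider{store: map[string][]byte{}}
	clientKey := randomBytes(32)
	p.store["rec1"] = seal(clientKey, sampleRecord)
	got, disclosed := p.Disclose("rec1")
	back, err := unseal(clientKey, got) // the customer decrypts what the provider handed over
	return disclosed, err == nil && back == sampleRecord
}

// ReleasedKMSKeyDiscloses: the key is generated by the customer's external key manager, but the provider
// pulls it into a cache to render the record "on the fly"; while it is cached, it can be compelled.
func ReleasedKMSKeyDiscloses() bool {
	p := &Provider{store: map[string][]byte{}}
	kmsKey := randomBytes(32)
	p.store["rec1"] = seal(kmsKey, sampleRecord)
	p.keyInMemory = append([]byte(nil), kmsKey...) // key released to the provider
	got, disclosed := p.Disclose("rec1")
	return disclosed && string(got) == sampleRecord
}

func main() {
	d, r := ClientHeldKeyDiscloses()
	fmt.Println("provider key:", ProviderHeldKeyDiscloses(), "client key:", d, "customer reads:", r, "released KMS key:", ReleasedKMSKeyDiscloses())
}
```

<p>Run as is, the first and third models report <code>true<\/code> (plaintext can be produced) and the second reports <code>false<\/code> while the customer can still decrypt its own record. The third model is the point of footnote 11: an external key manager changes who generates the key, not who can use it, because the provider must hold a usable copy in memory for as long as it serves the data. Only the second model keeps the provider out of the loop, and it does so at the price of the provider being unable to search, index or display the field at all.<\/p>\n<p>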
American companies such as Microsoft, Google and Amazon are expected to offer their digital services through French companies such as Orange and Capgemini (&lsquo;Bleu&rsquo; project), Thal\u00e8s (&lsquo;S3ns&rsquo; project) or Atos (not yet officially announced), probably through a complex licensing arrangement in terms of intellectual property.<\/p>\n<p>Not such a good idea, according to the part of the French ecosystem that advocates uncompromising digital sovereignty. Member of Parliament Philippe Latombe, rapporteur for the fact-finding mission <em>\u00ab\u00a0Building and promoting national and European digital sovereignty\u00a0\u00bb<\/em>, gave his clear opinion on the subject, reporting to the CNIL, the ANSSI, the Competition Authority and the DGCCRF an \u00ab\u00a0attempt to pull the wool over the eyes\u00a0\u00bb of some of the players concerned.<\/p>\n<p>For the advocates of absolute French and European digital sovereignty, the risk of being subjected to American extraterritorial laws remains substantial, despite all the good intentions expressed by the GAFAMs.<\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Towards a new \u00ab\u00a0Schrems III\u00a0\u00bb ruling?<\/strong><\/h2>\n<p>On the 7th of October, the White House announced that the new EU-US agreement would address the concerns raised by the CJEU.<\/p>\n<p>Indeed, some of the GDPR&rsquo;s principles make their appearance in the American executive order: the principle of minimisation<a href=\"#_ftn13\" name=\"_ftnref13\">[13]<\/a>, as well as considerations relating to retention periods<a href=\"#_ftn14\" name=\"_ftnref14\">[14]<\/a>, the obligation of security<a href=\"#_ftn15\" name=\"_ftnref15\">[15]<\/a> and the principle of accuracy<a href=\"#_ftn16\" name=\"_ftnref16\">[16]<\/a>\u2026<\/p>\n<p>Above all, it incorporates the European concept of <em>\u00ab\u00a0proportionality\u00a0\u00bb<\/em>, which is directly linked to the requirements of the EU Charter of Fundamental Rights regarding the necessity and 
proportionality of restrictions on established rights and freedoms, such as the right to privacy<a href=\"#_ftn17\" name=\"_ftnref17\">[17]<\/a> or the protection of personal data<a href=\"#_ftn18\" name=\"_ftnref18\">[18]<\/a>.<\/p>\n<p>Still, is this enough? Max Schrems, via his organisation noyb, points out that while the terms used are now well aligned with those used by the European Commission, the legal meaning given by the United States to the concept of proportionality could differ substantially from the CJEU&rsquo;s interpretation. According to Max Schrems: <em>\u00ab\u00a0The EU and the US now agree on the use of the word &lsquo;proportionate&rsquo; but seem to disagree on the meaning of it. In the end, the CJEU&rsquo;s definition will prevail &#8211; likely killing any EU decision again. The European Commission is turning a blind eye on US law again and allowing the continued surveillance of Europeans\u00a0\u00bb<\/em><a href=\"#_ftn19\" name=\"_ftnref19\">[19]<\/a><em>.<\/em><\/p>\n<p>Other major aspects seem likely to lead to future litigation before the CJEU, such as the new redress mechanism. The executive order establishes a <em>\u00ab\u00a0Data Protection Review Court\u00a0\u00bb<\/em> to hear appeals in this area: a major difficulty is that, <em>a priori<\/em>, this will not be an independent court within the meaning of the Charter, but a body attached to the US executive. It is therefore unlikely that the CJEU will regard recourse to this body as a genuine \u00ab\u00a0judicial remedy\u00a0\u00bb, the absence of which was one of the main reasons for invalidating the Privacy Shield in 2020.<\/p>\n<h2><strong>Conclusion<\/strong><\/h2>\n<p>The European Commission must now draft the new adequacy decision under Article 45 of the GDPR, and then seek the opinion of the European Data Protection Board (EDPB) and the Member States. The final text is not expected before spring 2023. 
Once adopted, it will serve as the basis on which data controllers transfer personal data between the EU and the US. That is, until it becomes, like its two predecessors, the subject of challenges before national and European courts&#8230; It is a safe bet that we will not be done with legal uncertainty in this field any time soon.<\/p>\n<p>By Florian de Vaulx<\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\">[1]<\/a> White House, 7 October 2022, <em>FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework<\/em>, consulted online [https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2022\/10\/07\/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework\/]<\/p>\n<p><a href=\"#_ftnref2\" name=\"_ftn2\">[2]<\/a> Court of Justice of the European Union (CJEU), Judgment of 16 July 2020, Grand Chamber, Case C-311\/18, <em>Facebook Ireland and Schrems<\/em>.<\/p>\n<p><a href=\"#_ftnref3\" name=\"_ftn3\">[3]<\/a> Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation).<\/p>\n<p><a href=\"#_ftnref4\" name=\"_ftn4\">[4]<\/a> European Commission, Questions &amp; Answers: EU-U.S. Data Privacy Framework. Consulted online [https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/QANDA_22_6045]<\/p>\n<p><a href=\"#_ftnref5\" name=\"_ftn5\">[5]<\/a> European Commission, 25 March 2022, Statement by President von der Leyen with President Biden. Press release. 
Consulted online [https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/fr\/STATEMENT_22_2043]<\/p>\n<p><a href=\"#_ftnref6\" name=\"_ftn6\">[6]<\/a> Senate Committee on Foreign Affairs, Defence and Armed Forces, 5 October 2022, <em>PLF 2023 &#8211; Hearing of Messrs St\u00e9phane Bouillon (SGDSN) and Guillaume Poupard (ANSSI)<\/em>. Consulted online [http:\/\/videos.senat.fr\/video.3008437_633b624b3e4ca.plf-2023&#8212;audition-de-mm-stephane-bouillon-sgdsn-de-guillaume-poupard-anssi-et-de-de-m-emmanu]<\/p>\n<p><a href=\"#_ftnref7\" name=\"_ftn7\">[7]<\/a> de Maison Rouge, Olivier, 28 June 2019, Ecole de Pens\u00e9e sur la Guerre \u00e9conomique (EPGE). Consulted online [https:\/\/www.epge.fr\/guerre-economique-et-strategie-de-securite-nationale\/]<\/p>\n<p><a href=\"#_ftnref8\" name=\"_ftn8\">[8]<\/a> <em>See above<\/em>.<\/p>\n<p><a href=\"#_ftnref9\" name=\"_ftn9\">[9]<\/a> See the <em>CLOUD Act<\/em>, FISA section 702 and <em>Executive Order<\/em> (EO) 12333.<\/p>\n<p><a href=\"#_ftnref10\" name=\"_ftn10\">[10]<\/a> CNIL, 14 October 2020, \u00ab\u00a0Le Conseil d&rsquo;\u00c9tat demande au Health Data Hub des garanties suppl\u00e9mentaires pour limiter le risque de transfert vers les \u00c9tats-Unis\u00a0\u00bb. Consulted online [https:\/\/www.cnil.fr\/fr\/le-conseil-detat-demande-au-health-data-hub-des-garanties-supplementaires]<\/p>\n<p><a href=\"#_ftnref11\" name=\"_ftn11\">[11]<\/a> For example, Salesforce, the world&rsquo;s No. 1 software publisher, offers an encryption option based on a temporary cache mechanism, but it holds the decryption key, at least temporarily, despite the technical layers that try to obscure this fact. 
A recent announcement seems to go further by bringing in external key managers such as Atos and Thal\u00e8s, although it is not certain that this changes the previous observation: it does not matter who generates and holds the decryption key if it must, at some point, be shared with the solution provider.<\/p>\n<p><a href=\"#_ftnref12\" name=\"_ftn12\">[12]<\/a> <em>See above<\/em>, Guillaume Poupard, hearing before the Senate Committee on Foreign Affairs, Defence and Armed Forces, 5 October 2022, <em>PLF 2023 &#8211; Hearing of Messrs St\u00e9phane Bouillon (SGDSN) and Guillaume Poupard (ANSSI)<\/em>.<\/p>\n<p><a href=\"#_ftnref13\" name=\"_ftn13\">[13]<\/a> III, (A) <em>in<\/em> Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, 7 October 2022, available online [https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2022\/10\/07\/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities\/]<\/p>\n<p><a href=\"#_ftnref14\" name=\"_ftn14\">[14]<\/a> III, (A), (2) (b) <em>Ibid<\/em>.<\/p>\n<p><a href=\"#_ftnref15\" name=\"_ftn15\">[15]<\/a> III, (B) <em>Ibid<\/em>.<\/p>\n<p><a href=\"#_ftnref16\" name=\"_ftn16\">[16]<\/a> III, (C) <em>Ibid<\/em>.<\/p>\n<p><a href=\"#_ftnref17\" name=\"_ftn17\">[17]<\/a> Article 7 of the Charter of Fundamental Rights of the European Union.<\/p>\n<p><a href=\"#_ftnref18\" name=\"_ftn18\">[18]<\/a> Article 8 <em>Ibid<\/em>.<\/p>\n<p><a href=\"#_ftnref19\" name=\"_ftn19\">[19]<\/a> NOYB, 7 October 2022, <em>\u00ab\u00a0First reaction: Executive Order on US Surveillance unlikely to satisfy EU law\u00a0\u00bb<\/em>. 
Available online [<a href=\"https:\/\/noyb.eu\/fr\/le-nouveau-decret-americain-peu-de-chances-de-satisfaire-la-legislation-europeenne\">https:\/\/noyb.eu\/fr\/le-nouveau-decret-americain-peu-de-chances-de-satisfaire-la-legislation-europeenne<\/a>]<\/p>\n<p><!--more--><\/p>\n<p>&nbsp;<\/p>\n<p id=\"lamy\">Find our article published in the Revue Lamy du droit de l&rsquo;immat\u00e9riel :<\/p>\n<p><a href=\"https:\/\/www.datasure.net\/wp-content\/uploads\/2022\/11\/RLDI4583.pdf\"><img fetchpriority=\"high\" decoding=\"async\" class=\"size-full wp-image-1232 aligncenter\" src=\"https:\/\/www.datasure.net\/wp-content\/uploads\/2022\/11\/visuelrldi.png\" alt=\"\" width=\"375\" height=\"484\" srcset=\"https:\/\/www.datasure.net\/wp-content\/uploads\/2022\/11\/visuelrldi.png 375w, https:\/\/www.datasure.net\/wp-content\/uploads\/2022\/11\/visuelrldi-300x387.png 300w, https:\/\/www.datasure.net\/wp-content\/uploads\/2022\/11\/visuelrldi-200x258.png 200w, https:\/\/www.datasure.net\/wp-content\/uploads\/2022\/11\/visuelrldi-232x300.png 232w\" sizes=\"(max-width: 375px) 100vw, 375px\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>October was declared Cybersecurity Month by the ANSSI, and there was no shortage of news to comment on, one of which was particularly eagerly awaited: the signing of an executive order by President Biden on the 7th of October 2022[1] to finally make progress on the major issue of the transfer of personal data between 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1241,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24],"tags":[],"class_list":["post-2361","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-doctrine-en"],"_links":{"self":[{"href":"https:\/\/www.datasure.net\/es\/wp-json\/wp\/v2\/posts\/2361","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.datasure.net\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.datasure.net\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.datasure.net\/es\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.datasure.net\/es\/wp-json\/wp\/v2\/comments?post=2361"}],"version-history":[{"count":1,"href":"https:\/\/www.datasure.net\/es\/wp-json\/wp\/v2\/posts\/2361\/revisions"}],"predecessor-version":[{"id":2362,"href":"https:\/\/www.datasure.net\/es\/wp-json\/wp\/v2\/posts\/2361\/revisions\/2362"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.datasure.net\/es\/wp-json\/wp\/v2\/media\/1241"}],"wp:attachment":[{"href":"https:\/\/www.datasure.net\/es\/wp-json\/wp\/v2\/media?parent=2361"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.datasure.net\/es\/wp-json\/wp\/v2\/categories?post=2361"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.datasure.net\/es\/wp-json\/wp\/v2\/tags?post=2361"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}