Press release
From July 16th onwards: a long-lasting period of legal insecurity
On July 16th, 2020, the Court of Justice of the European Union (CJEU) invalidated the deal setting the rules for transatlantic data transfers — the EU-US Privacy Shield — in a decision known as “Schrems II”. The Court found that the deal did not guarantee a sufficient level of protection for the personal data of European citizens. Beyond its historic significance, this decision has left many European actors in a time of uncertainty and legal insecurity. Not only does it not provide them with a grace period to analyze it and take appropriate measures when necessary, but it is also retroactive. Beyond future international data transfers, the conformity of all previous data transfers operated under the Privacy Shield since 2016 must be reassessed, which calls many current contracts into question. Following this decision, a wave of lawsuits has already been filed, including several against French companies, while the European Commission is still updating the Standard Contractual Clauses (tools offering actors a framework to manage international transfers), a task that will most probably not be finalised before March.
A strict interpretation by the regulators that weighs heavily on the actors
Following the decision, the European Data Protection Board (EDPB), which gathers all national data protection authorities in Europe, has published a series of guidelines aimed at guaranteeing the respect of the EU's level of personal data protection when it comes to international data transfers. Although we can commend the fact that — in an effort to ensure a degree of harmony of the regional framework at a time when national authorities are receiving various complaints across Europe — this initiative was handled at the European level, those recommendations seem hardly applicable. The EDPB proposes extremely strict criteria that clash with the very reality of European national frameworks: very few countries meet the level of requirements set by the European committee, including EU member states like France.
A decision that goes beyond the sphere of personal data protection
In addition to being strict, these recommendations seem to omit the essential principle of the hierarchy of norms that is at the foundation of law. Behind the Schrems II decision hides a conflict of sovereignty between states: what is questioned here is the capacity of governments to access data that is protected by foreign rights. No actor can formally promise that they will disobey their country’s sovereign legal system. This decision also raises the question of balancing fundamental rights, and especially of balancing security and privacy laws. The EU hails the GDPR when other states have their national security at stake. The security-liberty equilibrium is not dealt with by the GDPR, which is a text about freedom. This balance becomes even more contentious at a time when approaches to national security differ between EU member states, and legislative efforts to organise authorities’ access to encrypted data are multiplying across the EU. Hence, the interpretation of this decision requires expertise which goes far beyond that of data protection authorities, which are neither constitutionalists nor antiterrorism specialists. On this matter, the CJEU’s decision offers a certain degree of latitude to guarantee such a balance and its enforceability.
In the absence of a “grace period”, a “grace method”?
In the absence of an official grace period, Renaissance Numérique calls for the implementation of a "grace method" to be shared between all stakeholders: a proportional approach based on the diligence of actors and risk assessments, allowing the identification of operational requirements and the reduction of hasty sanctions, to fill the gap while the European doctrine and tools (updated Standard Contractual Clauses) are not stabilised and enforced. The CJEU's decision is not binary, and offers a range of possible contextualisation that allows the analysis of data transfers on a case-by-case basis. This methodology should especially take into account the degree of sensitivity of the transferred data. It should also assess the possibility of national security-related surveillance of certain data, the possible inadequacy of technical measures in some cases, the complexity of the data processing chain, etc. This mid-level step could make it possible to break the deadlock, while waiting for a more robust international agreement to be set up. At a time when sovereignty has become a source of conflict between states in the digital sphere, a genuine solution can indeed only come from a new international deal with the United States, in conformity with the Schrems II judgment. For now, regulators and companies keep shifting the responsibility to take action onto one another, and actors risk being continuously jeopardised by this lasting uncertainty. Renaissance Numérique calls on the European Commission and Europe’s executive power to open a dialogue with all relevant stakeholders, in order to establish a coordinated enforcement of the decision issued by the Court of Justice of the European Union across Europe. This dialogue should allow European authorities to gather all relevant expertise, beyond the sole data protection sphere — for instance experts of international and constitutional law or security issues — and to define standards that comply with our values.