Context
You've probably heard about the decision by the European Court of Justice to annul, for the second time, the agreement proposed by the European Commission to allow the transfer of personal data from Europe to the United States, known as the Privacy Shield. The main reason for the annulment was that the American secret services could access personal data held by American companies, and therefore the data of European citizens and consumers, without the latter being able to prevent it, or sometimes even being aware of it. And so, since July 2021, the use of American companies as subcontractors had become complex, if not impossible or illegal.
Convictions
Following complaints filed across Europe against companies using Google Analytics by the NGO NOYB (None of Your Business), which was behind the cancellation of the Privacy Shield, the CNIL and other European authorities agreed with the NGO and declared GA contrary to the GDPR.
Most recently, the record 1.2 billion fine for Facebook demonstrated once again the difficulty of reconciling the GDPR with data transfers to the USA. All this generated colossal legal uncertainty, as any recourse to one of the GAFAMs could pose a problem and was liable to heavy fines.
At last Ursula came
To paraphrase Boileau's line about Malherbe: At last Ursula came, with one accord taught power, and reduced DPOs to the rules of duty.
Abracadabra, never two without three: the Commission, with a wave of its magic wand and a bit of smoke and mirrors, has for the past few days considered that the United States is fit to associate with again, that its legislation complies with the GDPR, and that the billions of personal data of European citizens can once again be transmitted to American companies.
And yet the European Parliament, the European data protection authorities and the majority of experts had denounced this proposed "adequacy decision", which considers, by turning a blind eye, that US legislation complies with the GDPR.
Sleep well folks
As a result of this decision, a number of statements - perhaps a little hypocritical, or inspired by convenience - were issued, claiming that everything was fine, and that all Europeans' personal data could now once again be stored on American servers without any problem. Unfortunately, nothing could be further from the truth.
This decision is likely to be overturned, for a third time, by the European Court of Justice in the coming months, for a number of reasons, and in particular because mass surveillance and data monitoring by the European Union's data protection authorities is not a new phenomenon.
And so, for a few months, European companies and organizations and their American cloud and IT solution providers will pretend that all is well.
Once again, the Commission has not taken the protection of European citizens' personal data into account. And instead of boosting GAFAM's turnover, wouldn't it have been more useful to invest the Commission's efforts in creating European solutions that respect European citizens and consumers?
Conclusion
The NGO NOYB, which was behind the first two cancellations, is in the starting blocks to have this decision overturned for the third time. As its president Max Schrems puts it, "They say the definition of insanity is doing the same thing over and over again and expecting a different result".