Privacy shield: say goodbye to Microsoft, Google, etc.


The Court of Justice recently issued an important decision regarding Europe-US data transfers. This decision surprised both by its consequences and by the absence of a "grace period" for companies to adapt. Let's decipher the situation.

A drastic decision

The decision of the European Court of Justice puts an end to the Privacy Shield. This agreement allowed European companies to transfer personal data to American companies or servers without the transfer violating the GDPR. The highest European court was seized by an Austrian lawyer concerned about data protection and about the powers of the U.S. government to force U.S. companies to open their servers to it. After examining the situation, the court ruled that the powers granted by the legislator to the U.S. government do indeed allow that government to access or capture personal data by automatically examining data flows coming from Europe.

In concrete terms, what are the consequences of this decision?

  1. The Privacy Shield is dead. It is therefore no longer possible to transfer personal data to American companies under this agreement, since it has been annulled.
  2. The standard contractual clauses are on life support. While the clauses proposed by the European Commission for third countries can be applied to many countries, this is not the case for the United States. The conditions for their application are not met in the USA, contrary to what the major American players in the sector claim: the access to data by the American government makes these clauses inapplicable.
  3. Consent is impossible! In theory, a company could ask users to consent to the data processing. But in some cases consent is not freely given: what latitude does an employee have to refuse that his employer creates an account for him with Gmail or Microsoft Office? And even if consent were possible, how do you explain to prospective users that they are consenting to have their data examined by U.S. authorities in the name of U.S. national security, and how do you explain what that government will do with it?
  4. Data encryption is not a 100% secure solution. In theory, encrypting the data end to end (from the company's computers or servers to the servers located in the USA) could offer sufficient guarantees of security. However, companies that use this solution must be very careful, because the American authorities keep their surveillance rights. The encryption must therefore be extremely strong, and the American authorities must have no way of obtaining the keys. But everyone knows that absolute security does not exist, even in theory.
  5. This means that U.S. companies can no longer be processors under the GDPR. Indeed, they could not commit to the GDPR even if they wanted to, because of U.S. laws. Therefore, we can no longer choose them as processors.

What are the practical consequences?

  1. Companies must stop all data transfers to U.S. companies.
  2. Unfortunately, we do not have European equivalents for all the American service providers.
  3. A considerable workload is placed on the shoulders of companies and their DPOs, without the European or national authorities being able to offer them any practical solution.
  4. Will the American authorities soften their security and control rules? It is doubtful, unless the American giants of the sector get their way through one of those gigantic lobbying efforts they are famous for. But there, as here, a balance between security and privacy is essential.

In short, it is a bit of a mess at the moment. We can hope that the European authorities will not impose sanctions immediately, but nothing is certain at this stage.

Our advice:

Immediately review all your contracts with your DPO or counsel regarding data transfers to U.S. companies.

Want to know more?

Are you looking for a turnkey solution for your GDPR management?

Contact us to learn more about our solution and its applications.
