A little history
You may remember that in 2021 the Privacy Shield, the agreement between the United States and Europe that allowed the transfer of personal data between the two continents, was annulled by the Court of Justice of the European Union because section 702 of FISA (the Foreign Intelligence Surveillance Act), implemented under the Bush administration to fight terrorism, allows the American intelligence services to access the personal data of the customers of American companies on request. And the requests from the intelligence services are numerous: in 2021, nearly 5,000 for Apple and 12,000 for Microsoft and, oh horror, they sometimes concerned American citizens!
The Court of Justice rightly found that this regulation is contrary to the GDPR, as European citizens had no control or possibility of appeal against such requests to use their personal data.
Following this ruling, and a hundred or so actions by NOYB, Max Schrems' NGO, which was the basis for the Court of Justice's decision, several decisions by European data protection authorities banned the use of Google Analytics, which allows the analysis of Internet users' behavior, and some European governments, for example, were considering banning the use of Microsoft. In addition, several complaints against the GAFAM companies for non-compliance with the GDPR were being examined, with the risk of fines in the tens of millions of euros...
Continuing legal uncertainty
Since this ruling, specialists have been tearing their hair out, faced with requests from citizens to stop using the services of the famous GAFAM (Google, Amazon, Facebook, Apple and Microsoft). While European alternatives exist for some of the services these companies offer, it is more complex to stop using Microsoft or Salesforce, or to give up targeted ads on Facebook. And so companies and organizations on both sides of the Atlantic were waiting for a solution.
In March 2022, at a meeting between President Biden and Ms. von der Leyen, President of the European Commission, the two announced, all smiles, that they would find a solution. But it took six months for President Biden to issue an Executive Order, which did not respond to the arguments of the Court of Justice. A few months later, the Commission proposed a "data privacy framework". But this proposal, which had to go through several stages before being adopted, was criticized as soon as it was published because it did not solve the problem. Indeed, the American regulations did not change, and no response was given to the Court's criticism of the American intelligence requests. The Commission was therefore going to have to go back to the drawing board.
In short, the legal uncertainty persisted and many organizations remained in limbo by continuing to use, in a quasi-illegal manner, the services of American companies, which themselves risked fines of several tens of millions of euros because of this American regulation.
GAFAMs: unexpected allies
While all eyes were on the White House and the European Commission, waiting for a real solution, Bloomberg announced that Apple, Alphabet (Google and YouTube) and Meta (Facebook, Instagram), faced with these threats of fines or even a ban on continuing to offer their services in Europe, had suddenly decided to defend their customers, admittedly American ones, against the intelligence services, declaring hand on heart: "we no longer want to have to share the personal data of our users with the intelligence services". They want the deletion of section 702, the article criticized by the Court of Justice, which allows the intelligence services to access personal data.
And as luck would have it, they are proposing the same thing that the Court of Justice recommended: subjecting these requests to the authorization of a judge, which would allow for an appeal and thus a possible authorization of these transfers under the GDPR. According to Bloomberg, the US Congress will be in favor of this request to protect American citizens, which would indirectly make the United States more compatible with the GDPR.
Let's remember that TikTok is heavily criticized in the United States because a similar Chinese law allows the Chinese government to access American users' data. But this is probably just a coincidence.
A solution in sight for data transfers to the US?
In fact, by arguing that they want to protect their American customers, the GAFAM companies also have an indirect interest in changing US law, as this would make these large companies acceptable partners again in Europe and perhaps put an end to the legal uncertainty related to non-compliance with the GDPR.
When we know the weight of these companies and their lobby in Washington, we can hope for a change in legislation that would bring back some serenity in data transfers between Europe and the United States.
If we often hear on the other side of the Atlantic: "what is good for the United States is good for the world", here we are closer to "if compliance with the GDPR is good for European citizens, it is also good for American citizens".
To be continued...
Article previously published in "Le Soir" newspaper