- Introduction: Edward Snowden’s revelations.
«I do not want to live in a world where everything that I say, everything I do, everyone I talk to, every expression of creativity or love or friendship is recorded»[1]. This is what Edward Snowden, the US National Security Agency whistleblower, told the Guardian in 2013. The legal basis that rendered that possible was Section 702 of the Foreign Intelligence Surveillance Act (FISA 702). Such a provision allowed the US government to monitor foreigners’ personal data with the compelled assistance of electronic communication service providers[2]. According to the documents disclosed by the American whistleblower, Apple, Microsoft, Facebook, Google, and Yahoo belonged to that category[3]. Nine years have passed since such alarming revelations, and European institutions have taken several steps to grant personal data a high level of protection. Still, the long-lasting issue of transatlantic personal data transfers seems far from being solved.
- Two landmark rulings: Schrems I and Schrems II.
Back in 2013, Maximilian Schrems lodged a complaint with the Irish Data Protection Commissioner against Facebook Ireland Ltd. The subsidiary of Facebook Inc. operates business outside Canada and the US by collecting EU users’ personal data and sending it back to US-located servers. The Austrian activist argued that, once transferred, the data could be accessed by US authorities thanks to surveillance laws such as FISA 702. Therefore, the validity of the Safe Harbour mechanism, allowing the data flow from the EU to the US, was called into question.
Firstly, the Court of Justice of the European Union (CJEU) clarified that third countries might adopt measures different from those adopted in Europe to protect personal data. However, they must ensure an essentially equivalent level of protection. Secondly, the court acknowledged that the Safe Harbour decision granted any “national security, public interest, or law enforcement requirements” primacy over the Safe Harbour principles. As a consequence, US organisations were bound to disregard those principles in any case of conflict. Thirdly, the court noted that the US did not adopt any rule to limit the interference with the fundamental rights of the persons whose data was transferred. Therefore, the right to respect private and family life, the right to protection of personal data, and the right to a judicial remedy[4] were violated. On these grounds, the Safe Harbour framework was declared invalid on October 6, 2015[5].
After that judgment, Facebook Ireland claimed to rely upon another legal tool to transfer personal data to its parent company: the Standard Contractual Clauses (SCCs). They are non-negotiable terms and conditions, binding on both the sender and receiver of data, approved by the Commission in 2010. Schrems then challenged the validity of the SCCs, arguing that surveillance by US authorities was still possible, thus infringing Artt. 7, 8, and 47 of the EU Charter of Fundamental Rights. In the meantime, another legal means came into play: the Privacy Shield, a set of mutually agreed-upon principles that replaced the Safe Harbour agreement and became relevant to the case[6].
Unfortunately, the new framework shared the same fate as its predecessor. On July 16, 2020, the CJEU declared it void because the US failed to offer a level of protection essentially equivalent to that guaranteed by the GDPR and the Charter. In particular, US surveillance laws provided neither limitations, nor guarantees, nor actionable rights in favor of targeted foreigners. Therefore, they were not limited to what was strictly necessary and constituted a disproportionate interference with data subjects’ rights. On the other hand, the Luxembourg Court upheld the validity of SCCs but stipulated stricter requirements for their use by data controllers. Not only are they required to ensure that receiving countries offer essentially equivalent protection, but they also have to provide additional measures to compensate for possible deficiencies. In addition, where national supervisory authorities reckon that data subjects are not afforded essentially equivalent protection, they must prohibit the transfer[7].
- Schrems saga spillovers: 101 complaints by “None of your business” (NOYB).
The second landmark ruling of the CJEU seemed to outline a clear picture. However, commentators disagreed as to whether SCCs could still be used by most companies or only by those unconstrained by surveillance laws and able to offer additional safeguards. At that point, Schrems decided to analyse the HTML code of some major EU webpages and discovered that many companies were still using Google Analytics and Facebook Connect. Although both companies adopted formally valid SCCs, they were bound by the US surveillance laws found in breach of EU fundamental rights. As a consequence, Schrems’ NGO “None of your business” filed 101 identical complaints against as many companies (such as Allied Irish Bank, Fastweb, Leroy Merlin, etc.) in 30 EEA countries[8]. In response, the European Data Protection Board created a task force to analyse the matter uniformly and enhance the cooperation among Data Protection Authorities (DPAs)[9].
The Austrian DPA was the first to take the floor. On December 22, 2021, it ruled that the use of Google Analytics by an Austrian website provider was in breach of the GDPR. Companies can use such an analytics tool to track and analyse users’ behaviour on their websites. However, this implies collecting personal data (such as IP addresses, user identifiers, and browser parameters), which is subsequently transferred to the US parent company Google LLC. Since the latter qualifies as an “electronic communication service provider” under FISA 702, the data in question is exposed to US surveillance. In addition, the supplementary measures implemented by Google to prevent re-identification, such as encryption and transparency records, were considered insufficient.
A few weeks later, additional warnings came from the Dutch DPA. The latter disclosed that it is currently investigating two complaints on the adoption of Google Analytics in the Netherlands, and the use of such a tool may soon not be allowed[10]. By the same token, the Norwegian DPA has recently advised companies to seek viable alternatives to Google Analytics, as rulings on potential GDPR violations are coming soon[11].
The latest authority to follow this path was the Commission Nationale de l’Informatique et des Libertés (CNIL). On February 10, 2022, the French DPA stated that EU-US data transfers remained insufficiently regulated. Neither an adequacy decision nor other appropriate safeguards were indeed provided to ensure an adequate level of protection. Furthermore, the CNIL considered unsatisfactory the additional measures adopted by Google Analytics to shield Internet users from US surveillance, thus exposing French users to unacceptable risks. On these grounds, the French DPA ruled that basing personal data transfers on Google Analytics violated article 44 et seq. of the GDPR. The website operator was then given one month to comply, either by ceasing to use Google Analytics under the current conditions or by adopting other tools to keep personal data in Europe[12].
While the last ruling remained unanswered, Kent Walker, President of Global Affairs and Chief Legal Officer of Google, responded to the Austrian DPA’s decision by urging the two sides of the Atlantic to finalize a successor to the Privacy Shield. He emphasized how the lack of legal stability for international data flows may undermine the development of global economies and services. On the contrary, a new framework would ensure the stability of transatlantic commerce, help businesses of all sizes participate in the digital economy, and prevent disruptions of supply chains[13]. Alongside the call for a Privacy Shield’s heir, new strategies have been put forward, such as storing more personal data in Europe. Google Cloud, for instance, expressed its commitment not only to store customers’ data in the EU but also to prevent access from non-EU administrators and to implement the new SCCs set forth by the European Commission in June 2021[14]. Similarly, Microsoft and TikTok took steps in this direction, the latter by announcing a €420 million investment to build a data center in Dublin[15] and the former by launching its “EU Data Boundary plan” for Microsoft Cloud[16].
- Meta’s threats and conclusive remarks.
Another European DPA is about to take the floor against one of the companies that have impacted our daily life the most. In particular, Facebook’s parent company Meta could soon face an order from the Irish Data Protection Commission (DPC) to halt the transfer of personal data to the US. In the aftermath of Schrems II, the Irish DPC issued a preliminary draft decision claiming that Facebook could no longer use SCCs due to non-compliance with the GDPR and proposed to suspend the data transfer. On February 2, 2022, while waiting for a final decision, Meta published its annual report. «We are unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, […] as a result of European regulators […] determining that our reliance on SCCs or other legal bases we rely upon to transfer user data from the EU to the US is invalid»[17], said Meta while listing risk factors to its investors. Many commentators interpreted such a statement as a weapon to lobby European regulators into accepting more indulgent data protection standards. At that point, the generalized state of panic prompted the company to clarify its position. Markus Reinisch, Meta’s Vice President of Public Policy Europe, denied the alleged threats and claimed that Meta has no desire to withdraw from Europe. However, the continuing uncertainties over EU-US data transfer mechanisms impair the ability to conduct a global business and serve EU customers. In addition, Meta stressed that it is not alone in voicing these concerns, since at least 70 other companies (some European) would be in the same circumstances[18].
Finalizing a long-term solution to secure the transfer of personal data is a high priority shared by both sides of the Atlantic. However, negotiations are still ongoing, and a Privacy Shield replacement seems far from reality. Some commentators look at the EU-US Trade and Technology Council, which is taking place next May, as a possible occasion to make announcements in this regard. Nonetheless, a forum based on trade may not be appropriate to finalize a decision involving fundamental rights[19]. Here is the bone of contention between the EU and the US: they have distinct legal frameworks and value the right to the protection of personal data differently. In the European legal order, such a right has progressively evolved within the contours of the right to privacy and is today enshrined in two sources of primary law, Art. 8 CFR and Art. 16 TFEU. Therefore, the protection of personal data is a fundamental right of any individual. By contrast, the US Constitution does not expressly protect personal data, despite the abundance of privacy laws at both the federal and state level. European laws are therefore perceived as obstacles to free enterprise and to innovative business models based on the free flow of data. Since the major companies currently serving the European market were born in the US, they come from that cultural background[20]. Despite their different sensibilities about protecting personal data, the two sides of the Atlantic are urged to strike a proper balance between the competing interests at stake, thus ensuring a smooth transatlantic data flow. At this point, the data-driven economy has gone too far to be confined by national borders.
[1] E. Snowden: ‘The US government will say I aided our enemies’ – video interview, published by The Guardian on 8 July 2013. Interview with Glenn Greenwald, 6 June 2013, Part 2
[2] Section 702 – Basic Infographic, in dni.gov
[3] EU-US Data Transfers, in noyb.eu
[4] Artt. 7, 8, 47 EU Charter of Fundamental Rights
[5] CJEU, Schrems v. Data Protection Commissioner, C‑362/14, October 6, 2015, in eur-lex.europa.eu
[6] H. Mildebrath, The CJEU judgment in the Schrems II case, September 2020, in europarl.europa.eu
[7] Ibidem
[8] 101 Complaints on EU-US transfer filed, August 17, 2020, in noyb.eu
[9] EDPB Press Release 2020-14, September 4, 2020, in edpb.europa.eu
[10] J. Bryant, Austrian DPA’s Google Analytics decision could have ‘far-reaching implications’, January 20, 2020, in iapp.org
[11] Norwegian DPA recommends Google Analytics alternatives, January 27, 2022, in iapp.org
[12] Use of Google Analytics and data transfers to the United States: the CNIL orders a website manager/operator to comply, February 10, 2022, in cnil.fr
[13] K. Walker, It’s time for a new EU-US data transfer framework, January 19, 2022, in blog.google
[14] M. Crandall and M. Rey, Reaffirming Google Cloud’s commitments to EU businesses in light of the EDPB’s Recommendations, July 15, 2021, in cloud.google.com
[15] R. Cloutier, Establishing a new European data centre in Ireland, April 21, 2021, in newsroom.tiktok.com
[16] B. Smith, Answering Europe’s Call: Storing and Processing EU Data in the EU, May 6, 2021, in blogs.microsoft.com
[17] Meta Platforms, Inc., Annual report for the fiscal year ended December 31, 2021, published on February 2, 2022, 14
[18] M. Reinisch, Meta Is Absolutely Not Threatening to Leave Europe, February 8, 2022, in about.fb.com
[19] V. Manancourt and L. Kayali, US-EU data transfers on life support after French Google decision, February 10, 2022, in politico.eu
[20] M. Bassini and O. Pollicino, Ponte transatlantico sulla sovranità digitale, February 21, 2022, in lavoce.info