Transfers of personal data to the United States: progress report

Legal Watch No. 55 – January 2023

The legal uncertainty currently weighing on data flows between Europe and the United States affects areas as concrete as the fight against the housing shortage in France or the use of online library services in Finland.

The company Abritel refused to hand over its rental data to the City of Paris because the city relies, for this collection, on a service provider that transfers the data to the United States.

The Paris judicial court ruled in favor of Abritel in its judgment of November 30, 2022.

Last December, the Finnish Data Protection Authority found that four cities had, among other things, unlawfully transferred personal data to the United States by using Google Analytics and Google Tag Manager on their public libraries' online services.

The complexity of transfers today is mainly a consequence of the "Schrems I" and "Schrems II" rulings of the Court of Justice of the European Union, dated October 2015 and July 2020 respectively.

These rulings invalidated successive agreements concluded between the EU and the United States under the names of Safe Harbour Principles and Privacy Shield.

In its 2020 ruling, the Court held that although the Privacy Shield principles were meant to provide a level of protection essentially equivalent to that of the European Union, they were in practice subordinated to the requirements of US national security, public interest and law enforcement, and were therefore ineffective.

It found that the scope of the US authorities' surveillance powers was not limited to what is strictly necessary under European law, and that non-US persons had no guaranteed right to effective redress before an independent and impartial body.

Since the publication of this decision, data controllers subject to the GDPR must take special precautions before any transfer to the United States.

The use of contractual clauses guaranteeing data protection remains an option, provided that specific checks are carried out on the content of the clauses, the context of the transfer, and the legal regime applicable in the third country (in particular as regards national security).

If this assessment reveals particular risks, the data controller must adopt supplementary measures before transferring the data.

In June 2021, the Commission adopted modernized "standard contractual clauses" to facilitate their use and published practical guidance for businesses.

The European Data Protection Board also set out, in its recommendations of June 18, 2021, the checks to be carried out as part of a transfer impact assessment.

However, such requirements may be difficult to implement if the recipient of the data is in a dominant position.

A simpler solution in such cases is to use data processing solutions located in the European Union.

On December 13, 2022, after several months of negotiations with the United States, the European Commission published its long-awaited draft adequacy decision on the level of data protection across the Atlantic.

Among the rights that EU citizens will benefit from under the new legal framework, the European Commission mentions the guarantee of remedies, including free access to independent dispute resolution mechanisms and an arbitration panel.

It further cites a number of limitations and safeguards regarding access to data by US public authorities, particularly for law enforcement and national security purposes.

These guarantees stem from new rules introduced by a US Executive Order of October 7, 2022 (Executive Order 14086), which is intended to answer the concerns raised by the Court of Justice of the EU in the Schrems II judgment.

Before a final decision can be adopted, the draft must be reviewed by the European Data Protection Board (EDPB).

The EDPB is expected to deliver its opinion within approximately two months.

The draft decision will then have to be approved by the committee of representatives of the EU Member States (comitology procedure).

The European Parliament also has a right to review adequacy decisions.

Will the final decision, expected next spring, provide the hoped-for guarantees in terms of data protection where the previous agreements failed?

The European Data Protection Supervisor (EDPS) recently commented on the draft in optimistic terms: "This is different from what we saw with Safe Harbor. This is not what we saw with Privacy Shield. This is something new and very promising."

Max Schrems, for his part, has already announced that he is prepared to take a third legal action if the text does not effectively protect the fundamental rights of Europeans.

Also in the news

France:

The startup Lusha, accused of siphoning off the professional telephone numbers and email addresses of 1.5 million French people, is not subject to the GDPR, according to the CNIL's restricted committee, the body responsible for imposing sanctions.

The debate focused on the interpretation of Article 3(2)(b) of the Regulation, which makes European law applicable to companies not established in the EU when they carry out "monitoring of the behaviour" of data subjects. In its deliberation of December 20, 2022, the CNIL, departing from the conclusions of its rapporteur, "does not consider that the online collection or analysis of personal data relating to individuals in the Union would automatically be considered as 'monitoring'", and holds that the purpose of the processing must be taken into account, in particular any subsequent behavioural analysis or profiling techniques applied to the data.

On December 29, the CNIL imposed a fine of €5,000,000 on TikTok for placing advertising identifiers on users' devices without their prior consent.

TikTok's cookie banner was also deemed insufficiently informative.

On the same day, it also fined the company VOODOO, a smartphone game publisher, €3 million for using an identifier intended for technical purposes to serve advertising without users' consent.

Against the current trend, the Montpellier City Council decided on December 16, following a presentation on facial recognition in the context of video surveillance and civil liberties, to prohibit the "use of automated image analysis processing based on personal or individual data" in its public space.

The bill concerning the use of artificial intelligence in the context of the 2024 Olympic Games was approved by the Senate on January 24.

The CNIL had issued observations on this text, while noting that several measures were in line with its recommendations: an experimental deployment, limited in time and space, for specific purposes corresponding to serious risks to individuals; no processing of biometric data and no cross-referencing with other files; and decisions subject to prior human review.

The CNIL also highlighted the intrusive nature of the provisions providing for the processing of genetic data for anti-doping analyses.

Europe:

Following the complaint by the Irish Council for Civil Liberties (ICCL) and the European Ombudsman's decision of December 19, 2022, the European Commission has committed to monitoring how data protection authorities handle GDPR cases involving Big Tech.

It will measure the time taken for each step of each procedure and its progress, and will carry out this review six times a year.

The European Data Protection Board (EDPB) has set up a task force to examine in detail the issues raised by cookie banners.

In a report dated January 17, the EDPB identifies specific practices that it considers unlawful, including:

  • The absence of a reject option on the first layer of the banner
  • Pre-ticked boxes
  • Reject links presented in small print within the text of the banner
  • Reject links placed outside the cookie banner
  • Relying on legitimate interest to place non-essential cookies
  • The absence of a permanently accessible option to withdraw consent.

The EDPB specifies that these conclusions represent a minimum threshold for assessing cookie banners.

They are to be combined with the requirements of the ePrivacy Directive and read in light of the EDPB's other work on dark patterns.

The European Parliament's special committee (PEGA) investigating the use of Pegasus and other spyware continues its work through studies, expert hearings and fact-finding visits to Israel, Poland and Greece. Draft recommendations will be presented to Parliament on June 10.

The NGO EDRi held its annual conference, the Privacy Camp, on January 25; it brings together digital rights defenders, activists, academics and policy makers around current human rights issues.

The presentations are available online via the event website.

In an important judgment of January 12, 2023 (case C-154/21), the Court of Justice of the European Union confirmed that, where personal data have been disclosed to third parties, the data controller must communicate to any data subject who requests it the identity of the actual recipients, and not merely the categories of recipients.

In another judgment of January 12 (case C-132/21), the CJEU specifies that the administrative and judicial remedies provided for by the GDPR may be exercised concurrently and independently of each other.

Parallel complaint procedures before data protection authorities (DPAs) and legal proceedings can thus be initiated on the same issue.

It is up to the Member States to ensure that the parallel exercise of these remedies does not undermine the consistent and uniform application of the Regulation.

The UK's Online Safety Bill is currently being debated in Parliament.

The text, which aims in particular to protect children, identifies categories of harmful content, including self-harm content, "deepfakes" and the sharing of intimate images without consent, which will become new criminal offences.

Critics point to the lack of definitions and precision in the text, which could lead to excessive removal of content and to widespread surveillance.

The "enforcementtracker" website keeps an inventory of the financial penalties imposed by supervisory authorities under the GDPR: the year 2022 ended with a total of more than €830 million across 448 penalties, compared with €1.3 billion in 2021.

Unsurprisingly, Ireland, home to the largest technology companies, holds the top spot in the ranking by total amount of fines.

The Irish DPA announced a €5.5 million fine against WhatsApp on Thursday, January 19, following similar decisions against Facebook and Instagram.

The legal basis relied on by WhatsApp to process personal data (performance of a contract, for service improvement and security purposes) was found to be contrary to European law.

This decision has been criticized by civil society, which notes that the central issue of the use of data for behavioural advertising, marketing, the provision of metrics to third parties and the sharing of data with affiliated companies was not addressed by the Irish authority, despite the EDPB decision published on January 24.

The Norwegian DPA found that a courier and logistics company had infringed Article 32 of the GDPR because of an insufficient risk assessment and the lack of appropriate security measures.

The company's application used the customer's phone number as the only means of authentication for accessing the customer's profile, so that anyone who knew a phone number could access the corresponding account.

The Spanish DPA considered that the National Commission against Violence, Racism, Xenophobia and Intolerance in Sport could not rely on the substantial public interest exception of Article 9(2)(g) of the GDPR to process the biometric data of football fans entering stadiums.

The Italian DPA fined a sports club €20,000 for unlawfully using a fingerprint system to record its employees' attendance at work.

It also fined the energy supplier Areti €1 million for wrongly labelling some of its customers as fraudsters, thereby preventing them from switching energy suppliers.

The Estonian DPA considered that the use of CCTV cameras to monitor employees cannot be based on consent, but only on legitimate interest within the meaning of Article 6(1)(f) of the GDPR, provided that a proper assessment of that interest has been carried out.

International

"Privacy by Design" becomes an international standard: on February 8, the International Organization for Standardization (ISO) will publish the ISO 31700 standard.

It contains 30 requirements and guidance on privacy-by-design principles.

UNITED STATES: In addition to developing technical standards in the area of AI policy (the NIST AI Risk Management Framework), the White House has released a draft AI Bill of Rights.

Several US states are also working on legislation in this area.

President Biden recently echoed these recommendations in an op-ed for the Wall Street Journal highlighting his administration's efforts to combat algorithmic discrimination, promote algorithmic transparency and adopt legislation on AI governance.

Also in the field of AI, on January 27 the European Commission and the US administration signed an "administrative arrangement on artificial intelligence for the public good."

The agreement was signed within the framework of the EU-US Trade and Technology Council (TTC).

Microsoft announced on its blog in mid-December that it would move the storage of its European customers' data within the European Union.

This program does not, however, resolve every issue related to access to European data by the United States.

The CLOUD Act allows US law enforcement authorities to compel US cloud service providers to hand over data regardless of where the data are stored, without having to go through international mutual legal assistance procedures.

Australia has for several months been the target of cyberattacks against its government agencies and private sector.

The country suspects attacks of Russian and Chinese origin, aimed at paralysing its institutions and businesses and directly affecting citizens' lives through the mass release of personal data.

For some, this is a foretaste of what awaits Western countries, several German railway systems having recently experienced unexplained malfunctions.

After announcing it last March, the Russian government has formally withdrawn from Council of Europe Convention 108 on data protection, as well as from all other international treaties of the Council of Europe.

Following this announcement, the Council, for its part, applied its formal procedure and unilaterally terminated Russia's membership.

Anne Christine Lacoste

Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.
