On 7 October, US President Biden signed an "Executive Order" - a kind of law - that could mark the beginning of a new privacy agreement between the EU and the US. Why is this important? We asked Peter Vergote, our legal expert.
What is this US law about? Can you explain that in a simple manner?
Among other things, it is about the data transfers that happen between the European Union and the United States and the protection regime of personal data stored there. As a user of different services or websites, like Facebook or Google for example, you agree to their terms of use. If so, your personal data may be transferred to US servers and stored there. This may even happen without your knowledge. So there must be "adequate protection" for the personal data of European citizens, in the countries where that data goes. The GDPR has significantly tightened the rules around this.
What does that mean? An "adequate protection" of personal data?
In short, in a country to which personal data is sent, similar protection must exist for this data as within the European Union. And here, of course, quite extensive privacy protection has existed since the beginning of the GDPR.
What prompted President Biden to sign this Executive Order?
After the Schrems II* ruling (see below), the so-called 'Privacy Shield' was in tatters and the EU and the US had to renegotiate a framework regarding privacy protection. In doing so, they sought an agreement between the two blocs that would allow data transfers compatible with the GDPR. It took two years of negotiations, but they finally came to an agreement early this year (in 2022) and this Executive Order is the implementation of that agreement in the US.
*Schrems I and II are decisions by the European Court of Justice that followed court cases started by Maximilian Schrems, an Austrian "privacy activist". More explanation below.
In what way does this agreement improve the situation?
It includes guarantees that the US national security agencies will not be able to access the data of EU citizens. If access were then requested, an ordinary EU citizen could object. In that case, a committee would decide whether the request was sufficiently justified. The security services could also only request the data of one particular group of people. (note: the people suspected in a particular case). What was not there before is there now: US security services have fewer rights to look into data of EU citizens.
Do you expect this agreement to last?
It is very difficult to predict where we will end up. First, this Executive Order (and the underlying arrangement for data transfers between the EU and the US) still has to get the European Commission's blessing. Only then will there be talk of a final new privacy arrangement between the two blocs. We can also assume that as soon as there is an "adequacy decision", a new procedure before the European Court of Justice will immediately be initiated by Schrems and co.
What exactly might be contained in a Schrems III ruling is a matter of conjecture. Despite the proportionality of the new regime, US national security agencies can still access the data of EU nationals if you interpret the texts literally. If this is the main conclusion, any Schrems III ruling is likely to once again consider the existing mechanism inadequate. On the other hand, if the restriction on access and the various defences available to EU citizens are sufficient to speak of an "equivalent protection as in the EU", the European Court could still decide that it is secure enough and meets the requirements of the GDPR.
"The fuss about data transfers hits the economic relations between EU and US companies right in the heart. The vagueness must be cleared up so we finally know which services we are still allowed to use and whether it is OK when data is transferred."
Should we still move away from US services?
In short, if solid and secure alternatives exist, it is better to use them. If another devastating Schrems III judgment arrives much earlier than expected, we will be back in the same situation as today. At first glance, services like Google Analytics or Office 365 do not seem so easy to replace. But an application like Mailchimp, for example, might be easier to replace; there are European alternatives for that, like Flexmail. Is there no alternative, or is the similar service not great? Then you have to weigh up whether it is more important to keep the service or to have certainty about the legal situation. In doing so, it is best to also take into account the decisions of European data protection authorities, such as the GBA for Belgium.
Of course, the question of whether our data is adequately protected by US firms comes from someone - how did this discussion start in the first place?
In 2011, Maximilian Schrems, an Austrian citizen and law student, decided that his data was insufficiently protected in the US. Schrems was particularly furious with Facebook. The US social media giant sent his data to the US via Ireland. Schrems then launched several legal actions, mainly in Ireland. When the Irish Data Protection Commission rejected his requests, he went to the European Court of Justice. In 2015, this Court vindicated him and the Schrems I judgment was handed down. That marked the end of the so-called "Safe Harbor Principles", under which the EU and the US engaged in transatlantic data transfers.
What were the consequences of the Schrems I ruling?
It caused a whole slew of problems between the EU and the US in terms of data transfers. There was the threat of a ban on transatlantic transfers of personal data, so both sides busily sought a successor to the defunct "Safe Harbor". The "Privacy Shield" seemed to be a solution and guaranteed additional protections in data transfers. As an alternative to "Privacy Shield", the "Standard Contractual Clauses" (SCCs) developed by the European Commission could also be used. These SCCs are individual agreements whereby company X that obtains data from the US confirms that they will use the data in a manner consistent with European law.
In 2016, the European Commission confirmed the "adequate protection" for European citizens under the Privacy Shield regime. And yet Maximilian Schrems continues his crusade.
“Some of the possible consequences of these decisions could set us back 10 years in time.”
What follow-up did Schrems I get?
In the United States, any security service can easily retrieve data on internet users, and thus also that of European citizens stored on servers in the US. Here in our country, it works differently. Our security services can only request data in a proportionate way, for example as part of a particular judicial investigation. For example, if the police are investigating drug smugglers, they can request the data of some individuals who are suspects in this particular investigation. This is not the case in the US; in theory, US state security could request all the data of all Europeans on Facebook without having to give a specific reason. For Schrems, this was unacceptable.
He again started proceedings before the European Court of Justice, which once again vindicated him with the "Schrems II" judgment. That nullifies the "Privacy Shield" between the EU and the US. The reason? Broad access to personal data by US security agencies is not in line with the principles of the GDPR. Strictly speaking, any data transfer between the EU and the US was therefore illegal (again) at that point in time.
What are the implications for US companies?
The implications are hugely far-reaching. For example, Meta is obliged to share data if they are asked to do so. There are only two ways in which Meta can comply with the rules. Either it simply stops offering services to European citizens, or it splits into two different companies, one American and one European. The European company would then be able to offer services to European citizens. But that then assumes Meta divests its European operations entirely (as long as they are still connected to the parent company, everything remains under application of US law). US email service Mailchimp itself has admitted that it stores Europeans' personal data in the US. If you follow that through, cloud services like Office 365 might also be illegal. It does get a bit punitive then. For the use of Google Analytics, though, there are already official rulings from some four Data Protection Authorities (DPAs). They ruled that using Google Analytics is inconsistent with the GDPR.
"So we have been stuck with a solid uncertainty for a couple of years about what is and is not allowed. It does remain the case that the EU and the US can work together."
The European Commission must now examine this new law. They will judge whether or not it provides "adequate protection" for European data. This is called an "adequacy decision" in the jargon. We expect this to happen within about six months. It would put us back in a legally secure environment for a while; companies would be able to legally exchange data transatlantically again.