Personal data protection in Europe and American companies, where do we stand?

Last week, Richard posted an article titled “What about invitations to tender?”. What does this have to do with the GDPR and the Privacy Shield?
I found that this article highlighted the gap between “advertising” in order to sell and, on the other hand, a more “responsible” attitude that aims at not announcing anything that cannot reasonably be kept.

This reminded me of the Privacy Shield’s adventures, a real novel full of reassuring announcements about agreements “finally reached”, and yet it has been going on for a decade, like a project that has a hard time getting off the ground…

Are we at the end of this story? Probably not, if we are to believe the draft decision of 14 February 2023 of a committee of the European Parliament.

In a nutshell: personal data protection

Europe adopted the GDPR (General Data Protection Regulation) in 2016, which governs how states and companies must commit to protecting our personal data, especially in the web age. This regulation protects European citizens, and I invite you to read it, it is clear and a quick read.

In addition to the work on the GDPR, transatlantic data protection has become even more important because a lot of European data is stored in the United States, particularly by GAFAM. Since 2016, the United States and Europe have worked out several agreements, the latest being Privacy Shield 2.0.

Several agreements, because each one has been overturned by the EU court; we have been following these twists and turns in two articles, in 2021 and 2022. Here are the latest announcements, as of March 25, 2022:

“U.S. President Joe Biden and European Commission President Ursula von der Leyen announced that they have reached an agreement in principle on a new framework for transatlantic data transfer.”

“This will allow for predictable and reliable data flows, while ensuring security, privacy and data protection,” Ursula von der Leyen says on Twitter.

We are talking about personal data collected by European companies and stored in the United States. The opposite case, i.e. data collected by American companies, is … how can I put it? Efficient and simple.

Indeed, in 2018 the United States enacted the Cloud Act, which allows, among other things, the American judicial authorities to request from service providers operating in the United States the personal communications of an individual, whether a US citizen or resident, without informing that individual, his country of residence, or the country where the data are stored.

14th February 2023 … dismissal?

As a reminder, Europe is organized around 3 institutions: the Parliament (which votes on the laws and the budget of Europe), the European Commission (which proposes the texts of laws submitted to the Parliament), and the Council (which gathers the ministers of the Member States for a given policy area). These institutions function under the authority of the Member States, which remain sovereign and independent nations. France Info published an interesting summary of this subject.

Let’s pick up the thread of “reassuring announcements”: on February 14, a committee of the European Parliament rejected a draft decision as not being in line with the EU’s GDPR regulations.

For this parliamentary committee, the proposed data protection framework is not fully compliant with the EU’s General Data Protection Regulation (GDPR), especially in light of current U.S. policy that would allow for the large-scale, warrantless collection of user data for national security purposes.

Also according to the committee, an executive order issued by the Biden administration does not provide sufficient additional protection, for several reasons: the mutability of the policy adopted by the executive order (it can simply be rescinded or changed by the president at any time) and the insufficient safeguards it provides. To summarize:

The committee stated that U.S. domestic law is simply incompatible with the GDPR framework and that no agreement should be reached until these laws are more closely aligned (“LMI” article, 2/20/2013).

However, this is only a “draft motion for resolution” to reject the recommendation of the European Commission, which for its part deems that U.S. law now provides an “adequate” level of protection for the personal data of European users of U.S. companies’ services. Adequate?

One can logically infer that even if the Commission continues along this path, this agreement runs the risk of being invalidated as were the two previous attempts (Safe Harbor in 2015, Privacy Shield in 2020). The question of a “Schrems 3” has already been raised, as described in this article by a law firm.

What does it mean today?

These attempts to reach a common definition between the United States and Europe on how to frame the use of personal data by companies and states have been stalled for almost 10 years.

All this might seem laughable or a bit out of touch, but it is indeed a legal text that provides for real sanctions in case of non-compliance with the law; for us Europeans, that means non-compliance with the GDPR.

We can only advise caution, in particular by checking very carefully the storage conditions of the data you manage and that you (perhaps) entrust to an external company.

How does J2S manage the personal data of its customers?

For its part, J2S is fully committed to complying with the GDPR. The data you entrust to J2S Simple Workspace are securely hosted, both physically and legally: they are physically stored in France by a company governed by French law.

We look forward to hearing from you. Contact us!

David Lantier,
Business Developer