The last few months have been riddled with news on the state of the EU-US data transfers. Almost two years elapsed since the legal grounds that allowed European data to freely flow to the US, were annulled by the Court of Justice of the European Union (CJUE). In the meantime, temporary remedies were introduced to avoid a disruption in data traffic worth billions of euros yearly. However, since the beginning of the year, the legal validity of these solutions has been questioned by national data protection authorities (DPAs). This situation is a source of concerns and legal uncertainty for businesses. Ecommerce Europe closely follows the debate and tries to draw up an overview of where we stand and to delineate the likely way forward.
On 29 April, the Austrian Data Protection Authority, Datenschutzbehörde (DSB), issued a follow-up decision confirming its judgment against the use of Google Analytics by an unnamed company, originally released on 13 January 2022. In the initial decision, the DSB ruled that data shuttled to the US through the use of Google Analytics were insufficiently protected from an access of US intelligence services. The decision initially cast doubts on the upholding of the so-called “Standard Contractual Clauses” (SCCs) in the case of a data transfers for analytical purposes to US-based datacentres run by Google Analytics or Facebook Connect. SCCs were previously introduced via implementing acts phased-in by the European Commission as appropriate data protection safeguards constituting a legal basis for data transfers from the EU to third countries.
The initial Austrian decision was shortly followed by similar warnings pronounced by the French and the Dutch national data protection authorities. These and other European DPAs were referred to by Austrian privacy activist and founder of NGO noyb, Max Schrems. In 2020, the Austrian lawyer filed 101 complaints before 30 administrative bodies involved with data privacy issues. Before then, Schrems was also behind the two CJUE decisions respectively called “Schrems I” and “Schrems II”. The former, issued in 2015, resulted in the outlawing of the first adequacy decision that regulated EU-US data flows, the so-called “Safe Harbour”. The latter saw the CJEU invalidating the second adequacy decision for the US (“Privacy Shield”) in 2020.
Since the ad hoc agreements were swept away, data transfers to the US had to comply with GDPR Articles 46 (which introduce the principle of SCCs) or 47 (establishing corporate binding rules as appropriate data protection instruments) or be regulated through supplementary measures. Such complementary measures were gathered in a guidance document published by the European Data Protection Board (EDPB), Recommendations 01/2020. These included, as a possible remedy for the lack of an appropriate adequacy decision, the transfer of pseudonymised data.
With the rulings released by national regulators in the first half of 2022, most of the solutions under GDPR and EDPB were ruled out. The way out of the impasse is to phase in a new adequacy decision which would guarantee EU individuals to legally challenge data misuse by American agencies. This would imply to create a legal redress mechanism for EU citizens within the US jurisdiction. The plans for a new pact were announced by high-level EU and US officials meeting in Brussels on 25 March. However, since the establishment of new legal instruments in the US mainly relies on American endeavours, EU policymakers have very little leeway to push the negotiations higher up on the US political agenda.
Ecommerce Europe, together with other stakeholders, is pushing for a timely start of technical negotiations on a new EU-US framework for data flows. Read our joint statement here.