At a time when data are a strategic asset, their possible transfer to third countries where they may be subjected to less protective legal regimes constitutes a sovereignty issue. Moreover, if we see sovereignty as being first and foremost that of the people, then digital sovereignty is that of the network users, who must be able to exercise and preserve their autonomy in cyberspace. This includes the “right to informational self-determination”, as defined by the German Federal Constitutional Court in its 1983 judgment and enshrined in Article 1 of the French Data Protection Act by the Law n°2016-1321 of 7 October 2016. In a world dominated by transnational platforms established in the United States, this “right to decide and control the uses made of personal data” (Article 1, French Data Protection Act) is particularly difficult to enforce. This acute problem is particularly illustrated by the massive transfer of data outside the territories where the data subjects are established, notably to the United States, which raises the question of the strategy to be followed by the European Union now that the Privacy Shield has been invalidated.
Although the OECD adopted guidelines for the protection of privacy and transborder flows of personal data as early as 1980, it is the 1995 Data Protection Directive n°95/46/CE that put in place rules protecting European citizens against the uncontrolled transfer of their data. However, the massive transfer of data to the United States made it necessary to adopt the so-called “Safe Harbor” Principles by the US Department of Commerce and the European Commission. The aim was to authorise the flow of personal data while guaranteeing an “adequate” level of protection within the meaning of the European legislation. US companies could join the programme by committing to respect seven general principles, including the provision of information to the data subject, the possibility for the individual to refuse the transfer of his or her data, and the right of access to the information held. The system was based on a form of self-certification, under the control of the Federal Trade Commission, which could monitor actual compliance with the principles and impose sanctions. In 2000, the European Commission recognised the “adequate” nature of the protection thus proposed, which meant that companies that had joined the programme were authorised to transfer personal data without European states being able to oppose it.
Despite the adoption, as early as 2001, of the Patriot Act, which gave US federal agencies broad powers of surveillance, it was not until after Edward Snowden’s revelations in The Washington Post and The Guardian about the practices of the National Security Agency (NSA) that the Court of Justice of the European Union finally ruled, in 2015, that the Safe Harbor principles did not guarantee adequate protection for European citizens. The Court held that circumstances arising after the adoption of the adequacy decision and US regulations allowing public authorities widespread access to the content of electronic communications “must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter”.
Following the decision to invalidate the Safe Harbor, the European Commission and the US federal authorities worked quickly on a new agreement, called the EU-US Privacy Shield. As early as 12 July 2016, and despite the reservations expressed by the Article 29 Working Party and the European Commissioner for Data Protection, the European Commission validated the agreement. Companies transferring personal data to the United States were then subject to heavier obligations and more control by the Department of Commerce and the Federal Trade Commission.
The conclusion of the Privacy Shield came at the same time as the European Union adopted new European legislation in the form of the General Data Protection Regulation (GDPR), which provides for a high and harmonised level of personal data protection throughout Europe. The regulation, while falling within the framework set by the 1995 Directive, has raised the level of requirements for companies transferring data to third countries. Transfers to third countries are only possible if they are based on an adequacy decision adopted by the Commission (such as the one relating to Privacy Shield) or, failing that, in very specific circumstances: when appropriate guarantees have been provided, for example by binding corporate rules, standard contractual clauses or certification mechanisms, and when the data subjects have enforceable rights and effective legal remedies (Art. 46 § 1 and 2); or under the conditions listed in Article 49 § 1 which mentions, inter alia, the consent of the data subject, the necessity arising from the conclusion or performance of a contract or important reasons of public interest. As regards decisions of a court or administrative authority of a third country requiring the transfer or disclosure of personal data, Article 48 of the GDPR provides that the transfer may only take place if it is based on an international agreement, such as a treaty on mutual legal assistance. This is where the difficulty posed by the adoption of the CLOUD Act by the US Congress in 2018 came in.
Adopted on 23 March 2018, when a dispute between the FBI and Microsoft was about to be decided by the Supreme Court (see Microsoft Corp. v. United States, 829 F.3D 197 (2d Circ. 2016) Dec. 9 2016), the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), permitted US authorities to access the data concerning the users of services offered by companies established in the United States. By adding a section 2713, the text amended the Stored Communications Act (SCA), which allows the US authorities to oblige providers of electronic communications services (messaging services or social networks) to disclose the content of communications as well as the metadata associated with these communications (dates, times, senders, recipients, addresses). Under the new law, the fact that the data are under the control of a US service provider is sufficient for US authorities – both federal and state – to require direct disclosure on the basis of a warrant or subpoena, even if the data are stored outside the US. This bypasses the classic international mutual legal assistance procedures, which allow disclosure of data but are much slower.
In this respect, the CLOUD Act directly contradicted the GDPR, which does not allow the disclosure of data without international mutual legal assistance. Even the “important grounds of public interest” provided for in Article 49(1) of the GDPR must be recognized by the law of the EU or the law of the Member State to which the controller is subject (Article 49(4) of the GDPR). Moreover, the CLOUD Act pays little attention to international treaties signed by the United States, such as the Treaty of 10 December 1998 on Mutual Assistance in Criminal Matters between France and the United States of America and the Convention of 18 March 1970 on the Taking of Evidence Abroad in Civil or Commercial Matters.
If one had therefore to summarise the situation following the adoption of the CLOUD Act, one would have concluded that this law, by enabling the US authorities to obtain directly and rapidly the data controlled by companies established in the United States (which includes Facebook, Twitter, Amazon, Apple, Microsoft, Airbnb…), introduced a considerable breach in the protection guaranteed to European citizens. In this respect, this law directly threatens the protection guaranteed by the GDPR and the Privacy Shield, inasmuch as even data which are not transferred to the US may be disclosed to the US authorities. Moreover, just recently, the European Court of Justice of the European Union has decided to invalidate the Privacy Shield, which raises the question of the strategy to be followed by the European Union from now on.
On 17 July 2020, the European Court of Justice issued a new decision in the case of Austrian activist Maximilian Schrems against Facebook. As a Facebook user, Schrems objected to the transfer of his personal data to the United States for processing. He referred the matter to the Irish Data Protection authority, which is competent insofar as the data are stored on servers belonging to Facebook Ireland, and argued that US law did not provide sufficient protection against access by US public authorities. In 2015, in Schrems’ first case against the Irish Data Protection authority, the European Court of Justice invalidated the European Commission Decision 2000/520 endorsing the Safe Harbor. Subsequently, as Schrems maintained his opposition to the transfer of his data, the Irish court referred a new question to the Court of Justice for a preliminary ruling on the legal basis for such a transfer, namely the validity of the standard contractual clauses contained in the European Commission Decision 2010/87. In the course of the proceedings, the Commission adopted its Decision (EU) 2016/1250 on the Privacy Shield.
In its judgment of 17 July 2020, the Court of Justice ruled that Decision 2010/87, which contains the standard data protection clauses, is valid insofar as it ensures the level of protection required by EU law. On the other hand, the Court decided that Decision (EU) 2016/1250 is not valid in view of the requirements stemming from the GDPR. The Court stressed that the limitations on the protection of personal data arising from US legislation are not framed in such a way as to meet the requirements of EU law, in particular with regard to the US surveillance programmes, which do not give data subjects judicially enforceable rights against the US authorities or sufficient remedies within the meaning of Article 46 of the GDPR and Articles 7, 8 and 48 of the Charter of Fundamental Rights.
The invalidation of the Privacy Shield creates real uncertainty as to the regime applicable to data transfer to the United States. Certainly, companies wishing to have personal data processed in the United States will be able to rely on the standard contractual clauses. However, this depends on the existence of appropriate safeguards meeting the requirements of Article 46 of the GDPR. The Court of Justice thus held that each data controller will have to verify the level of protection applying to the personal data transferred. This implies, as the EDPB (European Data Protection Board) has underlined, that they must evaluate the legislation of the country receiving the data in order to determine whether the protections offered are sufficient, so that they can put in place additional measures if the recipient country does not offer sufficient protection. It will, in any case, be for the national data protection authorities, starting with the Irish authority, to assess the lawfulness of the transfer. This is the difficulty with regard to transfers to the United States, since it is not certain, as US legislation stands, that the existing safeguards are considered sufficient.
The question therefore arises as to what strategy should be adopted in order to be able to effectively guarantee Europeans a sufficient level of protection, whether it concerns data transferred to the US or data not transferred to the US but controlled by US companies and covered by the CLOUD Act. Most likely would be the conclusion of a new agreement between the European Union and the United States to replace the Privacy Shield, although it is not clear to what extent the United States would be prepared to amend its legislation to better protect the data of European citizens. It would, in any case, be possible to link these negotiations to those to be conducted on the CLOUD Act. Indeed, the CLOUD Act provides for the conclusion of Executive Agreements not only to organise reciprocity by allowing the authorities of the signatory States to receive data directly from service providers, but also to provide that these service providers may contest requests for access. In the wake of the United Kingdom, which concluded such an agreement on 7 October 2019, the European Union has decided to give the Commission a mandate to negotiate a future Executive Agreement in parallel with the forthcoming adoption of the E-evidence Regulation. Finally, in addition to possible negotiations for the purpose of concluding a treaty with the United States, European states may adopt legislation making it possible to oppose requests for disclosure from the US authorities. The idea would be to provide companies established in Europe with legal arguments enabling them to oppose requests for disclosure from the US authorities. To this end, a recent parliamentary report has proposed to amend the provisions of the French “blocking” statute.
On the whole, however, it is difficult to assess the effectiveness of these possible legal barriers, since platforms established in the United States have an interest in collaborating with the federal authorities responsible for regulating them. This explains why the choice of US providers to store confidential data is being challenged. Most recently, BPIFrance called on Amazon Web Services to manage the system for certifying loans guaranteed by the French government. Similarly, Microsoft’s Cloud Azure has been chosen to host the health data collected as part of the implementation of the Health Data Hub, which replaces the current National Health Data System. In this case, the contract concluded with Microsoft does indeed stipulate that the data may be transferred to third countries, in particular the United States, to manage and ensure the proper functioning of the IT system, all under standard contractual clauses. In this context, the risk that US public authorities or courts may order the disclosure of these data cannot be excluded. Opposition to Microsoft’s choice has led to a summary procedure before the Conseil d’Etat, on the initiative of the Conseil National du Logiciel Libre (CNLL), in order to suspend the application of the decree of 21 April 2020, which authorises the Health Data Hub to collect a considerable amount of data for the purposes of the health crisis. This appeal was rejected for understandable reasons: there is little likelihood that health data will be subject to requests for disclosure, since US laws mainly focus on elements that could feed criminal investigations. Nevertheless, the CNIL has expressed its wish for the platform to be managed in the long run by entities which are exclusively subject to the jurisdiction of the European Union.
The most protective solution for European citizens would certainly be to store data in Europe under the control of companies that are not established in the United States, in order to evade the provisions of the CLOUD Act. One is therefore inevitably led to wish to create a “sovereign” cloud. This idea is not new. In 2009, the French government decided to finance two projects finally launched in 2012, Cloudwatt and Numergy, with the aim of providing French administrations and companies with secure infrastructures. However, these two attempts were failures. Most recently, the German and French governments announced the creation of a governance entity to steer Gaïa-X, which is a catalogue of digital services referencing hosting providers and software publishers committed to offering interoperable technologies and communicating transparently on the localisation of data and the possible applicability of extra-European regulations. It is therefore to be hoped that this initiative will lead to greater technological independence, but it will also face some challenges, as discussed in detail in another post from the Chair.
Florence G’sell is professor of law and co-chairholder of the Digital, Governance and Sovereignty Chair