An adequacy decision between the USA and the EU: nothing more than a pipe dream?

"Insanity is doing the same things over and over and expecting different results."

This famous quote, usually attributed to Albert Einstein, could very well be applied to the legal saga of data transfers between the European Union (EU) and the USA, a game of cat and mouse with three major players. In one corner, the European Commission and the US authorities, trying desperately to draft an agreement on free data transfer between the two economic powers they represent. In the other, Max Schrems, creator and head of None Of Your Business, an NGO bent on protecting the digital privacy of European citizens against companies and states alike. And in the middle, an arbiter: the European Court of Justice, which upheld Max Schrems's claims and overturned those agreements.

Schrems: II – European Commission: 0

Twice, the European Commission and the USA agreed on a proposal to facilitate the transfer of data. Those agreements were finalised when the Commission decided that the USA was able to guarantee a level of protection of personal data comparable to that in the European Union. In a way, it was a badge of honour certifying that the laws of that country regarding personal data were similar to the GDPR, if not identical. Those two agreements were named Safe Harbor and Privacy Shield, and were enough to green-light a free and, arguably, safe data flow between the old and the new continent.

Nevertheless, there was a caveat.

Max Schrems, an Austrian law student passionate about privacy and data laws and regulations, took an interest in that first adequacy decision, and discovered that the Safe Harbor was… not so safe for European citizens' data, after all. After he went to the European Court of Justice, the Court's decision was a serious setback for both the Commission and the USA: in 2015, the Safe Harbor was overturned and the free exchange of data between those two powers was forcibly stopped.

It was time for the Commission to go back to work, and less than one year after this case, now dubbed "Schrems I", another draft was produced. From the ashes of the Safe Harbor, the Privacy Shield was born, quickly followed by another adequacy decision. All seemed well, and European data could flow again from the EU to the USA.

Cue Max Schrems, and his never-ending battle against the misuse of digital data: once again, he argued that the USA couldn't meet the requirements of an adequate country, and the European Court of Justice agreed. Four years later, the Privacy Shield was overturned by a 2020 decision better known as "Schrems II".

In the wake of yet another proposed agreement, one could wonder whether the European Commission is fighting an uphill battle. But to answer that question, a brief dive into US regulations is needed.

The CLOUD Act and the Patriot Act, the roots of the problem

In 2001, after the 9/11 tragedy, the USA passed the aptly named Patriot Act. Among many things, it gave some US authorities such as the FBI and the NSA the power to seize data present on every server hosted on American soil, regardless of its country of origin. In other words, it gave those institutions an opportunity to take personal data in bulk, European or American. Even worse, under the Patriot Act, those investigations are kept secret, which doesn't bode well for the rights of European citizens, and goes against the core principles of the GDPR, such as data minimisation, purpose limitation and transparency.

That Act, heavily criticised in the USA by NGOs and activists alike, is far from the final nail in the coffin of an adequacy decision.

Indeed, in 2018, the USA passed the CLOUD Act (for "Clarifying Lawful Overseas Use of Data Act"), which gave permission to the aforementioned entities to also seize data… but overseas. Under this Act, every American company could be required to disclose data under its control upon request of US authorities, regardless of where the data is located, and with a simple warrant. And this time, the Act was not confined to terrorism: it could be used to seize data of interest in virtually any criminal investigation.

Anticipating the future of a new adequacy decision

Two years after "Schrems II", those laws are still in effect, and are very much used by the US authorities. As long as those two Acts stand, any future adequacy decision would be short-lived, and the European Commission runs the risk of seeing a fair number of "Schrems number X" judgments overturn its agreements, over and over again.

But will we, as Europeans, be able to put an end to what are, for better or worse, two major tools for criminal investigations, widely used by every US government, Republican and Democrat alike? Time will tell, but this seems unlikely. In light of these cold hard facts, the future of the new draft between the European Commission and the USA doesn't seem particularly bright.

Same things, not so different results.

 


About Vincent Oscar