Posted on Nov 18, 2020 at 7:12 PMUpdated Nov 18, 2020 10:20 PM
Businesses have what it takes “Stunned”, according to the expression of an observer of the file. Since the invalidation in July of the “Privacy Shield”, a treaty between Europe and the United States which governs the transfer of European personal data to the country of Uncle Sam, no one knows what to do.
The European Court of Justice ruled that the treaty did not guarantee the protection of transferred data equivalent to that imposed in Europe, due to US intelligence laws deemed intrusive.
Consequence: companies that transfer personal data to servers outside the European Union no longer have a legal basis to do so and face prosecution. The NGO “None of Your Business” has already lodged around 100 complaints.
Anxious, however, not to block any communication of data to the United States, the judges had nevertheless called on the European CNIL to determine measures allowing the signing of a standard contract with the importer in compliance with the general regulations on the protection of data. data (GDPR).
These have just made their work public: they recommend encryption of data exported abroad, thus greatly complicating life for companies.
According to these recommendations submitted for consultation until November 30, companies will no longer be able to have their pay slips edited via online software hosted in the United States because this requires unencrypted data. For the same reason, they could also not use a number of targeted advertising platforms whose servers are located outside the European Union.
Social networks like Facebook and Twitter They would not be able to send their users’ data from one side of the Atlantic to the other to feed their algorithms for highlighting content …
Data transfer almost impossible
“As it stands, it will be almost impossible to transfer personal data outside of Europe, unless it is so encrypted or so pseudonymized that the recipient cannot read it”, summarizes Théodore Christakis, professor of international technology law at the University of Grenoble, after a week of discussions with his peers. on his blog.
The European CNILs encourage studies on a case-by-case basis. But above all, they favor technical protections, which are more restrictive for companies than contract law. “Contractual and organizational measures [comme la création de filiales dédiées, NDLR] alone are generally not sufficient to protect against access to personal data by the authorities of a third country ”, they write in their recommendations.
The CNIL also believe that it is important to never entrust the decryption key to your foreign partner. “The problem is, the online software used by businesses does not work with encrypted data”, explains a representative of large French organizations. In many cases, companies would then have to switch software to the benefit of systems hosted in Europe. A complex site.
Consultation in progress
The debate is not, however, definitively settled and the CNIL’s recommendations are in consultation until November 30.
The European Commission is also examining the issue of standard contracts with importers. Everyone is waiting for a lasting solution that could see the birth of a new treaty between Europe and the United States, which would guarantee personal data equivalent protection on both sides of the Atlantic Ocean.
But this equivalent protection would remain weak since American extraterritorial laws, such as the Cloud Act, would still allow the search of data on servers in Europe belonging to American companies …