Europe is finally starting to walk the talk on U.S. data transfers.
Over a year after the EU’s top court annulled the Privacy Shield — an EU-U.S. data flows deal — in the so-called Schrems II decision, negotiators in Brussels and Washington have yet to strike a replacement agreement. The struggle: bridging an impasse over what it means to give Europeans the ability to legally challenge U.S. surveillance practices.
Now, that landmark decision — which upheld other data transfer instruments but increased requirements to keep the data safe — is starting to bite, as privacy regulators across the bloc actually begin to enforce the decision’s onerous provisions. That’s prompting companies like Google, Microsoft and TikTok to consider the once unthinkable: storing ever more data in Europe.
In a decision Thursday, the French privacy regulator CNIL ruled that an unnamed website could not use Google Analytics because doing so involves the transfer of personal information from Europe to the U.S. in violation of the 2020 Schrems II decision.
The CNIL’s conclusions will be closely watched by other regulators, as the French authority has a history of bullishly taking the lead.
The French decision comes hot on the heels of a decision by Austria’s data protection authority to also ban a website from using the popular Google web analytics tool for the same reason, and presages a raft of decisions by other European data protection authorities on the use of these tools. The Dutch privacy agency warned last month that using Google Analytics may soon be illegal. Elsewhere, the Norwegian data watchdog has advised companies to start looking for alternatives to Google’s tools.
Data protection authorities, including the CNIL, are also expected to rule soon on the use of Facebook’s analytics tool, known as Facebook Connect. These decisions mark a significant clamp-down on data transfers, which form the lifeblood of the digital economy and represent billions of euros’ worth of transatlantic trade.
“This is a decision that companies should be aware of at the highest level,” said Caitlin Fennessy, of the International Association of Privacy Professionals, after the Austrian decision. “It would seem to apply so much beyond this particular case.”
Data localization, Big Tech alternatives
Big Tech firms are getting increasingly twitchy, as thousands of companies using their tools will have to adhere to the national regulators’ decisions. The CNIL, which gave the unnamed website one month to comply, compiled a list of alternative tools in September.
In response to the Austrian decision, Google reiterated calls for a new Privacy Shield agreement to keep data flowing. Perhaps as insurance, the company also recently said in filings it planned to store more personal data in Europe, echoing plans announced by TikTok and Microsoft in the aftermath of the Schrems II decision to keep all Europeans’ data in the bloc. (Google had no comment on Thursday’s French decision and a spokesperson redirected POLITICO to previous statements.)
Such announcements would have once been unthinkable, with free data flows considered a cornerstone of the Western approach to using the internet.
Facebook’s parent company Meta, which could have its own transfers of data to the U.S. suspended by the Irish Data Protection Commission, is also issuing warnings. In filings, it said it might have to shutter services including Facebook and Instagram in Europe if the Irish decision comes before Brussels and Washington have agreed on a new data pact.
But that new data pact still looks some way off — weeks, rather than months, for a deal that at one point observers slated to come before the end of 2021.
While there are whisperings that the U.S.-EU Trade and Tech Council in May could see an announcement on a deal, these predictions have proved premature in the past, especially with Brussels uncomfortable with finalizing a decision that for Europeans is about fundamental human rights at a forum focused on trade.
“From a purely technical perspective, there’s no path forward for data transfers. That’s why we need [a] durable EU-U.S. data pact that can stand the test in court,” said Rob van Eijk, Europe managing director for the Future of Privacy Forum think tank.