The US/EU agreement on the export of personal data: why the patch is worse than the hole

On 10 July 2023, with a document of over 190 pages, the European Commission tried for the third time to solve an unsolvable problem: allowing the exchange of personal data with the USA, which is “accused” of not offering adequate protection to the data of European citizens that are processed, for various reasons, by North American companies.

The news drew (more than) a sigh of relief from all the companies based in the EU that are linked, in one way or another, to Big Tech but, in reality, there is little to rejoice about, because even this new version of the “privacy shield” is not going to last long. Like its two previous incarnations, this act does not solve the fundamental problem that afflicts relations between the EU and the US: the possibility for American government structures to do (rightly) what they want with the data of citizens of EU member states.

The concrete prospect, therefore, is that before long, after the European Court judgments known as “Schrems I” and “Schrems II”, which dismantled the Commission’s previous decisions, a “Schrems III” will bring the new text to the same end, again causing fear, uncertainty and doubt in the public and private ecosystem that relies on Big Tech, as well as slowing down the digital transition. In fact, public administrations and companies will continue to operate under the sword of Damocles of some judicial ruling, or of one issued by some national data protection authority, which could well point out that the emperor has no clothes and bring down the fragile house of cards built by the European Commission.

To demonstrate the correctness of this statement it would be necessary to go into the technical-legal detail of the adequacy decision but, at least here, that is not possible. It will therefore suffice to recall that neither the European Parliament nor the European Data Protection Board has declared itself enthusiastic about the agreement, both highlighting (the EDPB in particular) that the issue to be resolved remains the extent of the powers of the American institutions that protect national security.

The Commission’s use of a regulatory technique widely practised by the other European institutions as well did not help it get around the problem: writing texts of biblical length, understandable only to initiates, which then become unchangeable except through detailed interventions (go and see, for example, how many pages the dossier on the AI Act runs to). However, the more than 190 pages were not enough to sweep the criticisms of the measure under the carpet because, despite the efforts, the bulge is all too visible.

So, even on a bird’s-eye reading, it is enough to stop at page 35 to discover that “US intelligence agencies may seek access to such data for national security purposes … under the Foreign Intelligence Surveillance Act (FISA) … FISA contains several legal bases that may be used to collect … the personal data of Union data subjects transferred under the EU-US DPF (Section 105 FISA, Section 302 FISA, Section 402 FISA, Section 501 FISA and Section 702 FISA)”. But FISA itself (and Section 702 in particular) was one of the reasons that led the European Court to invalidate the predecessors of this decision. If, therefore, it was not acceptable before, it is not clear why it should be now. Not to mention the Cloud Act, whose critical issues were reported to the Italian Guarantor almost a year ago, without any news of any intervention being received.

A little further on, on the same page, we read that “US intelligence agencies also have possibilities to collect personal data outside the United States, which may include personal data in transit between the Union and the United States”. So, not only can the American authorities access the data of citizens of EU member states that they hold at home, but they can also pick it up abroad (where, that is, they have no jurisdiction and where neither does the EU). That the US has spied on the institutions of European countries is not a new fact, and the fact that they can do it (goodbye) only in the face of an Executive Order from the President does not change the fact that the EU (or rather, the individual states) have a say.

If, then, one reads the section dedicated specifically to intelligence, one clearly understands that, no matter how many rhetorical contortions one may attempt, there is no legal remedy available to non-US citizens to review the work of the structures that guarantee state security. On the other hand, and this is the real Achilles’ heel of the EU, no country (not the US, but not any other either) would accept a limitation of its internal sovereignty on issues concerning its survival or even its existence. Therefore, because this is what it is about, thinking of resolving an issue of international relations with a legal instrument is equivalent to driving a nail with a screwdriver.

In concrete terms, the reasoning translates into the observation that the EU Commission has only postponed the problem without solving it, and in doing so has created more problems than it has eliminated. The application of the new “privacy shield” (or whatever it will be called) is cumbersome, bureaucratic and expensive and, at the same time, it does not facilitate the activity of companies and public institutions. Furthermore, and perhaps this is the most serious thing, the adequacy decision “certifies” that until yesterday it was not possible to exchange data with the US and that, by logical deduction, whoever did so probably violated the law. Hence two considerations: the first is to ask where the national data protection authorities were and why they did not block these transfers, and the second is to ask whether, now that the decision has been approved, they will open wide-ranging investigations to sanction those who, up to today, have used the GAFAM services (and those of many other US operators). Yes, because this decision does not “heal” the past, and therefore the guarantors should intervene unless they are themselves to violate their own institutional mandate.

Whatever the authorities choose, it will be a choice laden with contraindications: if they investigate, they will have to sanction in the name of Community and national political inertia; and if they do not investigate, they will have inflicted irreparable damage on trust in the primacy of the law, because they will certify that, in the name of political necessity, the law must take a step back.

Never more than in the case of the new adequacy decision, therefore, has the patch been worse than the hole, and there is no reason to envy the tailor who will have to apply it.
