Europe is finally starting to crack down on data transfers to the United States.
More than a year after the EU’s top court struck down the Privacy Shield — an agreement on data flows between the EU and the US — in the so-called Schrems II ruling, negotiators in Brussels and Washington have not yet concluded a replacement agreement. The fight: overcoming an impasse over what it means to give Europeans the ability to legally challenge US surveillance practices.
Now, this landmark decision – which upheld other data transfer instruments but increased requirements to ensure data security – is starting to bite, as privacy regulators across the bloc actually start enforcing the onerous provisions of the decision. This is prompting companies like Google, Microsoft and TikTok to consider what was once unthinkable: storing ever more data in Europe.
In a decision on Thursday, France’s privacy regulator, the CNIL, ruled that an anonymous website could not use Google Analytics because it involved the transfer of personal information from Europe to the United States, in violation of the 2020 Schrems II decision.
The CNIL’s findings will be closely watched by other regulators, as the French authority is used to taking the lead in a bullish manner.
The French decision follows a ruling by the Austrian data protection authority also banning a website from using Google’s popular web analytics tool for the same reason, and heralds a series of decisions by other European data protection authorities on the use of these tools. The Dutch privacy agency warned last month that the use of Google Analytics could soon be illegal. Elsewhere, Norway’s data watchdog has advised companies to start looking for alternatives to Google’s tools.
Data protection authorities, including the CNIL, are also expected to comment soon on the use of Facebook’s analytics tool, known as Facebook Connect. These decisions mark a significant crackdown on data transfers, which are the engine of the digital economy and represent billions of euros in transatlantic exchanges.
“This is a decision that companies should be aware of at the highest level,” Caitlin Fennessy of the International Association of Privacy Professionals said after the Austrian ruling. “That would seem to apply well beyond this particular case.”
Data Localization, Big Tech Alternatives
Big Tech companies are growing increasingly nervous as thousands of companies using their tools will have to comply with rulings by national regulators. The CNIL, which gave the anonymous site a month to comply, drew up a list of alternative tools in September.
In response to the Austrian decision, Google reiterated its calls for a new privacy agreement to keep the data flowing. Perhaps as a reassurance, the company also recently said in filings that it plans to store more personal data in Europe, echoing plans announced by TikTok and Microsoft following the Schrems II decision to keep all data of Europeans in the bloc. (Google had no comment on Thursday’s French decision and a spokesperson redirected POLITICO to earlier statements.)
Such announcements would once have been unthinkable, with free data flows considered a cornerstone of the Western approach to internet use.
Facebook’s parent company Meta, which could see its own data transfers to the US suspended by Ireland’s Data Protection Commission, is also issuing warnings. In filings, it said it may have to shut down services such as Facebook and Instagram in Europe if the Irish decision comes before Brussels and Washington have agreed on a new data pact.
But that new data pact still seems a long way off — weeks, rather than months, for a deal that observers at one point expected to arrive before the end of 2021.
Although there are rumors that the US-EU Trade and Technology Council in May could see an announcement on a deal, such predictions have proven premature in the past, especially with Brussels uneasy about finalizing, at the level of a trade-focused forum, a decision that Europeans believe concerns fundamental human rights.
“From a purely technical point of view, there is no way forward for data transfers. That’s why we need [a] lasting data pact between the EU and the US that can stand the test of the courts,” said Rob van Eijk, managing director Europe of the think tank Future of Privacy Forum.