After Austria last January, CNIL’s method was to use a statistical tool to measure the audience of websites called “Google Analytics”. “Illegal”. Why is that? These transfers will not be restricted by the European Court of Justice, as its application involves the transfer of data to the United States and the agreement between the European Commission and the United States (the “Privacy Shield”) and the US intelligence services. The “opportunity” to access this data.
These results are particularly volatile for all European companies. Nationally, nearly 70% of them have been using this solution for more than 15 years to measure the visitors of their websites and improve their ergonomics. In the absence of such high-performance technological alternatives, blocking this solution would force European companies to blindly limit the functionality and performance of their own website. Neither they nor their customers will get anything.
They are also legally questionable. In fact, the CJEU does not, in a general and complete way, restrict any data transfer to the United States. In particular, it recognized the validity of the use of other legal instruments, taking into account the “circumstances of the transaction” and the “guarantees” issued. Therefore, the sensitivity of the data and the past experience of the companies involved should be analyzed in each case, for example, whether they are already in demand or not by the intelligence services. .
However, the French decision, which was only available in a press release, seems to have freed it from the case-based and risk-based approach. In fact, since the existence of such claims is “possible” enough to make the transaction illegal, no publicly available element can prove their existence in a particular case. This theoretical approach, which departs from the theory of proportionality, necessarily leads to insoluble situations because it offers no solution.
Furthermore, this approach is not one that has been adopted by the State Council, which in the previous two cases has examined the possibility of transferring data to the United States, while acknowledging the dangers but requesting that steps be taken to “reduce” them. Do not let them disappear. It is also for health data, which is more sensitive than the result of analysis of site traffic. Similarly, CNIL has authorized the legal auditors regulatory body to transfer data to the United States. At the European level, CNIL’s affiliate has made use of CJEU’s interest in using the video conferencing solution.
Legal uncertainty for businesses
The differences in this assessment are that it is better conducted between the authorities, but between the public sector and the private sector, creating legal uncertainty for companies caught in the middle. Encouraged by the CJEU and European authorities, they believed solutions existed, based on their past experience and objective risk analysis as appropriate criteria for changing their data. Controllers now say otherwise. However, no agency can resolve questions about the powers of the intelligence services and the guarantees offered to individuals. These are political decisions that can only be made by the states.
Data protection is therefore not synonymous with protectionism, and it is urgent that we find an alternative to the “privacy shield” so that our companies do not fall prey to the legal issues that go beyond them. If the French Presidency of the European Union succeeds in doing so, this great victory will be its pride.
March 15, 2022, 7:04