A ” cut » « poker », « salutary », « ballsy ”, or even “ desperate »: here is how the appeal of French MP Philippe Latombe against the new “ Privacy shield », a few hours after the publication of its press release. Thursday, September 7, we learned that the elected representative of the MoDem had initiated a procedure against the agreement on the transfer of data from Europe to the United States, called the “ Data Privacy Framework”, or “DPF”. The Parliamentarian returned, to 01neton his decision to deal, the very first, a “blow” to the text. The DPF allows to American digital giants like Amazon, Google or Meta, the parent company of Facebook, Instagram and WhatsApp, transfer our personal data and that of all Europeans to the United States.
The European Commission made it official on last July 10, despite the concern of associations and the reservations of the European Parliament and the European CNILSwhose opinions are only advisory.
The new agreement, “a true copy of the “Privacy Shield””
Why this recourse? Because the DPF, which replaces after two years of legal vacuum the “ Privacy Shield » « is a true copy of this previous agreement », Estimates the MP. THE ” Privacy Shield » had been invalidated by the Court of Justice of the European Union (CJEU) in 2020. This text itself succeeded the “ Safe Harbor », an agreement also rejected by the same court in 2015.
Read also : Why transferring your personal data to the United States is an incredible headache
And for the Parliamentarian, the DPF should follow the same path: it will certainly be invalidated by European judges. The problem is that ” it will take two years, at best 18 months, for the new text to reach the Court of Justice of the EU », deplores the French politician. Max Schrems, the founder of NOYB, the Austrian association behind the first two “ invalidations », has already explained that he will challenge the DPF before the CJEU. How ? Concretely, ” he is going to find a company that he believes is transferring data from Austrians to the United States using the DPF. He will take legal action in his own country, Austria, and ask the Austrian judge to issue a preliminary question to the Court of Justice of the EU », unfolds the chosen one.
A “real harm for European citizens”
This procedure allows a national judge to ask a question about European law to the European judge – a question which could be, here, does the DPF sufficiently protect European citizens? ” Then, the Court of Justice must respond », underlines Philippe Latombe. Which, in practice, will require months of procedure, so much time wasted “ which will allow American companies to rush into the market », he continues. What constitute “ a real harm to European citizens “.
And if the forty-year-old has already expressed his disagreement about this “ Data Privacy Framework » , what more could he do, as a French politician, once the text, decided at European level, was official? It was while consulting jurists and lawyers that the idea came to him to “ To give it a try », summarizes the one who describes himself as “ a standard bearer “. This blow is a recourse which “ has never been done before “. The MP, also a commissioner of the CNIL, explains that he is acting, in an individual capacity, on the basis of an article in the Treaty on the Functioning of the EU (TFEU). The article 263, paragraph 4 of the TFEU, allows European citizens to challenge a decision of the European Commission, by filing an action for annulment against “ regulatory acts which directly concern them and which do not include implementing measures “. And precisely, the new agreement, the DPF, would tick all the boxes, the MP wants to believe.
A faster procedure, but not necessarily admissible
The advantage is that this appeal would be faster than the classic procedure initiated by Max Schrems. The downside is that the MP will be the first to try it. It is therefore not certain that his procedure is admissible.
Concretely, “on directly asks the court of the European Union to rule. And I don’t need to find a special case – a company that would send data to the United States. I also do not need to take legal action in my country “, he emphasizes. The deputy for Vendée also asks for a “ reprieve, the suspension of the DPF while we examine the file, on the merits “. Because the new legal framework could apply from October 10, three months after its officialization. During this period, companies wishing to transfer the data of Europeans to the United States must complete self-certification.
The idea is to say: “ Wait, put your foot on the brake, we examine the text in depth, we do not let the date of October 10 pass, because a piece of data, when it goes to the United States, it is processed – without guarantee of my rights. In fact, I will never see my data again. I would have lost my rights », insists the elected official.
The data of Europeans, once in the United States, is no longer protected
What is it about here? The politician believes that our data, once in the United States, is not sufficiently protected – an opinion shared by the European Parliament, the European CNILs, and associations like NOYB or Quadrature du Net, among others. When we publish stories on Instagram, carry out research on Google Research, or give our opinion on a product purchased on Amazon, data on our interests, our habits, our purchasing power or our location are taken over by the American giants. The latter end up in the United States, where they are not as protected as in Europe.
Also read: Transatlantic data transfer: The United States will not provide additional guarantees to Europeans
The American secret services notably have access, en masse, under a local law, section 702. This text authorizes massive and indiscriminate access to the personal data of Europeans by American Intelligence. However, Brussels requires, for any transfer of our data to other countries, that the following rule be respected: the protection of our data (covered in particular by the GDPR, the European Regulation on personal data) in the destination country (i.e. the United States) must be equivalent to that which exists in Europe.
A gap now closed, according to Brussels
And twice, European judges ruled, in 2015 and in 2020, that this was not the case. The American legal framework does not sufficiently protect Europeans, wrote the judges who reported to “ interference with the fundamental rights of the people whose data was transferred.” This observation would now belong to the past, since ite ” gap » would be compensated, according to the Commission. The European Commissioner for Justice, Didier Reynders, explained in particular during the press conference on July 10 that the EU had “ achieved considerable progress that meets the requirements of the European Court of Justice. The new framework (of the DPF) is very different from what we knew under the “Privacy Shield” “.
This protection is, however, still insufficient, tackles Philippe Latombe, listing arguments which “have already been developed by quite a few academics and specialists on the subject”. Among them, “ the resorts (against the fact that the American secret services access, for example, my emails or my telephone calls, editor’s note) are not detailed but automated, you can complain to the Americans and they will tell you, you are right or you are wrong, without explaining why “. Likewise, the “appeal” judges set up by the Americans – to decide disputes over access to data and respect for privacy by American Intelligence – would not be truly independent. The members of the Data Protection Review Court (DPRC) “ depend directly on the American Minister of Justice, being directly under his responsibility. Finally, the President of the United States “can modify the criterion of surveillance and authorization of data collection (of Europeans) for the intelligence services in a secret manner, without informing anyone”, he notes.
Also read: How Europe gave up your personal data to American spies
“If it doesn’t work, we’ll have to wait for the Max Schrems procedure”
Has the politician found support in the European Union, apart from Max Schrems and his NOYB association? If he confides “have people behind him, lawyers, jurists, DPOs (data protection delegates, responsible for the protection of personal data within an organization, editor’s note)”, caside from MEPs, it don’t expect anything. The European Parliament has certainly published a reserved opinion on the new agreement. “But he did not pass a resolution telling the President of Parliament, as soon as the Data Privacy Framework is published, you take the matter to the Court of Justice,” he regrets.
Now, his action for annulment has been initiated. “Now we’ll see. The question is: am I eligible for this procedure? », he wonders. “Me, I’ll give it a try”he adds. “If it’s admissible, so much the better. This will be the first step. If it’s not admissible, too bad. If it doesn’t work, we’ll have to wait for the Max Schrems procedure.”