Two years ago, the Court of Justice of the European Union invalidated Privacy Shield, the legal framework for EU-U.S. data flows. The consequences of that ruling reinforce the EU's digital sovereignty agenda, which increasingly sees data localization as one of its core elements.
Since the "Schrems II" judgment by the CJEU, the U.S. presidential administration and European Commission have been working on replacing the trans-Atlantic agreement with a new one that could stand judicial review before Europe's top court. In March 2022, U.S. President Joe Biden and Commission President Ursula von der Leyen announced an agreement in principle.
However, while Brussels seems committed to reestablishing a framework for data transfers with its closest ally, EU policymakers have progressively been looking into elements of data localization that would introduce much stricter limitations to trans-Atlantic data flows.
'Schrems II' fallout
The "Schrems II" ruling has certified that data transfers in a jurisdiction that does not have an equivalent level of data protection as the EU General Data Protection Regulation are illegal unless adequate safeguards are in place.
"It is unclear whether and to what extent a transfer of data to the U.S. is possible even without an adequacy decision," said Stefan Hessel, an attorney at reuschlaw. "The extent to which standard contractual clauses remain an effective tool is disputed, and conflicting statements by supervisory authorities are doing their part to increase uncertainty among companies."
The case law put the EU's system of data adequacy at center stage, whereby the European Commission decides that a country has an adequate level of data protection, resulting in unrestricted transfers with that country.
"There's been a very long-term trend for other countries to adopt GDPR-like legislation to make adequacy decisions easier — the U.S. is becoming an outlier in not doing so," said Ian Brown, a visiting CyberBRICS professor at the Fundação Getulio Vargas Law School.
The problem of jurisdiction
The European Data Protection Board issued guidance on ensuring GDPR compliance when transferring data with countries not covered by adequacy decisions. Legal analysts considered that in this recommendation, European DPAs called for data localization, more or less implicitly supporting those advocating for it in the context of Europe's digital sovereignty.
For Gabriela Zanfir-Fortuna, vice president of the Future of Privacy Forum, the international data transfers regime of the EU is, at least in theory, the opposite of a data localization regime, since it was designed to allow for international transfers of personal data while ensuring that the data is protected similarly as if it were in the EU.
Still, in the joint European Data Protection Supervisor and EDPB opinion on the EU Health Data Space legislative proposal, the authorities urge the legislator to introduce localization requirements for health data. The reasoning is that if the processing infrastructure is located outside their jurisdiction, "control over compliance with EU data protection rules might not always be fully ensured."
Therefore, European DPAs seem increasingly in favor of data localization requirements that go hand-in-hand with the current political agenda in Brussels, even for countries with an adequate data protection level. Zanfir-Fortuna noted that such a shift in policy would entail significant tensions with the data adequacy regime.
The question of which jurisdiction applies is crucial in terms of sovereignty. Meaningfully, the "Schrems II" ruling was motivated by the fact that the U.S. intelligence services have disproportionate access to the data of EU residents without the possibility of judicial redress. Proportionality and judicial remedy are two core EU principles.
For Brown, "Schrems II" is certainly not part of a "grand plan" since the CJEU is an independent institution. Still, it complements a push from certain EU countries, particularly France, toward "digital sovereignty" intended as "Europe's ability to act independently in the digital world."
Placing European data, including non-personal, outside foreign jurisdictions, has a critical role in this notion. For instance, the Data Governance Act requires data intermediaries to take all reasonable measures to prevent the international transfer or governmental access to non-personal data held in the EU that could create conflict with EU or national law.
Similar provisions have been included in the Data Act as well. For European policymakers, the reasoning behind these measures is not meant to be punitive but to ensure that the rigorous rules that the EU is putting in place to create a marketplace for industrial data cannot be bypassed simply by residing outside the bloc.
"We don't want to make it hard for outside actors to operate in the EU, but we want to ensure everyone follows the same rules. The obligations we are defining are not prohibitive for outside actors at all," MEP Damian Boeselager explained.
The cloud infrastructure aspect has been another one where the EU's agenda has taken data localization traits. For the advocates of digital sovereignty, Europe is overly reliant on non-European cloud service providers. As part of the European data strategy, the EU set itself the task "to reduce its technological dependencies in these strategic infrastructures."
The latest initiative comes from the European Cybersecurity Certification Scheme for Cloud Services, a certification based on the Cybersecurity Act. The scheme has three levels of assurance, the highest of which is set to become mandatory for organizations providing essential services under the recently adopted revision of the Network and Information Security directive.
According to a leaked draft, the high assurance scheme includes sovereignty requirements that would make it impossible for non-European companies to be awarded the certificate. The cloud service provider would have to be headquartered in Europe, not be controlled by any non-EU entity and completely independent from non-EU laws.
The proposal, supported by France and the European Commission, has met the resistance of several member states and business representatives, which pushed back against the idea of introducing politically motivated criteria in what is meant to be a technical discussion on secure infrastructure.
The dividing lines are those typical of the debate on digital sovereignty. Paris and other large EU countries push for emancipating from American technology by building up European champions. Conversely, smaller and more liberal member states want the best technology available and do not want to pay for scaling up Franco-German companies.
"The creation of autarkic data spaces is a risk to innovative developments. Moreover, in times of chip shortages and in view of the limited computer capacities in the European Union, it would also be an infrastructural problem to store all data only in the European Union," reuschlaw's Hessel added.
As the applicable jurisdiction is a critical aspect of digital sovereignty, the concept inevitably leads to the fundamental problem of conflict-of-laws. This issue cannot be solved simply with legislation giving itself primacy, since, by definition, other "sovereign" jurisdictions are not influenced by what is mandated by another law system.
For Alberto Di Felice, CIPP/E, director at the trade association Digital Europe, it is simply unrealistic that Europe manages to prevent third-country jurisdictions from accessing EU data. In his view, these efforts are only bound to create legal uncertainty and compliance problems for businesses with international operations.
"If you are a European company and all your data is stored in Europe, but you do business in the U.S., you are still subject to relevant U.S. data requests. The only unilateral way to really change this would be to ask European companies to stop their U.S. presence, which would be self-defeating," Di Felice warned.
The IAPP created an infographic outlining the decision by the Court of Justice of the European Union, declaring the EU-U.S. Privacy Shield arrangement is invalid.
If you want to comment on this post, you need to login.