Update November 2, 2022
The European Data Protection Board (EDPB) provides its framework for compliance with the GDPR in the event of data transfer outside the European Union.
Recommendations 01/2020 on measures that
supplement transfer tools to ensure compliance with
the EU level of protection of personal data
Adopted on 18 June 2021.
It was to be expected that this framework would lighten the contractual formalities for companies (Binding Corporate Rules or standard contractual clauses) in terms of transferring data outside the European Union.
Mais il ressort de ce cadre que l’examen minutieux des législations étrangères reste nécessaire, comme le préconise l’arrêt Schrems II (https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX%3A62018CJ0311), dès qu’une zone territoriale est identifiée comme incertaine par les autorités européennes : https://www.cnil.fr/fr/la-protection-des-donnees-dans-le-monde,
Except to fall within the derogations provided for by article 49 of the GDPR.
Indeed, a sovereign State can in all cases access the data, on specific request: only a general request for access to the data could be contested in terms of principles.
With regard to data transfers to the United States, there is still no adequacy decision by the European Commission, after the so-called Schrems I CJEU judgments of October 6, 2015 (C-362/14) (invalidation of the Safe Harbour) and Schrems II of July 16, 2020 (C-311/18) (invalidation of the Privacy Shield). US legislation indeed reflects a conception of privacy centered on the protection of American citizens, not including foreigners, which is not the universalist one of the European Union.
The 4th Amendment to the United States Constitution provides: "The right of citizens to be secure in their person, domicile, papers and effects against search and seizure without reason shall not be violated nor shall it be issued no warrant except on serious presumption, corroborated by oath or solemn declaration and describing with precision the place to be searched and the persons or things to be seized. »
Despite efforts at reconciliation (cf. Joe Biden's recent executive order of October 7, 2022 clearly providing for recourse to a delegate of the executive power and even to an independent court but whose opinions are not enforceable), the legislation US still provides for mass surveillance and the lack of effective remedies with regard to the rights of data subjects.
It is therefore first and foremost up to the data exporter, in a perilous exercise of evaluation, to check foreign legislation. The Committee provides a list of data sources in Annex III of its recommendations.
The new Standard Contractual Clauses (“SCC”) (adopted by the European Commission on June 4, 2021 and published on June 7, 2021, which will enter into force on June 27, 2021, https://eur-lex.europa.eu/eli/ dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=fr) do not exempt from this exercise.
The provisional Doctolib decision can give clues on how to secure a data transfer: location and encryption in France, obligation for the European subsidiary to contest the foreign “general” request, insensitive data, short data retention period: https://roquefeuil.avocat.fr/2021/04/transfert-de-donnees-sur-un-cloud.html