Your Personal Data Is Much More Than You Think
A geopolitical weapon of mass submission the European Commission is covertly handing over to the United States.
Personal data is a multi-trillion-euro market. In France, it only makes the news when a major hack reminds the country — again — that it is little more than a digital sieve.
Even that damning image understates the problem. Before measuring the stakes, one must understand what is actually at stake. Under GDPR — the General Data Protection Regulation, binding across the European Union — personal data is any information capable of identifying a natural person, directly or indirectly. The obvious entries: names, addresses, email addresses, social security numbers, fingerprints, facial photographs. But the list doesn’t stop there. It extends to IP addresses, location data, browsing histories, purchasing preferences harvested via cookies, health records, and political opinions.
The definition is sweeping. The exposure, broader still.
These data points form an immense market — one that France has conspicuously failed to measure, let alone confront. The country’s digital literacy has pathetic limits, nowhere more visible than at the top of the state. The parliamentary inquiry into “structural digital dependencies and systemic vulnerabilities” — a document of critical importance — was met with near-total political and media indifference. That tells you everything.
That the European Commission is effectively handing gold on steroids to the Americans is a separate scandal — and one the facts bear out. Personal data has become a strategic asset of the first order. The major platforms use it to construct extraordinarily detailed profiles of billions of individuals: who they are, what they buy, how they can be nudged, and how they will vote. Hyper-targeted advertising. Behavioral manipulation. Political prediction. The infrastructure of influence, quietly assembled.
The commercial dimension is only part of the story. Data is a form of power — and Cambridge Analytica made that undeniable. The personal data of millions of Facebook users was weaponized to shape voting intentions on behalf of politicians who hired the British firm co-founded by Steve Bannon, the strategist behind Donald Trump’s 2016 victory. Beyond electoral interference, this data feeds artificial intelligence models and enables surveillance — of citizens by states, of consumers by corporations, and of both by American authorities who can compel disclosure under domestic law, regardless of where in the world the data sits.
Now, Palantir that!
Palantir's Dark Side of the Force
Let’s kill a misconception right away. Palantir is not a mass surveillance company — however loudly and repeatedly that claim gets made. Palantir is a software publisher. Its business is consolidating vast, heterogeneous datasets and making them analytically actionable for decision-makers. It is not artificial intelligence, even if AI features sit inside its toolkit. Conflating the two only muddies the debate — and a muddy debate serves Palantir just fine.
For Europe, the stakes play out across a single fault line: dependence on American infrastructure. Cloud computing, social networks, collaborative tools, enterprise software — the backbone of European digital life is overwhelmingly American-owned. More than three-quarters of European countries rely on U.S. cloud services for functions essential to national security, according to a report flagging the acute risks of that dependency. The EU has become, in effect, a digital vassal of Washington. France’s decision to award health data hosting to a French provider rather than Microsoft was a first step — largely symbolic, but at least it was a step.
The data flows between the EU and the U.S. are not merely metaphorical. Eighty percent of submarine cables have been laid or acquired by the GAFAM. The physical architecture of the internet is, itself, an American asset.
This matters because the legal architecture is equally asymmetric. Within Europe, the GDPR remains one of the world’s most rigorous privacy frameworks — treating personal data as a fundamental right. That protection largely disappears the moment data crosses the Atlantic. The United States has no federal equivalent. The Fourth Amendment offers Americans some shield against their own government; it offers Europeans almost none. FISA and Section 702 grant U.S. intelligence agencies sweeping access to foreign nationals’ data, without judicial oversight remotely comparable to European standards — and regardless of where the data is physically stored, provided any American point of access exists.
Even that asymmetry, troubling as it is, may be understating the problem.
This legal vacuum is not new — and it has already been tested. Twice, the Court of Justice of the European Union struck down transatlantic data transfer agreements between the EU and the United States, following complaints brought by Austrian privacy activist Max Schrems. Both agreements were sold as guarantees that Europeans’ personal data would be protected to European standards once it crossed the Atlantic. The CJEU disagreed, both times.
A third attempt was signed in 2023: the Data Privacy Framework. Critics, Schrems foremost among them, are unconvinced. The DPF, they argue, is little more than a cosmetically improved Privacy Shield — the same inadequate protections, repackaged. In France, MP Philippe Latombe — who also chairs the parliamentary inquiry on digital dependency — brought the agreement before the EU’s General Court. His case was dismissed at first instance. He has appealed. The CJEU will examine this framework for a third time. NOYB, Schrems’ organization, may file its own challenge in parallel.
For Schrems, the urgency has sharpened considerably since 2023. With American legal instability now impossible to ignore and Washington showing open hostility toward the EU, he warns that the time has come to reassess where European data goes — and how long the EU’s legal construction can hold before it collapses.
The warning is not abstract. The DPF was signed by Ursula von der Leyen without meaningful parliamentary input or public debate. More damning still: it rests not on an act of Congress but on an Executive Order signed by President Biden in 2022. It can be modified — or revoked — at any moment, by any president, for any reason.
That is the legal guarantee Europe is currently relying on.
From mass surveillance to the kill switch
U.S. law grants sweeping access to European data the moment it touches American soil. This is not a revelation — Snowden settled that question a decade ago. What it amounts to is mass surveillance: legal and unremarkable in the United States, particularly when the targets are foreign nationals, and flatly prohibited on European territory. The European Commission, apparently undeterred, pursues the same ends through other means — ChatControl, age-verification mandates — proposals whose surveillance implications deserve far more scrutiny than they receive.
But privacy is only part of the exposure. The deeper vulnerability is infrastructural. Europe’s dependence on American hyperscalers has handed Washington a geopolitical weapon: the kill switch. They control the infrastructure. They control the switch. As Schrems has noted, the United States has a long, uninterrupted history of digital embargoes. Cuba, Syria, and Iran cannot access Microsoft, Google, or AWS. The mechanism exists. The willingness to use it has been demonstrated repeatedly.
There was, briefly, the outline of a response. The EUCS — the EU Cloud Services Scheme — would not have solved everything. But it would have meaningfully reduced exposure to American surveillance, extraterritorial legal reach, and strategic dependency. Backed strongly by France and modeled on its own SecNumCloud standard, the EUCS aimed to set a genuine sovereignty benchmark for the EU’s most sensitive data. Brussels gutted it.
The most demanding tier — High+ — which offered real protection against U.S. access, was quietly dropped. Providers can now self-certify compliance. There is no longer any requirement for European headquarters, majority European ownership, or robust immunity against American extraterritorial law. The certification that was supposed to protect European data now protects little more than the appearance of doing so.
Microsoft, having lost the French health data contract, did not go away. It found the back door Brussels left open. The result is a new generation of hybrid arrangements — American technology, European branding, structural dependency intact. Microsoft has partnered with Orange and Capgemini to produce “Bleu.” Google has joined with Thales to offer S3NS. The sovereignty is cosmetic. The irony of the name “Bleu,” at least, is unambiguous.
The Irish Achilles’ Heel
The GDPR’s “one-stop-shop” mechanism was designed for efficiency. In practice, it created a bottleneck — and a vulnerability. Under the rule, a company processing personal data answers to a single data protection authority: the one where its European headquarters sits. The consequences are predictable. Google, Apple, Meta, X, and Microsoft all fall under Irish jurisdiction. Amazon answers to Luxembourg. Ireland’s Data Protection Commission handles roughly 20% of all European complaints. It wields authority entirely disproportionate to its accountability.
The practical implications are quietly absurd. A French citizen filing a GDPR complaint against Facebook is routed to a regulator in Dublin they cannot easily reach, in a process that can cost hundreds of thousands of euros and drag on for years. As Schrems puts it, the costs are simply prohibitive for individuals and small organizations. The architecture of European data protection formally guarantees rights that are, for most people, functionally inaccessible.
Ireland does possess real regulatory power. For years, it declined to use it. The DPC became the only European authority to routinely settle complaints through negotiated agreements rather than formal decisions. In 2021, NOYB documented the scale of the dysfunction: by the DPC’s own admission, it was not issuing decisions on GDPR complaints. At least 99.93% of complainants received none — this from an authority with a €19.1 million annual budget.
Under sustained pressure from the European Parliament, the DPC has since hired more staff, overhauled its governance, and started issuing fines — larger ones, more frequently, now totaling over €4 billion on paper. On paper. Actual collections stand at roughly €20 million. Less than half a percent of the amounts imposed has been recovered. The enforcement architecture of the world’s most ambitious privacy regulation is, at its operational core, a deterrent that doesn’t deter.




