The European Commission’s third attempt to put EU-to-US transfers of personal data on a stable legal footing has brought great relief to everyone who uses the global cloud providers. But the relief is limited to the US: for suppliers in other third countries nothing has changed. And how much will geography matter under NIS 2 and DORA, under which financial institutions will have to carefully evaluate which country a supplier operates from?
First, let’s look at the biggest change under the GDPR. Then we’ll look at what’s in store for us under NIS 2 and DORA.
GDPR risks: we have a transatlantic data protection framework for the US
In July 2023, compliance professionals, risk managers and business owners could breathe a sigh of relief: using cloud services from US vendors became easier thanks to the European Commission’s adequacy decision.
Transfers of personal data to the US are no longer a blocker, which was not the case until recently (as we wrote in an earlier article). What does this mean for us? And does it still make sense to conclude standard contractual clauses (SCCs) under the GDPR?
The obligation to assess the legal environment and the conduct of public authorities in foreign jurisdictions (i.e. the need for a Transfer Impact Assessment, TIA) was one of the big headaches of the GDPR. This is because large IT service providers often require in their contracts that they may use (sub)suppliers from other countries.
The European Commission’s decision has simplified the situation considerably for US (sub)suppliers. It will be easiest for those who are certified under the DPF (EU-US Data Privacy Framework).
However, beware of transferring personal data to third countries other than the US for which no adequacy decision exists, for example to large providers operating from South America, India, China, etc.
Key obligations when transferring personal data outside the EEA
If you use a supplier or subcontractor from outside the EEA, in addition to the standard GDPR obligations, you must:
- conduct a Transfer Impact Assessment (TIA), that is, an assessment of the law and practice of public authorities in the destination country (how much of a threat they pose to the personal data you are transferring there),
- put in place and assess additional measures, e.g. strong encryption with the keys held under your own control rather than the importer’s, possibly a proxy server in front of Google Analytics, etc.
So what is the current situation regarding the transfer of personal data to the US?
Following the conclusion of the agreement between the US and the EU, the European Commission, in its decision of 10 July 2023 classified the US as a country with an adequate level of protection of personal data.
How has the US legal system changed?
For example, there is a new mechanism through which citizens of the Czech Republic and other EEA countries can exercise their rights (right to erasure, rectification, access to processed data, etc.) against certified US organisations. There have also been changes to the powers under which US public authorities can demand the release of data from a supplier. The European Commission has assessed these modifications as providing sufficient safeguards of rights.
In the US today, there are two groups of processors/importers of personal data from the EU: those certified under the DPF and those not certified under the DPF:
1) Suppliers certified under the DPF
You can transfer personal data to these companies without using a transfer tool under Article 46 of the GDPR (typically standard contractual clauses (SCCs) or binding corporate rules (BCRs)).
You no longer need to assess the legal environment and practices of the authorities (TIAs) or put in place additional measures (these were previously necessary to prevent personal data from being accessed by US public authorities).
You can transfer personal data to a certified vendor without concern from the moment it appears on the Data Privacy Framework List maintained by the US Department of Commerce. The list includes Google LLC and Microsoft Corporation, for example, but as of October 2023 Oracle Corporation was still not on the list.
2) Suppliers not certified under the DPF
In this case, the transfer of personal data remains as demanding as before.
The bad news: in order to fulfil all the obligations of a controller, you still have to choose a transfer tool (typically SCCs). You should also conduct a TIA and put sufficient additional measures in place.
The good news: the TIA will be simple. You can refer to the European Commission’s decision, which assesses the rules newly introduced into US law as sufficient. These rules apply to data received by both certified and non-certified suppliers. As far as access by US national security authorities is concerned, you therefore do not even need additional measures (encryption, appropriate management of encryption keys, etc.); the TIA still has to be documented.
Swiss expert David Rosenthal has pointed out this possibility, and the EDPB’s information note on transfers to the US after the adequacy decision takes the same position.
Newly available redress mechanism
With the issuance of the adequacy decision for the US, the redress mechanism under US Executive Order 14086 is now available to individuals in all EEA countries (the EU plus Iceland, Liechtenstein and Norway). This improves their position should they wish to file a complaint about a violation of their rights by US intelligence authorities.
One final complication remains: subcontractors from third countries
If a US supplier uses subcontractors (in the words of the GDPR, “sub-processors”) from countries outside the EEA for which no adequacy decision has been issued, you must again prepare a TIA and put sufficient additional measures in place. You remain responsible for each onward transfer, because you “set the personal data in motion” and sent it outside the EU in the first step.
Can a supplier lose certification?
Yes. A certified supplier may voluntarily withdraw from certification, may fail to renew its registration the following year, and may also be removed from the list by the US Department of Commerce for non-compliance with the DPF principles. It is therefore advisable to also conclude standard contractual clauses (SCCs) so that the transfer remains covered if a supplier suddenly no longer holds certification.
Legal Window – Evaluation of the US legal framework
The key passage of the entire decision can be found in recital 200, which reads: “It follows from the above that when U.S. law enforcement and national security authorities access personal data falling within the scope of this Decision, such access is governed by a legal framework that lays down the conditions under which access can take place and ensures that access and further use of the data is limited to what is necessary and proportionate to the public interest objective pursued. These safeguards can be invoked by individuals who enjoy effective redress rights.”
Access to personal data by public authorities in the US is therefore limited to what is necessary and proportionate, and the data subject has access to an effective redress mechanism.
Schrems III? Or a look into the future
The non-profit organisation NOYB (founded by the well-known activist Max Schrems) has announced that it will put the European Commission’s decision to the test before the CJEU. It argues that the substantive changes compared to the previous arrangement (Privacy Shield, which was annulled by the Schrems II judgment) are insufficient.
It is therefore possible that in a few years’ time a “Schrems III” judgment will make the transfer of personal data to the US more difficult again. Until then, however, it is possible to transfer personal data to the US in full compliance with the GDPR.
There is another reason for optimism: over the next few years cloud providers may complete the more robust solutions they are already working on today, such as:
- confidential computing,
- sovereignty controls,
- establishing cooperation with European IT service providers.
This would make it possible to remain GDPR compliant “easily and quickly” even if the adequacy decision were annulled.
Geographical risks of NIS 2 and the draft new law on cyber security
The behaviour of public authorities in different countries is also addressed in the draft decree on supplier risk criteria, one of the decrees implementing the new Czech law on cybersecurity. In order to be compliant with NIS 2, you will also need to assess, for each supplier:
- the country of domicile and the country from which the supplier is managed,
- the country of residence of the beneficial owner and, where applicable, the person who controls the supplier,
- the country that may influence or put pressure on the supplier.
You will also have to take into account international sanctions in force, the activities of intelligence services, and the absence of a separation of powers or of a democratic regime in the country concerned. Whether that country acts against the interests of the Czech Republic will also play a role. Supplier assessment will therefore extend to the political and geopolitical level.
DORA risks: geography again
One of the draft RTS (Regulatory Technical Standards) supplementing the DORA Regulation prescribes the details of the register of information on ICT third-party service providers that financial entities must maintain. Supervisory authorities (and the ESAs) will use these registers, among other things, to monitor concentration risk among suppliers. Banks and other financial entities will thus have to record, for example:
- the country in which the provider is based,
- the country in which the ultimate parent company of the provider is based,
- the country from which ICT services are provided,
- the country where the data is stored (data at rest),
- the country where the data is processed,
- the country where the alternative provider is based (finding an alternative provider will be part of the exit strategy for critical or important functions).
The country in which the supplier operates and where it processes and stores data will then also need to be considered by the institution in its strategy for using ICT suppliers for services supporting a critical or important function. The same geographic consideration will play a role in the due diligence of a new provider, particularly when assessing operational risk, reputational risk, and the risk that international sanctions could affect the provision of the service.
Summary: GDPR, NIS 2 and DORA risks from a geography perspective
DORA risks, NIS 2 risks and GDPR risks: these (not only) banking regulations share, among other things, the obligation to think about the geographical location from which a supplier provides its services. For the GDPR, the adequacy decision for the US has helped, but under NIS 2 and DORA banks will face new obligations.
National borders continue to play a big role in regulation. While the adequacy decision has made it easier to use US suppliers, nothing has changed for other non-EU/EEA countries. On top of the GDPR, NIS 2 and DORA introduce new requirements regarding the country from which, and in which, a supplier operates.
This is a machine translation. Please excuse any possible errors.