Have you noticed that different institutions issue different recommendations on the transfer of personal data to the US? Are you clutching your head (like many GDPR experts) at some of the supervisory authorities' decisions? Schrems II and its aftermath are still shaping data protection in IT. Let's look at who is saying what, what is being discussed, and whether the new transatlantic data protection agreement between the US and the EU will put an end to the controversy.
Transfer of personal data to the US under Schrems II
Since 2020, the Schrems II ruling has been in force. In it, the Court of Justice of the European Union set out what must be satisfied when personal data is transferred to a country outside the European Economic Area, for example when cloud services are deployed.
If the European Commission has not issued an adequacy decision for the country, an essentially equivalent level of protection must be ensured by other measures. That protection must also hold against foreign public authorities (e.g. intelligence services) that local law allows to request personal data from the processor.
The EU supervisory authorities have been applying the Schrems II decision over the last year, and they apply it in a way that complicates life for companies using digital services from US providers. One example is Google Analytics (used to analyse web usage), which the authorities have concluded does not comply with the GDPR in its current form.
The decisions and conclusions that follow from Schrems II have drawn criticism from privacy experts and public sector organisations alike. Some of them have even started to publish dissenting opinions.
Opinions differ both on the interpretation of the GDPR (should transfers to third countries be assessed on a risk-based or a rights-based approach?) and on the assessment of US law (when does Section 702 of FISA or the CLOUD Act actually apply, and what does that mean for the transfer?).
We continuously monitor the recommendations of the supervisory authorities as well as differing opinions. It’s been a tumultuous development, and it’s worth taking stock of what’s happened in the last few months – and what we’re likely to see when it comes to the transfer of personal data to the US.
It started in Austria
The Austrian supervisory authority, the Datenschutzbehörde, was the first to rule, in 2022, on a complaint seeking to stop a transfer of personal data to the US. The complaint by NOYB (the organisation with which the well-known privacy litigator Max Schrems is affiliated) concerned the personal data of a visitor to a website on which Google Analytics was enabled.
The crux of the problem is that Google, as a provider of electronic communications services, falls under Section 702 of the Foreign Intelligence Surveillance Act (FISA). US authorities can therefore order Google to hand over users' personal data, and those users can be people in the EU.
What conclusions did the Austrian supervisory authority Datenschutzbehörde reach?
- The IP address, other user identifiers (taken from cookies), and browser and device data are personal data that can help foreign intelligence services identify a specific person. According to the authority, the realistic technical and financial resources an intelligence service can devote to identifying a particular person must be taken into account (although even the capabilities of intelligence services should not be treated as unlimited).
- The transmitted personal data was not sufficiently anonymised, because the anonymisation takes place on Google's side. Google is therefore able to access the non-anonymised data, which can identify a specific person.
- The condition for the transfer of personal data is therefore not fulfilled: the website operator has not ensured an equivalent level of protection of personal data.
Authorities in France, Italy and Denmark have made similar decisions… and others will follow.
Even standard contractual clauses (SCCs) are not sufficient, because contractual arrangements do not bind state authorities, who may still seek access to the personal data. (I wrote more about SCCs here.)
Google has announced changes in response to these decisions and a new version of Google Analytics that is meant to be more GDPR compliant. Whether it actually will be is not yet certain.
What would be a sufficient additional measure for the transfer of personal data to the US?
According to the Austrian watchdog, one such measure can be rigorous encryption that meets certain parameters, such that the US company cannot access the unencrypted data (in particular, it must not hold the encryption keys). We wrote about cloud encryption options here.
However, experts warn that truly consistent, end-to-end encryption would complicate or entirely block many cloud deployments: a provider that never sees plaintext cannot index, analyse or otherwise process it.
The French supervisory authority CNIL subsequently recommended a proxy server, hosted under the controller's control, as an alternative way to pseudonymise the data before it ever reaches the US provider.
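To make the proxy idea concrete, here is an added example (not code from the original article, from CNIL or from Google) of the rewriting an EU-hosted proxy could apply to an analytics hit before forwarding it. It targets the data the Austrian authority singled out: the client IP address, the cookie-based client identifier, the browser fingerprint and URLs that may carry identifiers. The parameter names (v, tid, t, cid, dl, dr, uip, ua, gclid) follow the Universal Analytics Measurement Protocol and are an assumption of this example, as are the allowlist, the /24 and /48 truncation and the sample request, which is constructed for the demonstration.

```python
"""Pseudonymising analytics proxy: rewrite one collect request before forwarding.

Assumptions (not from the original article): Measurement Protocol parameter
names, the allowlist below, IPv4 /24 and IPv6 /48 truncation, and a secret
that lives only on the EU-hosted proxy and is rotated regularly.
"""
import hashlib
import hmac
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Only these parameters are ever forwarded. Everything else (referrer "dr",
# user id "uid", ad click ids such as "gclid", campaign fields) is dropped,
# because each can tie a hit back to a profile held by a third party.
ALLOWED_PARAMS = frozenset({"v", "tid", "t", "cid", "dl", "dt", "dp", "ul", "sr", "ec", "ea"})


def pseudonymise_ip(ip: str) -> str:
    """Coarsen the client address: keep the /24 of an IPv4 or the /48 of an IPv6 address."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymise_client_id(cid: str, secret: bytes) -> str:
    """Replace the cookie-issued client id with a keyed hash.

    The key never leaves the proxy, so the provider cannot reverse the mapping;
    rotating the key breaks linkability across rotation periods.
    """
    return hmac.new(secret, cid.encode(), hashlib.sha256).hexdigest()[:32]


def strip_url(url: str) -> str:
    """Drop query string and fragment from a page URL; they often carry tokens or user names."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def generalise_user_agent(ua: str) -> str:
    """Reduce the full User-Agent (a fingerprinting vector) to a browser family.

    Order matters: Edge and Chrome UA strings also contain "Safari".
    """
    for needle, family in (("Firefox", "Firefox"), ("Edg/", "Edge"), ("Chrome", "Chrome"), ("Safari", "Safari")):
        if needle in ua:
            return family
    return "Other"


def rewrite_hit(client_ip: str, user_agent: str, query: str, secret: bytes) -> dict:
    """Rewrite one collect request the way the EU proxy would before forwarding it.

    Returns the parameters that may be sent on to the analytics provider.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    out = {k: v for k, v in params.items() if k in ALLOWED_PARAMS}
    if "cid" in out:
        out["cid"] = pseudonymise_client_id(out["cid"], secret)
    if "dl" in out:
        out["dl"] = strip_url(out["dl"])
    # Send the coarsened address and the generic UA as explicit overrides, so the
    # provider only ever sees the proxy's values, never the real client's.
    out["uip"] = pseudonymise_ip(client_ip)
    out["ua"] = generalise_user_agent(user_agent)
    return out


# Constructed sample request (not captured from any real site).
SAMPLE_QUERY = (
    "v=1&tid=UA-000000-1&t=pageview&cid=1234567890.1660000000"
    "&dl=https%3A%2F%2Fexample.test%2Faccount%3Fuser%3Dalice%26token%3Dabc"
    "&dr=https%3A%2F%2Fsearch.example%2F%3Fq%3Dmy%2Bcondition&gclid=XYZ"
)
SAMPLE_IP = "203.0.113.45"
SAMPLE_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
SECRET = b"demo-secret-held-only-on-the-eu-proxy"  # generate and store this on the proxy in practice

if __name__ == "__main__":
    print(urlencode(rewrite_hit(SAMPLE_IP, SAMPLE_UA, SAMPLE_QUERY, SECRET)))
```

Note what the example does not do: it does not make the transfer disappear. The provider still receives a hit, so whether the residual data (truncated network, keyed pseudonym, page path) still counts as personal data is exactly the question the authorities disagree on. An allowlist rather than a blocklist is deliberate: a new parameter the provider introduces is dropped by default instead of leaking until someone notices it.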
Transfer of personal data to the US (third countries): end of the risk-based approach?
Another conclusion the supervisory authorities reached in the Google Analytics cases has far-reaching implications: the risk-based approach does not apply to Chapter V of the GDPR (transfer of personal data to third countries). Even the lowest probability of access by, say, an intelligence service means that a transfer of personal data to the US (or any third country) cannot comply with the GDPR.
This conclusion has been strongly criticized by the privacy expert community:
- Swiss privacy expert David Rosenthal sees a risk-based approach as the only workable way to assess a transfer. He has therefore created a tool (an Excel template) for assessing the risk of transferring personal data to third countries. According to Rosenthal, the Swiss public administration has responded positively to it.
- The risk-based approach and its relation to the different parts of the GDPR is further explored, for example, by Lokke Moerel, Professor of Global ICT Law at Tilburg University. In her article, she argues that the core of the problem lies in the fact that the EDPB promotes a different concept of the principle of accountability than the one on which the GDPR is based.
Norwegian authorities go against the tide
The debate was stirred up further when several dozen organisations in the Norwegian public administration set up a working group to help others by issuing recommendations on the use of cloud services in the Norwegian public sector.
Organisations from the tax, health and security sectors put their heads together and recently published their recommendations. The Norwegian supervisory authority attended only one meeting, so the recommendations were drawn up without it.
The authority itself is not pleased that someone else is issuing recommendations in its area of competence, so not everyone considered the creation of a separate working group a happy idea.
The Swiss federal administration subsequently joined those advocating an interpretation different from the supervisory authorities'. At the end of September 2022 it issued a report that, among other things, discusses the legal basis for the use of cloud services by public administration bodies.
The report advocates a risk-based approach to access by foreign authorities and intelligence services, which it considers compatible with Swiss data protection law.
It even states that it does not share the view of the Federal Data Protection and Information Commissioner on this point, and stresses that each case must always be assessed individually. So once again, as in Norway, the recommendations of the data protection supervisory authority and of other public bodies contradict each other.
Is the mere theoretical possibility of a transfer already a transfer?
The Norwegian working group recommends a less stringent approach to the transfer of personal data outside the EEA. For example, it takes the view that unless data is actually transferred, there is no transfer; the mere theoretical possibility that data could be accessed from abroad is not enough.
On that reading, as long as the data has not been accessed and moved, the question of international data transfer does not arise at all. However, this generous interpretation does not appear to be consistent with the EDPB's related guidance, which defines a transfer broadly: making the data available is sufficient.
In its Guidelines 05/2021, the EDPB set out three cumulative criteria that define a transfer to a third country or international organisation:
- The GDPR applies to the controller or processor for the processing in question.
- That controller or processor (the "exporter") discloses by transmission, or otherwise makes available, the personal data subject to that processing to another controller, joint controller or processor (the "importer").
- The "importer" is in a third country or is an international organisation, regardless of whether the GDPR applies to the "importer" via Article 3 for that processing.
On the EDPB's interpretation, therefore, making the data available is enough; no actual access needs to have taken place.
When every recommendation says something different
If you want to use cloud services in your organisation without breaking the law, conflicting recommendations are likely to leave you confused and disillusioned. Certainty about the correct interpretation is melting away. The Norwegian supervisory authority takes the same view and has expressed its displeasure at the diverging recommendations.
On the other hand, when someone offers an alternative view, it can be seen as a welcome impulse to reopen the debate about what the correct interpretation of the GDPR and of the related key decisions of the Court of Justice of the European Union actually is.
Although it makes life difficult for a while, such a debate is healthy for the development of the legal system. An interpretation that differs from the supervisory authority's opens up an opportunity for correction. Differing interpretations eventually lead to litigation, and litigation leads to clarification of the law in case law.
Even supervisory authorities can be wrong
Supervisory authorities are not always right. Sometimes their positions are simply not sustainable, which is why we should read them critically. Here is a specific example that goes to the very basics of the GDPR: the legal basis for processing personal data.
For the processing of personal data to be lawful, we need a legal basis for it. That may be consent, a legal obligation or, for example, the performance of a contract. The broadest basis, however, is legitimate interest, and the following episode concerned precisely that.
In its guidance, the Dutch supervisory authority stated that a "mere" business (commercial) interest cannot serve as a legitimate interest, and thus as a legal basis, for the processing of personal data.
The European Commission responded with a letter rejecting this strict interpretation. It stressed that the right to data protection is not an absolute right, so a fair balance must always be struck with other fundamental rights (recital 4 of the GDPR says as much). Here the competing fundamental right is the freedom to conduct a business.
Because the Dutch authority rejected out of hand any legitimate interest grounded in that freedom, it made it impossible to strike that balance in individual cases.
Commercial or economic purposes can therefore be a legitimate interest of the controller, and the controller may base processing of personal data on them. Whether a particular purpose can be relied on depends on the other two steps of the test: whether the processing is necessary, and whether the purpose outweighs the fundamental rights and freedoms of the data subjects (proportionality).
The GDPR is a tool designed for pragmatic use. Data protection is not an absolute right, so it will always be weighed and balanced against other rights and interests; the GDPR itself calls for that weighing. And it can happen that supervisory authorities, in the heat of the fight to protect data subjects' rights, overshoot.
Schrems III on the horizon? And will it solve the transfer of personal data to the US?
In early October 2022, US President Joe Biden issued an Executive Order on safeguards for US signals intelligence activities, setting out a new process and new limits for how federal agencies and departments collect personal data.
The organisation NOYB has already expressed skepticism about it: in its view, mass surveillance will probably still not meet the principle of proportionality, and there will still be no genuine possibility of seeking redress before a court. European law requires both.
Nevertheless, we are likely to see an adequacy decision by the European Commission under Article 45 of the GDPR in the spring of 2023. Then history will probably repeat itself: the decision will be challenged by complaint, subjected to judicial review, and in a few years we will be wringing our hands over Schrems III.
If you’re interested in this article, visit our Cloud Encyclopedia – a quick guide to the cloud.