Transfer of personal data to the US (and other third countries): how to navigate the recommendations when they go against each other?
Have you noticed that different institutions issue different recommendations for the transfer of personal data to the US? Are you grabbing your head (like many GDPR experts) from some of the decisions of the supervisory authorities? Schrems II and its aftermath are still rocking IT data protection. Let's see what everyone thinks, what the debate is about - and whether the new transatlantic data protection agreement between the US and EU will end all the controversy.
Jan Kubicek
Transfer of personal data to the US under Schrems II
Since 2020, the Schrems II judgment has been in force, in which the Court of Justice of the European Union ruled on what must be met when personal data is transferred to a country outside the European Economic Area, for example when introducing cloud services.
If the European Commission has not issued an adequacy decision for a country, an essentially equivalent level of protection must be ensured through supplementary measures. This includes protection against foreign public authorities (e.g. intelligence services) that local law allows to demand personal data from the processor.
EU supervisory authorities have been applying the Schrems II judgment over the last year, and they are applying it in a way that adds wrinkles for companies using digital services from US companies. One example is Google Analytics (used to analyse web usage), which several authorities have concluded is not GDPR-compliant in its current form.
The decisions and conclusions built on Schrems II have drawn criticism from privacy experts and public-sector organisations alike. Some have even begun to publish dissenting opinions.
There are different interpretations of both the GDPR (should transfers to third countries be risk-based or rights-based?) and the US regulations (when does Section 702 of FISA or the CLOUD Act actually apply, and what does that mean for transfers?).
We continuously monitor the recommendations of the supervisory authorities as well as the dissenting opinions. It is a turbulent development, and it is worth summarising what has happened in the last few months and what we are likely to see next for transfers of personal data to the US.
It started in Austria
The first authority to rule in 2022 on a complaint against the transfer of personal data to the US was the Austrian supervisory authority, the Datenschutzbehörde. The complaint by NOYB (the organisation with which the well-known data protection litigator Max Schrems is affiliated) concerned the transfer of personal data of a visitor to a website on which Google Analytics was enabled.
The crux of the problem is that Google, as an electronic communications service provider, is subject to Section 702 of FISA (the Foreign Intelligence Surveillance Act). This allows US public authorities to order Google to hand over users' personal data, and those users can be people in the EU.
What conclusions did the Austrian supervisory authority Datenschutzbehörde reach?
- The IP address, other user identifiers (coming from cookies), and browser and device data are personal data that may help foreign intelligence services to identify a particular person. According to the Authority, the realistic technical and financial means that intelligence services have to identify a particular person must also be taken into account (but even the means of intelligence services should not be considered unlimited).
- The personal data transmitted were not sufficiently anonymised, because the anonymisation is done on Google's side. Google is therefore able to access non-anonymised data that can identify a specific person.
- The condition for the transfer of personal data is therefore not fulfilled: the website operator has not ensured an equivalent level of protection of personal data.
Similar decisions have been made by the authorities in France, Italy and Denmark... and others will follow.
Even standard contractual clauses (SCCs) are not sufficient on their own, because contractual arrangements do not bind state authorities, who may still seek access to personal data. (I wrote more about SCCs here.)
In response to these decisions, Google is preparing changes and a new version of Google Analytics that should be closer to GDPR compliance. Whether it actually will be is not yet certain.
What would be a sufficient additional measure for the transfer of personal data to the US?
According to the Austrian supervisory authority, this could be, for example, consistent encryption meeting certain parameters, such that the US company cannot get access to unencrypted data (in particular, it must not hold the encryption keys). We wrote about encryption options in the cloud here.
However, experts warn that truly consistent, comprehensive encryption would complicate or completely block many cloud deployments.
The French supervisory authority CNIL subsequently recommended, as an alternative solution, a proxy server that pseudonymises the data before it is forwarded to Google.
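To make the proxy idea concrete, here is an added example (my own illustration, not CNIL's or Google's code) of the transformations such an EU-hosted proxy could apply to each analytics hit before forwarding it: coarsen the IP address, replace the cookie identifier with a keyed pseudonym whose key never leaves the EU, reduce the User-Agent to a browser family, and drop query strings and external referrers. The hit structure, the field names and the sample values are assumptions constructed for the example; the exact set of measures CNIL expects should be taken from its published guidance, not from this snippet.

```python
"""
Pseudonymising analytics proxy (added example, not from the original article).
Strips or pseudonymises the fields of a web-analytics hit before it leaves
the EU. Field names, key handling and sample values are assumptions.
"""
import hashlib
import hmac
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Assumption: the HMAC key lives only on the EU-hosted proxy; the analytics
# provider never sees it, so it cannot reverse the pseudonymous IDs.
EU_PROXY_KEY = b"example-key-kept-only-on-the-eu-proxy"

# Constructed sample hit (not a real capture) in the shape this example assumes.
SAMPLE_HIT = {
    "ip": "203.0.113.45",
    "client_id": "GA1.2.1234567890.1700000000",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36",
    "page": "https://www.example.org/account?session=abc123&utm_source=mail",
    "referrer": "https://search.example.net/?q=sensitive+query",
}


def truncate_ip(ip_str: str) -> str:
    """Coarsen the client address: drop the last IPv4 octet, or keep only an
    IPv6 /48, so the forwarded value is no longer a host identifier."""
    addr = ipaddress.ip_address(ip_str)
    bits = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{ip_str}/{bits}", strict=False)
    return str(network.network_address)


def pseudonymise_id(client_id: str, key: bytes) -> str:
    """Replace the provider's cookie identifier with a keyed HMAC. Without the
    EU-held key the output cannot be linked back to the original cookie."""
    return hmac.new(key, client_id.encode(), hashlib.sha256).hexdigest()[:32]


def generalise_user_agent(ua: str) -> str:
    """Reduce a full User-Agent string (a fingerprinting vector) to a coarse
    browser family. Order matters: Edge and Chrome UAs also contain 'Safari'."""
    for marker, family in (("Edg/", "Edge"), ("Firefox/", "Firefox"),
                           ("Chrome/", "Chrome"), ("Safari/", "Safari")):
        if marker in ua:
            return family
    return "Other"


def strip_query(url: str) -> str:
    """Drop the query string and fragment, which often carry session tokens
    or other identifiers."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))


def filter_referrer(referrer: str, own_host: str) -> str:
    """Keep only same-site referrers (without query); external referrers can
    reveal search terms and browsing history, so they are dropped."""
    if not referrer:
        return ""
    if urlsplit(referrer).hostname != own_host:
        return ""
    return strip_query(referrer)


def pseudonymise_hit(hit: dict, key: bytes, own_host: str) -> dict:
    """Return the sanitised hit the proxy would forward. The raw IP, cookie ID,
    full User-Agent and external referrer never leave the proxy."""
    return {
        "ip_prefix": truncate_ip(hit["ip"]),
        "client_id": pseudonymise_id(hit["client_id"], key),
        "browser": generalise_user_agent(hit["user_agent"]),
        "page": strip_query(hit["page"]),
        "referrer": filter_referrer(hit.get("referrer", ""), own_host),
    }


if __name__ == "__main__":
    print(pseudonymise_hit(SAMPLE_HIT, EU_PROXY_KEY, "www.example.org"))
```

The important design point is where the secret sits: the HMAC key, and therefore the ability to re-link a pseudonym to a cookie, stays on infrastructure under the exporter's control in the EU, which is the same property the Austrian authority demanded of encryption (the US provider must not hold the keys). Truncating the IP to a /24 or /48 is a coarsening, not anonymisation, so whether it is acceptable still has to be assessed for the specific deployment.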
Transfer of personal data to the US (third countries): the end of the risk-based approach?
Another conclusion of the supervisory authorities in the Google Analytics cases has far-reaching implications: for Chapter V of the GDPR (transfer of personal data to third countries), the risk-based approach does not apply. Thus, the argument that access by, say, intelligence services is unlikely does not make a transfer of personal data to the US (or another third country) GDPR-compliant.
This conclusion has been strongly criticized by the privacy expert community:
- Swiss privacy expert David Rosenthal sees a risk-based approach as the only workable way to approach transfers. That is why he created a tool (in the form of an Excel template) for assessing the risk of transferring personal data to third countries. Rosenthal says the Swiss public administration is positive about his tool.
- The risk-based approach and its relation to the different parts of the GDPR is further explored, for example, by Lokke Moerel, Professor of Global ICT Law at Tilburg University. In her article, she argues that the core of the problem is that the EDPB promotes a different concept of accountability from the one on which the GDPR is based.
Norwegian authorities go against the tide
The debate was stirred further when several dozen Norwegian public administration organisations set up a working group to draw up recommendations for others on the use of cloud services in Norway's public sector.
Organisations from the tax, health and security sectors put their heads together and recently published their recommendations. The Norwegian supervisory authority attended only one meeting, so the recommendations were drawn up without it.
The Authority itself is not pleased that someone else is issuing recommendations in its area of competence. Not everyone considered the creation and operation of a special working group a happy idea.
The proponents of an interpretation different from that of the supervisory authorities were subsequently joined by the Swiss Federal Administration. At the end of September 2022 it issued a report which, among other things, discusses the legal basis for the use of cloud services by public administration organisations.
Among other things, it advocates a risk-based approach, including for cases of access by foreign authorities and intelligence services. Such a risk-based approach is said to be compatible with the Swiss Data Protection Act.
The report even states that on this point it does not share the opinion of the Federal Data Protection and Information Commissioner, and stresses that each case must always be assessed on its own merits. So once again, as in Norway, we see a contradiction between the recommendations of the data protection supervisory authority and those of other authorities.
Is a transfer already a theoretical possibility?
The recommendation of the Norwegian working group leans towards a less restrictive approach to the transfer of personal data outside the EEA. It argues, for example, that there is no transfer until data is actually transferred, so the mere theoretical possibility that data could be transferred is not enough.
As long as the data has not been accessed and transferred, there is no need to address international data transfer at all. However, this generous interpretation does not appear to be in line with the related EDPB guidelines, where a transfer is defined broadly: making the data available is sufficient.
In its Guidelines 05/2021, the EDPB set out three cumulative criteria defining a transfer outside the EEA:
- The GDPR applies to the controller/processor for the processing in question.
- That controller/processor ("exporter") discloses by transmission, or otherwise makes available, the personal data subject to that processing to another controller, joint controller or processor ("importer").
- The "importer" is in a third country or is an international organisation, regardless of whether the GDPR applies to the "importer" for this processing under Article 3.
It would therefore appear that, as interpreted by the EDPB, making the data available is sufficient; no actual access needs to have taken place.
When every recommendation says something different
If you want to use cloud services in your organisation without breaking the law, you will probably be confused and disillusioned by the conflicting recommendations. Certainty about the correct interpretation is dissipating. This is also the view of the Norwegian supervisory authority, which has expressed its displeasure at the competing recommendations.
On the other hand, when someone offers an alternative view, we can see it as a positive impulse to restart the debate. For example, on what the correct interpretation of the GDPR and the key related decisions of the CJEU is.
Although it does make life difficult for a while, such a debate is healthy for the development of the legal system. An interpretation different from that of the supervisory authority opens the opportunity for correction. Different interpretations ultimately lead to litigation - and that litigation leads to clarification of the law in case law.
Even supervisory authorities can make mistakes
We know that the supervisory authorities are not always right. Sometimes their views are not really sustainable, so we should look at them critically. Here is a specific example that concerned the very foundations of the GDPR: the legal basis for processing personal data.
In order for the processing of personal data to be legally sound, we must have some legal authority for it. This can be consent, a legally imposed obligation or, for example, the performance of a contract. However, the broadest basis for processing personal data is legitimate interest. And it is the legitimate interest that was involved in the following incident.
In a published position, the Dutch supervisory authority stated that a "mere" business (commercial) interest cannot serve as a legitimate interest (and therefore as a legal basis) for the processing of personal data.
The European Commission responded with a letter in which it rejected this strict interpretation. It stressed that the right to data protection is not an absolute right; the right balance must always be sought with other fundamental rights (see also the GDPR recitals, specifically recital 4). In this case, the other fundamental right or freedom is the freedom to conduct a business.
Because the Dutch authority rejected out of hand a legitimate interest based on this freedom, it made it impossible to strike that balance in specific cases.
Thus, commercial or economic purposes may be a legitimate interest of the controller and may be the basis for processing personal data. Whether a particular purpose can be relied on depends on the other two steps of the test: the necessity of the processing, and whether this purpose outweighs the fundamental rights and freedoms of the data subjects (proportionality).
GDPR is a tool designed for pragmatic use. Data protection is not an absolute right and will therefore always be weighed and measured against other rights and interests. The GDPR itself encourages such comparison and consideration. And it can sometimes happen that supervisory authorities, in the heat of the fight to protect the rights of data subjects, overdo it.
Schrems III on the horizon? And will it solve the transfer of personal data to the US?
In early October 2022, US President Joe Biden issued an Executive Order on US signals intelligence activities, which introduced new safeguards for how federal agencies collect and use personal information and a new redress mechanism for EU individuals.
NOYB has already expressed scepticism: in its view, mass surveillance is unlikely to satisfy the principle of proportionality, and there will be no possibility of seeking redress before a genuine court. European law requires both.
So in spring 2023 we will probably see a European Commission decision on the adequacy of data protection in the US. But then history will probably repeat itself: the decision will be challenged by a complaint and subjected to judicial review, and in a few years we will be wringing our hands over Schrems III.
If you are interested in this article, please visit our Cloud Encyclopedia - a quick guide to the cloud.