Head in the Clouds? A Brief Note on Transfers to the US in a Privacy-Absolutist World

It’s been a busy few months in the world of data protection as several decisions have been made by supervisory authorities in Europe with implications on transfers of personal data to the US.

  • Denmark, Austria, France, and Italy have all limited controllers’ use of Google Analytics due to the absence of a legal basis for cross-border transfers of personal data. The decisions hinged on the fact that personal data (IP addresses and identifiers) were being sent to Google in the United States.
  • Denmark banned the use of Google Workspace for Education and Chromebooks by a municipality, due to the absence of a legal basis for cross-border transfers of personal data.
  • Meta Draft Decision – The Irish Data Protection Commission is expected to order the suspension of processing by Meta-owned Facebook and Instagram, on the grounds that Meta sends user data to the United States without adequate safeguards to protect the personal data of data subjects in the EU.[1]

These decisions and follow-on guidance from the European Data Protection Board (the EU body responsible for ensuring consistent application of the GDPR by regulators) signal that organisations governed by the GDPR are likely to face a bumpy next few years regarding how they share and process data globally.

But before we get into that, we need to discuss a little history. Feel free to skip this section if the legal nerdery isn’t your thing and you just want to know how this affects the organisation and what to do next.

The Word from on High – Schrems II

In July 2020, the Court of Justice of the European Union (CJEU) decided in Data Protection Commissioner v. Facebook Ireland Limited and Max Schrems [2] (Schrems II) that the EU-US Privacy Shield does not adequately protect the transfer of personal data of EU data subjects to the United States. At the time, the EU-US Privacy Shield provided a self-certification procedure for transfers of data between the EU and US that was relied on by over 3,000 companies, including Google, Meta and Microsoft.

The Court also cast into doubt whether other mechanisms, including Standard Contractual Clauses (SCCs), guarantee an “essentially equivalent” level of protection for personal data transferred outside of the EU/EEA. While the Court didn’t strictly kill SCCs, the Court’s approach stressed that where such protections could not be met contractually, the parties must ensure adequate protections are met by other means, so-called technical and organisational measures (TOMs). If the parties cannot meet those measures, supervisory authorities must suspend or prohibit the transfer of data to the third country.

Finally, the Court required that organisations governed by the GDPR who transfer data to third countries must verify, on a ‘case-by-case basis’, whether the law of the recipient country ensures protections adequate to those of the GDPR, or whether adequate protections could be met through other means, including TOMs.[3] This analysis is referred to as a Transfer Impact Assessment or Transfer Risk Assessment (TRA).

It’s a Mad Max World

In August 2020, less than a month after the CJEU invalidated the EU-US Privacy Shield, Noyb, the nonprofit organisation founded by Mr. Schrems, filed 101 complaints with regulators in 30 EEA member states challenging the use of Google Analytics and Facebook Connect by EU websites.

In November 2020, the EDPB [4] provided some clarification on what “essential equivalence” means in practice. For a country’s legal system to be considered “essentially equivalent” to the EU GDPR, it must meet four EU “Essential Guarantees”:

  • Guarantee A – Processing should be based on clear, precise, and accessible rules 
  • Guarantee B – Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated 
  • Guarantee C – An independent oversight mechanism should exist 
  • Guarantee D – Effective remedies need to be available to the individual 

Without saying so explicitly, the EDPB strongly implied that the US does not meet these guarantees. Importantly, neither the Schrems II decision nor the EDPB guidance considered the relative “risks” or nature of the personal data being transferred. It was enough that a) personal data of EU data subjects were transferred to the United States; b) US laws could not meet the EU Essential Guarantees; and c) contractual or other (non-technical) measures could not fully prevent US authorities from accessing the personal data of EU data subjects.

After the EDPB guidance, individual Data Protection Authorities began to act. The Austrian Data Protection Authority (DPA) was the first to issue a ruling against a website using Google Analytics in December 2021.[5] France’s CNIL then followed suit in February 2022.[6] In June 2022, Italy’s Garante also rejected a website owner’s use of Google Analytics.[7]

Perhaps the broadest interpretations have come from the Danish DPA, Datatilsynet, which published guidance calling into question whether US cloud providers could be used at all, and more recently issued a decision suspending a municipality’s use of Google Chromebooks and Google Workspace for Education.

A full summary of the cases would be too long for this note, but the essence of their arguments can be summarized as a failure by the US to meet the four EU “Essential Guarantees”:

1) US surveillance laws are broad and disproportionate[8] (a failure of Guarantees A & B);

2) It should be assumed the US government can compel (almost) any US-based company operating on the Internet to turn over personal data (Guarantee B);

3) No effective, independent oversight body exists in the US to keep this in check (Guarantee C);

4) Data subjects outside of the US do not have effective rights or remedies to challenge abuses by the US Government (Guarantee D).

Due to the strict interpretation by the EU Court of Justice in the Schrems II decision, regulators are taking a broad, privacy-absolutist approach. They ignore the types of personal data at issue (for the Google Analytics cases, IP addresses and Unique User IDs), the likelihood or probability of a request by US authorities, or even the relative risk to data subjects. Every type of personal data is equivalent, as far as these decisions are concerned, because risk is no longer being considered. It’s a black or white approach: If you transfer personal data to a US entity, the transfer is almost certainly suspect.

While rulings have focused on transfers to big tech companies in the US, we at Castlebridge believe the zero-sum reasoning applied by regulators will likely be applied by most regulators (including the Irish DPC) to encompass any transfer of personal data to an inadequate country.

What Do the Decisions above Mean in Practice for EU Exporters?

By considering only the legal possibility of US surveillance and not the likelihood or risk to fundamental data subject rights and freedoms, there’s little reason to believe these decisions will end with Google Analytics or Facebook. Most infrastructure, software, and platform-as-a-service providers involve the transfer of personal data – IP addresses, email addresses, contact information, user identifiers, financial data, and often much more. And most of the platforms – including those used by EU organisations – are headquartered in the US.

Due to the broad extraterritorial scope of US laws (notably the US CLOUD Act and FISA 702), US-based IaaS, SaaS, and PaaS providers may be compelled by a warrant from US law enforcement to turn over data of EU data subjects – even if that data is stored or processed in EU data centres by EU entities affiliated with the US provider. [9] This is true even if the providers are bound by EU Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). This means that in practice, only technical and organisational controls are likely to provide “adequate safeguards” for transfer. [10]

There is a real risk that any provider an EU organisation uses which relies on SCCs or BCRs to transfer data to the US may at any time become the target of regulatory ire, and regulators must then demand that processing cease under the Schrems II decision. This has several implications for organisations across various business functions. Further assessments will need to be undertaken to determine not only the mechanisms relied on to justify the transfer (derogations, SCCs, BCRs, etc.), but what, if anything, can be done to maintain compliance.

We’re currently in the process of doing this on behalf of our clients, and would be happy to advise on specific risks to your organisation.

Navigating the Uncertainty

Organisations should consider adopting two strategies going forward:

First: Assess the Risks and Plan for the Worst

At a minimum, organisations should conduct a transfer impact or transfer risk assessment (TRA), which considers the specific processing activities currently undertaken (or planned to be undertaken in the future). Castlebridge has a defined structure for undertaking TRAs on behalf of our clients.

A TRA is, in many ways, similar to a Data Protection Impact Assessment (DPIA). While a TRA will not necessarily insulate an organisation against a negative outcome (i.e., an order to stop processing data), a good TRA can go a long way to demonstrate to regulators that, in our uncertain times, the EU exporter has considered harms to the fundamental rights and freedoms of data subjects and is, to the best of its ability, acting as a good steward of data. Until either a new EU/US adequacy framework is passed, the US amends its laws to be more in line with the GDPR, or regulators and the Court of Justice re-evaluate their positions, a TRA can at least help organisations document and evaluate their business decisions in a way that a regulator will appreciate.

Second: Think About Technical and Organisational Measures & Alternatives

The state of technology is ever in-flux, and we indeed live in exciting times. For some processing activities, it may be possible to consider technical measures including:

  • Returning to an on-premises hosted solution, or moving to an EU-based cloud provider with limited/no US affiliation;
  • Limiting “possession, custody, and control” of personal data by US importers (for example, by applying pseudonymisation or encryption, sharing less data, and otherwise making data subjects less identifiable);
  • Use of end-to-end encryption and customer-managed or own-key encryption, where keys reside with the data exporter;
  • Switching to a digital “sovereign cloud” solution (e.g., Microsoft’s EU Data Boundary).

Depending on the situation, other more technologically-clever solutions may be available as well.
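As an added illustration of the second and third measures above (this is example code written for this note, not Castlebridge’s or any vendor’s implementation), the following Python sketch shows how an EU exporter can minimise and pseudonymise analytics events before they reach a US importer: the HMAC key is generated and kept on the exporter’s side, so the importer never holds the raw IP addresses or user identifiers the Google Analytics decisions turned on. The event field names and sample values are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Exporter-held secret, generated and stored in the EU. It is never shipped
# to the importer, so the importer cannot reverse or re-link the pseudonyms.
# (Constructed here for the example; in practice load it from an EU-side KMS/HSM.)
EXPORTER_KEY = secrets.token_bytes(32)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated to 128 bits).

    Stable for the same value and key, so the importer can still count
    distinct users, but infeasible to invert or brute-force without `key`
    (an unkeyed hash of an IP or short user id would be trivially reversible)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def truncate_ip(ip: str) -> str:
    """Data minimisation: keep only the network prefix (/24 for IPv4, /48 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def minimise_event(event: dict, key: bytes) -> dict:
    """Build the record that actually leaves the EU: no raw IP, no raw user id,
    and none of the fields the importer has not been shown to need."""
    return {
        "event": event["event"],
        "page": event["page"],
        "ip_prefix": truncate_ip(event["ip"]),
        "uid_pseudonym": pseudonymise(event["user_id"], key),
    }


def exporter_lookup(pseudonym: str, known_ids, key: bytes):
    """Re-identification is possible only for the key holder, by recomputing the
    pseudonym over its own (EU-resident) user list. Returns None if no match."""
    return next((u for u in known_ids if pseudonymise(u, key) == pseudonym), None)


# Constructed sample event, as a web analytics tag might capture it.
SAMPLE_EVENT = {"event": "page_view", "page": "/pricing",
                "ip": "203.0.113.77", "user_id": "user-4711",
                "email": "someone@example.org"}  # dropped by minimise_event

if __name__ == "__main__":
    print(minimise_event(SAMPLE_EVENT, EXPORTER_KEY))
```

Note that pseudonymisation of this kind reduces, but does not by itself eliminate, the data’s status as personal data under the GDPR; it is one input to the TRA, not a substitute for it.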

In addition to technical controls, there may be some operational mechanisms that can be implemented to limit governmental access requests or interference. These include:

  • Limiting or removing access to personal data by technical support, IT, marketing, engineering, HR and other ‘data-facing’ teams located outside of the EU;
  • Encouraging US-based importers to rely on EU-based sub-processors whenever possible;
  • Requiring US importers to immediately notify the EU exporter if they ever become subject to a governmental request for personal data of EU data subjects (sometimes called a ‘warrant canary’);
  • Imposing other mandates and controls in contract.

How Castlebridge Can Help

Fortunately, we at Castlebridge have been thinking a lot about this subject and have the skills and experience to assist our clients in handling this uncertainty. We also keep up to date regularly with the changing dynamics in the industry and changing perspectives of regulators.

If your organisation is currently struggling with these issues, we can help. Whether it’s undertaking the TRA process, assessing vendor risks, implementing technical and organisational measures, suggesting alternatives, or advocating on behalf of our clients to regulators, we’re in this together. Contact us for more information.

——

[1] However, this has been delayed, at least for now, held up by various regulators’ objections to the DPC draft decision.

[2] Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18).

[3] Unless a narrow derogation (or exception) applies under Art. 49.

[4] Recommendations 02/2020 on the European Essential Guarantees for surveillance measures, Adopted 10 November 2020 at: https://edpb.europa.eu/sites/default/files/files/file1/edpb_recommendations_202002_europeanessentialguaranteessurveillance_en.pdf

[5] DSB Austria – 2021-0.586.257 (D155.027).

[6] Décision n° […] du […] mettant en demeure […] at: https://www.cnil.fr/sites/default/files/atoms/files/med_google_analytics_anonymisee.pdf.

[7] Provvedimento del 9 giugno 2022 [9782890], at: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/9782890.

[8] In the US case, Section 702 of FISA and Executive Order 12333. We here at Castlebridge also note that another law, the US Clarifying Lawful Overseas Use of Data (CLOUD) Act, will also fall into scope.

[9] The key considerations are whether the US company/provider is a “communication service provider,” and if so, whether it has “possession, custody, or control” over the data being stored or processed. For cloud providers headquartered in the US, the answer will almost always be yes to both questions. But it is possible in some circumstances that even an EU-based parent company which maintains a relationship with a US-based branch may also be subject to the US CLOUD Act. Additional risks may exist for countries where a bilateral agreement covering data disclosure exists between the US and another jurisdiction, notably Australia and the UK. For more details, see: Application of the CLOUD Act to EU Entities, Greenberg Traurig Memorandum to the Dutch Ministry of Justice and Security – NCSC, June 23, 2022 at: https://english.ncsc.nl/publications/publications/2022/augustus/16/memo-cloud-act.

[10] For example, the CNIL noted in its FAQ that the use of SCCs by Google was still insufficient to protect EU data subjects:

Google indicated that it had put in place additional legal, organisational and technical measures, which the CNIL however deemed insufficient to ensure the effective protection of the transferred personal data, in particular against requests for access to the data by US intelligence services. 

Q&A on the CNIL’s formal notices concerning the use of Google Analytics, 20 July 2022 at: https://www.cnil.fr/en/qa-cnils-formal-notices-concerning-use-google-analytics. The Datatilsynet reached a similar conclusion in its Guidance on the Use of the Cloud, March 2022 at: https://www.datatilsynet.dk/Media/637824108733754794/Guidance%20on%20the%20use%20of%20cloud.pdf.
