Cloud Service providers: A challenge for EU organisations?
Since 2015 we have seen the European Court of Justice (CJEU) invalidate both the US-EU Safe Harbor Framework and the EU-US Privacy Shield Framework as mechanisms for EU and UK organisations to legally transfer personal data to the US. Adding further complexity, in the Schrems II case the CJEU went a step further and determined that Standard Contractual Clauses in isolation were not enough to ensure an appropriate level of protection against US Government surveillance.
Following Schrems II, organisations have faced many challenges in ensuring they have assessed the entire data flow chain to determine if there is a US link somewhere in the processing activity. Transfer Impact Assessments (TIAs) have now become an integral part of due diligence processes but can be challenging and time-consuming to complete.
Will TIAs and additional safeguards to protect personal data enable data flows to the US to continue? Or are we seeing a further regulatory shift in relation to the use of US cloud services?
Over the course of 2022, we have seen some interesting rulings on compliance with Chapter V of the General Data Protection Regulation, which governs international transfers of personal data. For instance, the French data protection authority (‘CNIL’) confirmed it had issued an order to comply to an unnamed French website operator for its transfers of personal data to the US via its use of Google Analytics. CNIL determined that, whilst Google had adopted additional security measures to regulate the transfers, these were not sufficient to protect personal data from access by US intelligence services. As a result, the French website operator’s use of Google Analytics was deemed to contravene the GDPR.
In particular, CNIL highlighted the following:
- Standard contractual clauses alone cannot provide a sufficient level of protection in the event a foreign authority requests access;
- Encryption techniques adopted by Google were not sufficient;
- Google has an obligation to grant access or to provide the imported data, including encryption keys to US intelligence agencies;
- Adopting a risk-based approach is not acceptable for international transfers;
- Data transfers by website operators in a pseudonymised form did not meet the GDPR’s definition of pseudonymisation, as the universally unique identifiers used serve specifically to identify users rather than to act as a protective guarantee; and
- Derogations from Chapter V of the GDPR, such as the explicit consent of the data subject, did not extend to the transfer of the data: the explicit consent obtained was valid only for the deposit of cookies and tracking technologies during the visit to the website.
This is a significant decision by CNIL, as many organisations that are subject to the GDPR use Google Analytics on their websites in order to gain website traffic insights. Four EU data protection authorities have found the use of Google Analytics to be unlawful in given circumstances, with the Danish data protection authority (Datatilsynet) being the most recent to announce such a finding. In light of these decisions, EU organisations must now weigh gaining these valuable business insights against potential non-compliance with the GDPR and, in the worst case, enforcement action.
What if you use European affiliates of US cloud services providers where the cloud servers are located in Europe?
The German official watchdog for public procurement (Vergabekammer) took a stance on this and recently cancelled a cloud tender because, in its view, “it violates European Privacy legislation”.
The winner of a German tender wanted to use services from an EU company affiliated with a US cloud service provider. This was successfully challenged by another supplier who had invested in data storage in the EU with no reliance on suppliers in the US.
This change in stance by the German watchdog was due to the US CLOUD Act, which allows federal law enforcement to compel US-based technology companies to provide data stored on their servers regardless of whether the data is stored in the USA or in another country. Whilst this is enforced via a warrant or other legal mechanism, it means the Act takes precedence over specific clauses on data protection agreed between the contracting parties.
With the real risk of EU entities falling within the scope of the US CLOUD Act even if data is hosted outside of the US, and with EU authorities and watchdogs seriously considering the location of cloud hosting parent companies, what are the possible changes to due diligence activities in the procurement process and to the continued assessment of current data processing? In our view, it is likely there will be more focus on due diligence of parent companies and sub-processors before contracts are awarded or suppliers are admitted to procurement cloud frameworks.
These decisions, should the trend continue, have wide-ranging implications for UK- and EU-based organisations and for those offering services as data hosting providers. They may prompt decisions such as whether to initiate a programme of work to migrate data back in-house rather than outsourcing it, hosting providers investing heavily in UK/EU data centres and distancing themselves from their US parents, and more robust due diligence regimes to ensure data flows are fully risk assessed and that suppliers are not relying on US suppliers or owned by US parent companies.
So, will the US/EU Trans-Atlantic Data Privacy Framework and the UK/US Data Access Agreement bring clarity and ease to transfers of personal data to the US?
In March this year, the United States and the European Commission issued a joint statement on the Trans-Atlantic Data Privacy Framework stating the framework will address concerns raised by the decisions of the Schrems II case. The White House stated that it marked an unprecedented commitment on the US side to implement reforms that will strengthen privacy and civil liberties protections. It also said that the US is to put in place new safeguards to ensure surveillance activities are necessary and proportionate and establish an independent redress mechanism with binding authority to direct remedial measures and enhanced rigorous and layered oversight of intelligence services activities to ensure compliance.
In July, the US and UK Governments announced their agreement on access to electronic data for the purpose of countering serious crime, the Data Access Agreement (Agreement). The Agreement is expected to dramatically speed up investigations and demonstrate the strength of law enforcement collaboration. Due to legal barriers on both sides of the Atlantic, access to data from global communication services, including social media applications used by terrorists and criminals, was taking months if not years. When brought into force, the new Agreement will enable national security, law enforcement and prosecution agencies to make requests, using the appropriate legal process under the law of the requesting country, to the Communication Service Providers who hold the data, provided the requirements in the Agreement are met.
The requirements include that the requesting country will:
- need authorisation from a court, judge, magistrate or independent authority before requesting data;
- target only suspects who are not residents of the country from which the evidence is being gathered (i.e. neither the UK nor the US);
- ensure compliance with data protection laws when disclosing data under the Agreement (interestingly, how this would happen is not addressed in the Agreement); and
- obtain permission from the other country where data collected under the Agreement is to be used in prosecutions of specific interest to either the US or the UK, for example where information is being gathered in the UK for death penalty cases in the US, or data is being gathered in the US in cases implicating freedom of speech in the UK.
The above requirements suggest there will be accountability and strict barriers in place to prohibit unfettered access by enforcement agencies. However, the question remains: will frameworks such as the Trans-Atlantic Data Privacy Framework and the Data Access Agreement, along with more robust due diligence processes, be enough for EU regulators and watchdogs to change their stance on the use of US cloud providers and their European affiliates? Only time will tell, and organisations should continue to build robust due diligence processes, fully assess and document their data flows through data protection impact assessments and transfer impact assessments, and maintain robust contracts with their suppliers.
Next steps
As a specialist data protection consultancy, Evalian is well-placed to assist you with navigating the law governing your international transfers and assessing your data flows and supply chain. If you would like an informal conversation on how we can assist, please get in touch. We can steer you in the right direction or, if you need help, we can assist at every level to ensure that you are covered.
