On Nov. 10, 2020, the European Data Protection Board issued a draft version of a recommendation on measures to supplement data transfer rules to ensure compliance with the EU General Data Protection Regulation. The measures aren't binding because the document is not final yet. The EDPB made the recommendation after the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield July 16, 2020, and found that organizations relying on the standard contractual clauses may need to implement "supplementary measures" beyond the SCC to legitimize transfers to third countries. 

According to the EDPB, Article 46 transfer tools, such as SCCs, must be "effective." A tool can't be effective if the data importer is prevented from complying with the transfer tools due to the laws of the third country. Those companies that export personal data outside the European Economic Area must assess the surveillance laws and practice of intelligence agencies of the third country that may impede upon the effectiveness of the SCC and, if such impediments exist, must implement supplementary measures. These supplementary measures may be contractual, technical or organizational, or more likely a combination of the three. From the practical perspective, technical measures, i.e., encryption and pseudonymization, are key to justify data transfers to the U.S. 

Where organizations cannot implement effective supplementary measures, the EDPB confirms the controller or processor should "suspend or end" data transfers. The "suspend or end" statement has caused much confusion and frustration for both data exporters and importers alike. It is worthwhile to review the reality of enforcement actions against data exporters situated within the EEA. With that, let us pick out Germany as an example to showcase a regulatory intervention against a company located in Germany, with a business model dealing with the transfer of personal data to a U.S. service provider.  

Case-by-case assessment of data transfers to US from German law perspective

When assessing the risk of exporting personal data to the U.S., data exporters should consider the litigation risk thoroughly: What happens if a German supervisory authority imposes a prohibition order under Article 58(2)(j) of the GDPR against a data exporting company located in Germany, according to which that company is not allowed to transmit personal data to its U.S.-based service provider anymore. From the German public law perspective, that order is contestable, and the company can file an appeal to the competent administrative court. In that lawsuit, the respective supervisory authority is a defendant, and the data exporting company is the plaintiff. 

It's not just the data exporters that must assess the permissibility of the envisaged data transfer to the U.S. (taking into account the surveillance laws and practice in the U.S.), but also the German supervisory authorities and, ultimately, the court that has to assess the legality of the prohibitory order in question. That assessment must include the respective facts of the individual dispute, i.e., whether the data importer has been or is currently subject to any surveillance or enforcement actions of U.S. intelligence agencies. Both the administrative court and the supervisory authority must adhere to the same assessment criteria that require specifics. For example, general references to the abstract danger of potential surveillance measures against data importing companies situated in the U.S. won't support an order. 

Even with specifics, prohibitory orders should be a last resort. When considering Recital 129 of the GDPR, it becomes apparent that supervisory authorities must ascertain that all sanctions they impose, be it a fine or order, are appropriate and necessary considering the circumstances of each individual case. 

When US surveillance laws come into play   

The requirements for banning data flow to the U.S. are strict and, when a lawsuit has been filed, the German administrative court has to sort out whether the data exporter has violated the law under Article 44(ff) of the GDPR while transmitting personal data to a U.S. data importer. Consequently, the German supervisory authority and the court must determine whether the SCC and, where applicable, the supplementary measures are sufficient to safeguard personal data so that an appropriate level of protecting personal data is ascertained. 

The court needs to assess whether an infringement of individuals' rights occurred in the past or is likely to occur. But some key evidence may be missing, hard to get, or subject to government secrecy and surveillance laws, like the U.S. Foreign Intelligence Surveillance Act Section 702. If the data subject can prove their rights are at risk due to a pending data access request based on a FISA Section 702 order, the German supervisory authorities might stop the data transfer to the U.S. data importer because the data exporter failed to safeguard the personal data appropriately before transmitting it to the U.S. 

On the other hand, the respective German data protection authority is not allowed to impose any sanctions on the data exporter if the personal data has been entirely encrypted and the encryption key is under the control of the EU data exporter exclusively or other safeguards have been put in place alike pseudonymization or double key encryption. In that scenario, it is apparent personal data is not at risk at all. The supervisory authority must investigate whether the U.S. data importer has been or is currently subject to a subpoena or any other enforcement action of a U.S. intelligence agency or whether a U.S. authority has unlawfully accessed personal data held by the data importer. This necessitates an in-depth analysis of the factual circumstances and, more importantly, a basic knowledge of the FISA rules to assess the legality of such data access requests.   

Two factors about the relationships involved will complicate this. The data subject, whose privacy is being considered, is unaware as they typically have no input into the decisions to transfer their data. The data subject may know of past or even ongoing surveillance. But the transaction is usually between two companies, and so important information is unavailable. Similarly, in most cases, the data processor or controller has no general means of determining whether any data subjects in the data set are subject to surveillance. Even if the data subject could demand information about ongoing surveillance of the data subject, there would be no lawful basis for the government to share that information with the processor or controller.

US surveillance law

U.S. surveillance law is governed by the Foreign Intelligence Surveillance Act, 50 U.S.C. Section 1801, et seq. Several presidential directives govern FISA's application (e.g., Presidential Policy Directive-Signals Intelligence Activities 28 (Obama 2014) (PPD 28) and Executive Orders (e.g., EO 12333 (Reagan 1981) and recent case law, e.g.,the United States v. Moalin, (United States Court of Appeals for the 9th Circuit 2020). 

FISA Section 702 requires a warrant issued by a special court. The permissible types of surveillance are limited and require threshold showing: 

  • Traditional court orders to intercept communications or obtain business records require:
    • Written certifications from specified executive branch officials regarding the nature, purpose and significance of the information to be sought.
    • The government must show probable cause that:
      • The target of the surveillance is a foreign power or an agent of a foreign power.
      • The target is using or about to use the facilities or places the search or surveillance is directed. 

In other words, FISA orders are generally limited to surveillance against foreign governments or their agents and their communications.

FISA surveillance may also reach some communications metadata. The collection is also limited both in the kind of data collected, only metadata — not the content of communications and targets. FISA Section 215 was amended by the USA FREEDOM Act to require the use of a "specific selection term" to "limit collection to the greatest extent reasonably practicable." The act defines SST as "a term that specifically identifies a person, account, address, or personal device, or any other specific identifier." These amendments also prohibited the government from targeting Section 215 orders at broad geographic regions, such as a state or ZIP code, or at communications service providers, such as Verizon or AT&T. 

PPD 28 further restricts the use of the bulk collection to:

  1. Espionage and other threats and activities directed by foreign powers or their intelligence services against the U.S. and its interests.
  2. Threats to the U.S. and its interests from terrorism.
  3. Threats to the U.S. and its interests from the development, possession, proliferation or use of weapons of mass destruction.
  4. Cybersecurity threats.
  5. Threats to U.S. or allied Armed Forces or other U.S or allied personnel.
  6. Transnational criminal threats. 

In response to the "Schrems II" decision, the U.S. Department of Commerce reviewed the scope of U.S. surveillance law. In short, the Commerce Department noted most cross-border traffic was simply not of interest to the intelligence community or out of scope for permissible surveillance or both. 

The Commerce Department notes:

Most companies doing business in the EEA do not, and have no grounds to believe they do, deal in any data that is of any interest to U.S. intelligence agencies. U.S. government commitments and public policies restrict intelligence collection to what is required for foreign intelligence purposes and expressly prohibit collecting information to obtain a commercial advantage. 

Never kill a mosquito with a bazooka

There is another aspect a German DPA must factor in: Public institutions must adhere to the principle of proportionality. That implies that any measure must be possible and appropriate in terms of achieving the envisaged purpose. In other words: It is not permissible to kill a mosquito with a bazooka. 

In that context, it is worthwhile to inquire whether the contractual supplementary measures as recommended by the EDPB are actually appropriate to safeguard personal data within the sphere of the data importing company situated in the U.S. These contractual supplementary measures come down to information duties or the agreement on compensation claims. Predominantly, the data importer is, according to U.S. laws, not allowed to notify the data exporter of any disclosure requests of U.S. intelligence services. This feature conflicts with the notice and transparency requirements in the standard contractual clauses. If, as a U.S. business, I am served with a FISA warrant, I probably can't tell the data subject, let alone a third party. Similarly, if a business in my supply chain is subject to a warrant or order, they won't be allowed to alert me.  

The data importer is well advised to stick to the gag order to avoid any sanctions imposed by the U.S. intelligence agencies. Furthermore, the data importer may be contractually obliged to take legal action against the disclosure request. That said, it's not clear what the impact of such a challenge would be; if successful, the victor could still be subject to a gag order. The compensation claim has little merit because the injured data subject may be unaware because of the complexities of proving causation and the questionable value of a U.S. order in a German court. 

The principle of proportionality also requires that the German DPA makes use of those instruments with the least intrusive effect for the data exporter. This implies that an injunction order to stop any data transfer to the U.S. can only be deemed as a last resort — ultima ratio. With that in mind, the DPA must first and foremost enforce equally appropriate measures to safeguard personal data without simply stopping the entire business activity. One action could be to request the data exporter to encrypt or pseudonymize personal data before transmitting it to the U.S. considering the recommendations of the EDPB. However, most processing requires decryption, hurting the legitimacy of this approach. 

On top of this, the related DPA must also consider the consequences when blocking any transfer of personal data to the U.S. Indeed, the odds of actual surveillance are tiny. Surveillance would only affect a handful of data subjects at most. In most cases, all of the data subjects are relying on the transferring parties to perform a service for them. All of these data subjects and multiple business entities will be impacted by an order blocking data transfers. So, we are talking about blocking international commerce because someone might be under surveillance. That sounds like killing a mosquito with a bazooka. 

Photo by Joshua Sortino on Unsplash