Just in case someone was thinking life would be boring with the advent of the Trans-Atlantic Data Privacy Framework, salvation is approaching. And, as often in privacy world, it is coming from Germany.

What is he talking about, you wonder? Well, the German supervisory authorities recently published a decision on extraterritorial access rights of public bodies in third countries. While this may not sound very exciting, it has potential wide-ranging implications for any data transfer to third countries.

You might have already seen a reference to such extraterritorial access rights in the final version of the European Data Protection Board Guidelines 05/2021 on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation. Commendably, the EDPB is giving some guidance on what constitutes a "data transfer," given the lack of a definition in the GDPR. In that context, the board briefly mentions that an EU-based controller uses an EU-based processor with a third-country parent to process its data exclusively within the EU — without any access rights by non-EU subprocessors or the third-country parent. Unsurprisingly, the EDPB concludes that Chapter V does not apply.

But this is not the end of the story.

The EDPB states, as a subsidiary of third-country parent, the EU-based processor might be subject to third-country legislation with extraterritorial effect, which could mean the EU-based processor may receive access requests from third-country authorities. Should the EU-based processor comply with the access request, such a disclosure would be considered a transfer under Chapter V according to the EDPB.

Although there is some "could" and "should," the EDPB concludes the controller in our example must be able to show, as part of its accountability duties, that such theoretical data transfers are ruled out so the EU-based processor sufficiently guarantees the processing is in line with the GDPR, as required by Article 28(1). Otherwise, the EU-based processor might lack the necessary "reliability" and can not be used.

What does this mean in practice?

This is where the German regulators come into play. In their above-mentioned decision, they essentially say that any EU-based processor with a third-country parent, such as the U.S., can only be used if the controller has conducted and documented a prior "reliability assessment" for the EU-based processor. Such a reliability assessment closely resembles the transfer impact assessments we all hope to get rid of soon and, not without reason, the German regulators’ paper repeatedly refers to the EDPB Recommendations 01/2020.

Without naming the elephant in the room, the paper and EDPB Guidelines 05/2022 are clearly addressing the U.S. Clarifying Lawful Overseas Use of Data Act. It means whenever an EU-processor falls within the scope of the CLOUD Act, or a similar law of another country, a burdensome reliability test is expected by German and potentially other European regulators.

The practical implications of this development could be significant if the following logic prevails: Even if there is no actual third-country transfer, there might be one in theory, which is why a reliability assessment is required. Only if such an assessment shows theoretical third-country transfers can also be ruled out, a processor with third-country parent can be used. When the EDPB Recommendations 01/2020, with their very narrow amount of use cases where transfers can go ahead, are added to the mix, it becomes clear U.S. service providers could face another challenge in particular.

Such an approach considerably invalidates any data localization efforts we currently see as a result of the "Schrems II" conundrum. Would it still make sense for a third-country cloud service provider to come up with an EU data boundary, or other solution, if customers have to overcome significant regulatory hurdles to use the service?

It needs to be seen how this plays out in practice. Let's hope processor reliability assessments do not become the new TIAs.