Fallout from the July 2020 Court of Justice of the European Union’s “Schrems II” decision has washed over privacy professionals in waves. The current wave — a host of recently launched investigations and enforcement actions related to data transfers — could be tidal. Whether it is or not will depend on how EU authorities approach the recently-released standard contractual clauses, the European Data Protection Board’s final recommendations on supplementary safeguards (expected to be adopted June 18) and ongoing negotiations to develop an EU-U.S. Privacy Shield replacement. For now, the wave of supervisory authority actions offers privacy pros insight into four things.
- Data protection authorities post “Schrems II” expectations.
- A sense of jurisdiction-specific enforcement risk.
- Organizations’ narrowing range of compliance options.
- The resulting need for governments to address surveillance concerns together.
The earlier waves: Guidance and uncertainty
In the first wave of reaction to the complexities of the “Schrems II” decision, supervisory authorities across the EU issued unique, sparse and sometimes divergent guidance on how companies should approach data transfers out of the EU. Companies scrambled, switched transfer mechanisms and squinted at the horizon, in hopes uniformity might emerge.
In the second wave, it did. The EDPB issued a set of frequently asked questions, making clear data could continue to flow, including to the United States, so long as companies adopted supplementary measures to ensure adequate protection. The EDPB promised future guidance on what exactly that might entail. Companies exhaled and waited.
The third wave brought much more detailed, albeit draft, guidance. Divergence again prevailed – this time between EU institutions more so than EU member states. The EDPB adopted draft recommendations on supplementary safeguards, which provide examples of the types of safeguards companies could adopt to thwart government surveillance when European authorities or companies find it ill-aligned with the EU General Data Protection Regulation adequacy standards. The draft recommendations also describe instances in which the EDPB could not identify workable safeguards. While stakeholders welcomed the concrete guidance, they criticized the EDPB’s suggestion that the likelihood of government access should not be considered and data should not be transferred in many instances. One day later, the European Commission issued draft new standard contractual clauses, now finalized, adopting some of the EDPB’s recommendations but favoring a risk-based approach to implementation, which industry deemed more pragmatic.
The current wave: investigations and enforcement
The fourth wave is now upon us. Supervisory authorities, with sometimes divergent interpretations of a challenging CJEU decision, began to enforce its provisions. The proactive and complaint-driven investigations related to public statements and enforcement actions sent privacy professionals as well as EU and U.S. diplomats scrambling yet again.
EU supervisory authorities’ actions and statements have raised a host of concerns regarding organizations’ post-“Schrems II” response. These range from simply suggesting there is an inherent need to investigate companies’ data transfers, particularly to the United States, to finding fault with companies’ failure to assess transfers, to adopt any supplementary safeguards at times even when U.S. service providers localize data processing in the EU. Each one of these actions adds to companies’ uncertainty regarding compliance options, their wariness concerning data transfers and their demands for a government-led solution.
Investigations of data transfers, particularly to the U.S.
Earlier this month, data protection authorities in Germany launched a coordinated effort to assess companies’ cross-border data transfers using a joint questionnaire. (Note that in Germany, each state has a separate DPA that has jurisdiction over data protection in the commercial sphere.) German DPA’s coordinated inquiries focus on the use of foreign (and specifically U.S.) service providers to send emails, host websites, conduct web tracking, manage applicant data, and exchange customer and employee data. With some variations depending on the type of service provider being examined, the questionnaires ask about the following:
- Where the service provider’s servers are located.
- Whether data will be processed in or remotely accessed from the U.S. or other non-EU third country.
- What the legal basis is for processing under the GDPR.
- Which data transfer mechanism is employed.
- Whether the questionnaire recipient has conducted an assessment of the third country’s legal system.
- Whether foreign legal provisions make it impossible for the foreign recipient to comply with the obligations of the chosen data transfer mechanism.
- Whether the recipient is subject to Section 702 of the U.S. Foreign Intelligence Surveillance Act.
- Whether the relevant data is encrypted and for details on that encryption including who holds the encryption key.
- What evidence can be provided that the foreign service provider can comply with the obligations outlined in the chosen data transfer mechanism or what supplementary measures have been deployed where compliance with the obligations cannot be guaranteed.
- Whether a change in service providers is planned.
At the end of last month, the European Data Protection Supervisor, which has jurisdiction over EU institutions and bodies, launched two investigations regarding the use of U.S. cloud service providers. One focuses on the EU institution’s use of Amazon Web Services and Microsoft, and another on the European Commission’s use of Microsoft Office 365. These investigations follow EDPS’s October 2020 inquiries into EU institutions’ data transfers to non-EU countries, which showed, according to the EDPS statement, significant reliance on cloud-based software, cloud infrastructure or platform services from major information and communications technology providers, including some U.S. providers subject to legislation deemed inadequate in the “Schrems II” ruling. European Data Protection Supervisor Wojciech Wiewiórowski acknowledged both Amazon and Microsoft announced new measures aimed at complying with the judgment but added, “these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.” The EDPS news release points out “EUIs are well positioned to lead by example.”
The EDPS’s own actions to launch such investigations and any resulting action taken by EU institutions will undoubtedly inform, if not influence, steps taken by regulators and companies across Europe.
Failure to conduct a transfer impact assessment
In March 2021, Bavaria’s Data Protection Authority issued one of the first post-“Schrems II” rulings. The DPA found data transfers from a German company to the U.S. email marketing company Mailchimp to send newsletters were illegal because the German company failed to “examine” whether additional measures were needed to supplement the SCCs governing the transfers as a result of the “Schrems II” decision. The DPA suggested such an examination was necessary given there were “at least indications that MailChimp may in principle be subject to data access by U.S. intelligence services on the basis of the U.S. legal provision FISA 702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken.”
It is noteworthy that this early ruling rested on the lack of a transfer impact assessment itself. Now, as discussed above, German authorities themselves are launching such assessments.
Lack of supplementary safeguards
The Irish Data Protection Commission launched one of the first investigations into EU-U.S. data transfers following the “Schrems II” judgment. This is unsurprising given the “Schrems II” decision stemmed from the Irish DPC’s request that certain questions related to the legality of data transfers be referred to the CJEU. On August 28, 2020, the DPC sent Facebook Ireland a preliminary draft decision laying out its initial views on the legality of Facebook’s data transfers to the United States and soliciting targeted input to inform a draft decision to share with other concerned supervisory authorities. As part of those initial views, the DPC explained the CJEU found the U.S. privacy regime inadequate, SCCs alone could not compensate for such inadequacy, and “Facebook Ireland does not appear to have in place any supplemental measures” to remedy the deficiencies. As a result of the lack of such supplementary measures, the DPC shared the initial view, subject to Facebook’s future submissions, that Facebook’s data transfers to the U.S. were illegal and should be suspended. The DPC’s investigation was temporarily halted due to Facebook’s Irish High Court challenge of the timeline and process, but has since resumed.
Here, the DPC’s preliminary views call attention to the expectation that companies should immediately supplement SCCs with additional safeguards to ensure adequate protection under the GDPR, at least when data is transferred to the United States and could be subject to the types of government access requests discussed in the “Schrems II” ruling.
Insufficient safeguards
On April 27, Portugal’s data protection authority, the National Data Protection Commission, ordered its National Institute for Statistics (INE) to stop sending personal data from its 2021 census questionnaire to the United States or other countries without an adequate level of protection using Cloudflare (which it was using at the time to operationalize the questionnaire) or other companies.
According to the CNPD order, the complaint-driven investigation found both the INE’s assessment of the transfer risk and the safeguards provided in conjunction with the governing SCCs to be lacking. The CNPD order notes Cloudflare is an electronic communications service provider subject to Section 702 of FISA and further states allow disproportionate interference with EU data protection rights.
The order notes the INE’s assessment focused on security and not broader risks, Cloudflare has 200 servers to which data could be sent across many countries including the United States, Cloudflare itself held the encryption keys, and Cloudflare acknowledged the data could be subject to legal requests for government access. Finally, the order states the data processing agreement provided that Cloudflare would notify INE of government requests that result in a conflict of law, except where legally prohibited from doing so, which CNPD notes is the case in the context of relevant national security activity. For the above reasons, and due to the sensitive nature and large scale of the data transferred, the CNPD ordered the suspension of data transfers to take place within 12 hours.
The CNPD order is instructive because it goes beyond other DPA investigations by finding fault not with the lack of assessment or safeguards, but with each substance.
Use of U.S. service-provider problematic, even when processing localized in the EU
Given the limited range of failsafe safeguards outlined in the EDPB’s draft recommendations on supplementary safeguards, some companies elected to localize their data processing in the EU (an approach contrary to the EU’s historic digital trade agenda). In fact, “data residency” is a growing service line. But some European officials suggest even data localization does not provide adequate protection when pursued by service providers subject to foreign government access requests. The implication seems to be that EU-headquartered service providers should be preferred to ensure data protection compliance and support “data sovereignty.”
In October 2020, the French court, the Conseil d’Etat, issued a summary judgment weighing in on the application of GDPR data transfer restrictions when data processing is conducted on EU soil by a U.S. company that could be subject to U.S. government access requests. The case pertained in particular to Microsoft’s hosting of France’s Health Data Hub. France’s DPA, the Commission nationale de l'informatique et des libertés, submitted comments during the proceedings, which shed light on their views as well. The CNIL’s comments recognized the CJEU’s “Schrems II” decision focused on commercial data transfers subject to government access requests after the data leaves the EU but suggested the lawfulness of processing in the EU by companies subject to U.S. laws should also be considered. The CNIL concluded that hosting data with a company subject to U.S. law seemed incompatible with the CJEU judgment and EU data protection requirements. While the court agreed with the CNIL there was a risk Microsoft’s EU-based affiliate could receive a U.S. government access request, the court determined that EU law does not prohibit the use of U.S. service providers to process data on EU soil and chose not to suspend the processing, as requested by the complainants. Nonetheless, France’s secretary of state for digital affairs announced plans to transition the hosting of the Health Data Hub to a French or other European platform provider, a statement welcomed by the CNIL.
Several months later, in March of this year, the Conseil d’Etat issued a decision assessing the sufficiency of safeguards to thwart U.S. government efforts to compel access to data held by a Luxemburg-based subsidiary of Amazon Web Services that was hosting the relevant data in France and Germany. The court again found there was a risk of access by U.S. authorities given the data was held by a U.S. subsidiary, but sufficient additional safeguards were provided in this instance, including commitments to challenge government requests and encryption of the data, with the encryption key held not by AWS but by a trusted third party in France. The implication this time seemed to be that without such additional safeguards, localization itself might be insufficient.
At the end of May, the CNIL issued a public announcement directed at higher education and research institutions, calling for changes in the use of collaborative tools offered by U.S.-headquartered companies, which the CNIL said created the risk of illegal access to data by U.S. authorities. The CNIL noted that such tools also highlight important issues relating to the autonomy and digital sovereignty of the European Union. Recognizing the current uncertainty regarding appropriate safeguards following the “Schrems II” ruling, the CNIL indicated a transitional period was justified and it would provide institutions all the assistance necessary to identify possible alternatives.
Next steps
Taken together, these investigations, public statements and enforcement actions will undoubtedly make EU companies wary of transferring personal data out of the EU and potentially doing business with the U.S. or other foreign companies. Companies headquartered in the U.S. or other non-EU countries can expect to be grilled on their data transfer mechanisms, supplementary safeguards and the legal systems governing surveillance in their home countries. Stepping back, these actions demonstrate the “Schrems II” decision created challenges that neither companies nor DPAs can solve alone. A diplomatic solution is ever more urgently needed.
Photo by Calvin Hanson on Unsplash