News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | 'Schrems II' DPA investigations and enforcement: Lessons learned Related reading: The updated standard contractual clauses — A new hope?

rss_feed

""

""

Fallout from the July 2020 Court of Justice of the European Union’s “Schrems II” decision has washed over privacy professionals in waves. The current wave — a host of recently launched investigations and enforcement actions related to data transfers — could be tidal. Whether it is or not will depend on how EU authorities approach the recently-released standard contractual clauses, the European Data Protection Board’s final recommendations on supplementary safeguards (expected to be adopted June 18) and ongoing negotiations to develop an EU-U.S. Privacy Shield replacement. For now, the wave of supervisory authority actions offers privacy pros insight into four things.

  1. Data protection authorities post “Schrems II” expectations.
  2. A sense of jurisdiction-specific enforcement risk.
  3. Organizations’ narrowing range of compliance options.
  4. The resulting need for governments to address surveillance concerns together.

The earlier waves: Guidance and uncertainty

In the first wave of reaction to the complexities of the “Schrems II” decision, supervisory authorities across the EU issued unique, sparse and sometimes divergent guidance on how companies should approach data transfers out of the EU. Companies scrambled, switched transfer mechanisms and squinted at the horizon, in hopes uniformity might emerge.

In the second wave, it did. The EDPB issued a set of frequently asked questions, making clear data could continue to flow, including to the United States, so long as companies adopted supplementary measures to ensure adequate protection. The EDPB promised future guidance on what exactly that might entail. Companies exhaled and waited.

The third wave brought much more detailed, albeit draft, guidance. Divergence again prevailed – this time between EU institutions more so than EU member states. The EDPB adopted draft recommendations on supplementary safeguards, which provide examples of the types of safeguards companies could adopt to thwart government surveillance when European authorities or companies find it ill-aligned with the EU General Data Protection Regulation adequacy standards. The draft recommendations also describe instances in which the EDPB could not identify workable safeguards. While stakeholders welcomed the concrete guidance, they criticized the EDPB’s suggestion that the likelihood of government access should not be considered and data should not be transferred in many instances. One day later, the European Commission issued draft new standard contractual clauses, now finalized, adopting some of the EDPB’s recommendations but favoring a risk-based approach to implementation, which industry deemed more pragmatic.

The current wave: investigations and enforcement

The fourth wave is now upon us. Supervisory authorities, with sometimes divergent interpretations of a challenging CJEU decision, began to enforce its provisions. The proactive and complaint-driven investigations related to public statements and enforcement actions sent privacy professionals as well as EU and U.S. diplomats scrambling yet again.

EU supervisory authorities’ actions and statements have raised a host of concerns regarding organizations’ post-“Schrems II” response. These range from simply suggesting there is an inherent need to investigate companies’ data transfers, particularly to the United States, to finding fault with companies’ failure to assess transfers, to adopt any supplementary safeguards at times even when U.S. service providers localize data processing in the EU. Each one of these actions adds to companies’ uncertainty regarding compliance options, their wariness concerning data transfers and their demands for a government-led solution.

Investigations of data transfers, particularly to the U.S.

Earlier this month, data protection authorities in Germany launched a coordinated effort to assess companies’ cross-border data transfers using a joint questionnaire. (Note that in Germany, each state has a separate DPA that has jurisdiction over data protection in the commercial sphere.) German DPA’s coordinated inquiries focus on the use of foreign (and specifically U.S.) service providers to send emails, host websites, conduct web tracking, manage applicant data, and exchange customer and employee data. With some variations depending on the type of service provider being examined, the questionnaires ask about the following:

  • Where the service provider’s servers are located.
  • Whether data will be processed in or remotely accessed from the U.S. or other non-EU third country.
  • What the legal basis is for processing under the GDPR.
  • Which data transfer mechanism is employed.
  • Whether the questionnaire recipient has conducted an assessment of the third country’s legal system.
  • Whether foreign legal provisions make it impossible for the foreign recipient to comply with the obligations of the chosen data transfer mechanism.
  • Whether the recipient is subject to Section 702 of the U.S. Foreign Intelligence Surveillance Act.
  • Whether the relevant data is encrypted and for details on that encryption including who holds the encryption key.
  • What evidence can be provided that the foreign service provider can comply with the obligations outlined in the chosen data transfer mechanism or what supplementary measures have been deployed where compliance with the obligations cannot be guaranteed.
  • Whether a change in service providers is planned.

At the end of last month, the European Data Protection Supervisor, which has jurisdiction over EU institutions and bodies, launched two investigations regarding the use of U.S. cloud service providers. One focuses on the EU institution’s use of Amazon Web Services and Microsoft, and another on the European Commission’s use of Microsoft Office 365. These investigations follow EDPS’s October 2020 inquiries into EU institutions’ data transfers to non-EU countries, which showed, according to the EDPS statement, significant reliance on cloud-based software, cloud infrastructure or platform services from major information and communications technology providers, including some U.S. providers subject to legislation deemed inadequate in the “Schrems II” ruling. European Data Protection Supervisor Wojciech Wiewiórowski acknowledged both Amazon and Microsoft announced new measures aimed at complying with the judgment but added, “these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly.” The EDPS news release points out “EUIs are well positioned to lead by example.”

The EDPS’s own actions to launch such investigations and any resulting action taken by EU institutions will undoubtedly inform, if not influence, steps taken by regulators and companies across Europe. 

Failure to conduct a transfer impact assessment

In March 2021, Bavaria’s Data Protection Authority issued one of the first post-“Schrems II” rulings. The DPA found data transfers from a German company to the U.S. email marketing company Mailchimp to send newsletters were illegal because the German company failed to “examine” whether additional measures were needed to supplement the SCCs governing the transfers as a result of the “Schrems II” decision. The DPA suggested such an examination was necessary given there were “at least indications that MailChimp may in principle be subject to data access by U.S. intelligence services on the basis of the U.S. legal provision FISA 702 (50 U.S.C. § 1881) as a possible so-called Electronic Communications Service Provider and thus the transfer could only be lawful if such additional measures (if possible and sufficient to remediate the problem) were taken.”

It is noteworthy that this early ruling rested on the lack of a transfer impact assessment itself. Now, as discussed above, German authorities themselves are launching such assessments.

Lack of supplementary safeguards

The Irish Data Protection Commission launched one of the first investigations into EU-U.S. data transfers following the “Schrems II” judgment. This is unsurprising given the “Schrems II” decision stemmed from the Irish DPC’s request that certain questions related to the legality of data transfers be referred to the CJEU. On August 28, 2020, the DPC sent Facebook Ireland a preliminary draft decision laying out its initial views on the legality of Facebook’s data transfers to the United States and soliciting targeted input to inform a draft decision to share with other concerned supervisory authorities. As part of those initial views, the DPC explained the CJEU found the U.S. privacy regime inadequate, SCCs alone could not compensate for such inadequacy, and “Facebook Ireland does not appear to have in place any supplemental measures” to remedy the deficiencies. As a result of the lack of such supplementary measures, the DPC shared the initial view, subject to Facebook’s future submissions, that Facebook’s data transfers to the U.S. were illegal and should be suspended. The DPC’s investigation was temporarily halted due to Facebook’s Irish High Court challenge of the timeline and process, but has since resumed.

Here, the DPC’s preliminary views call attention to the expectation that companies should immediately supplement SCCs with additional safeguards to ensure adequate protection under the GDPR, at least when data is transferred to the United States and could be subject to the types of government access requests discussed in the “Schrems II” ruling.

Insufficient safeguards

On April 27, Portugal’s data protection authority, the National Data Protection Commission, ordered its National Institute for Statistics (INE) to stop sending personal data from its 2021 census questionnaire to the United States or other countries without an adequate level of protection using Cloudflare (which it was using at the time to operationalize the questionnaire) or other companies.

According to the CNPD order, the complaint-driven investigation found both the INE’s assessment of the transfer risk and the safeguards provided in conjunction with the governing SCCs to be lacking. The CNPD order notes Cloudflare is an electronic communications service provider subject to Section 702 of FISA and further states allow disproportionate interference with EU data protection rights.

The order notes the INE’s assessment focused on security and not broader risks, Cloudflare has 200 servers to which data could be sent across many countries including the United States, Cloudflare itself held the encryption keys, and Cloudflare acknowledged the data could be subject to legal requests for government access. Finally, the order states the data processing agreement provided that Cloudflare would notify INE of government requests that result in a conflict of law, except where legally prohibited from doing so, which CNPD notes is the case in the context of relevant national security activity. For the above reasons, and due to the sensitive nature and large scale of the data transferred, the CNPD ordered the suspension of data transfers to take place within 12 hours.

The CNPD order is instructive because it goes beyond other DPA investigations by finding fault not with the lack of assessment or safeguards, but with each substance.

Use of U.S. service-provider problematic, even when processing localized in the EU

Given the limited range of failsafe safeguards outlined in the EDPB’s draft recommendations on supplementary safeguards, some companies elected to localize their data processing in the EU (an approach contrary to the EU’s historic digital trade agenda). In fact, “data residency” is a growing service line. But some European officials suggest even data localization does not provide adequate protection when pursued by service providers subject to foreign government access requests. The implication seems to be that EU-headquartered service providers should be preferred to ensure data protection compliance and support “data sovereignty.”

In October 2020, the French court, the Conseil d’Etat, issued a summary judgment weighing in on the application of GDPR data transfer restrictions when data processing is conducted on EU soil by a U.S. company that could be subject to U.S. government access requests. The case pertained in particular to Microsoft’s hosting of France’s Health Data Hub. France’s DPA, the Commission nationale de l'informatique et des libertés, submitted comments during the proceedings, which shed light on their views as well. The CNIL’s comments recognized the CJEU’s “Schrems II” decision focused on commercial data transfers subject to government access requests after the data leaves the EU but suggested the lawfulness of processing in the EU by companies subject to U.S. laws should also be considered. The CNIL concluded that hosting data with a company subject to U.S. law seemed incompatible with the CJEU judgment and EU data protection requirements. While the court agreed with the CNIL there was a risk Microsoft’s EU-based affiliate could receive a U.S. government access request, the court determined that EU law does not prohibit the use of U.S. service providers to process data on EU soil and chose not to suspend the processing, as requested by the complainants. Nonetheless, France’s secretary of state for digital affairs announced plans to transition the hosting of the Health Data Hub to a French or other European platform provider, a statement welcomed by the CNIL.

Several months later, in March of this year, the Conseil d’Etat issued a decision assessing the sufficiency of safeguards to thwart U.S. government efforts to compel access to data held by a Luxemburg-based subsidiary of Amazon Web Services that was hosting the relevant data in France and Germany. The court again found there was a risk of access by U.S. authorities given the data was held by a U.S. subsidiary, but sufficient additional safeguards were provided in this instance, including commitments to challenge government requests and encryption of the data, with the encryption key held not by AWS but by a trusted third party in France. The implication this time seemed to be that without such additional safeguards, localization itself might be insufficient.

At the end of May, the CNIL issued a public announcement directed at higher education and research institutions, calling for changes in the use of collaborative tools offered by U.S.-headquartered companies, which the CNIL said created the risk of illegal access to data by U.S. authorities. The CNIL noted that such tools also highlight important issues relating to the autonomy and digital sovereignty of the European Union. Recognizing the current uncertainty regarding appropriate safeguards following the “Schrems II” ruling, the CNIL indicated a transitional period was justified and it would provide institutions all the assistance necessary to identify possible alternatives.

Next steps

Taken together, these investigations, public statements and enforcement actions will undoubtedly make EU companies wary of transferring personal data out of the EU and potentially doing business with the U.S. or other foreign companies. Companies headquartered in the U.S. or other non-EU countries can expect to be grilled on their data transfer mechanisms, supplementary safeguards and the legal systems governing surveillance in their home countries. Stepping back, these actions demonstrate the “Schrems II” decision created challenges that neither companies nor DPAs can solve alone. A diplomatic solution is ever more urgently needed.

Photo by Calvin Hanson on Unsplash


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G
Credits: 1

Submit for CPEs

Author
Headshot Caitlin Fennessy, CIPP/US IAPP Staff Contributor
Tags
Europe
U.S.
Enforcement
Privacy Law
Surveillance
Transborder Data Flow
Westin Research Center
Comments

If you want to comment on this post, you need to login.

Related Stories
The updated standard contractual clauses — A new hope?
5
And so, at last, they’re here. Met with a level of anticipation — and, it must be said, apprehension — equal only to the announcement of a new Star Wars film, the new European Union standard contractual clauses for “the transfer of personal data to third countries” (that’s international transfers, t...
Read More queue Save This
DPA, government guidance on ‘Schrems II’
Last week's historic Court of Justice of the European Union ruling on the EU-U.S. Privacy Shield and standard contractual clauses has created uncertainty for organizations using these data transfer mechanisms. In response, data protection authorities and government agencies are publishing initial gu...
Read More queue Save This
Related Stories
Tags
Europe
U.S.
Enforcement
Privacy Law
Surveillance
Transborder Data Flow
Westin Research Center
Recent Comments