Last month, the Austrian data protection authority fired the starting gun by issuing the most impactful post-“Schrems II” enforcement decision to date.
Privacy professionals are racing – to assess, to comply, to enforce, and to find a more workable long-term solution for data transfers.
The many runners in our field will recall, perhaps with some nostalgic butterflies, that a starter’s pistol can signify three things: 1) the start of the race; 2) a fault and disqualification for one or many; 3) that the finish line is approaching — one lap left.
Privacy professionals must now help their CEOs, boards, and the senior-most government officials involved in data transfer talks understand these three possibilities and the potential impacts of each.
The race: “Ready. Set. Go.”
If we consider the Austrian decision the start of the race, we must acknowledge it’s been a long and grueling warm up. For more than 18 months, regulators, policymakers and companies have considered all possibilities to remedy the government access concerns identified by the Court of Justice of the European Union when it invalidated EU-U.S. Privacy Shield July 16, 2020 — the impetus for this case and decision — and implemented those they could. This could be the start of something much bigger.
Austria’s decision is the first of a cascade of likely similar decisions to come and is the first among 101 cases of similar substance that NOYB filed across the EU. In response, the European Data Protection Board established a task force and jointly considered how to address these 101 cases. The Dutch and Danish DPAs issued statements that they are considering the Austrian decision, while rumors flew early that France would issue a decision next. This suggests that the remainder of the decisions could follow a similar logic.
This decision is also the first test of the sufficiency of safeguards to remedy foreign government access concerns in practice in the commercial sector. Between July 2020 and January 2022, DPAs issued guidance on supplementary measures, launched investigations into the adequacy of data transfer protections, and issued decisions focused on the public sector and process failures — failure to conduct a transfer impact assessment for instance. They held off on deciding whether those protections met their test in practice outside the public sector and particularly sensitive areas.
Until now.
The 101 NOYB cases are also far from everything. Austria’s decision comes amidst a broader ramp up in GDPR enforcement and DPAs’ displayed willingness to bring cases that demand changes in business practices (the Belgian DPA’s recent decision against IAB Europe is a case in point). We know this decision will inspire additional complaints regarding Google Analytics and data transfers more generally. We already saw one such complaint in France. Other major investigations, such as the Irish Data Protection Commission’s Facebook case may also result in near-term and impactful decisions.
The disqualifying shot: “False start”
Whether you are watching from the stands or standing on the track, a disqualifying shot is gutting. It certainly could it be for data flows or the communications and business models that rely on them. The question is who or what is out. That depends on whether:
- Other DPAs take a similar approach in the immediate term.
- EU businesses back away from U.S. firms due to perceived enforcement risk.
- U.S. firms themselves localize services or exit the EU market.
We see evidence of all three already.
Privacy professionals should brief senior leaders on the increased material risks their businesses face and the need for greater due diligence to demonstrate to EU partners that they have mitigated the risks to data transfers in practice. They should conduct transfer impact assessments and implement and document the supplemental measures recommended by the EDPB where possible. They should also make senior leaders aware that risk will remain until a diplomatic solution is reached — a new trans-Atlantic accord and longer-term, more global solutions.
To fully understand how Austria’s decision shifts the risk calculus, privacy teams should consider its findings. For an in-depth analysis of the decision, see Gabriela Zanfir-Fortuna’s recent blog post. For the key takeaways, see below.
In short, the decision implements a broad view of what constitutes a transfer of personal data, a legal-only view of the risk that must be remedied and a narrow view of what qualifies as adequate safeguards to remedy identified deficiencies in foreign government access protections.
- What constitutes personal data transfers? The decision finds that “the Google Analytics identification numbers in question here can be personal data (in the form of an online identifier).”* It reaches this determination by considering “the uniqueness of the identification numbers,” the possibility that they can be “combined with other elements” and used by “certain bodies” to “distinguish website visitors” and determine “whether they are new or returning website visitors.” The decision makes clear that an identifier can be considered personal data even if the recipient itself cannot link that identifier to an individual so long as someone else could do so using “legally permissible means and reasonable effort.” This implicates far more than cookie IDs.
- What risks must be remedied? The DPA reasons that “it must be examined whether the ‘additional measures’ by the [recipient] close the legal protection gaps identified in the context of the (CJEU) ruling of June 20, 2020 – i.e., the access and monitoring options of U.S. intelligence services.” This follows from a reference to paragraph 70 of the draft rather than final EDPB recommendations, which provides that “[a]ny supplementary measure may only be deemed effective in the meaning of the CJEU judgment “Schrems II” if and to the extent that it addresses the specific deficiencies identified in your assessment of the legal situation in the third country.” While it is unclear why the decision cites the draft rather than the final EDPB recommendations, it is noteworthy that the decision focuses only on addressing legal gaps in the third country rather than on addressing deficiencies “in laws and practices applicable to your transfer,” which is the phrase used in the final EDPB recommendations. The decision focuses on the need to address gaps in legal protection, setting aside whether there are deficiencies in protection in practice.
- What qualifies as an adequate safeguard? The decision states that as long as the U.S. recipient “has the opportunity to access data in [] plain text [], the technical measures taken cannot be regarded as effective….” This follows from the decision’s finding that contractual and organizational measures, including transparency reports and “careful examination of every data access request,” may not be effective since permissible US intelligence requests for data were judged by the CJEU to be incompatible with fundamental rights. It also stems from the decision’s conclusion that technical safeguards, including protection of data in transit and encryption of data at rest, may not be effective since FISA 702 would allow the government to demand data in the recipient’s “possession, custody or control” including the cryptographic key. This suggests that only the technical inability to access personal data in plain text may be judged adequate when that data could legally be demanded under FISA 702 or other problematic foreign laws.
Since many business operations require access to data in the clear, the operative question is, who or what could be subject to FISA 702? While the U.S. government has attempted to help businesses address that question, what matters now is how EU authorities answer it. On Jan. 25, the conference of German data protection commissioners published an expert opinion by Stephen Vladeck on the scope of FISA 702 applicability. The questions Vladeck fielded and the answers he offered shed light on the broad swath of companies that face near-term risks of regulatory scrutiny, fines, and lost business if EU businesses fear either and shift to domestic service providers.
German authorities asked about the applicability of FISA 702 to businesses as diverse as banks, airlines, hotels and shipping companies, and Vladeck replied that in some contexts, yes, it could be applicable to each. German authorities also asked about data held by companies in Europe with some U.S. connection, in line with the reasoning in the interim German Wiesbaden decision. Here the answer is more nuanced, but, the line of questioning demonstrates that regulatory scrutiny and business risk is far-reaching.
The final lap: “Sprint”
U.S. and EU negotiators building a replacement for Privacy Shield have been jockeying for more than a year, but, it certainly seems they just heard the “one-lap-to-go” shot. They now seem to be sprinting toward the finish line.
For businesses and regulators, a diplomatic solution can not come fast enough. The EDPB’s recommendations on supplementary measures made clear that businesses could not address the CJEU’s and DPAs’ concerns with U.S. surveillance laws alone. The Austrian decision showed just how limited their practical options have become and how likely that businesses on both sides of the Atlantic will pay the price without a political solution.
The remaining question is how soon they will cross the line and how different the field might look by the time they do.
*All quotes are taken from the machine translation of the Austrian decision, posted on NOYB’s website.
Photo by Jacek Dylag on Unsplash
