Since the Court of Justice of the European Union's "Schrems II" judgment in July 2020, European data protection authorities in the EU have developed a "zero risk" theory in relation to Chapter V of the EU General Data Protection Regulation. They asked data controllers and processors that transfer personal data outside the EU to "eliminate" all risks of access to European personal data by the intelligence and law enforcement agencies of foreign countries whose legal systems do not include data protection safeguards that are essentially equivalent to those mandated by EU law.
At first, the "zero risk" approach concerned transfers of European personal data to such countries. As a result, there has been growing legal and commercial pressure for many non-EU companies to localize data in Europe and propose so-called "sovereign" solutions. However, this has often been deemed insufficient by DPAs and other authorities that have highlighted the risk of extraterritorial access to data stored in Europe and asked that any risk of such access by foreign authorities be "eliminated" as well.
The legal actions by DPAs have been combined with political action by European governments. Several initiatives have been undertaken in this respect, including the ongoing discussions at the EU Agency for Cybersecurity about the introduction of "sovereignty requirements" into the EU Cybersecurity Certification Regime for Cloud Services.
In an extensive study published today, I claim the DPAs' "zero risk" theory, which is very similar to the "immunity from foreign laws" political proposal, is overly restrictive, is not mandated by the GDPR and could have a number of adverse effects.
To be sure, the DPAs' stance on these issues is understandable. First, DPAs are obliged to enforce compliance with "Schrems II." Second, DPAs seek to fulfill their role as the ultimate guardians of European personal data in an age where government surveillance has attained a high level of sophistication. Third, DPAs provide oversight in an exceedingly complex area and, thus, are drawn to solutions that are as straightforward to comprehend as possible. Unfortunately, attaining simplicity regarding government access to data creates insurmountable challenges and unintended adverse effects in practice.
The notion that data controllers can take measures to entirely "eliminate" any risk of unauthorized access to European personal data by foreign governments is grounded on questionable assumptions, including the belief that companies headquartered in the European Economic Area are shielded from direct or compelled access. It is also marked by a lack of clarity surrounding terms like "sovereign solutions;" unverified claims suggesting ownership or staff requirements can confer "immunity" from foreign laws; questionable interpretations of the GDPR, such as automatically categorizing requests from foreign countries as "disclosures" not authorized by Article 48 of the GDPR; and unrealistic expectations, such as the idea that a social media company could provide its global services in the EU without transferring user posts and interactions to countries outside the EU. This line of thinking leads to impractical solutions that have significant costs.
The GDPR, the Charter of Fundamental Rights and EU law as a whole do not mandate such an absolutist approach to data transfer risks at the expense of innovation, economic growth and other rights guaranteed by the charter. On the contrary, they allow a more nuanced and risk-based approach to data transfers that envisions data protection measures proportionate to the risks at hand. This approach takes into account the nature of the data, the likelihood of access by foreign governments and the severity of the potential harm.
After an exhaustive analysis of all judicial and DPA decisions on these matters since July 2020, the 95-page study formulates 12 recommendations, six inviting a risk-based approach to international data transfers and six others concerning the critical issue of extraterritorial access to data localized in Europe.
Concerning the first issue, the study suggests the European Data Protection Board, DPAs, and ultimately the European Commission and other relevant European institutions should revisit, clarify and coordinate their views and the interpretation of rules on international data transfers in order to:
Enable consideration of past practice and empirical context in assessing risk
DPAs should acknowledge the significance of the "practice related to the transferred data," as highlighted in the final version of the EDPB Recommendations on supplementary measures.
Explore scalable transfer solutions for startups and SMEs
European authorities should explore, develop and promote transfer solutions tailored for startups and small to medium-sized enterprises that may lack the financial resources needed for extensive legal expertise and detailed transfer impact assessments.
Recognize that Chapter V of the GDPR does not mandate the degradation of services that inherently rely on global data flows
DPAs should acknowledge that a proportionate approach to Chapter V does not preclude data transfers that are initiated and sought by individuals themselves and are indispensable to enable the exercise of other rights in the EU Charter of Fundamental Rights, such as freedom of expression and information. Specifically, how can users share posts on social networks and interact with a global audience without transferring data beyond EU borders?
Should we contemplate geoblocking not only on social networks but also on communication platforms, video-sharing sites, online collaboration tools, forums, messaging services and even any EU website that contains personal data? Does Chapter V of the GDPR require the EU to be disconnected from the global internet?
Provide workable solutions for EU businesses that rely on cross-border data flows
Similar considerations arise for numerous EU businesses that depend on cross-border data transfers for their operations, such as to provide requested services like online bookings and travel agencies, detect and prevent fraud, and defend against cyberattacks. Crafting viable solutions necessitates a nuanced approach based on risk assessments and proportionate safeguards rather than stopping cross-border data flows that are essential to the functioning of the service.
Reassess the EDPB's supplementary measures and the practices of European DPAs under the prism of a risk-based approach
The EDPB should revisit its recommendations on supplementary measures and its practices and interpretation of the GDPR to clarify that it enables a risk-based approach to data transfers that ensures measures designed to protect the data are proportionate to the transfer risks at hand. Moreover, the EDPB should establish an expert group tasked with identifying and describing use cases necessitating cross-border data flows most commonly faced by organizations and the available and appropriate measures that might be applied to them.
Enable a more flexible interpretation of Article 49 derogations
DPAs have precluded, in theory, the use of derogations, further compounding the complexities of data transfers. In practice, though, DPAs have accepted the use of derogations in some cases to permit some EU institutions to continue to use tools that have "become indispensable to the daily functioning" of such institutions, as shown by the
European Data Protection Supervisor's decision on the video-conferencing tool used by the CJEU. It could be useful, then, to adopt a more flexible approach to derogations for all organizations wishing to use similar essential tools and services.
Concerning the use of cloud service providers or other companies that localize their data and services in the EU but are subject to foreign laws, it may be useful for DPAs and other authorities in the EU to reflect, among other things, on the following issues:
Determine the relevance of the proposed criteria for "immunity from foreign laws"
The study finds that data localization, headquarters, ownership and local staff requirements do not truly ensure "immunity from foreign laws." In reality the primary criterion is the personal jurisdiction of the foreign country as understood by that country, as well as its ability to "compel" the production of data by imposing sanctions. European institutions, such as the European Commission or DPAs, should study these questions more thoroughly before supporting the introduction of such strict requirements in the context of the EU Cybersecurity Strategy or the GDPR.
Clarify the meaning of "compliant EEA-sovereign cloud solutions"
The EDPB should explain the meaning of "compliant EEA-sovereign cloud solutions" or abandon ambiguous references to the politically connotated term "digital sovereignty."
Assess the impact of "immunity from foreign laws" requirements
The European Commission, in the context of the EUCS negotiations, should assess the impact that "immunity from foreign laws" requirements could have on issues such as innovation in Europe and ensuring high levels of cybersecurity, which is required by the GDPR.
Explore the relevance of adequacy decisions in addressing extraterritorial data access requests
The European Commission and the EDPB should clearly explain the significance of obtaining an adequacy decision when grappling with the issue of extraterritorial requests to access data situated within the EU. CSPs and other companies spend billions to localize data in Europe in order to offer better protections. Strikingly, these efforts seem to place companies in a more precarious situation compared to when they transfer the same data to the U.S. or other countries that benefit from an adequacy decision.
Consider trade-offs between encryption and functionality
Trade-offs should be considered when employing encryption as a safeguard for data at rest against unauthorized access, especially when weighed against the challenge of functionality loss that encryption may cause, significantly constraining the utilization of AI and cloud computing technologies.
Reflect on satisfactory solutions for the EU-US e-evidence agreement challenges
The privacy community in the EU could play a useful role in assisting the European Commission with constructive ideas on how the ongoing negotiations of the EU-U.S. e-evidence agreement could effectively address and satisfactorily resolve the conflicts of laws related to Article 48.
Moving away from a zero-risk approach in favor of a more flexible and risk-based interpretation of Chapter V of the GDPR appears legally justified. Such flexibility could offer pragmatic, feasible solutions to the day-to-day challenges organizations face and provide relief to data controllers and processors throughout Europe. The EDPB and DPAs, however, lack the capacity to provide definitive solutions in relation to these issues; only governments can do so. As the study concludes, democratic governments must intensify recent efforts at promoting "data free flow with trust" and advancing the concept of "trusted government access." International negotiations are emerging as the most viable, if not the sole, avenue for forging consensus on the protocols governing access to personal data that impacts the rights and interests of individuals in other countries.
This study will be interesting for data controllers, processors, practitioners, regulators, policymakers (especially amid EUCS negotiations), academics and all GDPR enthusiasts!