Austrian DPA practically bans US data transfers (again)
Co-author: Mag. Arne Greiner LL.M.
In its decision of April 2022, the Austrian Data Protection Authority classified the use of Google Analytics as unlawful in a further case, because the agreed Standard Contractual Clauses contained no effective supplementary measures. Beyond that, it also rejected a risk-based approach to assessing international data transfers and gave detailed reasons for doing so. While some practitioners had already feared this, the consequences of this clear decision are far-reaching and presumably affect most US providers of cloud solutions. Data exporters are now obliged to re-evaluate their transfers, agree effective supplementary measures, rely on anonymisation or pseudonymisation and, where applicable, obtain the data subject's consent to the transfer.
Note: Because of its potential impact on other EU member states as well, this article was written in English.
In April 2022, the Austrian Data Protection Authority (DSB) issued another decision in one of the Google Analytics (GA) proceedings initiated by the non-profit organisation noyb. It reiterated that this specific use of GA violates the GDPR and held that the use of GA’s anonymizeIP function is not an effective supplementary measure to guarantee an adequate level of data protection. This time, the DSB went even further and rejected the so-called “risk-based approach” to international data transfers that some professionals had endorsed for the past two years or so. Although the decision has not yet been confirmed by a court, in practice this view of the DSB has the potential to render an extensive number of transfers of personal data to third countries, including the US, on the basis of Standard Contractual Clauses (SCCs) unlawful. This poses serious challenges, particularly for companies using cloud-based solutions.
Background
The invalidation of the EU-US Privacy Shield by the ECJ in Schrems II required data exporters to rely on legal grounds other than an adequacy decision for data transfers to the US. The most widely used transfer tool since then has been the SCCs issued by the European Commission, which were revised after Schrems II. The objective of appropriate safeguards such as the SCCs is to ensure a level of data protection essentially equivalent to the one guaranteed in the EEA. Following Schrems II, the European Data Protection Board (EDPB) also revised its Recommendations on possible supplementary measures and added various examples to them.
A Transfer Impact Assessment (TIA) must be conducted to analyse the situation for the particular transfer. If a data exporter concludes that SCCs alone do not suffice to guarantee an adequate level of data protection, they must be supplemented by additional measures that effectively address the specific deficiencies identified for the transfer. Otherwise, the transfer is unlawful and must be ended by the data exporter. In cases of non-compliance, the exporter may be ordered by the competent supervisory authority to end or suspend the transfer.
While the EDPB stated that such a TIA should not be subjective, there are a few indications that it had adopted a so-called “risk-based approach” to transfers in its Recommendations: when conducting a TIA, it requires the practices of the third country to be considered and explicitly states that even in the absence of effective supplementary measures you may proceed with the transfer, but only if ‘you consider that you have no reason to believe that relevant and problematic legislation will be applied, in practice, to your transferred data and/or importer’. Furthermore, a footnote of the Recommendations states that the ‘categories of data transferred and their sensitiveness’ are relevant in assessing the appropriateness of the supplementary measures. The European Commission also stated in its Implementing Decision on the new SCCs that the ‘specific circumstances of the transfer (such as the content and duration of the contract, the nature of the data to be transferred, the type of recipient, the purpose of the processing)’ should be taken into account.
This, and other reasons, led many organisations, and even the French Administrative Supreme Court (Doctolib), to follow a ‘case-by-case’ objective approach. The likelihood of an actual access could be taken into account, whereby the transfer of, e.g., business card data, online identifiers or IP addresses, would pose a lower risk than, e.g., bank statements or employee data. In such low-risk cases, it was argued, data may still be transferred to the US based on SCCs despite a lack of effective supplementary measures.
Rejection of a risk-based approach to transfers
In its decision, the DSB maintained that although the GDPR does adopt a risk-based approach for particular provisions (e.g. in Article 32 GDPR), this neither establishes a general principle nor applies in the context of international transfers. The fact that numerous provisions of the GDPR explicitly call for a risk-based approach would, conversely, indicate that it must not be applied where such a provision is missing. Furthermore, the DSB rejected the arguments that (i) the Implementing Decision on the new SCCs, (ii) the general principle of the free flow of data, or (iii) the ECJ itself in the Schrems II judgement would require the application of a risk-based approach to transfers. In the context of US data transfers, the mere possibility of disproportionate access by intelligence agencies suffices for a violation of Article 44 GDPR, irrespective of the nature of the personal data transferred or the likelihood of actual access. Hence, a transfer cannot be justified by concluding that, e.g., the data are of such a nature that they fall outside the priorities of US intelligence agencies and that the risk of access by US authorities is therefore negligible.
What does this mean for your company?
The decision could bring to an end the sometimes questionable TIAs in which organisations elaborate on the likelihood of US authorities requesting their data. However, it does not make life particularly easy for people intending to do business in the EEA. In fact, it can have far-reaching ramifications for companies, extending well beyond the use of Google Analytics. The rejection of a risk-based approach to international data transfers by the DSB may render the vast majority of transfers to the US, or other non-EEA countries, on the basis of SCCs unlawful. Additionally, as a working group was set up at the EDPB to coordinate the GA complaints across all member states, there is a strong case for similar decisions by other supervisory authorities in the near future.
It poses a substantial compliance risk to countless, primarily EEA-based, companies which find themselves in an intricate situation. Some may be faced with the choice between a risk of substantial fines and abandoning the majority of their cloud services, or even closing down their business if their products rely on US companies' cloud infrastructure.
What can you do about it?
There are a couple of measures that, depending on the circumstances, can be helpful to increase compliance when using appropriate safeguards, such as SCCs, as a tool for transfers to non-EEA countries.
1. Reevaluate processing activities
The first step should be an assessment of whether all your processing activities serve a defined purpose that adds value to your business. If not, you should consider ending them anyway in order to comply with the GDPR's core principles: processing must be adequate, relevant and limited to what is necessary for a specific purpose. The selection of service providers might also require re-evaluation.
2. Implement effective supplementary measures wherever possible
The objective here is to ensure a level of data protection essentially equivalent to the one in the EEA. This requires an objective assessment of the laws and practices in the importing country. If you discover deficiencies that the SCCs do not effectively address, you are obliged to supplement the SCCs with additional measures, and these measures must remedy the shortcomings identified.
Defining effective safeguards is challenging for many companies, which is why it may also help to check which measures the DSB considers ineffective on their own, at least for transfers to the US in light of its decision. In our experience, these are also typically the measures included in the SCCs offered by most cloud service providers:
- Mere contractual measures
- Notification of data subjects about data access requests
- Publication of transparency reports
- Policies for handling government requests
- Protection of communication between services
- Protection of data in transit between data centres
- Protection of communications between users and websites
- On-site security
- Encryption of data at rest if the provider can access the data in clear text
Encryption
In its decision, the DSB also addressed the effectiveness of at-rest encryption. It reiterated that, based on FISA 702, data importers may be required to provide authorities not only with access to data but also with the cryptographic keys in the provider’s possession, custody or control. Hence, as soon as the service provider subject to FISA is itself able to decipher the data and access them in plain text, the DSB considers the encryption ineffective. The same applies if the cryptographic keys are controlled by a data exporter within the EEA that is subject to the CLOUD Act.
The DSB, however, indicated by reference to the EDPB Recommendations that encryption may suffice if neither the service provider nor its EEA affiliates subject to the CLOUD Act have access to the cryptographic keys. In practice, this leaves bring-your-own-key (BYOK) systems as a supplementary measure with a high chance of being regarded as effective: the cryptographic keys stay with the data controller, and the authorities can only access encrypted data. This additional service, however, is often not available, not technically feasible, or comes with significant costs or a loss of service performance.
Anonymisation / Pseudonymisation
Alternatively, effective anonymisation or pseudonymisation of the data prior to a transfer, or prior to a transmission to a controller or processor subject to the CLOUD Act, could be a way forward as well. However, in many cases even pseudonymisation will defeat the purpose of the processing activity if the processor requires data referring to data subjects in order to carry out the commissioned processing. Also, the DSB held that the ‘anonymisation’ functionality in the case at hand cannot be regarded as an effective additional measure for transfers to the US. Processing data within the EEA may not exclude all risks either, as data exporters subject to the CLOUD Act could be ordered to provide the data to US authorities.
Depending on the data transfer at hand, middleware operated by the data exporter that effectively pseudonymises personal data before they are transmitted to the provider may be leveraged to overcome this issue. This applies particularly to web-based applications, where the technical implementation is simpler.
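As an added illustration of the middleware pattern described above (example code, not from the original article or from any of the providers it mentions), the following scrubs a web-analytics event before it leaves the exporter's environment: direct identifiers are replaced by keyed pseudonyms whose secret stays with the exporter, and the last-octet IP truncation that the decision found insufficient is shown only for contrast. The secret, the field list and the sample event are constructed placeholders.

```python
import hmac
import hashlib
import ipaddress

# Constructed placeholder: the secret is held by the exporter (e.g. in its own
# key store) and is never sent to the analytics provider.
EXPORTER_SECRET = b"exporter-held-secret-placeholder"

# Fields the middleware must never forward in clear text (constructed list).
DIRECT_IDENTIFIERS = ("ip", "client_id", "user_id", "email")

def pseudonymise(value: str, field: str, secret: bytes = EXPORTER_SECRET) -> str:
    """Keyed pseudonym: deterministic within a field, so session/visit joins still
    work, but not reversible without the exporter-held secret. The field name is
    mixed in so the same value yields different pseudonyms in different fields."""
    mac = hmac.new(secret, f"{field}:{value}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]

def truncate_ipv4(ip: str) -> str:
    """Last-octet truncation (the 'anonymizeIP' style the DSB did not accept as
    effective); shown only to contrast with the keyed pseudonym. Keeps the /24."""
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return str(net.network_address)

def scrub_event(event: dict, secret: bytes = EXPORTER_SECRET) -> dict:
    """Return a copy of the event with every direct identifier pseudonymised."""
    out = {}
    for key, value in event.items():
        if key in DIRECT_IDENTIFIERS:
            out[key] = pseudonymise(str(value), key, secret)
        else:
            out[key] = value
    return out

def leaks_identifier(original: dict, scrubbed: dict) -> bool:
    """Guard check: does any original identifier survive in the outgoing event?"""
    blob = repr(scrubbed)
    return any(str(original[k]) in blob for k in DIRECT_IDENTIFIERS if k in original)

# Constructed sample hit, shaped like a web-analytics event.
SAMPLE_EVENT = {"ip": "203.0.113.42", "client_id": "GA1.2.123456789.1650000000",
                "page": "/pricing", "user_agent": "Mozilla/5.0"}

if __name__ == "__main__":
    print(scrub_event(SAMPLE_EVENT))
    print("truncated only:", truncate_ipv4(SAMPLE_EVENT["ip"]))
```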
3. Obtain the Data Subjects' Consent
For some data transfers, obtaining the consent of the data subjects may be another solution. However, this option is not undisputed in all scenarios. It is sometimes claimed that consent cannot justify massive data transfers but must be limited to ‘occasional’ transfers. In any case, the high standard that the GDPR prescribes for obtaining legally valid consent, and the practical difficulties associated with it, must not be underestimated. They range from far-reaching transparency obligations, including informing data subjects about the possible risks of such transfers, to the degree of choice the data subject actually had when giving consent. Consent must be genuine and freely given, which is particularly doubtful where there is a significant economic or other imbalance of power between the controller and the data subject (e.g. in an employment context). Effective mechanisms for a potential withdrawal of consent must also be implemented. It is therefore indispensable to consider carefully, on a case-by-case basis, whether consent is the right way to go.
What does the future hold?
The main takeaway from the Google Analytics cases before the Austrian DSB is that the supplementary measures in the vast majority of SCCs governing transfers to the US are considered ineffective, and that organisations cannot get away with claiming that the subjective risk of actual access by US authorities is negligible. Time will tell whether the courts share the DSB's restrictive view.
A promising development in this regard is that the US and the European Commission reached an agreement in principle on a ‘Trans-Atlantic Data Privacy Framework’ which is expected to provide the foundation for a new adequacy decision for transfers. Once in place, a case-by-case assessment of data transfers will become obsolete, at least for the US.
PwC Legal Austria keeps monitoring the situation and helps you navigate through the intricacies of international data transfers, from assessing your transfers to advising you on the implementation of compliant solutions. PwC Legal Austria is part of an international network of law firms to which it can take recourse for any analysis of the laws and practices of third countries.