The Court of Justice of the European Union (CJEU) was abundantly clear when it ruled in the Schrems II decision invalidating the Privacy Shield, the transfer mechanism under which personal data was transferred from the EU to the US. The CJEU ruled as it did on the basis of pervasive surveillance by the intelligence community in the United States and the failure to ensure that personal data was protected as it is in Europe. The Court noted that transfers could continue using standard contractual clauses (SCCs) implementing legal and technical safeguards, while acknowledging challenges ahead. Two recent cases in France and Germany highlight how Schrems II is being interpreted in Europe and demonstrate the path forward for using American data storage and cloud service providers and their subsidiaries.
On 27th April 2021, Portugal’s National Commission for Data Protection received complaints regarding the census operation carried out by the National Statistics Institute. The Institute was forced to stop data transfers within 12 hours.
The personal data collection form the Institute used was accessed through the provider Cloudflare, Inc., a company based in the United States. Cloudflare could not guarantee that the data it collected was directed to servers located in the EU rather than in other parts of the world. The contract did provide for encryption, but the encryption key was held by Cloudflare, which distinguishes this case from the French case. The court also found that the contract foresaw the possibility that personal data could be transferred to any of Cloudflare's servers, including in America, where it could be accessed by US authorities. Finally, the court criticised the data protection impact assessment, writing that the Institute had failed to consider the risks to the rights of data subjects and had not adopted additional measures to mitigate those risks.
On 12th March 2021, France's highest administrative court ruled that Doctolib, an e-health service provider that hosted its personal data on AWS Sarl in Luxembourg, had sufficient safeguards in place to manage access requests from US authorities. The plaintiffs in the case argued that the processor (Amazon) was a company bound by US law and that the risk of access by US authorities was incompatible with the requirements of the GDPR and the Schrems II decision. The court acknowledged the risk of access but ruled in favour of Doctolib for three reasons:
(i) Sensitivity of the hosted data and limited data retention period:
The court noted that only the individual's identity and information related to their appointment was processed and hosted. Any health data beyond certification that the individual was a priority case because of a pre-existing condition was excluded. The court also noted that the data was automatically deleted after three months and that users could delete their online account at any time.
(ii) Legal Safeguards:
The court reasoned that the contract included specific procedures to follow in the event of an access request, together with the legal and financial resources to challenge such a request.
(iii) Technical Safeguards:
The court also noted the data hosted by AWS Sarl was encrypted and the key held by a third party in France and subject to EU law, not by AWS. The GDPR specifically mentions pseudonymisation and encryption along with assessing “the state of the art” of technology in Article 32. In this case, the court noted the importance of keeping the encryption key separate from the data with a trusted third party in the EU subject to EU law. There are other innovative solutions that organisations may want to consider further including synthetic data, differential privacy, and federated learning.
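The technical safeguard the court relied on is key separation: the hosting provider stores only ciphertext, while the key needed to read it is held by a party in the EU. The following Go program is an added example illustrating that arrangement with envelope encryption; it is not code from the ruling, from Doctolib or from AWS. The `KeyCustodian` type, its `Wrap`/`Unwrap` interface, the use of AES-256-GCM and the sample appointment record are all assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyCustodian models the trusted third party in the EU that holds the
// key-encryption key (KEK). It only ever sees wrapped data keys, never records.
type KeyCustodian struct{ kek []byte }

func NewKeyCustodian() (*KeyCustodian, error) {
	kek := make([]byte, 32) // AES-256 key, generated and kept by the custodian
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	return &KeyCustodian{kek: kek}, nil
}

// aesGCMSeal encrypts plaintext with AES-256-GCM; the random nonce is prepended.
func aesGCMSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, aad)...), nil
}

// aesGCMOpen reverses aesGCMSeal and fails on a wrong key, wrong AAD or tampering.
func aesGCMOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Wrap and Unwrap are the only operations the custodian exposes. The record ID
// is bound as associated data so a wrapped key cannot be replayed for another record.
func (c *KeyCustodian) Wrap(dek, recordID []byte) ([]byte, error)     { return aesGCMSeal(c.kek, dek, recordID) }
func (c *KeyCustodian) Unwrap(wrapped, recordID []byte) ([]byte, error) { return aesGCMOpen(c.kek, wrapped, recordID) }

// StoredRecord is everything the hosting provider holds: ciphertext plus a
// per-record data-encryption key (DEK) encrypted under the custodian's KEK.
type StoredRecord struct {
	ID         string
	Ciphertext []byte
	WrappedDEK []byte
}

// Encrypt runs on the controller's side before anything reaches the provider.
func Encrypt(c *KeyCustodian, id string, plaintext []byte) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredRecord{}, err
	}
	ct, err := aesGCMSeal(dek, plaintext, []byte(id))
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := c.Wrap(dek, []byte(id))
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{ID: id, Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt needs both the provider's blob and a live unwrap by the EU custodian.
func Decrypt(c *KeyCustodian, r StoredRecord) ([]byte, error) {
	dek, err := c.Unwrap(r.WrappedDEK, []byte(r.ID))
	if err != nil {
		return nil, err
	}
	return aesGCMOpen(dek, r.Ciphertext, []byte(r.ID))
}

// ProviderExposure reports whether the plaintext appears anywhere in the provider's copy.
func ProviderExposure(r StoredRecord, plaintext []byte) bool {
	return bytes.Contains(r.Ciphertext, plaintext) || bytes.Contains(r.WrappedDEK, plaintext)
}

func main() {
	eu, _ := NewKeyCustodian()
	record := []byte("constructed sample: appointment 2021-03-12 10:30, priority case") // not real data
	rec, _ := Encrypt(eu, "rec-4711", record)
	fmt.Printf("provider stores %d ciphertext bytes and a %d-byte wrapped key; plaintext exposed: %v\n",
		len(rec.Ciphertext), len(rec.WrappedDEK), ProviderExposure(rec, record))
	pt, err := Decrypt(eu, rec)
	fmt.Printf("controller with EU custodian: %q (err=%v)\n", pt, err)
	other, _ := NewKeyCustodian() // any party holding a different KEK, e.g. the provider itself
	_, err = Decrypt(other, rec)
	fmt.Println("without the EU custodian's key:", err)
}
```

The point to take from the example is the trust boundary: a request served to the provider alone yields ciphertext and a wrapped key that is useless without the custodian, and the custodian alone holds no data. Disclosure therefore requires the cooperation of an EU-law entity, which is exactly the separation the court gave weight to.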
On 15th March 2021, the Bavarian Data Protection Authority (BayLDA) issued a decision in connection with the use of the US service provider Mailchimp. Mailchimp is a marketing automation platform and email marketing service based in the US. A Bavarian publishing company sent email addresses to the Mailchimp platform on two occasions to distribute a newsletter. A data subject lodged a complaint with the supervisory authority arguing that the data transfer was unlawful. The supervisory authority ruled that the data transfer was unlawful because no technical safeguards had been implemented: only SCCs had been used, and Mailchimp qualified as an electronic communications service provider under section 702 of the Foreign Intelligence Surveillance Act and was therefore subject to data access requests.
The supervisory authority did not take enforcement action, noting that the data (email addresses) was not sensitive in nature and that the publishing company had used Mailchimp only twice and had since stopped using the service. The violation was minor in nature and constituted negligence at most.
The decisions highlight that it is still possible to use US cloud service providers so long as legal and technical safeguards are in place ensuring a level of data protection essentially equivalent to that in the EU.
What is clear from the rulings is that legal and technical safeguards are critical for working with service providers based in third countries. This includes using the standard contractual clauses, documenting processor agreements that allow access requests from public authorities to be challenged, and encrypting data while storing the key with a trusted third party. Those safeguards also include maintaining your records of processing activities and conducting data protection impact assessments in line with the GDPR.
If you have any questions or want to discuss how we can help you overcome these challenges, you can book a call with us.