Firstly, it is important to have a clear understanding of the meaning of “data transfer”. While this term is not defined in the GDPR, the European Data Protection Board or “EDPB” has provided clarity on the term. According to the EDPB, a processing activity qualifies as a data transfers if the following three cumulative criteria are met:
- A controller or a processor is subject to the GDPR for the given processing activity
- This controller or processor (“data exporter”) discloses by transmission or otherwise makes personal data available to another controller, joint controller or processor (“data importer”)
- The importer is located in a third country or is an international organisation, irrespective of whether or not this data importer is subject to the GDPR in respect of the given processing.
Given the above, we conclude that the definition of “data transfer” is very broad. A scenario where a company with a branch outside of the EEA has access to or can have access to personal data of EU data subjects, would constitute as a data transfer. Furthermore, a data transfer would also exist in the event that personal data is transmitted from one EEA country to another EEA country, but is geographically routed through a third (non-EEA) country. The scope of the legal regime of data transfers is thus far-reaching in our current digital environment.
In the event that a processing activity qualifies as a data transfer, Chapter V of the GDPR offers different mechanisms in order to transfer personal data outside the EEA in accordance with the GDPR:
- Adequacy decisions of the European Commission;
- Standard contractual clauses or SCCs;
- Binding corporate rules or BCRs;
- Codes of conduct;
- Certification mechanisms;
- Ad hoc contractual clauses;
- International agreements or administrative arrangements.
The EDPB highlights that the mechanism relied upon by the controller, as well as the implementation measures thereto, must be customized depending on the circumstances of the data transfer. The underlying principle of the regime of Chapter V GDPR is the existence of an “adequate level of protection” in the third country or international organisation to which the data is transferred. This “adequate level of protection” is elaborated on in the Schrems II ruling.
1. Schrems II and its aftermath
The Schrems II ruling of the European Court of Justice, dating back to 16th of July 2020, has reshaped the legal regime of data transfers under Chapter V of the GDPR. We reviewed the landmark ruling and its impact in a previous newsletter, which can be consulted here: The impact of the Schrems II judgment on your data transfers under the GDPR – Monard Law.
In summary, the European Court of Justice has decided on the following elements:
- The EU-US Privacy Shield adequacy decision is nullified, creating a legal vacuum for all data transfers from the EU to the USA. This has a great impact for both EU-based as well as US-based companies, as most cloud services are hosted from or require access by US-based companies (e.g. Amazon Web Services, Google Analytics, Facebook Connect, etc.);
- While the legal mechanism of standard contractual clauses was not nullified, the European Court of Justice ruled that companies who wish to transfer personal data to third countries on the basis of the SCC mechanism, must assess on a case-by-case basis whether the third country offers an adequate level of protection.
The adequate level of protection of the third country or the international organisation to which the personal data transferred, must be assess on the basis of the legal framework that applies to that country or organisation (in particular the privacy and data protection framework), the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject and finally the international commitments and obligations of the third country or the international organisation.
If the third country cannot guarantee an adequate level of protection, companies must either take “supplementary measures” or suspend/terminate their data transfers.
The Schrems II ruling has raised a lot of legal questions for data protection practitioners and companies and has urged the EDPB to issues guidelines and recommendations on the implementation of the Schrems II ruling. In parallel, the Schrems II ruling has served as the stepping stone for the NGO noyb, an organisation founded and led by Maximilian Schrems, to file 101 different complaints against EEA-based websites. The EDPB in turn has created a taskforce to look into the complaints lodged by noyb and to ensure close cooperation amongst the EU and EEA Member States in their approach with regard to the complaints lodged by noyb. The decision of the Austrian data protection authority is the first of those complaints that has led to a decision by a data protection authority.
2. Decision of the Austrian data protection authority
The factual circumstances underpinning the decision of the Austrian data protection authority relate to Google’s analytics services and cookie practices. An Austrian company (data exporter) used Google’s analytics services and cookies on its website, which resulted in Google (data importer) being able to access personal data (IP address, unique online identifiers and cookie data) of EU data subjects.
The Austrian data protection authority held that the data exporter was not compliant with Chapter V of the GDPR, as the standard contractual clauses on which it relied did not offer an adequate level of protection. While Google had taken supplementary measures (pseudonymization) as required in accordance with the Schrems II ruling, the Austrian data protection authority stated that the measures that were implemented were not effective to fill to “protection gap”, as the US intelligence services would still be able to access the personal data of the EU data subjects since Google qualifies as a electronic communications service provider.
As for Google, the Austrian data protection authority held that the provisions of the GDPR on data transfers are imposed on the data exporter (the website provider) and not on the data importer. However, the data importer still needs to comply with the other principles and provisions of the GDPR.
The impact of the decision by the Austrian data protection authority is threefold:
- The authority reaffirms that the USA does not provide an adequate level of protection as US intelligence services always have the option to access and monitor data transfers, as previously held in the Schrems II ruling
- Companies that wish to transfer personal data to the USA must choose a mechanism and must take supplementary measures that close the “protection gap”
- Chapter V of the GDPR applies to data exporters, not to data importers
The consequences of the decision may be far-reaching, as the decision in essence creates a de facto prohibition for all EU companies to use cloud services hosted by a company with a US-based branch. As most cloud services are hosted by companies with at least a branch in the US, the decision (and the Schrems II decision) have made it very difficult for companies to use cloud services in compliance with the GDPR. This conclusion is supported by a comment from Max Schrems: “the bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”
Given the strict sanction regime of the GDPR, non-compliance with the data transfer regime in Chapter V GDPR poses significant (financial) risks for companies. According to article 83 (5) of the GDPR, non-compliance with the provisions on data transfers may be sanctioned with an administrative fine of up to 20 million EUR or 4% of the total worldwide annual turnover of your company of the preceding financial year. Other sanctions may include a ban on processing of personal data, an order to suspend data flows to a recipient in a third country and the withdrawal of GDPR certification.
3. Practical steps for companies
Under the strict data transfer regime of the GDPR, it has become burdensome for companies to conduct their business activities in compliance with the GDPR. In this paragraph, we aim to provide you with practical steps towards compliance, taking into account the guidelines and recommendations of the European Data Protection Board:
- Map your processing activities and data transfers outside of the European Economic Area. While this process may require effort, time and extensive analysis, it is an essential steps towards compliance.
- Once you have mapped your data transfers, a data transfer impact assessment needs to be performed, consisting of following elements:
- Determination of the mechanism under Chapter V which you rely upon for the data transfer
- Identification of any deficiencies as to the adequate level of protection in the third country or international organisation to which the personal data are transferred to
- Implementation of customized supplementary measures that fill the “protection gaps” in the third country or international organisation
- Frequent monitoring of compliance in accordance with the accountability principle of the GDPR
It may be clear that your data transfers require a lot of attention, analysis and a customized implementation approach in order to comply with the complex and strict legal framework of the GDPR. Monard Law’s privacy and data protection team has extensive experience in all matters related to data transfers and data transfer impact assessments and can assist you in developing a customized implementation approach and any other issues related privacy and data protection.
We conclude this newsletter with a quote from Andrea Jelinek, Chair of the EDPB: “However, the implications of the [Schrems II] judgement are wide-ranging, and the contexts of data transfers to third countries very diverse. Therefore, there cannot be a one-size-fits-all, quick fix solution. Each organisation will need to evaluate its own data processing operations and transfers and take appropriate measures.”