Finally legal cloud services?


Published 25 June 2021

On Monday, the EU published the final version of its guidelines for the transfer of personal data to countries outside the EEA. This is a cornerstone in the assessment of what is a legal cloud service. It is good that this happened in the brightest week of the year, because, as usual, there is a lot to read and get acquainted with. Yes, it will be risk-based. Yes, there are a number of conditions to consider. And yes, not all criteria are clear.

By lawyers Eva Jarbekk and Inge Kristian Brodersen in Schjødt's data protection team.


The draft from last year created a lot of debate and ambiguity about what must actually be done for transfers of personal data to third countries to be legal. Whether the new version provides all the clarifications that many have wanted is doubtful. Much is the same as in the previous version: the same six steps in the "roadmap" apply, contractual and organisational measures alone cannot compensate for problematic legislation, the recommended technical measures such as encryption are the same, etc.

The most important innovation, and what many have lobbied for, is the third step regarding the assessment of the third country's data protection legislation and practice. A risk-based approach is now possible, but what constitutes an acceptable level of risk is not entirely obvious. We will revert to this in another article. It is still clear that the EDPB's goal is to ensure essentially equivalent protection in the receiving country. But the type of data transferred will in some cases play a larger role than it did in the draft guidelines.

The term "data exporter" must be added directly to your vocabulary going forward. It covers all of us who send personal data out of the EU, including those who are customers of the major cloud providers. According to the EDPB's instructions, the data exporter must assess not only the third country's legislation and its obligations under human rights treaties, but also the authorities' actual practice of data protection. That is a lot to deal with, but we assume that some common assessments that can be reused for this purpose will crystallise, so that part will probably solve itself. In practical terms, note that one must also consider any onward transfer from a data processor to a sub-processor. This is extremely practical. And transfers to the United States cannot necessarily be handled in the same way as transfers to, for example, India.

Paragraph 43 of the new guidelines contains an important clarification. It describes several situations that can arise if the recipient country's data protection regime is problematic, and states that the data exporter then has several choices. The data exporter can:

  1. Stop the transfer
  2. Implement further measures, or
  3. Continue transfer without implementing further measures "if you consider that you have no reason to believe that relevant and problematic legislation will be applied, in practice, to your transferred data and/or importer"

Not many want to use option 1. Options 2 and 3 are the most relevant.

Of the relevant measures under option 2, encryption will be particularly practical. In the future, we will have to deal with different encryption options and their consequences for which services can be used. The better the encryption, the easier the transfer. But at the same time, it is difficult for a provider to, for example, scan for viruses if it does not hold the key that can unlock the encrypted data. So which services you can use is linked to which encryption solution you choose.

This is especially important, as the guidelines have kept the much-discussed "Case 6" largely unchanged from the draft. It still says that the EDPB has difficulty seeing how a cloud solution can be used where the provider has access to "data in the clear", i.e. unencrypted data, when the provider is in a country where the level of protection is not good enough. At the same time, Case 6 contains a passage that may indicate that it is the services actually agreed that are to be considered, and not other hypothetical services. This in turn may mean that purely hypothetical access options do not count that heavily. Some have said that Case 6 is the nail in the coffin for SaaS. That does not have to come true, but it is conceivable that you will have to be more conscious of which functions you want to use in a SaaS delivery. In addition, so-called split processing between actors in several jurisdictions can also be a relevant measure; this is described in more detail in "Case 5" of the guidelines. It is also important to note that pseudonymisation may be a relevant measure. Complicated? Yes, but the mix of law and technology is fascinating as well.

Option 3 will be tempting for many. This is also a risk-based approach, at least in the sense that the type of data exported is relevant. However, the threshold for being able to use it is high. According to the EDPB, the data exporter needs to make a thorough assessment that can be documented: "You will need to have demonstrated and documented through your assessment, where appropriate in collaboration with the importer, that the law is not interpreted and/or applied in practice so as to cover your transferred data and importer, also taking into account the experience of other actors operating within the same sector and/or related to similar transferred personal data and the additional sources of information [...]."

The EDPB also emphasises the seriousness of this in its "executive summary": "You should conduct this assessment with due diligence and document it thoroughly. Your competent supervisory and/or judicial authorities may request it and hold you accountable for any decision you take on that basis."

In this context, it is good to know that the EU, via the European Data Protection Supervisor, has started investigations into its own use of services from Amazon Web Services and Microsoft O365. It is reasonable to believe that the conclusions of this work will be central to what will be acceptable for other actors as well. The work was started in May 2021, and we guess it is no coincidence that this happened so close in time to the new guidelines.

The EU's guidelines for the transfer of personal data are closely linked to the EU's new Standard Contractual Clauses (SCCs), which were published on 4 June. The legal situation in this area is most definitely fluid, and we are still pondering how much of this should be put into practice. Together, these EU documents constitute important and brand-new starting points for companies that transfer, or are considering transferring, personal data to third countries. They are guaranteed to be the subject of many interpretations in the future. We are also waiting for an FAQ on the new third-country SCCs, because they lack crucial clarification on when they are to be used. It is not apparent whether the SCCs may be used when the data importer is itself bound by the GDPR.

For many of us, the work now starts with creating a toolbox with checklists and templates for companies that would rather follow the rules of the game. Do contact us, should you have any questions.