New rules for cloud from the EU – bigger impact on business than GDPR itself?
By Eva Jarbekk & Thomas Nygren.
Background – how could the EU set out these guidelines?
Two weeks ago, the EU, via the European Data Protection Board ("EDPB"), published its guideline on how to transfer personal data outside the EU. It is a consequence of the ECJ's so-called Schrems II judgment. Those who hoped that the guideline would simplify third country transfers were not satisfied. It is tempting to say that these guidelines are causing more of a stir, and more changes to business models, than the introduction of GDPR itself.
The EU is actually saying that many cloud set-ups have been designed and sold in a way that was not compliant with GDPR (nor with the directive it replaced). This is the simple reason Schrems has won the cases he started, and the reason for these new guidelines from the EU. The commercial background for the set-ups that have been used is that they have been cheap, practical and easy to accept.
The ECJ ruling and the new guidelines are in reality saying that this needs to change now. The view is that if European users stand united, the cloud service providers will change. It is not only transfers to the US that are affected, so are transfers to India and all other countries outside the EU, and soon also to the UK. The reason the new guidelines do not "pre-approve" certain countries is that EU regulation specifically states that this is the task of the Commission, not the EDPB.
The guideline is presently a draft, which all may comment on until the 30th of November. However, there is no reason to believe that significant changes will be made, so organizations and companies should implement the necessary routines as soon as possible. We hear that this is now on the agenda in many boardrooms, and here are some viewpoints that may be relevant to discuss.
The guideline sets out that both controllers and processors are clearly responsible for ensuring legal transfers and an equivalent privacy level in the receiving country. There is no solution that fits all. Transfers that do not comply are illegal, and such transfers may be stopped by the DPA, with all the contractual implications that may have.
One may choose to accept non-compliant transfers for one's company, but that is at your own and your shareholders' risk. You may be instructed by a data protection authority to stop such transfers and implement other ICT systems, but that will probably be costly. You also risk being sanctioned for being non-compliant with GDPR. This is why this topic is high on the agenda in many boardrooms at the moment.
Even though it is true that the GDPR is so-called risk-based, the question of whether or not one is compliant is in itself not a risk-based question. It is a binary question: do we follow the rules or do we not? If the answer is "No, sorry, we do not follow the rules", then one may choose to continue as non-compliant, but that is acceptance of not being compliant and of the risks that brings. Remember also that the threshold for sufficient privacy in the third country is that the protection shall be "essentially equivalent", not "good enough" for the actual personal data. This also follows from GDPR recital 104 and is a high bar. Many countries used in cloud set-ups will probably fail that test, not only the US. The data protection authorities even state that you must then report non-compliant transfers to them. Not under the breach articles, but under the transfer articles. This does have major implications.
Some direct consequences of the guideline:
- if personal data is stored in the EU, there is no remote access from a third country and no transfer of metadata, and (third party) audits are conducted to ensure the agreements are respected, then the cloud set-up should be compliant. This is probably a set-up we will see more often going forward
- if a cloud service provider in a non-EEA country has access to unencrypted, readable personal data, there are only three possibilities: 1) process the personal data in a country that has equivalent privacy legislation to the EU, 2) process the personal data in a country that has an adequacy decision from the EU Commission, or 3) process the personal data within the EU. And, as one DPA employee recently phrased it, remember that metadata is also personal data, and make sure no metadata is "dripping into" third countries without good privacy protection
- 24/7 support will become more expensive when the cloud service providers must staff it from Europe
Does this have consequences for existing and new contracts? Absolutely. It is time to rethink your cloud set-up, look into your existing agreements and consider what new ones you are to enter into.
The Norwegian Datatilsynet has set out further guidance on the interpretation of the guideline, and states the following [office translation]:
- postpone entering into new agreements with third country suppliers until you are absolutely sure that you are fully able to comply with all of the European Court of Justice's terms. If in doubt, agreements should not be entered into
- one must be prepared for the fact that new agreements involving the illegal transfer of personal data to third countries, may be considered more severely than existing agreements. Old agreements were entered into before the additional terms of the European Court of Justice were known, and in the first months after the ruling, it may take some time to adjust to the new rules. New, illegal agreements, on the other hand, can be seen as a violation committed against better knowledge from the outset, and there is no excuse for having entered into such agreements
We do not know how the DPAs will enforce this, but they are clear that there is no moratorium. There are currently 101 new transfer complaints filed throughout Europe by NOYB, the privacy organization behind the Schrems case that started this matter. The EDPB has a special task force on how to handle these cases, and there is probably no reason to believe they will be lenient in their views on this, either.
For whom is the guideline relevant
The guideline provides a detailed overview of the data protection authorities' expectations for how organizations shall handle the transfer of personal data to countries outside the EU. It is highly relevant to cloud service providers, to those who build services on cloud services, to corporations with internal international transfers, to the private sector and to the public sector; to all companies, actually.
The text also makes it clear that the rules apply to international intercompany transfers. Most international groups transfer information about their employees and customers. It is also important for the valuation of companies: companies that comply with the new guidelines may be valued higher than those that do not.
EU’s view on privacy in countries outside Europe
EU privacy legislation takes the view that many countries outside the EU have less privacy protection than within the EU, and this is often true as well. Most often, it is governmental mass surveillance of communication that is criticized. The EU therefore requires that companies implement extra safeguards, by adding technical or contractual measures, to ensure that such surveillance does not infringe the fundamental rights of a person protected by the GDPR.
This means that a company has to know how surveillance is done in the countries it transfers data to, and in what way a service provider in a third country is affected by such surveillance legislation. Assessing this is not an easy task. The guideline therefore consists of two main parts. First, it has a number of recommendations concerning supplementary technical, organizational and contractual measures that may be set up to increase privacy. In practice, this section is a cookbook on how to go forward and deserves more attention than can be accommodated here. Secondly, it sets out recommendations for how to decide whether the surveillance level in a third country is in accordance with fundamental European rights. We believe one will soon see overviews and analyses of the privacy legislation and levels in different countries.
For services rendered from the USA, the Schrems II judgment has already determined that the US surveillance level is in breach of the fundamental rights granted to a person residing in the EU, somewhat depending on what kind of transfer it is. However, the assessment must be made also for other third countries that data is transferred to or accessed from. For cloud agreements, this is often India as well as other countries.
If appropriate measures are implemented or if the receiving party is unaffected by surveillance legislation, one may transfer the personal data to third countries. If the relevant measures are not taken, either because it is not possible or one does not prioritize it, then the company cannot commence transfers or will even have to stop ongoing transfers. This has large consequences for existing agreements concerning cloud services.
Are necessary transfers unaffected?
There are transfers to third countries that may fall outside the scope of the Schrems II judgment. The most common derogations are i) consent, ii) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request, and iii) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person. This will for example allow a person residing in the EU to purchase goods from a supplier in a third country, or to book a hotel stay or an airplane ticket in the USA. But there are conditions on such transfers that do not always make them very practical.
What to do – the six steps – and will contractual remedies help?
EDPB's guideline sets out six steps that European data exporters are urged to follow:
- Know what countries you transfer data to;
- Know what transfer tools you are using (SCCs, consent, other?);
- Assess if the third country has essentially equivalent privacy rules (use the EDPB guideline on EUs Essential Guarantees);
- Identify and adopt supplementary measures: technical measures (encryption, anonymization, pseudonymization), contractual measures and possible organisational measures;
- Consider possible formal procedural steps (e.g. consult the DPA);
- Re-evaluate at appropriate intervals.
The content of step 4 above deserves further attention. But first a word on the effect of contractual remedies: the aim of the remedies the EDPB requires to be put in place is that foreign governmental surveillance shall be essentially equivalent to what is found within the EU. Terms and conditions entered into between two private parties will not legally bind any other country's surveillance authorities. This is the reason why the guide sets out that contractual measures "should be combined" with technical measures. There is little reason to believe that any contractual measure will help unless the right technical measures are also in place.
Cloud services and measures taken according to the fourth step
The supply chain in cloud services is often long, for both technical and commercial reasons. In many cloud services, employees from a large number of countries will assist. Today, many of these transfers rely on EUs Standard Contractual Clauses, a transfer tool that we now know is legally insufficient for third countries without equivalent privacy regulation. One then must consider additional measures, ref step 4.
What measures that are adequate in each specific case, must be decided on a case-by-case basis and may include contractual, technical or organizational measures. It is interesting to see that the EU have the greatest confidence in the technical measures: "Indeed there will be situations where only technical measures might impede or render ineffective access by public authorities in third countries to personal data, in particular for surveillance purpose."
The EDPB discusses various examples of relevant technical measures. They list five use cases where they find that it is possible to implement technical measures that can lead to adequate protection and therefore qualify as adequate "additional measures". Then they list two other use cases where they do not find any adequate additional measures.
Below we attach some comments to the use cases of particular interest for customers and suppliers of cloud services.
According to Case 1, a data exporter may use a cloud provider for storage services for backup purposes in the third country, provided several conditions have been met. The data must, among other things, be strongly encrypted prior to transfer, the encryption algorithm must be state of the art and the encryption key must be fully under the data exporter's control. The example assumes that the processing of personal data carried out by the data importer does not require access to readable data, i.e. that the cloud provider does not have access to unencrypted personal data.
Corresponding assessments lie behind Case 2, Transfer of pseudonymized data. Pseudonymization can be an adequate technical measure, as long as the key to identify the individuals is under the data exporter's control.
Case 1 has its counterpart in Case 6, in that the latter applies when the data importer has access to unencrypted, readable data. The EDPB writes that it cannot see any technical measures that can counteract this where the surveillance level in the recipient country is not in accordance with basic European rights. In such cases, they will actually not allow transfer to a provider of cloud services that must have access to unencrypted personal data to perform the service.
The EU also specifies that if the supplier needs to have access to unencrypted personal data, it does not alleviate the situation to implement transport encryption or "at rest" encryption where the supplier holds the keys. This is not surprising.
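To make the distinction between Case 1, Case 2 and Case 6 concrete, here is an added example (our illustration, not code from the EDPB or from any cloud provider) of the two arrangements the guideline accepts: a backup where the exporter encrypts before transfer and alone holds the key, and pseudonymisation where the exporter alone holds the key and the re-identification table. The class names `DataExporter` and `CloudImporter` and the sample record are constructed for the example. It uses AES-256-GCM from the `cryptography` package when that is installed, and otherwise falls back to an HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag so the example still runs on a plain Python install; the fallback is for demonstration only, and production backups should use AES-GCM or another vetted authenticated cipher.

```python
"""Exporter-held keys: encrypted backup (Case 1) and pseudonymisation (Case 2).

Added example, not taken from the EDPB guideline. DataExporter / CloudImporter
and the sample record are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

try:  # state-of-the-art AEAD when available
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM
except ImportError:  # fallback so the example runs without third-party packages
    AESGCM = None


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (fallback path only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(12)
    if AESGCM is not None:
        return nonce + AESGCM(key).encrypt(nonce, plaintext, None)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError on a wrong key or a tampered blob."""
    nonce, rest = blob[:12], blob[12:]
    if AESGCM is not None:
        try:
            return AESGCM(key).decrypt(nonce, rest, None)
        except Exception as exc:  # cryptography raises InvalidTag
            raise ValueError("authentication failed") from exc
    ct, tag = rest[:-32], rest[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class CloudImporter:
    """Third-country storage provider: only ever receives opaque blobs."""

    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}

    def put(self, name: str, blob: bytes) -> None:
        self.store[name] = blob

    def get(self, name: str) -> bytes:
        return self.store[name]


class DataExporter:
    """EU controller: holds the encryption key and the re-identification table."""

    def __init__(self) -> None:
        self.enc_key = secrets.token_bytes(32)      # never leaves the exporter
        self.pseudo_key = secrets.token_bytes(32)   # never leaves the exporter
        self.lookup: Dict[str, str] = {}            # pseudonym -> identifier, kept in the EU

    def pseudonymise(self, identifier: str) -> str:
        # Keyed HMAC rather than a plain hash: without pseudo_key the importer
        # cannot test a list of plausible identifiers against the pseudonyms.
        p = hmac.new(self.pseudo_key, identifier.encode(), hashlib.sha256).hexdigest()[:32]
        self.lookup[p] = identifier
        return p

    def reidentify(self, pseudonym: str) -> str:
        return self.lookup[pseudonym]

    def backup(self, importer: CloudImporter, name: str, record: dict) -> None:
        # Case 1: encrypt before transfer; the importer stores ciphertext only.
        importer.put(name, encrypt(self.enc_key, json.dumps(record).encode()))

    def restore(self, importer: CloudImporter, name: str) -> dict:
        return json.loads(decrypt(self.enc_key, importer.get(name)))


def importer_cannot_decrypt(blob: bytes) -> bool:
    """Simulates the importer (or a third-country authority) trying without the exporter's key."""
    try:
        decrypt(secrets.token_bytes(32), blob)
        return False
    except ValueError:
        return True


def demo() -> Tuple[bool, bool, bool, str]:
    exporter, importer = DataExporter(), CloudImporter()
    record = {"name": "Kari Nordmann", "email": "kari@example.com"}  # constructed sample
    exporter.backup(importer, "hr-backup", record)
    blob = importer.get("hr-backup")
    plaintext_visible = b"Kari" in blob                      # should be False
    restored_ok = exporter.restore(importer, "hr-backup") == record
    pseudonym = exporter.pseudonymise(record["email"])       # Case 2: what the importer gets
    return plaintext_visible, restored_ok, importer_cannot_decrypt(blob), pseudonym


if __name__ == "__main__":
    print(demo())
```

The contrast with Case 6 is the location of `enc_key` and `lookup`: the moment the importer needs either one to perform the service, the importer can read the data and no amount of transport or at-rest encryption on the importer's side changes that.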
Final word of advice
It is evident that all parties have to look into what cloud agreements are in use, and what terms and measures are in place. If your company has many cloud agreements, prioritize the most important agreements and those involving sensitive personal data. And it is time to assess how existing agreements may best be amended and what technical measures can be taken to secure the data from unauthorized access.