In this blog I’m kicking off August with a review of the summer’s EU and UK international transfer developments, and my top 10 practical tips. The ground is shifting quite quickly here, so I’d recommend tea and biscuits or perhaps a hard hat…
First let’s look at the EU.
The EU position continues to harden, with the headline: there is (almost) no “risk-based” approach for international transfers.
Big tech and public sector bearing the brunt
The predominant recipient of enforcement action continues to be the advertising giants Google, Meta and Amazon. However, regulators have a growing interest in public sector use of other US providers and products, e.g. Microsoft Teams, and there is growing anticipation of private sector enforcement.
Harder enforcement cases – Google Analytics & public sector procurement
Following the Austrian DSB, French CNIL, and Dutch AP, the Italian Garante is the latest supervisory authority (SA) to decide that using Google Analytics (GA) without further safeguards is not compliant with GDPR.
To reiterate this, the CNIL has published two documents in the last few weeks: (1) an English translation of its Q&A on its GA decisions and (2) suggestions for using an EU proxy as a supplemental measure for GA. There are a few unsurprising points:
GA does not offer any security measures that make it compliant with GDPR.
A “risk-based” approach is not acceptable for international transfers.
Use of an EU proxy server could be a suitable supplementary measure to permit GA use (CNIL diagram below).
…and a few more surprising(!) ones:
A Transfer Impact Assessment (TIA) must consider whether access to data is “possible”, not just “likely”.
In assessing the effectiveness of anonymisation as a supplemental measure, the controller should consider the “considerable means available to the authorities likely to carry out [any] re-identification”.
If engaging an EU entity, the engager must review whether the EU entity has “capital or organisational links with a [third country] parent” and, if so, perform a legal order review of that third country – even where there is no transfer.
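The EU proxy that the CNIL suggests as a supplemental measure for GA is, in practice, a server that rewrites each analytics hit before forwarding it from an EU address. As an added illustration (not code from the original post, from the CNIL or from Google), here is a Python sketch of that rewrite; the Measurement Protocol parameter names are assumed for illustration, and which parameters to drop and the keyed-hash pseudonymisation of the client id are assumptions, not the CNIL's prescribed list.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical secret held only by the EU proxy (constructed value; rotate it
# regularly so hashed identifiers cannot be linked across long periods).
PROXY_SECRET = b"constructed-example-secret-rotate-me"

# Parameters carrying direct identifiers or re-identification vectors
# (assumed set: user id, visitor IP, referrer, user agent, geo id).
DROP_PARAMS = {"uid", "uip", "dr", "ua", "geoid"}
PSEUDONYMISE_PARAMS = {"cid"}       # client id: keep sessions stitched, but keyed
URL_PARAMS = {"dl", "dp"}           # page URLs: may embed emails or tokens

def pseudonymise(value: str) -> str:
    """Keyed hash: the proxy, not the third-country recipient, holds the link
    back to the original identifier. Deterministic per secret, so repeat
    visits by the same client still share one pseudonym."""
    return hmac.new(PROXY_SECRET, value.encode(), hashlib.sha256).hexdigest()[:32]

def strip_url(url: str) -> str:
    """Drop query string and fragment, which often carry personal data."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def sanitise_hit(raw_query: str) -> dict:
    """Rewrite the query string of an incoming hit into the forwardable subset."""
    params = {k: v[0] for k, v in parse_qs(raw_query, keep_blank_values=True).items()}
    out = {}
    for key, value in params.items():
        if key in DROP_PARAMS:
            continue
        if key in PSEUDONYMISE_PARAMS:
            out[key] = pseudonymise(value)
        elif key in URL_PARAMS:
            out[key] = strip_url(value)
        else:
            out[key] = value
    return out

def build_outbound_request(raw_query: str) -> tuple:
    """URL and headers the proxy would use when forwarding. The proxy connects
    from its own EU address and sets no X-Forwarded-For, so the visitor's IP
    never leaves it; the user agent is replaced by a generic one."""
    query = urlencode(sanitise_hit(raw_query))
    headers = {"User-Agent": "eu-ga-proxy/1.0 (example)"}
    return f"https://www.google-analytics.com/collect?{query}", headers
```

A real deployment would also need to serve the analytics script from the EU domain and set cookies itself, so the browser never talks to the third-country endpoint directly.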
Meanwhile, the German Public Procurement Chamber of Baden-Württemberg has gone even further – stating in July that the mere possibility of third country access is a transfer under Article 44. The decision stemmed from a challenge by an unsuccessful (EU) bidder in a procurement process: while the (cheaper) successful party’s servers were in Germany, it (a) had a US parent and (b) was permitted under the confidentiality and data transfer terms to disclose personal data in third countries to comply with the law or a binding order. The presence of a US parent may therefore continue to be used as a ground for challenge by similarly unsuccessful bidders in public procurement processes.
Denmark – an alternative interpretation for global CSPs?
However, the approach above contrasts with the Danish DDPA’s March Guidance on Cloud Service Providers (CSPs) and associated FAQs, reiterated recently on 1 August in its CSP due diligence questionnaire for controllers. Under that guidance (see 3.6) – “It is not in itself unlawful to use a CSP whose [third country] parent company is subject to [domestic] laws… giv[ing] law enforcement authorities the competence to request information held by other group members, including those in the EU/EEA.” Numerous pages also repeat that a controller can transfer personal data to a CSP that falls within FISA without supplemental measures, if the controller can demonstrate that it will not be accessed in practice – for example, the CSP has not received any requests (see e.g. page 25). This seems, therefore, to advocate a risk-based approach. (I also refer to Examples 7 and 14, which clearly permit use of an EU subsidiary of a US-based provider and transfers where there is a “LOW” residual risk.)
In the same CSP guidance, citing from its guidance on third country transfers, the DDPA obliges controllers to implement controls, regularly audit and (if aware of unauthorised transfers) terminate arrangements, but any unauthorised transfer by the processor is “considered as ‘unintended’ on part of the controller”, in respect of which (a) the controller is “not obligated to comply with the [international transfer] provisions” and (c) the processor is deemed a controller.
For now, therefore, it looks like Danish controllers can take comfort that the DDPA is taking a more pragmatic approach than those above – permitting both a “risk-based” approach and (subject to a TIA) use of “third-country-parented” CSPs.
(For completeness, there are some (erroneous) headlines reporting a hardening by the DDPA in the first “hardware” decision on Google Chromebooks and Workspace. However, the decision centres on an inadequate DPIA, and public comments from the decision’s author (Allan Frank) advise that it should not be more widely interpreted.)
Ireland – no more EU Insta(?), but two more Commissioners
The lead SA for most of Big Tech and the instigator of the CJEU referral resulting in Schrems II – the Irish Data Protection Commission (DPC) remains at the eye of the storm.
Earlier in July, the DPC confirmed to Reuters that it had (finally!) issued a draft decision to the other EU SAs ordering Meta to cease EU-US data flows for Instagram. Subsequently referred to the EDPB following several SAs’ objections, a non-public binding decision was adopted by the EDPB at its plenary on 28 July. The DPC now has one month to issue its final decision to Meta – and we’ll be taking a close look when it does!
In the same week, the Irish Minister for Justice announced that it would be appointing two further Data Protection Commissioners, chaired by current Commissioner, Helen Dixon. This aims to alleviate the “working burden” and “investigative complexity” – however, some privacy groups have objected to Dixon continuing to lead given her enforcement record.
Where does this leave the EU governmental party line? Well, it’s unclear.
Most recently on the DPC, EURACTIV’s Luca Bertuzzi reports MEPs will visit Ireland in September to meet with stakeholders including the Irish Council for Civil Liberties (ICCL) and the DPC (the DPC having previously refused to appear before the European Parliament), and the European Ombudsman continues to investigate whether the European Commission has insufficiently monitored DPC enforcement.
Privacy Shield 2.0/Transatlantic Data Privacy Framework
A draft is expected soon!
According to Politico’s Mark Scott, EU officials spent three days at the end of July in Washington reviewing the draft Executive Order amending US surveillance powers and remedying the Schrems II deficiencies. Once the draft is published, we expect around 6 months of approvals before the European Commission can issue an adequacy decision – and that’s if it’s not waylaid by Schrems or other NGOs.
Switzerland – no risk based approach either?
Bonus (EFTA) point here – the Swiss data protection regulator (FDPIC) appears to be aligning itself with the general EU SA “no risk-based” approach. In a letter to the Swiss National Accident Insurance Fund (Suva) published in June, the FDPIC noted that there was no basis in law for Suva’s “risk based” TIA for Microsoft Office 365 based on the Rosenthal/IAPP template. (Suva has issued a strong rebuttal and we are awaiting developments.)
Now let’s turn to the UK.
In contrast to the EU, the UK Government and ICO appear to be softening the UK’s international transfers position, including (i) pushing forward with several adequacy decisions, including the USA, and (ii) permitting a “risk-based” approach on international transfers.
The new UK Commissioner’s outlook seems to be converging with the Government’s “pro-innovation” one. As the Government’s preferred candidate, it is unsurprising that his recent supportive commentary differs in flavour from his predecessor’s – particularly on the Government’s proposals to reduce the ICO’s independence and diverge from the EU GDPR (see below) – but this lack of independence seems to be upsetting both business and civil society, especially when risking adequacy (see below).
No news here – the ICO has kept conspicuously quiet on GA and we consider it unlikely to take any enforcement action, particularly if it continues down the road below.
At the ICO’s July Data Protection Practitioner’s Conference (DPPC), the ICO presented its draft response to its consultation on the published (and already in force) IDTA and the (still in draft) Transfer Risk Assessment (TRA) and associated guidance. The presenters stressed that attendees should not yet rely on the content, as while it gave a “strong flavour”, the precise wording hadn’t been finalised. (Interestingly, they had also not yet discussed their proposals with the EU SAs.)
Therefore, with those health warnings, key points were:
Only the exporter is responsible for the TRA (whether processor or controller) – controllers will need to impose contractual restrictions if they want a say in their processors’ TRAs.
Exporters can rely on a risk-based approach and data can flow where there is a low risk of harm.
EU processors do not need to carry out a TRA for transferring data back to non-EU controllers.
A TRA can either: (i) follow the EDPB approach or (ii) compare the position of the data subject if the data stayed in the UK versus if the transfer went ahead (see 4).
The proposed scope of investigation under (ii) should be “reasonable and proportionate” according to the risk of the transfer. The new TRA will set out the resources to review, but generally this is a much slimmer review than the EDPB TIA. The examples given were, for a lower risk transfer – the FCDO human rights and democracy reports, DfID’s Doing Business guides and some human rights reports from reputable charities – and for “riskier” transfers – a detailed review of local laws and practices, but focussing on data protection and human rights.
Final versions of the TRA and guidance were promised in the following order:
Shortly: the ICO response to the consultation.
Next: updates to their broader international transfers guidance.
Summer: an updated TRA.
Autumn (hopefully before 21 September): guidance on the IDTA/UK Addendum.
(Surprised? You’re not alone. By the flood of comments on the day, it’s safe to say that the session caused a good deal of confusion(!).)
On 18 July, the Government published its Data Protection and Digital Information Bill (DPDI Bill) aiming to reform the UK GDPR, DPA and PECR. (We’ll be publishing a longer review of the changes.)
For international transfers, the DPDI Bill introduces a “data protection test” for assessing the standard of protection for processing of personal data in a third country. This should be based on the “outcomes” for data subjects, and transfers will be permitted if the standard is not materially lower than under UK GDPR. Some of the other relevant reforms include:
Reducing the independence of the ICO by (a) requiring them to “have regard” to a “Statement of Strategic Priorities” published by the Government and (b) giving the Secretary of State final approval of codes of practice and statutory guidance.
Increasing the threshold for SARs (it is worth noting that “access” is a right enshrined in the EU Charter of Fundamental Rights).
Removing the obligation for non-UK controllers and processors to appoint a UK representative.
Prescribing a series of “legitimate interests” under Article 6 that focus on “public interests”, such as national and public security and safeguarding.
Matt Warman, introducing the DPDI Bill in the House of Commons, stated that it “could create around £1 billion in business savings over ten years”. While many of the proposed changes do not radically depart from the EU GDPR, they are enough to raise eyebrows in the EU, and, by contrast to the estimated savings, the Government estimates around £2.5 billion in costs if we lose EU adequacy (see 566).
Both Truss and Sunak have also stated they will pursue these reforms (or greater) if appointed Prime Minister.
…so on that adequacy question?
Ok so, firstly, nothing seems to be threatening the adequacy decision under the UK GDPR permitting flows from the UK to the EU.
If you’ve read the above, it won’t surprise you that it’s not looking as rosy for the EU’s UK decisions. Publicly both the UK Government and the ICO state they don’t consider the above will affect the EU adequacy decisions. Indeed, the UK Government deemed it “highly unlikely” in their risk assessment, and the Commissioner used his DPPC speech to affirm that “it’s clear the UK can go its own way”.
However, the EU doesn’t seem to agree. Speaking to Neil Hodge of Compliance Week, the European Data Protection Supervisor (EDPS) expressed interest in seeing the UK’s reforms as a “sandbox” for future reforms to the EU GDPR, and considered that the DPDI Bill, as opposed to the original proposals, is “professionally thought-out” and “not just political propaganda”. However, he also expressed concerns over the changes to the ICO, US adequacy and long-term divergence. Following the DPDI Bill’s publication, an MEP has already submitted questions to the Commission on whether it will review UK adequacy. (A response is expected by early September.)
In addition to the Data Protection considerations, it’s also worth noting that the broader political situation has continued to deteriorate. As the UK pursues its intentions to breach the Northern Irish protocols, the EU Commission has issued a further four infringement proceedings.
…and as we saw the first time around, adequacy decisions can certainly be political.
Right – now for 10 practical tips!
Standard Contractual Clauses – again, prioritising “high risk” areas:
Ensure you’ve got EU and UK SCCs – or, if using the old SCCs, account for replacing references to the EEA, lead supervisory authority and governing law with UK versions (the new EU SCCs cannot be used for UK transfers).
Start repapering old EU SCCs – we’ve got until 27 December to replace with the new EU SCCs.
Prepare a version of the new UK IDTA or Addendum for new contracts from 21 September – we won’t be able to use the old EU SCCs for new contracts after then.
TIAs and TRAs. For now, wherever you’re using SCCs, keep going with those EDPB TIAs – whether you’re in the EU or the UK. (Although use the human rights and business documents mentioned at the DPPC as a helpful pointer.) Focus on “high risk” areas – particularly transfers involving substantive or sensitive data.
Encryption. Wherever the EU SAs are landing on transfers, they’ve got a laser focus on encryption as a supplemental measure. Discuss with your InfoSec team which systems are encrypted and when (i.e. in transit, at rest or in motion).
Access controls. Similarly – talk to your teams about access controls. Frequently lower hanging fruit, these can help prevent any “accidental” transfers and reduce the risks in the TIA.
CSP transparency reports and TIAs. Larger CSPs are publishing both (i) annual/semi-annual transparency reports setting out the number and types of surveillance requests, and (ii) their own TIAs. If you’re a customer, do check those out and use them in your TIAs, and if you’re a CSP, consider offering your own.
Article 28 processor clauses. Check the specifics – is there anything in there that can help reduce the risk? For example, data breach notification periods, restrictions on international transfers, and audit and information rights.
Google Analytics. If you’re in the EU, or direct your website at the EU, seriously consider pausing your Google Analytics cookies. Particularly if you tend to receive more data subject complaints and enquiries. Start considering EU alternatives.
Other cookies. With many third-party cookies involving international transfers (e.g. social media) and cookie claims on the rise, take a quick look at your banner to make sure these cookies are not being dropped without explicit, opt-in, consent. Also consider if any historic cookies could be retired.
Watch our international transfers vlogs (links at the top of the page) for a quick back-to-basics refresher or get in touch to watch our international transfers seminar with DeMarco Law, PLLC for a comprehensive review.
Keeping on top of it. Watch this space for developments, follow us on LinkedIn, Twitter or sign up for updates on our mailing list: here.
Thanks for reading – do get in touch if you have any questions or you have any topics you’d like covered in future briefings, webinars or vlogs.