Transfer of personal data to the USA
What to do without Privacy Shield? Additional guarantees as a “must have”!
Since the European Court of Justice declared the EU-U.S. Privacy Shield invalid in its judgment of 16 July 2020 in Case C-311/18 (“Schrems II”), there has been no clear roadmap for the admissibility of data transfers from the EU to the USA. We would like to provide an overview of the background, recommendations for action and possible developments.
Under the General Data Protection Regulation, a transfer of personal data to third countries must meet the special requirements of Art. 44 et seq. GDPR. The EU-U.S. Privacy Shield was a suitable instrument for this: it certified an adequate level of data protection for transfers to companies listed under the Privacy Shield. The ECJ has closed this door.
Under U.S. law, U.S. authorities have far-reaching powers to access data, which the European Court of Justice considers too broad and disproportionate. The level of protection required by the GDPR for transfers to the USA must therefore be secured by other means.
At the centre of the discussion on how the use of U.S.-based service providers can still be structured in a manner permissible under data protection law are the supplementary measures (“additional safeguards”) that the ECJ requires alongside the EU standard contractual clauses. Additional contractual terms are to be agreed between the customer and the contractor with the aim of effectively preventing U.S. authorities from exercising their powers to access personal data held by U.S. companies.
Such contractual agreements may stipulate, for example, that if a contracting party receives a court order to hand over information, it must notify the other party of the request before disclosing any data and must take all measures to prevent unlawful access to the data by third parties.
The European Data Protection Board does not consider organisational and contractual measures sufficient on their own. According to its six-step roadmap for private-sector companies, technical measures must be taken first and foremost, and their effectiveness must be evaluated case by case.
Which additional technical safeguards come into question varies widely with the scenario.
Scenario 1: Encryption during transmission
Encrypting the data fully before it is transmitted to the U.S. can prevent access by the U.S. service provider, and thus by the authorities, provided that control of the keys remains with the data exporter.
This raises the question of the extent to which it can be ensured
• that the encryption protocols withstand active and passive attacks by the authorities of the third country;
• that the data can only be decrypted outside the third country;
• that a trusted public key certificate authority is used for the communication;
• that, in addition, the personal data itself is encrypted end to end; and
• that backdoors in the software or hardware are excluded.
Scenario 2: Data storage with the U.S. contractor as a backup or for other purposes, without access to plaintext
If a company wants to store its backups on servers in U.S. data centres, for example, the data should be encrypted in such a way that neither the service provider nor the authorities can recover the plaintext.
It would have to be ensured
• that the data is encrypted with an algorithm and parameters that are state of the art and considered robust against the cryptanalytic resources and technical capabilities of the authorities in the recipient country;
• that the encryption strength is matched to the intended retention period;
• that the encryption algorithm is implemented correctly, in properly maintained and, where applicable, certified software;
• that the keys are reliably stored and managed in the EEA or in a country with an adequacy decision, and that only the data exporter or an entity entrusted by it has access to them;
• that the personal data is encrypted to an appropriately high level before transfer.
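The scenario above, written out as code: an added example, not from the original article or from any provider named on this page. It assumes the third-party `cryptography` package; `eea_key_vault` stands in for an EEA-hosted KMS/HSM, `us_bucket` for the provider's storage, and the backup content is constructed for the illustration. Everything the importer receives is in `us_bucket`; the key never leaves the vault.

```python
"""Scenario 2 as code: encrypt a backup in the EEA before it is handed to a
U.S. storage provider, keeping the key with the exporter.

Added example, not from the original article. It assumes the third-party
`cryptography` package (pip install cryptography). `eea_key_vault` stands in
for an EEA-hosted KMS/HSM and `us_bucket` for the provider's storage; both
names and the sample backup content are constructed for this illustration.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Hypothetical key store that physically stays in the EEA; only the exporter
# (or an entity it entrusts) can read it.
eea_key_vault = {}

# Hypothetical U.S. storage bucket: everything the importer ever receives.
us_bucket = {}


def create_key(key_id):
    """Generate a 256-bit AES key and keep it exclusively in the EEA vault.
    AES-256 is chosen because backups may be retained for years."""
    eea_key_vault[key_id] = AESGCM.generate_key(bit_length=256)


def _aad(key_id, name):
    # Bind key ID and object name as associated data so that a record cannot
    # be silently re-labelled or decrypted under a different key ID.
    return "{}:{}".format(key_id, name).encode()


def encrypt_backup(key_id, name, plaintext):
    """Encrypt with AES-256-GCM before upload. The stored record holds only a
    fresh random nonce, the ciphertext (with its authentication tag) and the
    key ID, never the key itself."""
    nonce = os.urandom(12)  # 96-bit nonce, must be unique per key
    ciphertext = AESGCM(eea_key_vault[key_id]).encrypt(nonce, plaintext, _aad(key_id, name))
    record = {"key_id": key_id, "nonce": nonce, "ciphertext": ciphertext}
    us_bucket[name] = record
    return record


def restore_backup(name):
    """Fetch the record from the U.S. bucket and decrypt it in the EEA."""
    rec = us_bucket[name]
    key = eea_key_vault[rec["key_id"]]
    return AESGCM(key).decrypt(rec["nonce"], rec["ciphertext"], _aad(rec["key_id"], name))


def importer_can_read(name):
    """What the provider (or an authority it has to cooperate with) can do: it
    holds the record but has no way to reach eea_key_vault, so the best it can
    do is try a key of its own, which fails GCM authentication. Returns True
    only if it somehow recovers the plaintext."""
    rec = us_bucket[name]
    try:
        AESGCM(os.urandom(32)).decrypt(rec["nonce"], rec["ciphertext"], _aad(rec["key_id"], name))
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    create_key("backup-2021-05")
    sample = b"customer_id=4711;name=Example;diagnosis=redacted"  # constructed
    encrypt_backup("backup-2021-05", "crm-backup.db", sample)
    print("round-trip ok:", restore_backup("crm-backup.db") == sample)
    print("importer can read:", importer_can_read("crm-backup.db"))
```

The decisive design choice is the location of `eea_key_vault`, not the cipher: a key that is generated and held in a key service operated by the U.S. provider would fail the bullet on key storage above even if the same AES-GCM construction were used. Nonce uniqueness per key is the one operational requirement the code itself cannot enforce; rotate keys well before the nonce space or the retention period is exhausted.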
Scenario 3: Transfer of pseudonymized data
A third scenario is to pseudonymise personal data in the country of origin (e.g. by replacing identifiers with codes) and only then transfer it to the USA. As the additional information needed to resolve the pseudonyms stays with the data exporter, neither the U.S. company nor the authorities can attribute the data to individuals.
It would have to be ensured
• that the data exporter transmits personal data only in a form that cannot be attributed to a specific person without access to additional information;
• that this additional information is stored in the EEA or in a country for which an EU adequacy decision exists;
• that it is protected by appropriate technical and organisational security measures and is under the sole control of the exporter;
• that the exporter has verified that the authorities of the recipient country cannot attribute the pseudonymised data to any person using the information available to them.
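An added example (not from the original article) of the last bullet in particular: the point that the exporter must check whether the recipient could attribute the data "using the information available to them". It contrasts an unkeyed hash, which an importer can link back to any identifier it already knows, with a keyed HMAC whose key is the additional information kept in the EEA. Standard library only; the records, candidate list and class names are constructed for the illustration.

```python
"""Scenario 3 as code: pseudonymise identifiers before export and show what
an importer can and cannot do with the result.

Added example, not from the original article. Standard library only. The
`Exporter` class models the EEA side; the records and candidate identifiers
are constructed sample data.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def tokenise(identifier: str, key: Optional[bytes]) -> str:
    """Turn a direct identifier into a token. With key=None this is a plain
    SHA-256 hash (a common mistake); with a key it is HMAC-SHA-256, which
    nobody without the key can recompute."""
    canon = identifier.strip().lower().encode()
    if key is None:
        return hashlib.sha256(canon).hexdigest()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class Exporter:
    """EEA side: holds the key and the token -> identifier table, i.e. the
    'additional information'; neither is ever sent to the importer."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}

    def export(self, records: List[dict], keyed: bool = True) -> List[dict]:
        """Replace the direct identifier with a token and keep only the
        analytics fields; this list is all the importer receives."""
        out = []
        for r in records:
            tok = tokenise(r["email"], self.key if keyed else None)
            self.lookup[tok] = r["email"]
            out.append({"id": tok, "plan": r["plan"], "usage_gb": r["usage_gb"]})
        return out

    def resolve(self, token: str) -> Optional[str]:
        return self.lookup.get(token)


def linkage_attack(exported: List[dict], candidates: List[str]) -> Dict[str, str]:
    """Importer/authority side: it has the exported rows and some list of
    suspected identifiers (a directory, a breach dump). All it can do is hash
    each candidate and compare, because it does not have the exporter's key."""
    tokens = {r["id"] for r in exported}
    return {tokenise(c, None): c for c in candidates if tokenise(c, None) in tokens}


RECORDS = [  # constructed sample data
    {"email": "alice@example.org", "plan": "pro", "usage_gb": 12.4},
    {"email": "bob@example.org", "plan": "free", "usage_gb": 0.7},
]
CANDIDATES = ["alice@example.org", "carol@example.org"]  # constructed


def demo():
    """Return (re-identified with plain hash, re-identified with keyed HMAC)."""
    ex = Exporter()
    naive = ex.export(RECORDS, keyed=False)
    keyed = ex.export(RECORDS, keyed=True)
    return len(linkage_attack(naive, CANDIDATES)), len(linkage_attack(keyed, CANDIDATES))


if __name__ == "__main__":
    n_naive, n_keyed = demo()
    print("re-identified with plain hash:", n_naive, "with keyed HMAC:", n_keyed)
```

The attack needs no cryptanalysis at all: e-mail addresses and similar identifiers are low-entropy, so any deterministic unkeyed transformation is a lookup table waiting to be built by whoever holds a candidate list. The key, and the `lookup` table that allows the exporter to resolve tokens again, are exactly the "additional information" that the bullets above require to stay in the EEA under the exporter's sole control.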
Scenario 4: Additional measures for the transfer of data with a special level of protection (data subject to professional secrecy, e.g. health data).
Sensitive data such as health data enjoys particularly strong protection under European data protection law. Additional safeguards provided by the U.S. data importer are therefore all the more important here.
In this context, it would have to be ensured
• that the law of the recipient country exempts the data importer from any obligation to disclose the data;
• that this exemption extends to any information that could be used to circumvent the protection (passwords, cryptographic keys);
• that the data importer neither uses a processor in a way that gives the authorities access to the data nor transfers the data to an entity that does not enjoy the same protection;
• that the data is encrypted according to the state of the art and, in addition, end to end;
• that the key is reliably stored in the EEA or in a country for which an EU adequacy decision exists;
• that only the data exporter or an entity entrusted by it has access to the key;
• that the data exporter reliably verifies that the key it encrypts with actually corresponds to the data importer's decryption key (key verification during transmission).
Scenario 5: Split or multi-party processing.
As a final scenario, the European Data Protection Board considers that the data exporter could split the data and distribute the parts among different data importers before the transfer to the United States. Neither the individual companies nor the authorities would then hold the complete data set, and so could not reconstruct an overall picture of the data received.
In this regard, it would have to be ensured
• that the data exporter processes the personal data in such a way that it is split into two or more parts, none of which can be interpreted or attributed to a person on its own;
• that each part is transferred to an independent processor located in a different jurisdiction;
• that the processors, where they process the data jointly, do so by secure multi-party computation without disclosing the underlying information, and that the protocol used is secure against attack;
• that there is no evidence of administrative cooperation between the jurisdictions involved that would allow access to all the parts and reconstruction of the personal data;
• that the controller has established, through an analysis of all the information, that the authorities of the recipient countries cannot link individuals to the personal data.
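An added example (not from the original article) of the splitting step: n-of-n XOR secret sharing, the simplest scheme with the property the first bullet asks for, plus a check against the second bullet. `missing_share` shows why holding all but one share reveals nothing: for any candidate plaintext there is a missing share that makes it the "true" record. Standard library only; the importer names, jurisdictions and the sample record are constructed for the illustration.

```python
"""Scenario 5 as code: split a record into shares so that no single importer
(and no single jurisdiction) holds anything interpretable.

Added example, not from the original article; standard library only. It uses
n-of-n XOR secret sharing. The importer names and jurisdictions are
hypothetical and the sample record is constructed.
"""
import secrets
from typing import Dict, List, Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split(data: bytes, n: int) -> List[bytes]:
    """Return n shares of equal length: n-1 uniformly random strings and one
    that XORs the data with all of them. Each share is as long as the data,
    so the length is the only thing a share reveals (pad to a fixed size
    before splitting if the length is itself sensitive)."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = data
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def reconstruct(shares: List[bytes]) -> bytes:
    """Only the holder of every share gets the data back."""
    out = shares[0]
    for s in shares[1:]:
        out = xor_bytes(out, s)
    return out


def missing_share(held: List[bytes], candidate: bytes) -> bytes:
    """Why n-1 shares leak nothing: for any candidate plaintext of the right
    length there is exactly one value of the missing share that makes it the
    'true' record, so the held shares are consistent with every plaintext."""
    return xor_bytes(reconstruct(held), candidate)


def distribute(shares: List[bytes], importers: List[Tuple[str, str]]) -> Dict[str, bytes]:
    """Assign one share per importer (name, jurisdiction) and refuse the
    arrangement if two importers sit in the same jurisdiction, since a single
    authority could then obtain both parts."""
    if len(importers) != len(shares):
        raise ValueError("one importer per share")
    jurisdictions = [j for _, j in importers]
    if len(set(jurisdictions)) != len(jurisdictions):
        raise ValueError("importers must be in different jurisdictions")
    return {name: share for (name, _), share in zip(importers, shares)}


if __name__ == "__main__":
    record = b"patient=4711;icd10=E11.9"  # constructed sample
    shares = split(record, 3)
    assignment = distribute(shares, [("importer-a", "US"), ("importer-b", "IE"), ("importer-c", "CH")])
    print("reconstructed from all shares:", reconstruct(shares) == record)
    decoy = b"patient=0000;icd10=Z00.0"  # same length, any other content
    print("two shares also 'explain' the decoy:",
          reconstruct(shares[:2] + [missing_share(shares[:2], decoy)]) == decoy)
    print("held by", sorted(assignment))
```

The guarantee is information-theoretic for the shares themselves, which is why the EDPB's remaining bullets are about everything around them: that the importers are really independent, that the jurisdictions do not cooperate administratively, and that any joint processing runs as a secure multi-party computation rather than by first pooling the shares. Metadata (record count, length, timing) is not protected by the split and has to be assessed separately.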
Whether the technical measures put forward by the European Data Protection Board can be implemented in practice has to be examined case by case. The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, for example, offers guidance for this examination. Initial reactions from large U.S. companies can also be seen: Amazon Web Services points to its key management service (AWS KMS), while Microsoft has extended the protection of data subjects’ rights beyond the scope of the standard contractual clauses (SCC) by means of an “Additional Safeguards Addendum” to them. Whether a provider-operated key service meets the criteria of Scenario 2 depends on who controls the key material: keys generated and held by the provider do not satisfy the requirement that only the data exporter has access to them.
What to do?
Companies that, as controllers, transfer data to U.S. contractors that do not offer additional safeguards have several options:
1. They can accept the risk and continue to use the contractors for their operational purposes, provided that, apart from the missing safeguards, the underlying data processing agreement is otherwise compliant with data protection law. The nature and scope of the data processed should be a key factor in this assessment.
2. They can switch to alternative service providers that do not transfer data to the U.S., which removes the need for separate agreements on additional safeguards.
3. They can approach their contractors to agree on possible additional safeguards so that the data transfers comply with data protection requirements.
Voices in the business community calling for clear instructions on how such additional safeguards should be designed are growing louder. In particular, the applicability of the proposed encryption techniques to cloud services, whose use requires that the data can be processed in decrypted form, is being called into question. In a position paper of 3 March 2021, representatives of major German corporations asked the German Chancellor’s Office to find legally certain and practicable solutions for data transfers to the USA. According to the Federal Ministry of Economics and Technology, the round table with representatives from politics and business proposed by the corporations is to take place in June 2021. It remains to be seen whether this will bring new developments.
Until more specific requirements emerge from legislation or case law, we recommend documenting the decision-making process behind the choice of a U.S. service provider and being able to demonstrate that suitable additional safeguards have been contractually agreed. Otherwise, data protection supervisory authorities may issue prohibition orders, as the Bavarian supervisory authority did in the Mailchimp case.
As soon as we receive news from the legislator, case law or from supervisory authorities, we will evaluate and inform again.
Friday, May 7, 2021