The cloud services that you use may well be compromising your GDPR compliance

Using Survey Monkey, Mailchimp or other cloud services in your business? The data transfers that you make may well be compromising your GDPR compliance

The United States Foreign Intelligence Surveillance Act (FISA) and the powers this legislation provides to the US intelligence service and the FBI, is a problematic issue in the world of data protection. FISA confers wide powers, allowing interception and monitoring of communications involving non US individuals. Exercise of the powers is known to lead to the capture of vast amounts of intelligence through all forms of digital communication systems - telephone, email and web based. Surveillance activities of this kind are problematic in the context of GDPR and the ability to compliantly transfer data out of the European Economic Area (EEA), into territories where governmental bodies have powers of this kind. Transfers must be undertaken on a basis that, other than in the case of a few limited exceptions, the transfer maintains the integrity of GDPR data subject protections. Travel across to Europe now, and we see the impact FISA and similar surveillance powers have when privacy campaigners pitch against some of the most innovative tech businesses in the world. The outcome is, inevitably, a headache for European lawmakers. GDPR was implemented to a background of some positive work previously carried out to ensure that it was okay to transfer data to countries such as the United States. A project known as the Privacy Shield was implemented to provide a high level of assurance around data protection - this involving the European Commission and the US Department of Commerce setting out, together, a certification procedure that could be adopted by US businesses who wanted to trade within the EEA. The EU has also, for many years, promoted a standard contractual clauses approach to protecting personal data (SCCs) - adopting these clauses in your agreements, where they are accepted unamended has also formed an important basis for transferring data out of the EU. They place contractual obligations on the data importer that mirror requirements of EU data protection legislation. But clearly, no contractual agreement can override the powers of governments and their agencies. So, almost inevitably, July 26th 2020 brought a landmark decision by the European Court of Justice in a case mounted by leading privacy campaigner Max Schrems, based upon the existence of FISA and other surveillance powers available to US authorities. Manifestly, GDPR protection of data subjects just could not be upheld as providing the essential guarantee that must exist when data is transferred to a third country (where that third country has not satisfied the scrutiny of the EU as having adequate data protection laws).

Why is this important?

There will be very few businesses that do not, one way or another, rely on service providers located in territories where data protection legislation does not meet GDPR standards. The business community has become dependent upon the plethora of cloud

What is the Commission now saying?

First and foremost, there has been a modernisation exercise associated with the SCCs. A new version has been published for consultation. These can be found here.It will be expected that the many service providers who use these as the basis upon which they work with EU customers, will update their terms and conditions of business to incorporate the new clauses within the next 12 months. Secondly, the Commission advises that any business exporting personal data even where a service provider commits to the new SCCs, should take more steps to assure itself of GDPR compliance before continuing the relationship with that service provider, or taking a service for the first time. The steps that should be taken are explained in a series of recommendations produced by the EDPB that may be found here. These recommendations have the status of guidance to the data exporter. Documenting the exercise undertaken will be important under the GDPR accountability duty. The five steps recommended can be summarised as follows:

• To protect your data flows, identify where your data processor is processing your data. Then consider the data you propose to provide for processing. You must determine whether your transfers of data are adequate, relevant and limited to what is necessary for the purpose for which you are transferring the data from the EEA
• Has the EU Commission deemed the third country to which you are transferring data to have adequate data protection laws? If not, you need to select a mechanism to legitimise your transfers. These mechanisms could include (for example) using SCCs, entering into intra-group Binding Corporate Rules, or relying on the exemptions available under the GDPR
• You should evaluate whether the third country's legislation, particularly in relation to surveillance measures, adversely affects your transfer, especially in relation to the ability of public authorities in that country to access the data.  Are the local laws clear, precise and accessible? Are they necessary and proportionate? Is there independent oversight mechanisms? Do individuals have effective rights under the local law? You should also document your due diligence in this area
• If it is possible that the third country's laws impinge on your data transfer, the EDPB's guidance sets out a number of potential supplementary measures, which you can use alone or in different combinations. These range from technical measures (eg: encryption of data), to contractual clauses, to organisational measures (i.e. policies and procedures governing the data transfer). If none of the measures or combinations of measures bring the transfer into line with EU law, then you must suspend or terminate the arrangements involved.
• If you are relying on SCCs (as many businesses do), you do not need to undertake further steps unless your chosen supplementary measures impact the terms of the SCCs themselves
• As a general point, you should keep your measures under review, in case circumstances in the country you export to change.

based service providers, many of whom hold their data in the United States. There are also known to be service providers of this kind in Eastern Europe - beyond the boundaries of the EEA. The European Commission has, inevitably, had to follow the lead of the European Court of Justice and, ever so quietly, declare that existing practices should cease whilst at the same time, racking its collective brain to produce another approach - having now done this in conjunction with the European Data Protection Board (EDPB).

If your immediate reaction is that the above is a big ask.... you will not be alone!

Were the EU required to publish economic impact assessments alongside guidance of this kind, this would lay bare the potentially huge dilemma that businesses face. Here in the UK, ICO is currently assessing the guidance and has yet to publish its views on how UK businesses should react. In principle, as of 1st January 2021, a UK modified GDPR will apply and, therefore, ICO will find it hard to suggest any deviation away from guidance of this kind. What is overlooked, however, is that for many businesses the reality is that they secure their cloud services on the service provider's terms. The coming weeks will see the Survey Monkeys and Mailchimps of this world give their response. Relocating data servers to within the EU footprint or that of a country regarded as adequate in its data protection law will be an option but may well compromise the business model adopted. The issue of an EU/US trade deal is relevant, as in modern times, trade deals are difficult to achieve without mutual recognition of the lawfulness of data transfers. On the other hand, we may see a rise of alternative service providers located within the EU able to provide the same cloud based services to the same standards.

And there are other implications for the United Kingdom

Briefly, we need to remember that we await a determination from the EU as to the adequacy of UK data protection laws post 31st December 2020. We will become a third country and, importantly, the processes described above may well become processes your customers need to apply in their dealing with you, if they transfer personal data to you from within the EEA for processing. For businesses where ownership lies with entities in other territories such as the United States, your reliance on the parent company for data processing services requires you to take all of this new guidance into account and apply it as necessary. Existing binding corporate rules that you may have in place should be revisited at this time.

---

Author: Frank Suttie