The Implications of a Recent Decision May Have a Domino Effect for Cloud Service Providers that Rely Upon Standard Contractual Clauses for EU-U.S. Transfers
Article Highlights: Conversations have never been hotter regarding EU-U.S. transborder flows. Here are the highlights.
The Austrian data protection authority (Austrian DPA) ruled that the use of Google Analytics cookies by an Austrian website violated GDPR data transfer regulations.
The French data protection authority (CNIL) followed the same decision, ordering French companies to cease data transfers to U.S. servers hosted by Google LLC.
Statements from the Danish and Norwegian data protection authorities (DPAs) indicate other European DPAs are likely to take similar views.
Google was fined 150 million euros, and Facebook was fined 60 million euros by CNIL for unlawful data flows.
The implications of these decisions are expected to be far-reaching, likely creating a domino effect with other cloud services that transfer EU data to U.S. servers such as Microsoft, Amazon, Salesforce and others.
A GROUNDBREAKING DECISION BY AN AUSTRIAN DATA PROTECTION AUTHORITY (DPA) may have a domino effect for transborder flows of data from the EU to the U.S. The Austrian DPA recently ruled that using Google Analytics violates Chapter V of the GDPR. Following this, the Danish and Norwegian data protection authorities indicated that other European DPAs will likely take similar views. Then, on 10 February 2022, the French DPA (CNIL) ruled that the use of Google Analytics is non-compliant with Chapter V of the GDPR and ordered website operators to comply, giving a deadline of one month.
The decision has implications beyond the collection of data by cookies; the principal concern challenges the legitimacy of Standard Contractual Clauses (SCCs) for lawful EU-U.S. data transfers, especially those related to electronic communications providers. This means companies such as Microsoft and those offering electronic communications services fall within scope. For instance, the CNIL (France’s data protection authority) highlighted that its investigations—as well as those of its EU counterparts—extend beyond Google Analytics and are expected to encompass other tools used by sites that result in the transfer of EU data to the United States.
As a forerunner to this announcement, Meta, the parent company of Facebook and Instagram, warned how the recent Austrian court decision may result in the potential shutdown of its services to European users. In its statement, Meta disclosed it may be unable to continue offering its "most significant products and services" if the EU and the U.S. cannot hash out a Privacy Shield replacement.
Like a heavy stone thrown into deep waters, these announcements create a transatlantic splash of turbulence in two directions: EU entities that export data to U.S. processors, and U.S. processors that import EU data. One question that comes to mind is this: how did we get here?
REWINDING TO 17 AUGUST 2020 AND BUILDING UPON THE CJEU SCHREMS II DECISION, 101 identical complaints were filed by Max Schrems’s organisation NOYB (aka None Of Your Business) across 30 EU/EEA DPAs regarding the use of Google Analytics and Facebook Connect by various companies. In response to these complaints, the Austrian DPA performed an exhaustive cross-border investigation into Facebook’s and Google’s practices. On 13 January 2022, the Austrian DPA released a partial decision based on one complaint concerning an Austrian website operator that employed Google Analytics, specifically how its cookies collect data from visitors that is then transferred to Google servers in the United States for processing.
Both the website operator and Google had entered into Standard Contractual Clauses, augmented with Google’s technical and organisational measures (TOMs) in the form of certifications such as ISO/IEC 27001. Yet the Austrian DPA’s investigation found the following issues:
Google qualifies as an electronic communications service provider and is therefore subject to surveillance by U.S. intelligence agencies under U.S. surveillance law (i.e., FISA 702 warrants); and
Google’s additional safeguards were not effective in closing the legal protection gaps noted by the Schrems II judgment.
The Austrian DPA made the following relevant points:
Even in combination, the TOMs and SCCs are not effective because they do not eliminate the possibility of surveillance by U.S. intelligence agencies.
The Austrian DPA rejected the idea that the cookies did not directly identify an individual, noting that IP addresses qualify as personal data; immediate identification is not necessary.
The Austrian DPA rejected the argument that Chapter V of the GDPR and the SCCs follow a risk-based approach and that the risk to data subjects is low because the likelihood of government access to the relevant data is low.
The Austrian DPA concluded that, because no other transfer mechanism available under Chapter V of the GDPR could be employed by the website operator, there was no adequate level of protection for the personal data transferred to Google in the United States, which resulted in a violation of Article 44 of the GDPR.
The first decisions are beginning to impact organisations around the world, even while other decisions are expected to unfold soon throughout the bloc. The outworking of these decisions will extend far beyond Google and Facebook (now Meta) and is expected to impact transfers to third countries, especially destinations in the United States.
SO WHAT’S NEXT? STAY TUNED AS THIS MATTER UNFOLDS AND DPAs make decisions affecting other EU/EEA territories. Long term, from this writer’s viewpoint, there are two immediate choices: U.S. service providers will need to host foreign data outside the United States, or the United States government needs to modify its laws and regulations to include baseline protections for foreigners’ personal data.
Written by Dr. Scott Allendevaux
Principal, CISSP, HCISPP, CIPT, CIPM, CIPP/US
Data Protection Law & Cybersecurity Practice Lead