European data protection law treats countries outside the EEA as "third countries" that do not automatically guarantee an adequate level of protection. Personal data may only be processed there where appropriate safeguards ensure that the data remains protected. This affects many US service providers whose services are a natural part of the IT infrastructure of many companies, such as AWS, Microsoft, Mailchimp, Cisco and many more. It is difficult to set up the deployment of these services in a way that complies with data protection law, and violations are now increasingly to be investigated and possibly sanctioned.

Background

With the so-called Schrems II decision (C-311/18), the ECJ overturned the Privacy Shield. An important legal basis for transatlantic data transfers therefore no longer exists. In addition, the ECJ questioned whether personal data may be transferred to the US and processed by US service providers at all. The background is the potentially far-reaching powers of US authorities to access personal data. As a result, controllers in Europe are left with the option of (i) implementing the so-called EU Standard Contractual Clauses and (ii) putting in place additional technical and organizational safeguards that prevent US authorities from accessing the personal data.

German regulators are now planning coordinated measures to review, and where necessary prohibit, the use of services from the US (and other third countries, including Russia and China) where these requirements are not met. According to the Hamburg Commissioner for Data Protection and Freedom of Information (Professor Caspar), German regulators have developed five questionnaires for this purpose. These questionnaires are to be sent to companies systematically, and companies must then provide extensive information on their deployment of US service providers. The questionnaires cover

  • Tracking tools
  • Mailhosters
  • Intragroup Data Transfer
  • and two further questionnaires.

The regulators assume that it is possible to operate in these fields without US service providers and ultimately plan to enforce this assumption by means of administrative orders. Fines are apparently not yet their focus, but it would be imprudent to rely on that.

How can I reduce the risk to my company?

German companies are well advised to check whether they use US service providers and whether adequate measures are in place. More or less helpful advice on the measures German regulators consider appropriate can be found in these regulatory opinions:

  • EDPB: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted 10 November 2020. PDF
  • LFDI BW: Orientierungshilfe: Was jetzt in Sachen internationaler Datentransfer? PDF (German)

The following checklist may help to identify and mitigate related risks.

  • Are US service providers used?

As a first step, make a risk inventory and check for US service providers used. Even if processing by the US service provider takes place in the EEA, for example hosting in a European data centre, there may still be relevant data transfers to the US.

  • Are there alternative service providers within the EEA?

The most effective way to reduce the risk is to refrain from using US and other third-country service providers altogether. Therefore, carefully check whether equivalent alternatives are offered by service providers in the EEA, and give those alternatives priority.

  • Is there a contractual basis for the involvement of US service providers?

US service providers should only be deployed on an appropriate (contractual) basis. This means in particular the so-called EU Standard Contractual Clauses; for intra-group service providers, Binding Corporate Rules can also serve this function. Check whether the corresponding agreements are actually in place.

  • Are there additional technical and organizational guarantees (so-called supplementary measures)?

Beyond the contractual basis, additional safeguards must be put in place that effectively prevent US authorities from accessing the personal data. Contractual assurances alone cannot provide these guarantees. The same applies to so-called "warrant canaries", regularly published statements by which a service provider signals that it has not (yet) received a request from authorities: they inform, but they do not prevent access. Ultimately, only technical measures are likely to count as effective safeguards: anonymization, pseudonymization and encryption that prevent US authorities from reading the relevant information. For this to hold, the cryptographic keys or the re-identification data must stay under the exclusive control of the controller in the EEA; if the US provider holds the keys or the lookup table, it can be compelled to hand them over, and the measure adds little. Whether a specific service can still be used with these technical measures in place must be assessed on a case-by-case basis.
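As an added illustration of the pseudonymization measure described above (example code, not part of the original article or of any regulator's guidance): a record is split before it leaves the EEA. The US provider receives only a keyed pseudonym and the non-identifying attributes; the HMAC key and the lookup table that map the pseudonym back to the person stay with the controller. Without the key, the provider cannot recompute pseudonyms for guessed e-mail addresses, which an unkeyed hash would allow. The field names and the sample record are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (assumption, not real data). The field names are
# illustrative; "email" and "name" are treated as direct identifiers.
CUSTOMER = {
    "email": "anna.mueller@example.de",
    "name": "Anna Müller",
    "plan": "pro",
    "country": "DE",
}

# Fields that identify the person directly and must not leave the EEA.
DIRECT_IDENTIFIERS = ("email", "name")


def new_pseudonymization_key() -> bytes:
    """Generate the secret key. It is created and stored only in the EEA."""
    return secrets.token_bytes(32)


def make_pseudonym(key: bytes, identifier: str) -> str:
    """Keyed pseudonym (HMAC-SHA256) of a normalized identifier.

    A keyed MAC rather than a plain hash is used so that a party without the
    key cannot confirm a guess such as "does this pseudonym belong to
    anna.mueller@example.de?" by hashing candidate addresses.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def split_record(key: bytes, record: dict, direct_identifiers=DIRECT_IDENTIFIERS):
    """Split one record into (export_record, lookup_entry).

    export_record is what may be sent to the third-country provider: the
    pseudonym plus the non-identifying attributes.
    lookup_entry maps the pseudonym back to the direct identifiers and is
    retained exclusively by the controller in the EEA.
    """
    pseudonym = make_pseudonym(key, record["email"])
    export_record = {"pseudonym": pseudonym}
    export_record.update({k: v for k, v in record.items() if k not in direct_identifiers})
    lookup_entry = {pseudonym: {k: record[k] for k in direct_identifiers if k in record}}
    return export_record, lookup_entry


def leaks_direct_identifier(export_record: dict, direct_identifiers=DIRECT_IDENTIFIERS) -> bool:
    """Check before upload: True if any direct identifier survived the split."""
    return any(k in export_record for k in direct_identifiers)


def reidentify(lookup: dict, export_record: dict) -> dict:
    """Re-identification, possible only where the lookup table is held (EEA side)."""
    return {**export_record, **lookup[export_record["pseudonym"]]}


if __name__ == "__main__":
    key = new_pseudonymization_key()
    export, lookup = split_record(key, CUSTOMER)
    assert not leaks_direct_identifier(export)
    print("sent to provider:", export)
    print("kept in the EEA: ", lookup)
    print("re-identified:   ", reidentify(lookup, export))
```

The check in `leaks_direct_identifier` is the kind of gate a practitioner would put in front of the upload path; whether pseudonymized data may then be handed to the specific provider is still the case-by-case legal assessment the article describes.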

Conclusion

The Schrems II decision (C-311/18) crystallizes an international political conflict about the powers of (secret) services and the weight of fundamental rights, in particular the right to informational privacy. For companies that (have to) use US service providers, the result is a conflict between operational necessities and legal requirements that they can hardly resolve on their own. A solution can only be found at the international political level. Until then, this article is intended to provide orientation for a risk-minimizing approach.