Regulators take action against unauthorized use of U.S. cloud service providers
SECURITY INSIGHTS | 27 Oktober 2021
Numerous German companies are getting letters from the data protection authorities asking them to defend their use of U.S. cloud service providers. These companies must explain what they are doing to ensure that their data transfer to non-EU countries, such as the USA, is in compliance with the GDPR.
Since the demise of the Privacy Shield agreement as a result of the ECJ ruling on “Schrems II,” the use of American cloud services in compliance with the GDPR has become virtually impossible in practice. American laws such as the CLOUD Act, which gives authorities in the U.S. access to data processed by American companies, are incompatible with the GDPR. However, companies that cannot guarantee compliance with the GDPR when transferring personal data to the US need to terminate the transfer of data or otherwise switch service providers.
Sebastian Hoegl, Senior Manager and Head of IT and Data Security Law at KPMG Law Rechtsanwaltsgesellschaft mbH, regularly deals with this issue. In this interview, he gives companies tips on how best to respond.
Sebastian Hoegl is a lawyer and specialist in information technology law at KPMG Law Rechtsanwaltsgesellschaft mbH, where he is responsible for the IT and Data Security Law Department, in which more than 15 lawyers are currently active. The particular focus of his work is on advising the public sector and on providing comprehensive advice to data and technology-driven companies. Sebastian Hoegl studied in Freiburg, Cologne, and Wellington (New Zealand) and was admitted to the bar in 2011.
In April, the data protection authorities announced that they would be ramping up their investigations into data breaches caused by the use of U.S.-based cloud services. What does the situation look like six months later, and have the authorities followed up on their announcement?
Sebastian Hoegl: In its ruling on “Schrems II”, the ECJ established a clear expectation for supervisory authorities to suspend or prohibit unauthorized data transfers. The supervisory authorities are taking this expectation very seriously. The data protection authorities of several German states, including Berlin, Brandenburg, Bavaria, Lower Saxony, Baden-Württemberg, Bremen, Hamburg, Rhineland-Palatinate, and Saarland, are currently conducting a “Coordinated Review of International Data Transfers.” As part of this, the supervisory authorities are writing to selected companies and, as a first step, require them to fill out a questionnaire on the topics of job application portals, intra-group data traffic, mail hosting, tracking, and web hosting. It is up to the authorities to decide what they want to focus on. It is also becoming clear that the supervisory authorities areincreasingly focusing on third-country data transfers in their regular audits.
In its ruling on ‘Schrems II’, the ECJ established a clear expectation for supervisory authorities to suspend or prohibit unauthorized data transfers.”
Is Germany an isolated case, or is data protection oversight also taking hold in other countries?
Hoegl: German supervisory authorities generally take a firm stance on third-country data transfers and their auditing thereof. However, data protection authorities in other countries are also stepping up their efforts to control international data transfers. The supervisory authorities in Denmark and Finland, for example, have announced that they will be more intensively monitoring the transfer of personal data to third countries by a number of companies and government agencies, and have already asked the latter to provide information on the measures they have taken as a result of the “Schrems II” ruling. Regulators in Sweden have already opened investigations into companies, too. The supervisory authority in Portugal has prohibited a government agency from using Cloudflare due to a perceived lack of an adequate level of protection.
What industries are most affected?
Hoegl: To date, no information has been published on the industries that are the focus of particular attention in connection with the cross-border monitoring of data transfers. In principle, any company from any industry can be subjected to such an audit. However, the supervisory authorities are primarily responding to complaints and input from concerned parties. Therefore, it can be said that consumer-facing industries are the ones most “at risk” of being audited.
What specifically are data protection authorities asking of companies when it comes to data transfers to other countries such as the USA?
Hoegl: The supervisory authorities’ questionnaires are very extensive and go into great detail. In addition to the strictly formal requirements (e.g., use of standard data protection clauses), supervisory authorities are specifically asking about the additional technical and organizational measures being taken to ensure an “adequate level of data protection.” That is where the big problem for companies lies: For one thing, there are hardly any feasible measures that can be implemented in practice to satisfy the supervisory authorities. For another, companies rely on their service providers for information. The latter are often reluctant to provide information, in no small part because they themselves know that the measures are inadequate for the authorities. Companies are basically required to be aware of their data processing operations, to have concluded new standard data protection clauses already or to have amended existing standard contractual clauses (SCC) accordingly, and to have taken the appropriate organizational, contractual, and technical measures to protect personal data in the best manner possible.
There are hardly any feasible measures that can be implemented in practice to satisfy the supervisory authorities.”
What consequences do companies face if they are unable to demonstrate GDPR-compliant data transfer to the USA? Will fines available under the law actually be imposed?
Hoegl: The State Commissioner for Data Protection and Freedom of Information for Baden-Württemberg, Stefan Brink, has stated that the purpose of the audit is to enter into dialogue with the companies. However, it is expected that the companies affected by the third-country issue have already made a genuine effort to find viable solutions. The Office for International Data Traffic at the Bavarian State Office for Data Protection Supervision (BayLDA) also emphasized that the question as to whether fines will be imposed has not yet been decided but will depend on the specific case. More importantly however, companies transferring personal data to third countries without implementing the requirements of the “Schrems II” ruling and the requirements of the GDPR must stop such transfers immediately.
In our experience, however, potential fines are not the worst-case scenario. A fine will hurt once, and the responsible parties may have to explain themselves internally. However, it is much worse if a certain processing activity or the use of tools that are critical to the company get prohibited by the supervisory authorities. Companies should be prepared and have a plan B at hand, especially when using international service providers.
Companies transferring personal data to third countries without implementing the requirements of the ‘Schrems II’ ruling and the requirements of the GDPR must stop such transfers immediately.”
How much time do affected companies have to respond to the demands of the data protection authorities?
Hoegl: The deadline for implementing the specific requirements of the data protection authorities will likely vary from case to case. However, the supervisory authorities are emphasizing that companies have already had a year to respond to the legal situation following the “Schrems II” ruling. The deadlines for implementation that we are aware of are often rather tight, especially when taking into account that complex and critical processing activities are usually involved.
What advice do you have for affected companies on how to comply with the GDPR requirements on third-country data transfers?
Hoegl: The transfer of data to the USA and other third countries is still possible under certain conditions. However, the requirements are very strict. Companies must take a wide range of organizational, contractual, and technical measures to meet the requirements for third-country data transfers. Companies should thoroughly review their use of service providers with a third-country connection and, if necessary, conduct appropriate transfer impact assessments (i.e., what are the data protection risks and consequences of third-country transfers?).
If possible, agreements should be concluded to process data exclusively in the EU. In addition, appropriate technical measures should be taken, such as anonymizing data to the greatest extent possible, appropriate encryption during transmission, and the use of secure key lengths and ciphers based on the recommendations of the German Federal Office for Information Security (BSI).
Companies should enter the new standard contractual clauses with their service providers or, until these have been finalized, agree on amendments to the old SCC, particularly in terms of the obligations to pay damages, provide information, and appeal. It should be noted, however, that simply agreeing on the standard contractual clauses does not create an equivalent level of data protection. The SCC are not binding on the authorities in the recipient country, which means that even if they are concluded, access to the data and hence interference with the rights of data subjects cannot be ruled out. Therefore, the contracting parties must take the additional measures previously discussed to exclude such access. The transfer of data will otherwise not be possible in a legally secure manner.
Simply agreeing on the standard contractual clauses does not create an equivalent level of data protection.”
What else should companies expect in the future with regard to this topic? Do you expect more stringent monitoring by the data protection authorities?
Hoegl: The supervisory authorities will likely continue to take the auditing of third-country data transfers seriously and continue to expand their audits. If nothing else, there is also a whole range of organizations that have taken up the cause of data protection through complaints and are, for their part, pressuring the authorities to act. Companies should properly prepare themselves for this and closely monitor any further responses from the supervisory authorities and possible court rulings.
Companies should look into the extent to which their service providers are subject to surveillance laws in non-EU countries.”
What do you recommend to companies that have not yet received a letter from the data protection supervisory authority but have concerns about whether they are violating data protection provisions by using American cloud providers?
Hoegl: Companies should check their data processing procedures for a possible third-country relationship and make sure that they have concluded the necessary contracts, specifically standard contractual clauses or standard data protection clauses. In addition, companies should analyze to what extent their service providers are subject to surveillance laws in non-EU countries and what additional measures are therefore required. Because of the wide-ranging technical inquiries made by supervisory authorities, companies should check where their data is stored and what encryption is used, including all technical details such as the protocols used, ciphers, and key lengths. Finally, companies should prepare a “contingency plan” should the supervisory authorities prohibit their current data processing arrangements.