Cloud Act, FISA, ... why the Privacy Shield is now invalid?
On July 16, 2020, the Court of Justice of the European Union ruled that the Privacy Shield that regulated transfers between the European Union and the United States does not comply with the General Data Protection Regulation, making it illegal to transfer personal data to the United States without strict precautions.
The GDPR stipulates in Chapter V that a transfer of personal data outside the European Economic Area may only be made if appropriate safeguards are put in place and on the condition that data subjects have enforceable rights and effective remedies.
To facilitate transfers to the United States, an adequacy decision (as defined in Article 45 of the GDPR) was taken after the negotiation of the Privacy Shield to ensure these safeguards and to give data subjects these enforceable rights and effective remedies.
However, following a legal proceeding brought by Maximilian Schrems in 2013 against Facebook, the CJEU ruled that the Privacy Shield did not provide these safeguards because U.S. law grants its intelligence agencies the right to access data without any European proceedings.
A "transfer" under Article 46 of the GDPR is broader than one might imagine. It is any transfer of personal data to an entity :
🟢 which does not operate within the EEA;
🟢 with a subcontractor which does not operate within the EEA;
🟢 in which persons outside the EEA have the ability to access the data (e.g., to perform support).
The third item is particularly restrictive: if a US-based employee of your hosting provider has the technical ability to connect to your servers hosted in the EEA, this constitutes a "transfer".
FISA 702, Cloud Act, ... ⚖️
There are several different pieces of legislation that regulate the controversial capabilities of the American justice and intelligence services. The one used by the CJEU in this decision is section 702 of the Foreign Intelligence Surveillance Act as amended in 2008.
FISA 702 📄
50 USC § 1881a (introduced by Section 702 of FISA added by the 2008 amendment) requires cloud hosts to provide U.S. intelligence agencies with the data they control, store, or manage, as well as the encryption keys to decrypt that data, relating to non-U.S. persons to be monitored.
FISA Section 702 is not extraterritorial, i.e. it is only applicable to companies operating in the United States.
However, if those companies have the ability to remotely access servers hosted in the EEA, then the data stored there can be seized under FISA Section 702. This is why the definition of "transfer" covers this eventuality.
CLOUD Act ☁️
The CLOUD Act passed in 2018, amends the Stored Communications Act to allow for its extra-territorial applicability. It allows US courts to issue a search warrant compelling US cloud providers (even if the data is hosted outside the US, e.g. in the EU) to provide all data of an individual, without any authorization from the courts of the country where the individual or the data are located.
No decision by European authorities on the consequences of the CLOUD Act on the GDPR has been issued yet, but it is arguable that subcontracting to companies subject to the Cloud Act constitutes a transfer, even if the hosting is done within the EEA. Supplementary measures should therefore be implemented to ensure compliance of the "transfer".
SCC & supplementary measures 💪
The European Court of Justice has confirmed that the use of Standard Contractual Clauses (SCC) between the exporter and importer is valid.
However, these SCC alone are not sufficient to ensure the compliance of the "transfer". Additional measures must be taken to ensure that the "transfer" provides equivalent safeguards to data subjects as it would without the transfer.
That is why the European Data Protection Board has issued recommendations for such additional measures to be applied, such as encryption.
If no combination of supplementary measures can ensure guarantees equivalent to an intra-EEA subcontracting, the transfer must be stopped.
In concrete terms 🔥
A European company cannot naively subcontract to American companies, it must for each one:
- Use SCC as a legal tool for transfer;
- implement supplementary measures to achieve a level of data protection equivalent to intra-EEA subcontracting.
If you are looking to implement additional measures such as encryption in your company, contact us!