Published by The Lawfare Institute
in Cooperation With
Some EU decision-makers have adopted a radical and unreasonable interpretation of EU data protection law that lacks a limiting principle. The ultimate result may be that EU customers lose access not only to cloud services offered by U.S. providers but also to almost any software from the United States. One can only hope that the EU Court of Justice rejects this interpretation and adopts the more pragmatic view shared by the European Commission and many EU governments.
In the wake of the EU Court of Justice’s July 2020 Schrems II decision, there has been significant uncertainty surrounding the legality of transatlantic data transfers. That ruling invalidated the “adequacy” decision adopted in July 2016, which had previously provided a legal basis for the flow of personal data between the United States and European Union within the framework of the EU-U.S. Privacy Shield. The Privacy Shield included a set of commitments from U.S. authorities and a framework for U.S.-based data importers to self-certify compliance with data protection principles. In Schrems II, the EU Court decided that the shield was not sufficient to ensure that transfers of personal data to the U.S. are compliant with EU data protection law.
In the absence of the Privacy Shield, EU-U.S. data transfers generally have had to rely on standard contractual clauses (SCCs), which EU law permits in cases where certain model language has been preapproved by the European Commission as providing appropriate data protection safeguards. This solution has several significant disadvantages, however, including the risk that either national authorities of EU member states or the EU Court of Justice itself may soon start invalidating SCCs.
The risk is amplified by the lack of clarity regarding the legal framework and because organizations engaged in data transfers to the United States are potentially liable for matters that are largely outside of their control. Moreover, firms incurring this liability may face fines under the EU’s General Data Protection Regulation (GDPR) of up to 4 percent of their annual global revenues.
This post considers two key aspects of the problem. First, it looks at the burden imposed on data importers and exporters to assess how likely it is that U.S. authorities would use their powers to access the personal data in question. Second, it examines the technical measures that EU authorities consider appropriate to safeguard EU data in cases where there is some risk of access by U.S. authorities.
Schrems II and Legal Bases for EU-U.S. Data Transfers
In Schrems II, the EU Court found that provisions of U.S. national security law and the surveillance powers it grants intelligence agencies do not sufficiently protect EU citizens’ data for the European Commission to deem U.S. laws as adequate (known as an adequacy decision).
An adequacy decision—like the one just adopted for the United Kingdom—certifies that a given country’s level of data protection is essentially equivalent to EU standards, thus allowing EU firms to transfer data to that jurisdiction without having to conduct their own assessments. In addition to relying on national adequacy decisions issued by the European Commission, firms seeking to export data from the European Union can rely on SCCs or on the narrow exceptions from Article 49 of the GDPR.
However, SCCs can be used only if the firms involved in the data transfer conduct due diligence of “the laws and practices” of the receiving country (such as the United States) and conclude that they can provide a level of data protection essentially equivalent to that guaranteed under EU law. According to the European Data Protection Board (EDPB), this assessment:
must contain elements concerning access to data by public authorities of the third country of your importer such as:
- Elements on whether public authorities of the third country of your importer may seek to access the data with or without the data importer’s knowledge, in light of legislation, practice and reported precedents;
- Elements on whether public authorities of the third country of your importer may be able to access the data through the data importer or through the telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal and of reported precedents.
Crucially, firms may be liable if the authorities conclude that this assessment of foreign laws and practices was erroneous. As mentioned earlier, under the GDPR those fines may be as high as 4 percent of annual global revenues.
In principle, if SCCs cannot be used, firms could rely on other mechanisms from Article 46 of the GDPR, including binding corporate rules (BCRs), and on derogations from Article 49 of the GDPR. However, BCRs and other options from Article 46 may be even more onerous for firms than SCCs, or they simply may not be applicable. Moreover, the EDPB interprets Article 49 derogations very restrictively.
Technical Measures: The Radical Interpretation of EU Law
The EDPB recommendations distinguish between two kinds of data transfers to a non-EU country without an adequacy decision, such as the United States:
- Fully end-to-end encrypted transfers (purely for data-hosting purposes) or transfers of pseudonymized or split (sharded) data.
- Transfers where there is a possibility of personal data being processed on the receiving end “in the clear.”
On the EDPB’s guidance, only the first kind of data transfer to the United States may be lawful, and only where Section 702 of the Foreign Intelligence Surveillance Act Amendments Act of 2008 (permitting the U.S. government to conduct targeted surveillance of foreign persons located outside the United States) could be applied in practice to that specific transfer.
The EPDB guidance did not specifically mention Executive Order 12333, the 40-year-old dictate that U.S. federal agencies must cooperate fully with requests for information from the CIA. But given that the EPDB recommendations speak of access “with or without the data importer’s knowledge” and access not only “through the data importer” but also “through the telecommunication providers or communication channels,” it seems clear that the risks of compelled and even direct access would render the first kind of data transfer the only potentially permissible option.
Some cloud services—those that offer pure hosting and provide for end-to-end encryption—could be classified as belonging in the first category. However, the hosting services offered by U.S. providers such as Amazon AWS, Google Cloud or Microsoft Azure would struggle to deliver the EDPB’s envisioned safeguards, and doing so would likely come at an unacceptable cost of usability and functionality to the company and user. The solutions of pseudonymization or sharding are also unlikely to be workable in many real-world situations.
The EDPB’s contemplated safeguards essentially would preclude a cloud provider that has any technical capacity to access the data. In other words, the cloud provider could not store the cryptographic keys necessary for decryption of data. That not only drastically limits the functionality of web-based applications but also places a heavy burden on the customer to develop a security infrastructure. Among the biggest benefits of using the kinds of cloud services offered by the major providers are that customers have access to state-of-the-art authentication solutions without having to develop them or source them elsewhere (which may come with its own security risks). Such solutions, however, rely on storing the encryption keys within the cloud provider’s control.
One example of a solution that may satisfy the EDPB’s reading of the law is Microsoft Azure’s “hold your own key” (HYOK) functionality. Notably, HYOK is expressly billed “as suitable only for a small number of documents” as “the content can be accessed only by on-premises applications and services.” Hence, users would not be able to access documents protected in such a way through web-based interfaces, and Microsoft could not even scan emails protected in this way for malware.
The EDPB’s worry appears to be that, if cloud providers based in the United States retain technical means to access such data (even if stored with EU-based subsidiaries), then it may be possible for the U.S. government either to compel access or to somehow gain direct access using the U.S. provider’s infrastructure. This concern is implicit in the EDPB’s requirement that encryption keys not be transferred to a country like the United States as part of transfers of encrypted data for pure hosting purposes. Similarly, in a decision upholding the legality of using Amazon AWS’s cloud-hosting service, France’s supreme administrative court noted as important that the encryption keys were held not by Amazon’s subsidiary, but by a trusted third party in France.
But if retaining the technical capacity to access unencrypted data is the worry, the EDPB’s reasoning leads down a slippery slope to disallowing a U.S. business from having any control over software that processes data—not just cloud software. In principle, a software provider could include something like telemetric functionality in their products—even products meant to be used as desktop applications—that would allow exfiltration of what EU law considers to be personal data. Such functionality could be included in software either before the user installs it or later as part of an update. In other words, one would find that almost no software produced outside of the EU could be used in the EU if there is a risk that some foreign government would potentially be interested in data processed using such software.
Consequences of the Radical Interpretation
The radical approach of data localization promoted by some EU decision-makers risks imposing significant, problematic and otherwise unnecessary changes to digital services. It may be very difficult for a U.S.-based service provider to provide absolute assurance that it could not access user data stored in an EU data center or on the user’s computer. A developer that has control over software that will process unencrypted (or decrypted) user data in the cloud (or even on the user’s own device) also has a theoretical capacity to access and exfiltrate the data.
A more pragmatic approach to regulating data transfers would involve a set of clear and reasonable safeguards that would not go so far as to effectively foreclose U.S. firms from providing cloud services in the EU, not to mention foreclosing the use of U.S.-made software in the EU.
The costs associated with EDPB-envisioned compliance may render such services inaccessible to European companies, and especially to startups and small and medium-sized enterprises. It is unrealistic to expect that, for every valuable U.S.-produced service, there will be an equally good and as quickly developed fully European alternative. Moreover, major U.S. cloud providers offer entire ecosystems of services that European engineers already accept as technological standards. To force a wholesale transition would require engineers to devote significant time to learning how to use non-U.S. services. Those costs would result in no perceptible benefit for users, relative to a more pragmatic approach to data protection.
In its June 2021 implementing decision on SCCs, the European Commission attempted to find a more pragmatic solution that would not amount to halting transatlantic data flows (or, as argued here, trade in software). The commission’s solution requires private organizations to assess “the laws and practices” of the receiving country, as discussed earlier. But most firms are likely ill suited to undertake such assessments, particularly in light of the potentially crippling liability burden they would face for getting it wrong.
SCCs are currently the only solution, but that situation is untenable. Despite the political will the European Commission and many EU national governments have shown to find a workable solution, there remains a significant risk that national EU courts or other national authorities will soon begin to find SCC-based data transfers to the United States illegal, accompanied by heavy fines. Given that the absolutist interpretation of EU law has no limiting principle, it can be extended to all software—not just to cloud services. Hence, adverse enforcement actions could reach even those who merely use U.S.-made software and do not think of themselves today as transferring personal data to the United States or who rightly consider the risk of compelled or direct access by U.S. authorities to be insignificant.
A lasting solution will probably have to include further concessions from the United States on oversight of intelligence activities, but the effort to extract those concessions will be for naught if the EU Court of Justice does not adopt a pragmatic approach. Some decision-makers in the EU appear opposed to pragmatism. The EDPB recommendations discussed above are an improvement in comparison to an earlier, even more absolutist draft, which was closer to the position taken by the European Parliament in a May 2021 nonbinding resolution. The original position would have stopped data transfers to the United States based on SCCs, even if it were extremely unlikely that data in question would be accessed by U.S. authorities.
Despite these realities, a more pragmatic interpretation of EU law is available and hopefully will be adopted by the Court of Justice in future challenges. It should be noted that the Schrems II decision did not directly assess the U.S. law and practices at the time; it only considered the European Commission’s findings, as reflected in the 2016 Privacy Shield decision. Hence, it is possible that a future assessment of U.S. law and practices would lead (especially if the United States agrees to further changes) to the conclusion that the United States provides an essentially equivalent standard of data protection.
Moreover, aside from the issue of whether U.S. data protection is adequate, EU law can be interpreted more pragmatically regarding technical and other measures that can be used to safeguard data flows, even in cases where there is a nonnegligible risk of interest from U.S. intelligence authorities. Requiring absolute assurance that data could not be exfiltrated is disproportionate and unrealistic—such absolute assurance cannot even be provided by data processors operating entirely within the EU. The EDPB should engage in technically informed dialogue with relevant stakeholders to find a compromise that reflects an appropriate balance between the right to privacy and other values protected by EU law.