For countries in the European Union, finding a way to legally transfer personal data to the US is a problem with no easy answers.
There has been much talk, legal advice, technical fixes and short-term solutions, but none can address the underlying problem – that EU and US laws are fundamentally incompatible.
There is little appetite in the US right now to spend money and political capital reforming US surveillance laws to protect the privacy of non-US citizens.
A study commissioned by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs has set out a roadmap for how reforms might be achieved in the future.
But for now, companies are left with two choices – either carry out expensive risk assessments in the hope of showing that they are making genuine efforts to comply with Europe’s General Data Protection Regulation (GDPR), or ensure they keep their data within European datacentres that are free from the extra-territorial reach of US law.
Many medium-sized companies are choosing the latter option, said Max Schrems, the Austrian lawyer whose complaints against Facebook led to the European Court of Justice striking down the EU-US data sharing agreement, Privacy Shield, a year ago.
Getting to grips with the world’s surveillance laws is an almost impossible task, said Ustaran.
Thousands of academics and activists have spent years studying US surveillance laws and have yet to square them with EU data protection requirements.
But the US is just one country. “What about the rest of the world?” he said. “What about the countries where we don’t speak their language and where we don’t have the academics analysing the law?”
In reality, most countries that organisations in the EU might want to share data with will have laws that allow governments to access data. The starting point, said Ustaran, is figuring out a way of protecting data better when it is transferred.
Big tech and cloud service providers are turning to creative legal ways to protect the privacy of data when it is hosted or shared outside the EU.
The European Data Protection Board (EDPB) published recommendations in July 2020 advising companies, for example, that they can share data with countries with “problematic legislation” if they have no reason to believe that they will be affected by it in practice.
And the European Commission (EC) published updated standard contractual clauses (SCCs), which gave greater legal certainty to European businesses that want to use these contractual agreements to share data overseas.
“The EDPB has been, I believe, very helpful in providing a huge menu of measures to undertake and the new SCCs have specific provisions stating what organisations need to do to deal with these issues,” said Ustaran.
As a result, tech companies are setting up transparent processes for how to deal with requests from governments for their customers’ data.
This often involves putting the request on hold so that a judicial body can consider the matter, and giving as much information as they legally can to the customers affected.
“I see this happening all the time – deploy internal global policies dealing with how to react to government access requests,” he added.
Technical fixes or snake oil?
For Schrems, technical fixes cannot solve what is an intractable problem.
Microsoft or Google, for example, may provide services to encrypt data as it passes from the EU to the US, and are able to store the data in encrypted form on the US servers.
But if the US government asks to review the data under a FISA warrant, companies have no alternative but to oblige.
Ustaran said it’s all about tech companies going the extra mile to resist government requests for data.
“They will make best efforts to try to waive obligations and to challenge. So it’s all about the effort,” he said. “It may be possible to reject a request.”
Schrems argued that for most companies, the easiest solution – for now – will be simply to host their data in Europe.
It took his own campaigning organisation, noyb, just a few minutes to assess its liability after the Schrems II decision which brought down Privacy Shield.
Noyb keeps all of its data in a datacentre in Germany and uses no subcontractors, so there was no risk of data leaving the country.
Schrems argued that for many companies, it will make financial sense to move their data to Europe rather than to pay lawyers’ fees for a work-around that will inevitably be overturned if EU-US data-sharing goes to the European Court of Justice for a third time.
“You can pay a law firm tens of thousands of euros to come up with papers that are going to be shredded the next time it goes to the court, or you can invest the same money into moving your systems,” he said.
For companies that are not likely to be subject to requests for data under FISA, SCCs could also be an answer.
For example, if a hotel company wants to send details of its customers to a branch in the US, then an SCC would meet EU data protection requirements.
There are certain situations where SCCs and similar measures can apply for particular industry sectors in particular situations, said Schrems.
“But that’s separate from the big companies that are simply the main drivers or the main aides to US government surveillance, where I think it’s clear that we don’t have an answer right now at least,” he added.
Ustaran said that for multinational companies, keeping their data local is not an answer. They want to store data locally so that it can be accessed quickly by customers in one part of the world, but also want to have the same data available worldwide.
While US technology companies are offering to host their customers’ data in European datacentres, whether this is enough to protect their data to the standards required by GDPR is a moot point.
Tech companies may be able to go further by creating legal structures that ensure their operations in Europe are not subject to US FISA warrants merely because the parent company is a US company.
“You need some legal factual barrier where you simply, as a US company, can say, I’m very sorry, US government, that data is somewhere in Europe, and I cannot reach it,” said Schrems.
For Ustaran, it’s not a matter of “playing legal games” by hosting a server in one country or another, it’s about taking practical steps to protect privacy.
The issue at stake is not whether governments can access data in their jurisdiction, but whether they do so in a way that is mass and indiscriminate.
“We all deserve to be protected from the excesses of the state,” said Ustaran.
But the way to achieve that is multifaceted – partly through legal solutions, partly through the way organisations manage data, and partly through innovative technology.
One idea under discussion, for example, is to find a way to encrypt data and to ensure the encryption key remains in Europe when the data is exported to other countries.
If the data importer is at least one step removed from the encryption key holder, that may provide a more defensible tool to protect data from unwanted government attention.
Schrems said he has yet to see a technology that allows a cloud service provider to process data without having access to the encryption key, unless they are simply storing archive data.
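The “key stays in Europe” idea described above, worked through as an added example that is not from the article, from noyb, or from any of the providers mentioned: an EU-resident key holder encrypts each record with AES-256-GCM before export, the non-EU importer stores only a key reference, a nonce and ciphertext, and plaintext can only be recovered by sending the blob back to the key holder. The type names (EUKeyHolder, Importer), the key ID and the customer record are constructed for this illustration. The example also shows the limitation Schrems raises: the importer can store, count and return blobs, but any request that needs field values (here FindByCountry) cannot be served without the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// CustomerRecord is the personal data an EU exporter wants to store abroad
// (constructed field set for this example).
type CustomerRecord struct {
	Name    string `json:"name"`
	Email   string `json:"email"`
	Country string `json:"country"`
}

// ExportedRecord is everything that crosses the border: a reference to the
// key, a nonce and AES-GCM ciphertext. The key itself never appears here.
type ExportedRecord struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// EUKeyHolder is the hypothetical EU-resident party that generates the key
// and keeps it; it is the only party able to produce plaintext.
type EUKeyHolder struct {
	keyID string
	aead  cipher.AEAD
}

// NewEUKeyHolder generates a fresh random AES-256 key that stays in memory
// on the EU side.
func NewEUKeyHolder(keyID string) (*EUKeyHolder, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &EUKeyHolder{keyID: keyID, aead: aead}, nil
}

// Seal encrypts one record for export. The key ID is bound as associated
// data so a blob cannot be silently re-labelled as belonging to another key.
func (h *EUKeyHolder) Seal(rec CustomerRecord) (ExportedRecord, error) {
	plain, err := json.Marshal(rec)
	if err != nil {
		return ExportedRecord{}, err
	}
	nonce := make([]byte, h.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return ExportedRecord{}, err
	}
	ct := h.aead.Seal(nil, nonce, plain, []byte(h.keyID))
	return ExportedRecord{KeyID: h.keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a blob brought back from abroad; GCM rejects any tampering
// and a blob sealed under a different key is refused outright.
func (h *EUKeyHolder) Open(ex ExportedRecord) (CustomerRecord, error) {
	if ex.KeyID != h.keyID {
		return CustomerRecord{}, errors.New("blob references a key this holder does not have")
	}
	plain, err := h.aead.Open(nil, ex.Nonce, ex.Ciphertext, []byte(ex.KeyID))
	if err != nil {
		return CustomerRecord{}, fmt.Errorf("decrypt: %w", err)
	}
	var rec CustomerRecord
	if err := json.Unmarshal(plain, &rec); err != nil {
		return CustomerRecord{}, err
	}
	return rec, nil
}

// Importer is the hypothetical non-EU storage provider. It holds blobs only.
type Importer struct{ blobs []ExportedRecord }

// ErrNeedsKey is returned for any operation that would need plaintext.
var ErrNeedsKey = errors.New("operation needs plaintext; the key is held in the EU")

func (i *Importer) Store(ex ExportedRecord) { i.blobs = append(i.blobs, ex) }
func (i *Importer) Blobs() []ExportedRecord { return i.blobs }
func (i *Importer) Count() int              { return len(i.blobs) } // storage accounting works

// FindByCountry models a processing request. Without the key the importer
// cannot read any field, so the request cannot be served locally.
func (i *Importer) FindByCountry(country string) ([]CustomerRecord, error) {
	return nil, ErrNeedsKey
}

// LeaksPlaintext is a reviewer's check that data at rest abroad is
// ciphertext only: it scans every stored blob for the given plaintext bytes.
func (i *Importer) LeaksPlaintext(s string) bool {
	for _, ex := range i.blobs {
		if bytes.Contains(ex.Ciphertext, []byte(s)) {
			return true
		}
	}
	return false
}

func main() {
	holder, err := NewEUKeyHolder("eu-key-2021-01") // constructed key ID
	if err != nil {
		panic(err)
	}
	imp := &Importer{}
	ex, _ := holder.Seal(CustomerRecord{Name: "Alice Example", Email: "alice@example.eu", Country: "AT"})
	imp.Store(ex)
	fmt.Println("blobs stored abroad:", imp.Count())
	fmt.Println("plaintext e-mail visible abroad:", imp.LeaksPlaintext("alice@example.eu"))
	_, err = imp.FindByCountry("AT")
	fmt.Println("importer processing:", err)
	back, _ := holder.Open(imp.Blobs()[0])
	fmt.Println("decrypted on the EU side:", back.Email)
}
```

The design choice worth noting is that the importer is one step removed from the key exactly as the text suggests: it sees a key ID, never key material, and the key ID is authenticated inside the ciphertext so that relabelling or altering a blob is detected when it returns to the EU. What the model cannot do is the point of the caveat that follows: every query over field values has to go back to the key holder, which is why the pattern suits archive storage far better than active processing.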
“In the long run, we need some kind of ‘no spy agreement’ among Western countries – make sure there is free flow of data without having to worry if your data goes abroad,” he said.
For Ustaran, storing data locally can’t be the answer. After all, he said, US big tech companies have operations in Europe that make them subject to GDPR.
“Why should we restrict transfers to these organisations that are already subject to the very regime that we are trying to apply to them contractually?” he said.
There may be ways, through contracts or by setting policies, to resolve the tension between European data protection law and the laws of other jurisdictions that apply to multinationals.
Schrems said the debate over data transfers reminds him of the debate over climate change. “It’s like, you know, the reality is just that we all need a car, and we need to drive and there is oil, and that’s how the world works,” he said. “And then there’s a little Greta Thunberg saying, guys, you know what, this is not gonna work that way for ever.”