Update Data Protection No. 153
Differing views of German regulators on the effectiveness of the Data Privacy Framework (use of U. S. cloud services)
Since July 10, 2023, the EU-US Data Privacy Framework ("DPF") has been in force. By virtue of an adequacy decision of the EU Commission pursuant to Article 45 of the GDPR, it can serve as a legal basis for the third-country transfer of personal data, and thus for the use of U.S. cloud services such as Amazon AWS, Microsoft 365 or Google Cloud. In this respect, the DPF is the successor to the "EU-US Privacy Shield", which was declared invalid in 2020. This article provides a brief overview of the status of the opinions of German supervisory authorities on the DPF.
Statement from Bavaria
The Bavarian State Commissioner for Data Protection had already published a "Current Brief Information on the Data Privacy Framework" on August 1, 2023 (we reported). This was the first time that a German data protection authority had described the general background to the adequacy decision, explained details of the scope of application, and set out implementation requirements. In particular, the following recommendations were made for the use of U.S. providers:
- Check whether the U.S. provider in question is already registered in the list of certified companies and, if applicable, is also authorized to process employee data (HR).
- Ensure that, at the first level, there is also a legal basis for the processing itself under Art. 6 or Art. 28 GDPR.
- Ensure that sub-processors in further third countries are bound by appropriate commitments.
- Revise the record of processing activities and the company's own privacy policies so that they are cleanly separated from any joint controllership under Art. 26 GDPR.
Overall, the DPF was recognized as an effective tool for U.S. data transfers.
Statement of the DSK
On September 4, 2023, the German Data Protection Conference (DSK, the association of the German federal and state data protection authorities) also published application notes on the DPF. On a total of 32 pages, it explains in detail, describing the relevant U.S. legislation, the basis on which a U.S. data transfer will be possible for EU companies in the future. In addition, a large amount of background information is provided, in particular on the rights of affected private individuals to assert claims for access or deletion. While the EU-US Privacy Shield only provided for a U.S. ombudsman as a point of contact for EU citizens, they can now turn to a number of different bodies (the relevant U.S. providers, the U.S. Department of Commerce, the U.S. Federal Trade Commission, the EU data protection authorities, the DPF arbitration court, and others). The individual legal protection options are described in detail.
Overall, the DSK also recognizes the DPF as an effective tool for U.S. data transfers. However, the application notes serve more as a guideline and as background information, whereas the brief information from Bavaria sets out concrete implementation requirements.
Statement from Thuringia
Only one day after the publication of the DSK application notes, the Thuringian State Commissioner for Data Protection and Freedom of Information (TLfDI) published a press release on September 5, 2023 clarifying that it did not agree with the above vote of the DSK, i.e., that it had voted against the publication of the application notes.
The reason given for this is that the application notes leave out important points of criticism. For example, the application notes give the impression that, for a U.S. data transfer, EU companies only have to prove the DPF certification of the respective U.S. provider. In fact, however, a separate data processing contract in accordance with Article 28 of the GDPR must be concluded in each case in order to document, among other things, the necessary rights to issue instructions. Furthermore, the DPF contains contradictions that the application notes do not resolve; for example, certain rights of data subjects under recital 178 of the DPF would depend on the unclear proof of one's own "affectedness".
In addition, justified criticism, including from non-profit organizations, had not been taken into account in the DSK application notes; in particular, the U.S. legal regulations on intelligence gathering (especially FISA) had not been significantly changed. These continue to allow largely unrestricted access to the personal data of EU citizens.
Overall, the TLfDI's press release contains a list of the main points of criticism against the DPF. In its final sentence, companies are advised to consider whether they should perhaps, as a precaution, refrain from transferring sensitive data and customer data to U.S. providers. The probability is high that the European Court of Justice will declare the DPF invalid within just a few years, as happened with the Privacy Shield and the Safe Harbour agreement.
EU companies are uncertain whether the new DPF can now actually be considered an effective legal basis for the use of U.S. servers of U.S. providers, and whether pending operational decisions can therefore be made in favor of using U.S. cloud software such as Amazon AWS, Microsoft 365, Google Cloud, Salesforce, Confluence, etc. The Data Protection Conference leaves little doubt about this in its application notes, and neither does the Bavarian State Commissioner. Only from the perspective of the data protection supervisory authority in Thuringia are there doubts about the effectiveness of the DPF.
Companies should therefore take the above opinions of the data protection authorities into account when making their decisions. Companies in Thuringia will probably have to expect a critical assessment in the future when using U.S. cloud providers (e.g., in the event of an external complaint) and should ideally maintain a corresponding risk assessment for each U.S. application. Companies in the other federal states, on the other hand, should follow the DSK application notes and additionally observe the concrete implementation specifications in the brief information of the Bavarian data protection supervisory authority.
The new agreement also benefits EU companies with regard to U.S. providers that have not been certified under the DPF. This is because, if the necessary risk assessment (Data Transfer Impact Assessment) is carried out as part of the alternative use of the EU standard contractual clauses (Art. 46 GDPR), the newly introduced safeguards (including the redress mechanisms) can be relied upon to a significant extent with regard to data access by U.S. authorities (see the FAQ of the EU Commission, section 7), which considerably facilitates a positive risk assessment.
For detailed questions, we are available to provide additional legal advice.