Update Data Protection No. 152
Supervisory authority provides guidance on implementing the new Data Privacy Framework
A few days ago, the Bavarian State Commissioner for Data Protection became the first German data protection authority to publish a detailed guide for companies on how to use the EU-US Data Privacy Framework, the successor to the EU-US Privacy Shield. This article gives an overview of the key implementation steps the authority expects when US cloud services such as Amazon AWS, Microsoft Azure, Google Cloud or Salesforce are used.
The EU-US Data Privacy Framework
Since the previous frameworks, Safe Harbor and Privacy Shield, were declared invalid by the European Court of Justice (ECJ), there has been uncertainty since 2020 about how the cloud services of US providers can be used lawfully. Both of these adequacy decisions by the EU Commission served as a legal basis for transferring personal data to the USA as a third country and thereby also legitimized the storage of that data on US servers. Since 2020, EU companies have instead had to rely on the other safeguards under Art. 46 of the General Data Protection Regulation (GDPR) whenever their data is stored on US servers or such storage cannot be ruled out.

This applies in particular to US cloud services such as Amazon AWS, Microsoft Azure and Google Cloud, but also to US tracking tools for websites such as Google Analytics and to US SaaS services such as Salesforce, Dropbox or Facebook. Even where only the EU servers of these US providers are used, it cannot be ruled out that certain personal (meta)data will be forwarded to US servers or that the data will be accessed by US authorities.

EU companies have therefore so far relied on the EU standard contractual clauses offered by US providers, which oblige the provider to comply with EU data protection rules. The ECJ, and since 2020 the EU supervisory authorities, considered this insufficient on its own, even after the new EU standard contractual clauses were published in 2021. Instead, the authorities demanded an extensive risk assessment for each transfer (Data Transfer Impact Assessment) as well as additional technical measures such as encryption or pseudonymization, all of which involve considerable extra implementation work. The uncertainty amongst EU companies was therefore considerable until a few weeks ago.
On July 10, 2023, however, the EU Commission adopted a new adequacy decision, the EU-US Data Privacy Framework (hereinafter referred to as "DPF"). Under the DPF, neither the additional measures described above nor the EU standard contractual clauses are required for transfers to US providers that have certified under the framework. We previously reported on this in detail (see our Update Data Protection No. 149).
The new guidance from the Bavarian Data Protection Authority
The adequacy decision by the EU Commission, however, is not easy reading for non-lawyers. The 136-page document discusses the legal position on data access by US authorities in detail and derives from it why the new commitments by the US government can create an adequate level of data protection when certified companies are used. The EU supervisory authorities have reported extensively on the adequacy decision but, as far as we know, have not yet provided any concrete implementation guidance. The Bavarian State Commissioner for Data Protection has now filled this gap with a “First Aid” guide.
The guide gives the following implementation advice for the use of US cloud providers:
- The use of a US provider (and therefore the transfer of data to US servers) is legitimized by the DPF only if the provider has self-certified beforehand and has been included in the list of certified companies. The list, published since July 10, 2023, already contains approximately 2,500 US companies.
- US providers must renew their certification annually. If a provider does not renew, its services may no longer be used on the basis of the DPF alone. EU companies relying on the DPF must therefore establish an annual review process for the providers they use.
- Not every certified US company is certified for every category of personal data. The list shows whether a certification covers HR data (employee data), non-HR data, or both; personal data outside the certified scope may not be transferred to that provider on the basis of the DPF. EU companies must therefore carry out a corresponding preliminary check of the scope of certification before transferring personal data to any US cloud service.
- Even if the US provider is certified under the DPF, the DPF only covers the second step of the two-step test (the transfer to a third country). The first step, a legal basis for the disclosure of the data to a third party as such (generally Art. 6 GDPR, or a data processing agreement under Art. 28 GDPR where the provider acts as a processor), must still be established and documented.
- If the US provider itself uses IT sub-providers in other third countries (outside the EU/EEA and the USA), the EU company must determine before transferring data whether these sub-contractors are bound by appropriate safeguards under Art. 46 GDPR. The DPF does not cover them.
- The EU company’s own record of processing activities under Art. 30 GDPR must be updated, because the legal basis for using these US services has changed as a result of the adequacy decision.
- The company’s own privacy notices under Art. 13 GDPR must be updated with regard to any transfer of data to US servers.
- When using social media platforms such as Facebook, DPF certification of the platform does not address any joint controllership that may exist between the platform and the EU operator of a fan page. These EU companies must therefore ensure, independently of the DPF, that a joint controllership agreement under Art. 26 GDPR is in place and that the processing by both parties complies with these rules.
From a legal point of view, the new DPF will make it considerably easier for EU companies to use the cloud services of US providers. The previous, very time-consuming assessment of the adequacy of each transfer no longer applies. It is important to note, however, that not much has changed compared to the EU-US Privacy Shield apart from a few concessions by the US government. We therefore expect that the European Court of Justice (ECJ) will put the new DPF to the test in a few years’ time and may then declare it invalid again. Until then, EU companies should enjoy greater legal certainty if the above rules are observed.