A new ruling from the Austrian Data Protection Authority (DPA) traps EU/U.S. data transfers between a rock and a hard place. The rock is GDPR. The hard place is FISA. And the two are fundamentally incompatible.
The purpose of GDPR is to protect the personal information of European citizens and residents. The purpose of FISA Section 702 (supported by EO 12333) is to ensure that U.S. intelligence agencies can collect data on foreign citizens for national security and cybersecurity purposes. GDPR is a consequence of the latter – a response to Edward Snowden’s revelations on the NSA’s global surveillance programs. Neither side will easily abandon its current position.
The Schrems II ruling in 2020 annulled the Privacy Shield agreement between the US government and the EC. This had been used to ‘legalize’ data transfers between the two trade blocs. The primary reason for the annulment was FISA 702, a statute that authorizes the collection of communications content stored by U.S. service providers such as Google, Facebook and Microsoft. U.S. telecom providers can be compelled to assist.
The Schrems II ruling effectively declares that so long as FISA 702 exists, EU personal data cannot be sent to the U.S. It does not rule out the use of standard contractual clauses to protect and legalize transfers, but insists that those clauses must solve the 702 issue. This is not possible.
Facebook has been relying on a version of SCCs for its data transfers, and has had some support from the Irish Data Processing Controller (DPC) – but it is thought the Irish ruling will not survive complaints from other European regulators. The result of this is still awaited.
The latest ruling, from the Austrian regulator, concerns data from a European company transferred to Google in the U.S. via Google Analytics. The decision states the standard clauses used by the EU company to transfer the data are inadequate because Google “is subject to surveillance by U.S. intelligence agencies pursuant to 50 U.S. Code § 1881a (“FISA 702”); and… they do not eliminate the possibilities of surveillance and access by US intelligence services.”
Privacy activist and chairperson of the European None of Your Business (NOYB) organization commented, “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice. Many EU companies have followed the lead instead of switching to legal options.”
Schrems commented on the ruling, “This is a very detailed and sound decision. The bottom line is: Companies can’t use US cloud services in Europe anymore. It has now been 1.5 years since the Court of Justice confirmed this a second time, so it is more than time that the law is also enforced.”
For the moment, this is a ruling against EU companies that use Google Analytics rather than against Google itself – although that may be considered later. In a blog on the issue, Schrems wrote that it will affect almost all EU websites. “Google Analytics is the most common statistics program. While there are many alternatives that are hosted in Europe or can be self-hosted, many websites rely on Google and thereby forward their user data to the US multinational. The fact that data protection authorities may now gradually declare US services illegal, puts additional pressure on EU companies and US providers to move towards safe and legal options, like hosting outside of the US.”
Interestingly, the European data protection supervisor (EDPS) came to a similar conclusion when it reprimanded the European Parliament on January 11, 2022. The Parliament had been using Google Analytics on a COVID-related website. Among its reasons for reprimanding the Parliament, the EDPS wrote that it had infringed, “Article 46 and Article 48(2)(b) of the Regulation, due to its reliance on the Standard Contractual Clauses in the absence of a demonstration that data subjects’ personal data transferred to the US were provided an essential equivalent level of protection.”
Very slowly, Schrems is tightening the noose around the misuse of European data as defined by GDPR. The Austrian decision is just the first ruling in 101 cases his organization has brought across Europe. “In the long run,” he said, “we either need proper protections in the US, or we will end up with separate products for the US and the EU. I would personally prefer better protections in the US, but this is up to the US legislator – not to anyone in Europe.”