No Risk too Small: Austrian Data Protection Authority Stands Firm Behind Data Transfer Roadblock
On April 22, 2022, the Austrian data protection authority (the “Datenschutzbehörde” or “DSB”) upheld its January 2022 decision, finding that transfers of personal data from the EU to U.S.-based Google could not be supported by Standard Contractual Clauses (“SCCs”) – even with supplementary measures in place.
Transferred Personal Data Could be Subject to U.S. Intelligence Requests
The April 22, 2022, DSB decision does not create an absolute bar on transfers of personal data to the U.S. It does, however, represent a significant roadblock when such transfers are based solely on SCCs. The DSB’s prior determination that transfers of personal information from the EU to Google based on SCCs were not valid was based on the potential for a FISA 702 request from U.S. intelligence agencies. Because any entity that is identified as an “electronic communication service provider” can be subject to a FISA 702 request, the DSB decision will have far-reaching consequences for two reasons.
First, the definition of an “electronic communication service provider” is likely very broad.[1] For example, the U.S. Department of Justice (“DOJ”) has stated that “any company or government entity that provides others with the means to communicate electronically can be a ‘provider of electronic communications services’… regardless of the entity’s primary business or function.”[2] In doing so, the DOJ referenced legal opinions finding employers that provided email service to employees and a city that provided pager services to police officers to be “electronic communication service providers.”[3] Under this definition, essentially any entity receiving digital personal information from the EU will likely be considered an “electronic communication service provider.”
It is unlikely that any EU data protection authority will take a more narrow view.
Second, the definition of data subject to FISA 702 is also likely very broad. Here, the DSB stated that “the scope of application of FISA 702 is to be understood very broadly and the powers of US authorities extend to all data in the company due to a minor activity within the scope of application of FISA 702.”[4]
Once an entity is determined to be an electronic communications service provider, therefore, U.S. intelligence agencies would be assumed to have access to any data within the control of that entity – even if that data is not otherwise connected to the electronic communication.
In short, if a U.S. entity can be identified as an “electronic communication service provider,” that entity cannot receive personal data from the EU based solely on SCCs because such information would be available to U.S. intelligence operations.
The Likelihood of a U.S. Intelligence Request is Immaterial
The April 22, 2022, DSB decision also provided additional analysis that may erode the most plausible defense for continuing to transfer personal data from the EU to the U.S. – namely, that the data subject to transfer is unlikely to be subject to a request from a U.S. intelligence agency. Here the DSB determined that Article 44 of the GDPR did not allow data protection authorities to consider the likelihood of harm when determining whether the local laws of a third country provide adequate protection.[5] The decision is binary: either adequate protection could be provided, or it could not.
Because the United States does not have a current adequacy decision and the DSB had previously determined that SCCs that are not binding on the U.S. government cannot provide adequate protection, the DSB decision confirmed: (1) that it is unlikely that transfers of personal data to the United States can be supported by SCCs; and, (2) that transferring entities cannot disregard the DSB’s decision simply because the data is unlikely to be of interest to U.S. intelligence agencies.
Future Impact
The immediate impact of this decision is that transfers of personal data from Austria to the United States will be unlikely to survive scrutiny by the DSB. The DSB decision, however, should be viewed as a sign of what is to come and not as an outlier.[6] To be clear, absent an adequacy decision to replace the Privacy Shield invalidated by Schrems II, there are likely to be limited valid methods for the routine transfer of personal data from the EU to the U.S.[7]
The rationale for the April 22, 2022, DSB decision may also cast a shadow on any adequacy decision based on the recently announced agreement in principle on a new Trans-Atlantic Data Privacy Framework (a/k/a “Privacy Shield 2.0”).
Based on the April 22, 2022, DSB decision, as long as a data protection authority or the Court of Justice for the European Union (the “CJEU”) can identify at least some risk that personal data transferred to the U.S. could be accessed by U.S. intelligence agencies, the adequacy decision will likely be invalidated.[8]
Additionally, the April 22, 2022, DSB decision made clear that arguments regarding the economic and political impact of finding a transfer unsupported (or unsupportable) are untenable.[9] Even if the European Commission considers the economic impact of not giving the U.S. an adequacy decision based on the Trans-Atlantic Data Privacy Framework, therefore, nothing requires data protection authorities (or the CJEU) to abide by that consideration.
The net takeaway is that if the Trans-Atlantic Data Privacy Framework merely reduces the risk of access to personal data transferred from the EU to the U.S. without removing that possibility, the new framework will likely be seen to suffer from the same flaw as the Privacy Shield framework before it and be deemed invalid, and SCCs will continue to be found insufficient.
For additional information on this topic, please contact Matt Rotert at mrotert@redgravellp.com.
The views expressed in this article are those of the authors and not necessarily those of Redgrave LLP or its clients.
By Matt Rotert
[1] The DSB stated in its April 22, 2022, decision that it had “no doubts that [Google] qualifies as a provider of electronic communications services within the meaning of 50 U.S. Code § 1881(b)(4) and is therefore subject to surveillance by U.S. intelligence agencies pursuant to 50 U.S. Code § 1881(a) (“FISA 702”).” As a result, the question of what type of entity should be considered an electronic communications service provider was not addressed.
[2] DEP’T OF JUSTICE, SEARCHING AND SEIZING COMPUTERS AND OBTAINING ELECTRONIC EVIDENCE IN CRIMINAL INVESTIGATIONS 117-18 (2009) (https://www.justice.gov/file/442111/download), citing Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107, 114-15 (3d Cir. 2004), and Bohach v. City of Reno, 932 F. Supp. 1232, 1236 (D. Nev. 1996).
[3] See DEP’T OF JUSTICE, SEARCHING AND SEIZING COMPUTERS AND OBTAINING ELECTRONIC EVIDENCE IN CRIMINAL INVESTIGATIONS 117-18 (2009) (https://www.justice.gov/file/442111/download), citing Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107, 114-15 (3d Cir. 2004), and Bohach v. City of Reno, 932 F. Supp. 1232, 1236 (D. Nev. 1996).
[4] April 22, 2022, DSB decision re Google at 33 (emphasis in original).
[5] April 22, 2022, DSB decision re Google at 33. Note, the DSB recognized that legislators did provide for a risk-based approach in Art. 24(1) & (2), Art. 25(1), Art. 30(5) & (2), Art. 35(1) & (3) or Art. 37(1)(b) & (c) but did not include any such language in Article 44. (See April 22, 2022, DSB decision re Google at 37.)
[6] The French data protection authority has already found transfers of personal data to US-based Google to be unsupportable by SCCs.
[7] Note, derogations under Article 49 would still be viable but may have other limitations to consider (i.e., what constitutes valid consent).
[8] April 22, 2022, DSB decision re Google at 33.
[9] April 22, 2022, DSB decision re Google at 22, noting, “data protection authority is not permitted to take economic or political considerations into account” leaving agreement on such matters to “other bodies.”