In August 2020, the privacy activist organization NOYB – European Center for Digital Rights filed 101 complaints with the EU Supervisory Authorities (‘SAs’) in connection with the transfer of personal data from Europe to the U.S. by companies that had implemented “Google Analytics” and “Facebook Business Tools” on their websites.
Following these complaints, the European Data Protection Board (‘EDPB’) – which is composed of representatives of the SAs and the European Data Protection Supervisor (‘EDPS’) – created a special task force (‘101 Task Force’) to promote cooperation and exchange of information between the different SAs that were in charge of handling the complaints.
Almost three years later, the 101 Task Force has published a report reflecting the common positions that the SAs have taken in this matter (‘Report’), which have enabled them to adopt consistent enforcement decisions. These decisions include ordering website operators to comply with the data transfer requirements in Chapter V of the General Data Protection Regulation (‘GDPR’) and to stop specific data transfers.
There are a few lessons that can be learned from the Report, which are also relevant outside the context of the 101 complaints case:
- Before assessing whether a transfer of personal data outside of the EU meets the data transfer requirements of the GDPR, controllers must ensure that the processing activity complies with all other provisions of the GDPR. For example, if the controller has not identified a legal basis within the meaning of Article 6(1) GDPR, the data processing is unlawful, even if the controller has implemented a data transfer tool, such as the European Commission’s Standard Contractual Clauses.
- Entering into data transfer tools (like the European Commission’s Standard Contractual Clauses) with retroactive effect – as brought forward by one controller in the 101 complaints case – is not permissible. The requirements of the GDPR are clear in that appropriate safeguards must be in place before any personal data is transferred.
- Supplementary measures implemented as appropriate safeguards in support of data transfers outside of the EU must address the specific issues identified by the Court of Justice of the EU (‘CJEU’) in the Schrems II Case (C-311/18). This is necessary to make sure that the laws in the country of the data importer will not impinge on the safeguards that have been put in place. In this regard, the Report notes that:
  - Encryption by the data importer is not a suitable measure if the data importer has legal obligations to provide the cryptographic keys, e.g., in case of a data access request by a government agency;
  - Anonymization functions, such as the anonymization of IP addresses, are not suitable if the anonymization takes place only after all the data has been transferred to a data importer in a third country.
- Where a processor acts as data exporter on behalf of the controller whose processing is subject to the GDPR, the controller is also responsible for ensuring compliance with the GDPR’s data transfer restrictions. In addition, the controller has to ensure that the processor provides for sufficient guarantees in accordance with the processor obligations set out in Article 28 GDPR.
- Controllers that wish to use new tools for processing personal data must carefully examine whether the respective tools can be used in compliance with data protection law requirements. If such tools are integrated without a prior compliance check and the controller is not in a position to demonstrate compliance, this could lead to a breach of the GDPR’s accountability principle.
- Providers of tools that process personal data may need to ensure compliance with the GDPR, either because a) the provider of the tool is, at least concerning certain processing operations, considered a controller under the GDPR, or b) because, where the provider acts as a processor, it must comply with the processor obligations specified in Article 28 GDPR.
- The allocation of (controller/processor) roles must be the result of a thorough analysis of objective factors, including the factual elements or circumstances of the specific case. However, the fact that, for example, a data processing agreement (per Article 28 GDPR) or a joint controllership agreement (per Article 26 GDPR) has been concluded does not restrict the SAs’ ability to assess and qualify the relationship between the parties differently. In other words, a data importer is not necessarily a controller or processor merely because it is stated that way in the agreement between the parties.