The Challenge of Data Transfer to the US

I wanted to share a recent study I was asked to carry out on the complex question of migrating a Belgian telco's data to the AWS US cloud, with the Amdocs BSS and analytics services layered on top. The study looks at the state of the legislation and at the positions taken by the various European data protection authorities and courts. Data flows between the EU and the US have become a major headache as Europeans have grown so dependent on US corporations, US clouds included.

Since the Schrems II decision invalidated the Privacy Shield, the CJEU has confirmed that Standard Contractual Clauses (and, by the EDPB's reading, Binding Corporate Rules) remain valid transfer instruments, but they require supplementary measures of protection (see the EDPB's final Recommendations 01/2020). Organisations must verify, case by case, whether the law of the destination country ensures a level of protection for personal data essentially equivalent to that guaranteed in the EU. The Court found that US law does not generally provide such a level: there is no general data protection statute, no independent data protection authority and, above all, non-US persons are treated differently under the surveillance laws and have no effective judicial remedy. Since the US level of protection is not essentially equivalent, an organisation must assess, before any migration to a US cloud, which additional protections are needed to permit the transfer. AWS, like Google, is an electronic communication service provider and as such falls under the US surveillance regime: FISA Section 702 (the PRISM and Upstream programmes), the CLOUD Act and EO 12333. The CLOUD Act in particular reaches data in the custody or control of a US provider wherever the server is located, so the starting point has to be that data localisation alone is a myth.

It is therefore recommended to consider the alternative of an EU cloud provider first. In practice, however, most telecom companies have already migrated to a US cloud.

I am not sure whether BSS services comparable to Amdocs could operate on an EU cloud. When I contacted Amdocs to check their GDPR compliance, they had no idea what I was talking about. They promised that their legal department would contact me. That was more than a month ago.

After EU cloud alternatives have been considered, if the migration to a US cloud goes ahead, supplementary technical, organisational and contractual measures have to be deployed on a risk-based approach, because at this point the situation remains uncertain. If the project could be deferred, the Executive Order recently signed by President Biden (EO 14086, October 2022) could lead to an adequacy decision facilitating the free flow of personal data between the EU and the US. (See the various reactions to the EO, including noyb's dissatisfaction with the redress mechanism offered in place of a judicial remedy for EU citizens; the fact that it is an Executive Order rather than a statute, and can therefore be withdrawn at any time, has also been judged unsatisfactory.)



The promises of scalability, flexibility and cost efficiency must be balanced against the risks of non-compliance. Another issue to consider is data portability: how the data comes back out of the provider if the legal situation changes.

It might be an option to delay the project, or at least to complete the preparation of the migration before moving into execution. In the meantime all the required preparatory work, verifying every point of compliance and starting with a data mapping, can be carried out.



Moving data to the AWS cloud has to be treated as a transfer to the US, whatever region is selected, and will require a thorough Data Protection Impact Assessment balancing the risks and advantages of moving the data into AWS and benefiting from the Amdocs BSS services.

Encryption with keys kept out of the reach of the US provider is recognised as a valid supplementary measure, but only where the provider never needs the plaintext: it works for storage and backup, not for analytics or other business services, because the data has to be decrypted wherever it is processed. Homomorphic encryption, which allows computation on ciphertext, is sometimes cited as a way round this, but it remains computationally expensive and far from mainstream. In France the question arose around the Health Data Hub hosted by Microsoft. The CNIL's advice was to authorise the hosting temporarily, because Microsoft had technical capabilities not then available in Europe; the Conseil d'État, the highest administrative court, required an addendum to the Microsoft contract, and a decree from the Health Minister required that the servers be located in Europe.
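As an added illustration (not part of the original article, and not AWS or Amdocs code) of what "a key kept out of the provider's reach" does and does not achieve once data has to be used, the Python below pseudonymises a constructed telco usage export with an HMAC key that never leaves the EU controller, shows that aggregate analytics can still run on the pseudonyms in the cloud, and contrasts this with a plain SHA-256 of the phone number, which an attacker reverses simply by enumerating the number range. The MSISDNs, call minutes and key are all made up; in a real deployment the key would live in an EU-held HSM or KMS and the directory used for re-identification would stay on-premises. The same example also shows the limit noted further down for the Amdocs BSS: whatever a processor must handle in the clear (here the minutes, in reality the billing identity) gets no protection from this technique.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample export (not real data): one row per call, subscriber MSISDN and minutes.
SAMPLE_CDRS = [
    {"msisdn": "+32470000011", "minutes": 12},
    {"msisdn": "+32470000042", "minutes": 5},
    {"msisdn": "+32470000011", "minutes": 30},
    {"msisdn": "+32470000099", "minutes": 8},
]

# Hypothetical controller-held secret. Assumption: it is generated and stored in the EU
# (HSM/KMS) and never uploaded alongside the data.
EU_PSEUDONYM_KEY = b"eu-controller-secret-kept-on-premises"


def pseudonymise(msisdn: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without the key, no dictionary attack is possible."""
    return hmac.new(key, msisdn.encode(), hashlib.sha256).hexdigest()


def naive_hash(msisdn: str) -> str:
    """Unkeyed hash: looks anonymous but is trivially reversible over a small input space."""
    return hashlib.sha256(msisdn.encode()).hexdigest()


def prepare_export(records, key: bytes):
    """EU side: replace the identifier before the data leaves; the minutes stay in clear
    because the cloud-side analytics (or a BSS) has to compute on them."""
    return [{"sub_id": pseudonymise(r["msisdn"], key), "minutes": r["minutes"]}
            for r in records]


def minutes_per_subscriber(export):
    """Cloud side: per-subscriber aggregation works on the pseudonyms alone."""
    totals = defaultdict(int)
    for row in export:
        totals[row["sub_id"]] += row["minutes"]
    return dict(totals)


def reidentify(export, key: bytes, subscriber_directory):
    """EU side: only the key holder, using its own subscriber directory, can map back."""
    lookup = {pseudonymise(m, key): m for m in subscriber_directory}
    return {row["sub_id"]: lookup.get(row["sub_id"]) for row in export}


def brute_force(target_hash: str, prefix: str = "+324700000", width: int = 2):
    """Attacker side: enumerate a (deliberately small, constructed) number range and
    compare unkeyed hashes. Real MSISDN spaces are larger but still enumerable."""
    for n in range(10 ** width):
        candidate = f"{prefix}{n:0{width}d}"
        if naive_hash(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    export = prepare_export(SAMPLE_CDRS, EU_PSEUDONYM_KEY)
    print("cloud-side totals:", minutes_per_subscriber(export))
    victim = "+32470000042"
    print("unkeyed hash reversed to:", brute_force(naive_hash(victim)))
    print("keyed pseudonym reversed to:", brute_force(pseudonymise(victim, EU_PSEUDONYM_KEY)))
    directory = ["+32470000011", "+32470000042", "+32470000099"]
    print("EU-side re-identification:", reidentify(export, EU_PSEUDONYM_KEY, directory))
```

Two points worth keeping in mind when reading the output: the keyed pseudonym only holds while the key stays in the EU (anyone who obtains it can rebuild the same lookup table the controller uses), and the technique says nothing about the columns that have to remain readable for the processing to make sense, which is exactly why a BSS that bills real customers cannot be fed pseudonymised identities.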

Other negotiations are under way with Microsoft in Germany for fully independent, Europe-based servers kept out of the reach of the US government. Whether this will actually happen is uncertain.

Meanwhile, the transfer assessment will need to take account of the specificity of the customers, including the sensitivity of the data processed: if the customers are doctors, lawyers or politicians, the level of risk is different from that for the general public. The UK ICO's transfer risk assessment (TRA) tool suggests looking at the number of US government requests the importer has received and how it has challenged them.

AWS has published an addendum to its customer agreement promising to challenge US government requests. However, even though US corporations now publish annual transparency reports on the requests they receive, in some cases they are not allowed to disclose the most sensitive ones, as Twitter found when it tried to publish more detailed figures. How a private EU company is supposed to assess the political situation of the countries to which it exports data remains unclear. Is the US as high-risk as China, Russia or India? (See the EDPB report on government access to data in third countries.)

The position of several data protection authorities and EU public bodies, such as the Dutch and French ministries, especially concerning transfers of personal data in the context of Google Analytics or the use of Microsoft products, has been more absolutist: they reject the risk-based approach when assessing transfers to countries without adequate data protection such as the US, arguing that such transfers are prohibited as soon as the possibility of foreign governmental access gives rise to any risk of harm. (See the various positions expressed by DPAs, courts and public authorities.)


Few cases have reached the EU courts so far.


Several large law firms (see a recent joint publication by DLA Piper and Clifford Chance) plead for a more balanced approach, criticising the absolutist stance of the data protection authorities and arguing the case for proportionality and a risk-based approach to international transfers.

It is obvious that full compliance will be difficult to achieve. The necessary security measures will need to be taken to get as close to compliance as possible. The fact that most telecom companies have adopted US cloud solutions does not mean compliance has been achieved. The final decision will have to balance advantages and risks in light of geographical specificities, as not all data protection authorities enforce actively or take the more absolutist line.



To do so, a Transfer Impact Assessment evaluating the specific risks of transfers to the US for as long as there is no adequacy decision will shed light on the situation.

It starts with clearly defining the relationships and roles between the data controller and the data processors, and checking the lawful basis for the collection and processing of the data. Where data has been collected on the basis of consent, that consent needs to be reviewed in light of the transfer and of the risk of the data being unlawfully accessed. Transparency about the new situation, and about the risks created by transferring data to the US through a US CSP, will have to be provided to the data subjects.

Within the technical preparations, a verified backup taken before cutover and encryption of the data in transit (and at rest on arrival) are crucial to avoid any loss of data or security incident during the migration.

If the data must be accessed by a BSS such as Amdocs, it cannot remain encrypted while it is being processed, so encryption at rest does not shield it from the processor, or from a request served on the processor. Like any processor, Amdocs has to have its guarantees assessed and a data processing agreement under Article 28 GDPR signed.

Additionally, staff have to be made aware of the transfer, with appropriate ongoing training.

I wonder how many public institutions still use Microsoft products, and if not, what do they use?

I know the French and UK defence ministries used Microsoft. This is a dangerous situation, but what are the alternatives now that the EU is waking up to claim digital sovereignty?

As for the choice of analytics: although it is by far the most widespread option, Google Analytics, especially through its connections with real-time bidding, raises the same data transfer issues. Equivalent EU options exist.

Google Analytics cannot be made GDPR compliant as it stands. Despite Google's assertion that no data has ever been accessed by US authorities, the data is transferred to the US, combined with the other data Google gathers, and forms part of the adtech business. Several DPA decisions (the Austrian DSB and the French CNIL in 2022 among others) have found its use unlawful. EU-compliant alternatives exist, though it is not certain that they give the same results, precisely for AdSense and real-time bidding.


All this will need to be carefully assessed and documented in accordance with the accountability principle.

Finally, everything said here about the risks of transfers to the US is equally valid for transfers to other countries without an adequate level of data protection. We hear much less about data transfers to China, India or Russia.

This analysis is only valid on the day of its publication: uncertainties remain and the situation keeps evolving.

You can access my full Mindmap here and please share your comments.

Recommended read: Douwe Korff, "Transfers of personal data from the EU to non-EU countries under the EU General Data Protection Regulation after Schrems II: not a 'Mission Impossible'?"

Roberto Popolizio

Managing Editor at Website Planet | Content Strategy Advisor

2 years

I'll share this to our readers. Much needed

Richard Dutton CLMP

MD at ELIAS Partnership | Data rights | Data Stewardship | Innovator | Collaborator | Front Foot

2 years

Quality read Tara TAUBMAN-BASSIRIAN LLM - Thank you.

François Z?fel

Head of GRC & Business Continuity

2 years

Good post, thanks! Regarding the balance of risks between availability/capability and compliance, it is important to remember that the first are risks borne by the company, but the data protection risks are borne by the individual data subjects, so the balance is not fair.

Heidi Saas

Data Privacy and Technology Attorney | Licensed in CT, MD, & NY | AI Consultant | Speaker | Change Agent | ?? Disruptor ??

2 years

So many things to consider, and well laid out here Tara TAUBMAN-BASSIRIAN LLM Some clients just want to hear what they should do, and glaze over when discussing the finer points. Understanding the moving parts, and having their trust in your analysis is key to navigating the cloud. IMO-The EO gives false hope, and extends the "wait and see" approach, when businesses need to focus on building for the future and where things are going.
