On April 22, 2022, the Austrian data protection authority (the “Datenschutzbehörde” or “DSB”) upheld its January 2022 decision, finding that transfers of personal data from the EU to U.S.-based Google could not be supported by Standard Contractual Clauses (“SCCs”) – even with supplementary measures in place.

Transferred Personal Data Could be Subject to U.S.

The April 22, 2022, DSB decision does not create an absolute bar on transfers of personal data to the U.S. It does, however, represent a significant roadblock when such transfers are based solely on SCCs. The DSB’s prior determination that transfers of personal information from the EU to Google based on SCCs were not valid was based on the potential for a FISA 702 request from U.S. Department of Justice (“DOJ”) has defined electronic communications service provider to mean “any company or government entity that provides others with the means to communicate electronically can be a ‘provider of electronic communications services’… regardless of the entity’s primary business or function.” In doing so the DOJ referenced legal opinions finding employers that provided email service to employees and a city that provided pager services to police officers to be “electronic communication service providers.” Under this definition, essentially any entity receiving digital personal information from the EU will likely be considered an “electronic communication service provider.” Because any entity that is identified as an “electronic communication service provider” can be subject to a FISA 702 request, the DSB decision will have far-reaching consequences for two reasons.

First, the definition of an “electronic communication service provider” is likely very broad. It is unlikely that any EU data protection authority will take a more narrow view. Here, the DSB stated that “the scope of application of FISA 702 is to be understood very broadly and the powers of US authorities extend to all data in the company due to a minor activity within the scope of application of FISA 702.” Second, the definition of data subject to FISA 702 is also likely very broad. Once an entity is determined to be an electronic communications service provider, therefore, U.S. intelligence agencies would be assumed to have access to any data within the control of that entity – even if that data is not otherwise connected to the electronic communication. entity can be identified as an “electronic communication service provider,” that entity cannot receive personal data from the EU based solely on SCCs because such information would be available to U.S.

The April 22, 2022, DSB decision also provided additional analysis that may erode the most plausible defense for continuing to transfer personal data from the EU to the U.S. – namely, that the data subject to transfer is unlikely to be subject to a request from a U.S. Here the DSB determined that Article 44 of the GDPR did not allow data protection authorities to consider the likelihood of harm when determining whether the local laws of a third country provide adequate protection. The decision is binary: either adequate protection could be provided, or it could not.

Because the United States does not have a current adequacy decision and the DSB had previously determined that SCCs that are not binding on the U.S. government cannot provide adequate protection, the DSB decision confirmed: (1) that it is unlikely that transfers of personal data to the United States can be supported by SCCs and, (2) that transferring entities cannot disregard the DSB’s decision simply because the data is unlikely to be of interest to U.S. The immediate impact of this decision is that transfers of personal data from Austria to the United States will be unlikely to survive scrutiny by the DSB. The DSB decision, however, should be viewed as a sign of what is to come and not as an outlier.

To be clear, absent an adequacy decision to replace the Privacy Shield invalidated by Schrems II, there are likely to be limited valid methods for the routine transfer of personal data from the EU to the U.S. The rationale for the April 22, 2022, DSB decision may also cast a shadow on any adequacy decision based on the recently announced agreement in principle on a new Trans-Atlantic Data Privacy Framework (a/k/a “Privacy Shield 2.0”).

Based on the April 22, 2022, DSB decision, as long as a data protection authority or the Court of Justice for the European Union (the “CJEU”) can identify at least some risk that personal data transferred to the U.S. intelligence agencies, the adequacy decision will likely be invalidated.

Additionally, the April 22, 2022, DSB decision made clear that arguments regarding the economic and political impact of finding a transfer unsupported (or unsupportable) are untenable.