The first recommendation, titled “Delegating the Problem”, gives the following instructions to work around the problem of having no additional safeguards when exporting data to the United States: “An antidote to this weakness is to let Google’s Irish subsidiary be the counterparty to the deal. Thus, the Norwegian controller will not transfer data outside the EEA, and the issue of the grounds for transfer is delegated to Google Ireland.”
We believe that simply choosing another counterparty, as Bull recommends, is too simple an approach and will not solve the problem. The Norwegian controller remains responsible both for its processor (the Irish subsidiary of Google) and for that processor’s possible sharing of personal data with its own sub-processors (Google LLC or similar Google entities in the United States). In other words, the Norwegian controller is responsible for the transfer of data outside the EU/EEA even when the transfer takes place further down the value chain (here: between the Irish subsidiary of Google and Google LLC).
Circumvention risk
The question of who is responsible for the actual transfer to a third country requires a concrete assessment and depends on a number of factors. In our opinion, any other approach would open the way to significant circumvention in cases where it is known that transfers can or will take place in the future. The Norwegian Data Protection Authority has specifically addressed this topic in its updated guidelines on transfers to third countries, see here.
It should be recalled that on 14 February this year, the EDPB (Personvernrådet) adopted a much-discussed new guideline on “the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V” (see EDPS Guidelines 05/2021). They write, among other things, that if a controller based in the EU uses a processor that is also based in the EU but is a subsidiary of a company established in a third country, particular assessments must be carried out.
In itself, this is not a transfer to a third country. But there will be a transfer if the processor, being a subsidiary of, for example, an American parent company, is subject to the laws of the country where the parent company is established and can be ordered under those local laws to hand over information to that third country.
If the processor complies with such an order and transfers the data to the authorities of the third country, the EDPS considers this to be a transfer to a third country. If the controller has prohibited such a transfer in the data processing agreement, the processor acts contrary to the controller’s instructions and is itself considered the controller for this processing operation in accordance with Article 28(10) GDPR.
And perhaps the most important (and most difficult) point is this: the controller must first check whether its providers are subject to such access rights from foreign authorities and, if necessary, take appropriate technical and organisational measures to ensure that such access does not happen. Precisely at this point, many organisations need to consider carefully how their cloud services are put together and what access the provider actually has. Delegating responsibility is not so simple.
Briefly about the new data privacy framework
Kristian Foss and Tara Årøe’s fourth recommendation, titled “Take a break”, reads as follows: “Within the year, the new EU-US data privacy framework will likely be approved as the basis for the transfer. The United States is thus on the white list of the European Commission. However, a whitelist of US companies is not necessarily the solution to all problems. It is clear from the notice of decision against Telenor that Google itself does not disclose from which countries access to data is granted.”
It is not accurate to say that the United States as such is on the European Commission’s white list. Only companies that have registered under the EU-US Data Privacy Framework (DPF), as was the case under Safe Harbor and Privacy Shield, will be covered by the whitelist.
Companies listed under the Privacy Shield that wish to comply with the DPF requirements must change their internal routines within three months of the DPF taking effect in order to maintain their status. Those among them that cannot comply with the DPF requirements must withdraw (and will then, in a way, be “blacklisted”).
New companies wishing to join the DPF must self-certify in accordance with the DPF. A transfer of personal data from Norway to a company in the United States that is not part of the DPF should be treated as a transfer to a company in a third country without an adequate level of protection and without the prior approval of the European Commission. Google will most likely be covered by the framework. But in general, there is every reason to assess each individual transfer to the United States concretely, even after a DPF has been established.