On 16 July, in a much-awaited ruling (C-311/18), the Court of Justice of the European Union (ECJ) dealt a serious blow to the practice of transferring personal data to countries outside the European Union.
A bit of history…
This case dates back to 25 June 2013, when Mr Maximilian Schrems, a European citizen, filed a complaint with the Irish Data Protection Commissioner seeking to prohibit Facebook Ireland Ltd. from transferring his personal data to the United States.
This complaint pointed to American mass surveillance activities, which were brought to light at the same time by Mr. Edward Snowden. It highlighted that the regulations in force in the United States did not sufficiently regulate these programs and did not guarantee data subjects rights equivalent to those recognised in the European Union.
In a first judgment dated 6 October 2015 (C-362/14), the ECJ ruled in his favour by invalidating the Safe Harbor, a protection mechanism implemented for data transfers to the United States, which the European Commission had considered adequate (decision 2000/520).
Following this decision, the Irish authority, which had initially rejected the complaint because of the existence of the Safe Harbor, opened an investigation. During that investigation, Facebook Ireland Ltd explained that it had put in place not the Safe Harbor but standard contractual clauses in line with those adopted by European Commission Decision 2010/87/EU, which should in principle provide adequate safeguards for individuals affected by transfers of personal data to countries that do not ensure an adequate level of protection.
This time, the ECJ was asked to rule on the validity of the above-mentioned standard contractual clauses on the one hand, and of the “Privacy Shield”, a new protection mechanism created in the meantime by the United States and the Commission to replace the Safe Harbor, on the other.
Invalidation of the Privacy Shield
In its judgment of 16 July, the ECJ decided to invalidate, with immediate effect, the Privacy Shield, or more precisely the decision (2016/1250) by which the European Commission had found that the Privacy Shield constituted a sufficient protection mechanism to regulate the transfer of personal data to the United States.
In its decision, the ECJ considered that the US surveillance programs are not limited to what is strictly necessary, since the authorities may, in particular, carry out large-scale surveillance operations which do not comply with the principles of necessity and proportionality in force in the European Union.
The ECJ also noted that the United States, including the ombudsperson mechanism to which the Privacy Shield Decision refers, does not provide any real possibility for data subjects to bring legal actions before an independent and impartial court as required under the Charter of Fundamental Rights of the European Union.
Valid, but not always sufficient standard contractual clauses
Concerning the Standard Contractual Clauses, the ECJ confirmed that they remain a valid mechanism to secure transfers of personal data from the European Union to countries that do not benefit from an adequacy decision. However, it recalled that, pursuant to Article 46 of the GDPR, these clauses do not always by themselves constitute sufficient protection, in particular in the case of data transfers to countries which, like the United States, do not sufficiently regulate the power of interference of their authorities.
In this respect, the ECJ essentially points out that the standard contractual clauses constitute a contract, established between a data exporter acting as controller and a data importer, and that this contract is not enforceable against the authorities of the country receiving the data, since those authorities are not party to the contract.
Therefore, although valid, the standard contractual clauses do not constitute a sufficient guarantee to regulate transfers of personal data from the European Union to countries such as the United States. In this case, supplementary measures should be put in place in addition to these clauses.
Impact of these decisions
The impact of this 2nd opus is far from negligible.
Indeed, since 16 July, all economic operators who previously transferred personal data from the European Union to the United States on the basis of the Privacy Shield have been obliged, if they wish to continue such transfers, to replace the Privacy Shield with valid alternative guarantees.
However, the alternative mechanisms that can be put in place – which are listed in Article 46 of the GDPR and which include the standard contractual clauses – are, for the most part, contractual mechanisms that the ECJ has found insufficient because of their unenforceability against the US authorities.
The implementation of these alternative mechanisms must therefore be accompanied by the adoption of additional measures to ensure the required protection.
The question then arises as to what types of measures can, in addition to the standard contractual clauses, constitute adequate protection against interference by the US authorities.
The ECJ has not ruled on this issue, and data protection authorities have not yet published information on the subject, which may make compliance a little bit difficult.
In concrete terms, it seems difficult to technically prevent the US authorities from accessing data transiting from the European Union to the United States, since, as the ECJ has noted, the US authorities intercept traffic on network cables, particularly in the context of Upstream programmes.
In this respect, even the implementation of end-to-end encryption solutions could be considered insufficient, due in particular to the decryption solutions that are or may be available to authorities, notably as a result of quantum technologies. In addition, some regulations may require operators to communicate their encryption keys to the authorities, or even prohibit some of them in the future. The United States is notably discussing the “Lawful Access to Encrypted Data Act”.
The use of solutions hosted within the European Union could be the alternative. However, it is not even certain that this would be sufficient in all circumstances, particularly in the case of processing being carried out remotely from the United States, for example in the context of administration, maintenance or support activities.
Indeed, some remote processing operations, such as accesses, technically imply a temporary transfer and therefore expose the data. This is moreover considered as a data transfer within the meaning of European regulation.
Some economic operators also question whether it is possible to adapt the additional measures depending on the risk to rights and freedoms, in particular to ensure that the use of data with a low risk to the privacy of individuals is not unduly impeded. Here, too, nothing is less certain, even though the risk-based approach, which is predominant in the GDPR and in the standard contractual clauses, may suggest this.
Beyond the United States, these questions arise whenever a transfer is operated, based on the standard contractual clauses, to countries that have not been subject to an adequacy decision and for which it is not possible to establish with certainty that they provide guarantees equivalent to those recognised within the European Union in respect of interference by the authorities.
Uncertainty about the type of supplementary measures to be put in place creates insecurity, not only for data subjects, who may not benefit from appropriate protection when their data is transferred, but also for economic operators, many of whom are still waiting for confirmation of compliance, particularly when they depend on third party service providers or solutions operating outside the European Union.
As such, the predominance – or near-monopoly – of GAFAM in sectors such as online search, social networks and advertising, makes it extremely difficult, if not impossible from a competitive standpoint, to do without their services. And such services usually involve transfers to the United States for which it is not easy, due in particular to the uncertainties mentioned above, to ensure that appropriate additional safeguards have been put in place.
In this context, it seems essential that the data protection authorities continue to support economic operators so that the supplementary measures required in the event of transfers to the United States and other equivalent countries can be clearly identified and implemented.
What about using OVHcloud Services?
No transfers to the United States
Except for services ordered directly from OVHcloud’s US entity, in the course of performing its services, OVHcloud does not transfer its customers’ data to the United States.
Indeed, OVHcloud’s data centers located in the United States do not host any of the services marketed by OVHcloud’s non-U.S. entities; these US data centers are only used to host services marketed by OVHcloud’s U.S. entity. In addition, OVHcloud’s US entity is not involved in the provision of services provided by OVHcloud’s non-American entities. In particular, none of these services are administered from the United States, and therefore no related data processing can be remotely operated, and notably accessed, from the United States.
Therefore, the invalidation of the Privacy Shield has no impact here.
Regarding the services ordered from OVHcloud’s US entity, they are generally not used to process data subject to European regulations, in which case the above-mentioned European solutions are preferred. OVHcloud United States is nevertheless studying solutions for customers that could be impacted.
Limited transfers to other countries
When the customer chooses a service hosted in an OVHcloud data center located in the European Union, only the European and Canadian entities of OVHcloud have, within the framework of the administration and maintenance of the services, the possibility to carry out processing operations on the data hosted by the Customers.
With regard to Canada, it was the subject of an adequacy decision (2002/2/EC) by which the European Commission notably noted that Canadian law “covers all the basic principles necessary for an adequate level of protection for natural persons, even if exceptions and limitations are also provided for in order to safeguard important public interests. The application of these standards is guaranteed by judicial remedy and by independent supervision carried out by the authorities, such as the Federal Privacy Commissioner invested with powers of investigation and intervention. Furthermore, the provisions of Canadian law regarding civil liability apply in the event of unlawful processing which is prejudicial to the persons”.
Also, OVHcloud has never received any request from the Canadian authorities that was disproportionate with respect to the fundamental rights and principles of the European Union.
Therefore, even if the said adequacy decision is limited in scope to activities falling under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) – which led OVHcloud to adopt contractual clauses for certain processing operations outside the scope of PIPEDA – the foregoing findings about Canadian law make it consistent to consider that the implementation of standard contractual clauses for activities not subject to PIPEDA does not require any supplementary measure with respect to interference by the authorities.
Nevertheless, OVHcloud has implemented supplementary measures according to its security policy, and is seeking to get confirmation, notably from the Commission, of the consistency of the foregoing findings. More generally, it would be desirable that the Commission review all the adequacy decisions that were taken, especially before the ECJ judgements and the entry into force of the GDPR.
OVHcloud customers also have the option of choosing data centers located outside the European Union to host their services, particularly in Singapore and Australia. These data centers are generally not used to process data covered by GDPR, the European data centers being preferred in this case. However, for customers who wish to operate such transfers to Asia, OVHcloud has set up standard contractual clauses. In these cases, the Customer should conduct, if necessary with the help of OVHcloud, a compliance analysis of the solution that it deploys on OVHcloud Services.
Concerning the use of OVHcloud’s internal tools, some of which contain customer data (customer account data, invoicing, support tickets, data relating to the use of services, etc.), and which are used by other OVHcloud non-European entities, OVHcloud has put in place standard contractual clauses in addition to which various technical and organisational measures have been implemented to limit transfers as much as possible according to OVHcloud security policy.
In particular, OVHcloud systematically favours hosting its IT system within the European Union. This makes it possible to avoid mass transfers by design, as transfers are only occasional and temporary in such a remote access case.
Furthermore, access is limited on the basis of the principle of least privilege, which ensures that only the data necessary to carry out legitimate business operations is accessible to operators. These accesses are systematically traced. In addition, in the event of recourse to third-party solutions, OVHcloud favours “on premise” hosting on its own infrastructure in order to keep control.
All these measures, combined with the implementation of a strict policy concerning the treatment of requests from authorities, appear to provide adequate protection against possible interference from authorities in non-adequate countries.
However, OVHcloud will continue to pay close attention to the recommendations of the authorities to ensure that its mechanism is appropriate.
In addition, OVHcloud Group is undertaking to reexamine the legal order of the countries in which it is present in order to assess their compliance in the light of this new ECJ judgment, and be able to support its customers in the best possible way.