- Datatilsynet prohibits processing of personal data with Chromebooks and Google Workspace for Education until GDPR compliance is proven
- All transfers to the USA are suspended; authorities require verifiable, effective additional protective measures in addition to SCC due to US access risks.
- Municipality has shown insufficient risk assessment and documentation; contractual guarantees without technical/organizational measures are not sufficient.
In a decision dated July 14, 2022, the Danish data protection supervisory authority, Datatilsynet, commented on the use of Google products by a municipality and in particular on the transfer to the USA:
Background and prohibitions
The background was the use of Chromebooks from Google and Google Workspace by Danish municipalities, in this case the municipality of Helsingør. In September 2021, the Danish authority had instructed the municipality to conduct a risk assessment in this context, which, depending on the outcome, would lead to an actual data protection impact assessment.
The municipality had submitted a corresponding assessment in November 2021, which rated the risk of personal data being used in breach of contract, e.g. for marketing or other further purposes, as low.
The risk of transfer to the USA was likewise rated as low. The contractual partner of the municipality was Google Cloud EMEA Ltd. and personal data was only stored in the EEA. It is clear from the authority's considerations that the municipality presumably relied on the TIA form by David Rosenthal. However, remote access for support purposes by Google LLC in the USA was not excluded (whereby Google uses the SCC internally within the group – see our contribution on the implementation of the SCC).
Based on this assessment, the Authority has now made the following disposition:
- the municipality is prohibited from processing personal data with Chromebooks and Google Workspace for Education until this processing activity has been brought into compliance with the GDPR;
- any transfer of personal data to the USA is suspended until the municipality proves that the GDPR is complied with in the process;
- the municipality has to deactivate users and rights and delete transferred data, with an implementation period;
- a breach of these orders may be punishable by a fine or imprisonment of up to six months (this because Danish law does not allow fines under the GDPR but provides for individual fines or imprisonment; see Rec. 151 of the GDPR and Art. 41 f. of the Danish Data Protection Act).
Interestingly, the authority did not issue any fines, but only threatened them in case of non-compliance. As far as can be seen, the Italian, Austrian and French authorities also did not impose any fines in their post-Schrems decisions – perhaps a residual understanding that these prohibitions take only limited account of reality.
Key results
The authority’s stance can be described as extraordinarily strict in all respects. This applies not only to the issue of transfers to the U.S., where the zero-risk approach agreed throughout Europe is followed (see below), but also to other points, such as the requirements for documenting risks and conducting a data protection impact assessment.
It is striking that although the authority imposes far-reaching conditions (for example, the municipality should not simply rely on the contractual prohibition of misappropriation of data by Google, TOMs are also required – apparently the authority does not consider Google to be faithful to its contracts), it hardly justifies this in legal terms. It essentially contents itself with references to Art. 5(2) (accountability) and to the black box of Art. 24 GDPR, which circumscribes the “responsibility of the controller” in a general way that is therefore compatible with any opinion.
As with many other decisions by data protection authorities, the impression arises that an authority is pursuing a maximum approach, which it legitimizes not dogmatically, but with its sense of mission. This turns a law-applying authority into a political one. If courts do not intervene and do not place the decisions – regardless of the outcome – on a legally sustainable basis, this can ultimately only be described as a breach of the constitution, namely a breach of the separation of powers. From this perspective, the FDPIC’s restraint, which has been noted on various occasions, is beneficial.
Findings on the management of risks
- Insufficient risk assessment: The risk assessment of the municipality of Elsinore had generally not fully considered some scenarios, especially of a technical nature.
- No sufficient mitigation of the misappropriation risk: With regard to the risk of misappropriation of the data by Google, it should be noted that a misappropriation by Google was contractually excluded. Nevertheless, the municipality had not sufficiently documented that compliance with the GDPR was ensured by Google as a processor. It was not enough to rely only on contractual guarantees (!). Rather, the municipality should have evaluated technical or organizational measures to mitigate the risk of misappropriation.
- No DPIA performed: Any risk that has a strong impact on the rights and freedoms of data subjects requires a data protection impact assessment, even in the case of a relatively low probability of occurrence.
On transfers to the USA
Duties of the controller
The starting point here was the fact that although Google stores the municipality’s personal data only in the EEA, it can, according to Google’s list, also use subcontractors outside the EEA, including in the USA.
Here, the authority takes the position that the controller must have a legal basis for the transfer to third countries, including a transfer for support services.
In particular, both the controller and the processor are obliged to ensure such a legal basis, even if the processor has concluded the SCC with a subcontracted processor in a third country. However, it is not entirely clear here whether the controller only has a corresponding documentation obligation or an original obligation to ensure the legality of the onward transfer by the processor.
TIA: Access risk assessment
In its TIA, the municipality had considered, among other things, that FISA 702 did not permit access to data when the access targets a US person, i.e. a person (including a company) who is in the USA at that time (§1881a(b)). This excludes access at Google LLC, because the relevant data is transmitted to Google LLC and thus to a US person.
The data protection authority does not agree with this argument. In its view, this restriction applies only if the purpose of the data access is to collect information about US persons, not where data is collected from US companies:
After reviewing the legal restrictions on the collection of information under FISA 702, the Privacy Board believes that the restrictions [in §1881a(b)] are intended to prevent the collection, both directly and indirectly, of information about US persons, including companies, and to prevent these persons from being the target of the collection.
According to the Danish Data Protection Authority, the restrictions therefore do not apply if and to the extent that Danish citizens or the municipality of Helsingør as a whole become the subject of data collection under FISA 702.
In addition, the EDPS believes that FISA 702, by its very purpose, provides a legal basis for U.S. law enforcement agencies to obtain information about foreign persons who may be reasonably believed to be outside the U.S. for the purpose of collecting foreign intelligence information.
Against this background, the DPA considers that the personal data transferred to Google LLC could be obtained by US law enforcement authorities. In doing so, the EDPS has taken into account the fact that Google LLC is to be considered an “electronic communications service provider” and that the personal data transferred to Google LLC concerns the students and employees of the municipality, i.e. Danish citizens.
Requirements for the level of protection in the destination country
As far as the required level of protection is concerned, it follows from the Schrems II ruling of the ECJ that
a level of protection for personal data must be ensured in the third country concerned which essentially corresponds to the level of protection within the EU/EEA.
According to the authority, this requirement apparently applies not only to the question of whether a state has an adequate level of protection, but also to transfers based on the standard contractual clauses. It justifies this – not explicitly, but in context – with Art. 44 GDPR:
Any transfer of personal data […] shall be permitted only if the controller and processor comply with the conditions set forth in this chapter […]. All provisions of this chapter shall be applied to ensure that the level of protection afforded to natural persons by this Regulation is not undermined.
This in turn means that
any transmission must be subject to adequate safeguards. Thus, it is not sufficient that almost all transfers or a certain percentage of transfers enjoy the protection of the Regulation, unless this is provided for in the Regulation.
Here the zero-risk approach has probably now reached the Danish supervisory authority as well. This is an unusual view – it can perhaps be paraphrased as follows: If a residual risk of an authority access of 2.5% is accepted, statistically 2.5% of the transmissions do not enjoy sufficient protection, which is why a sufficient level of protection is lacking in this respect. This is not what the authority says, but its statement that every transmission, and not only almost every one, is in need of protection can hardly be understood otherwise.
Lack of additional measures
The Authority therefore concluded that supplemental protective measures were required in addition to the SCCs, notwithstanding the municipality’s risk assessment:
Therefore, the EDPS considers that the transfer of the data in question in the United States is subject to conditions that prevent the standard contract used as the basis for the transfer from being an adequate means of ensuring a level of protection substantially equivalent to that in the EU/EEA. The municipality of Elsinore is therefore obliged to ensure that additional measures are taken to bring the level of protection up to the required level.
However, such measures are said to be missing here. The encryption of the data was not sufficient. Apparently it was possible for Google LLC to access data in plain text, according to the account of the municipality itself (the key was managed by Google EMEA, but decryption was apparently required in the support case).