AGEFI Luxembourg - mars 2023

Financial IT

The EDPB provides further guidance on the use of cloud solutions in line with the GDPR

In just a few years, the use of cloud services has increased significantly in both the public and private sectors, a trend that has been further accelerated by the Covid-19 pandemic and the drive for digital transformation across all sectors. This is not without risk from a data protection perspective, especially when it involves the (often unavoidable) use of a hyper-scale Cloud Service Provider (CSP) which belongs to a group outside the EU/EEA. A number of recent publications by the European Data Protection Board (EDPB) are of particular relevance in this context. Here is a summary of some of the main takeaways that have emerged from them.

1. State of play of the use of cloud solutions in the public sector: lessons to be learned for the private sector as well

In 2022, most data protection authorities in the EU started to carry out a so-called Coordinated Enforcement Action at EU level pertaining to the use of cloud-based services by the public sector. The EDPB has compiled the findings of the participating national supervisory authorities on the use of CSPs in the public sector following these coordinated investigations throughout 2022 and published a "state of play" report on 17 January 2023. In particular, this report contains a list of points of non-compliance of several public sector actors across the EU when entering into agreements with CSPs. These GDPR violations may be followed by corrective actions initiated by the different national data protection authorities. Luxembourg was one of the only countries which was not in the scope of this coordinated enforcement action, but the report provides many insights that are useful not only for the public sector but for any organisation, thus also private sector actors, that deploys cloud services or intends to do so.

The report revealed, amongst others, that:
- often the obligatory data protection impact assessments (DPIAs) and/or the involvement of the DPO are insufficient or sometimes even absent;
- often the roles and responsibilities of the client and the CSPs are not (adequately) qualified, whereby the EDPB also indicated that "If the public bodies cannot negotiate the terms of the contracts in practice, due to the imbalance of power, it may be difficult for them to determine the purposes and the means of the processing of personal data for the duration of the contract, and fulfil their obligations under the GDPR";
- often the control on the sub-processing chain is insufficient; indeed, CSPs rely on a multitude of sub-contractors; as well as
- the collection and use of telemetry/diagnostic information.

The report included an inevitable point on international data transfers and the consequences of the Schrems II ruling of the Court of Justice of the European Union in July 2020: a distinction seems to be made between the scenario where the regular provision of cloud services entails quasi-automatically an international data transfer (e.g., access for maintenance and support) and the scenario where this is not the case but where there could be potential third country governmental access. In the latter case, the focus does not seem to lie on Chapter V GDPR on international data transfers (as long as there is no actual transfer) but rather on the requirement that data processors must be chosen that offer sufficient security measures (including against unauthorised access). However, in the first scenario, where there is an actual international transfer, the report states that "[…] it can prove impossible or extremely challenging to identify effective supplementary measures. Therefore, it would be extremely likely that the transfers would take place in breach of the transfer rules (Schrems II ruling), requiring the public bodies acting as controller to identify different solutions in order to prevent or stop such transfers e.g., by (re)negotiating contracts or using different cloud solutions which are compliant to the GDPR (e.g. compliant EEA-sovereign cloud solutions)".

To avoid such time-consuming negotiations with CSPs or a change of solution along the way, the EDPB recommends that public bodies, to the extent possible, "ensure that the procurement procedure already envisages all the requirements to achieve compliance with the GDPR, preferably before the initiation of the procurement procedure itself".

Based on our experience, we see that there is an increasing interest in the matter: where public sector players do not limit the risk of non-compliance with the GDPR provisions on international data transfers in tenders with a cloud element, this may lead to litigation when a competitor deems that the winning candidate does not comply with these provisions. We have also seen that the public sector, in the Netherlands for example, has carried out extensive DPIAs and has forced undertakings such as Microsoft and Zoom to amend some of their practices. The overview of actions that have been undertaken by the different authorities on the use of cloud solutions in the public sector (pp. 21-30) is certainly worth a close reading and will be most instructive for private sector entities as well.

2. Obligations arising from the use of a CSP subject to third country legislation

In order to limit the risk of personal data being transferred to a third country, it is not uncommon for a private or public entity to engage an EU/EEA entity of a CSP on the condition that the data are hosted in the EU/EEA and that no one outside the EU/EEA, including its (often US) parent company or its sub-contractors, has access to the data.

Data hosted by the EU/EEA entity of a CSP that belongs to a group outside the EU/EEA may nevertheless be accessed by third country enforcement agencies under certain circumstances. For example, it is not excluded that data hosted in the EU/EEA by the Luxembourg-based CSP Amazon Web Services EMEA S.à r.l. can be accessed if its parent company Amazon Web Services, Inc. is subject to a request from the US enforcement authorities to produce data in the course of a specific criminal investigation under the so-called CLOUD Act.

Some data protection authorities have tried in the past to argue that the mere possibility to produce data under the CLOUD Act already triggered in itself the GDPR provisions on international data transfers. In the latest version 2.0 of its Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, adopted on 14 February 2023, the EDPB confirmed, implicitly but unambiguously, the position that could already be inferred from its report on the state of play of the Coordinated Enforcement Action at EU level pertaining to the use of cloud-based services by the public sector: as long as such a request does not materialise, there is no transfer and the GDPR provisions on international data transfers do not apply. However, if such a request is addressed to the CSP and the latter complies with it, the disclosure is to be considered a transfer under Chapter V of the GDPR carried out in violation of the controller's instructions.

In this regard, the EDPB recalls that it is up to the controller to ensure, before engaging the CSP, that the latter, as data processor, provides sufficient guarantees to implement appropriate technical and organisational measures to comply with the GDPR, as required by Article 28 GDPR. Those guarantees should also have regard to reliability, "which may be in doubt if the processor is subject to third country legislation which may prevent it from fulfilling its obligations as a processor". Such measures may include, for instance, a commitment by the data controller to contest the access request to the maximum extent permitted by applicable foreign law or to grant access to data only in an anonymous form.

In its decision of 31 January 2023, the Conference of German DPAs took a similar stance and set the bar quite high for those guarantees to be sufficient, and seems to follow a quasi zero-risk approach via Article 28 GDPR. However, we believe that "appropriate technical and organisational measures" in Article 28 GDPR echoes the requirement laid down in Article 32 GDPR. This provision requires that the controller and the processor must implement "appropriate technical and organisational measures" to "ensure a level of security appropriate to the risk", whereby the "risk" is to be assessed in the light "of varying likelihood and severity for the rights and freedoms of natural persons". In other words, if there is no actual transfer of personal data outside the EU/EEA, a risk-based approach must be possible, taking into account cases where there is rather a low risk that personal data will be the object of a measure of mass surveillance (of course there will be cases where that risk is higher) or of any other non-compliant third country governmental agency disclosure request.

3. What about personal data transfers to the US?

On 28 February 2023, the EDPB issued its opinion on the European Commission's draft adequacy decision relating to the EU-US Data Privacy Framework (DPF). The DPF is designed to replace the previous framework, known as the "Privacy Shield", which was struck down by the Court of Justice of the European Union (CJEU) on 16 July 2020 in the famous Schrems II case.

In essence, the CJEU identified several shortcomings in US national security legislation, allowing for far-reaching (i.e. not limited to what is strictly necessary and proportional) possibilities of surveillance by US authorities, which impede personal data protection and violate the GDPR. In particular, the CJEU found that US law did not provide data subjects with rights that could be enforced before an independent and impartial court against the US authorities.

This has a significant impact on US-based CSPs and their subsidiaries in Europe, which had to find a new way to legitimise their data transfers under Chapter V of the GDPR. Most of them have therefore opted for the use of the European Commission's standard contractual clauses (SCCs), which were updated as of 4 June 2021 as a result of the Schrems II ruling. However, to ensure that US legislation does not affect the level of protection afforded by the SCCs in a way that would render them ineffective, the data controllers concerned and the CSPs had to take additional supplementary measures (especially in terms of pseudonymisation and encryption) to accompany these clauses. As set forth above under 1., the EDPB and the national data protection authorities are quite pessimistic as to whether there can be supplementary measures that would be sufficient to stop US authorities from accessing data. The DPF is therefore a response to the deficiencies of the previous "Privacy Shield" and also to the lack of effective supplementary measures when SCCs are used.

As was the case before, the DPF will only apply to US organisations that have self-certified to the requirements of the framework. However, in contrast to the previous one, this new framework will be based on the additional safeguards laid down in Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence Activities (EO 14086), issued by the US President on 7 October 2022 following negotiations with the European Commission.

EO 14086's key innovations include:
- the introduction of the concepts of necessity and proportionality in the US intelligence legal framework in the form of a list of purposes for which data collection may or may not take place; as well as
- the establishment of an independent Data Protection Review Court (DPRC), which is empowered to hear complaints from EU individuals and to issue binding decisions to remedy covered violations (e.g. deletion of unlawfully collected data).

While the EDPB welcomes those "substantial improvements", it nevertheless expresses concerns regarding their effectiveness. Without going into details, the list of objectives for which a collection of data is allowed could be updated with additional and not necessarily public objectives in the light of new national security imperatives. As far as the DPRC is concerned, in order to avoid revealing whether or not the complainant was subject to US signals intelligence activities, the latter will simply be notified either that no covered violations were identified or that a determination requiring appropriate remediation was issued, this standard response not being subject to appeal. For this reason, the EDPB asks the European Commission to closely monitor the practical functioning of this mechanism.

There have, of course, been a number of other recommendations made to the European Commission with regard to the review of the adequacy decision. Some of them are similar to those formulated by the LIBE Committee of the European Parliament in its resolution of 14 February 2023 calling for the outright rejection of the draft DPF and the continuation of negotiations with the Commission's US counterparts. Even though the EDPB opinion sounded less dramatic than the LIBE Committee resolution, it is by no means certain that the DPF will be adopted in its current form in the near future or will stand the test in a potential Schrems III case. This means that US-based CSPs and their subsidiaries in the EU/EEA will have to continue to use another legal basis provided for in Chapter V of the GDPR, SCCs and supplementary measures in particular, for a while.

In light of the foregoing, there is no doubt that private and public sector actors need to pay particular attention to the choice of their CSPs, especially if these are subject to the law of a third country with extraterritorial effects such as US surveillance legislation. In this respect, public bodies should make the most of their advantage of being able to formulate their requirements in advance of the tendering process in order to ensure the compliance of their data processing with the GDPR, including with respect to international transfers.

Vincent WELLENS
Avocat à la Cour (Luxembourg) / Avocat (Bruxelles)
Partner, NautaDutilh Avocats Luxembourg S.à r.l.
vincent.wellens@nautadutilh.com

Antoine PETRONIN
Avocat (Luxembourg)
Associate, NautaDutilh Avocats Luxembourg S.à r.l.
antoine.petronin@nautadutilh.com
