Today we conclude our Guest Blog with Data Protection Expert, Owen Sayers. We look at the Supplementary Measures and what the EDPB think is needed to send personal data outside of the UK and EU.
3rd Country Legal Measures (United States)
So, let’s take a look at these measures and what the EDPB think is needed to send personal data outside of the UK & EU to countries like the US.
Before we jump straight into the measures themselves however, it’s important to consider the type of 3rdCountry legal measures we are trying to address, and we can use the United States as our example here (though the US is certainly not the only country where the domestic legal regime is a problem for exporting GDPR data).
The EDPB take the time to explain that all US data importers that fall under 50 USC § 1881a (FISA 702) – often called an Electronic Communication Service Provider (ECSP) and comprising a group that includes all US headquartered Cloud Service Providers, telecoms providers and many familiar companies like Facebook – are ‘under a direct obligation to grant access to or turn over imported personal data that are in their possession, custody or control. This may extend to any cryptographic keys necessary to render the data intelligible.’
What this means is that any data held by an ECSP – wherever it may be located in the world and whether its encrypted or not – must be disclosed to the US Government if its lawfully requested. That request may also require the ECSP not to inform the data subject or Controller of the data.
Because the legal powers of the US Government are so strong and have a global reach (sometimes referred to as an ‘extraterritorial effect’), the Supplementary Measures need to be equally strong.
The EDPB have explained their Technical Measures in the context of Use Cases – examples of the type of 3rdCountry processing a control may typically be applied to – and then considered if they are effective and what specific procedures are needed to be able to use them.
Without going into specific details (which you can find on the EDPB pages) services such as Microsoft’s M365, or most Software as a Service offerings on AWS, Google Cloud or Azure cannot be aligned to the EDPB supplementary Measures using Technical means alone.
The Contractual Obligations do have a broader potential applicability, but only where they can be added to contract in a manner that cannot be overridden by the 3rd Country laws you are trying to protect against. In most cases this means that contractual measures will not give the protection many customers expect; and even if they did, the changes required for most US Hyper-Cloud services would be so fundamental that they would need to extensively re-write their terms of service, which may be hard for them to do.
So, if the technical measures you can apply are limited in effect, and the contractual obligations you can add to contract may not be able to override the domestic legal regimes we need to address to meet the CJEU ruling then where do we actually stand today?
For most EU and UK Data Controllers, the position is simple to summarise, but may be hard to accept: US based Cloud and IT services are – in the main – not legally suitable for the processing of UK and EU Personal Data, and there are no clear measures on the horizon that will change that position.
How Nine23 Can Help?
If your organisation requires the processing of UK personal data our secure IT solutions and services are underpinned by our fully managed, Nine23 owned enterprise infrastructure, Platform FLEX.
Platform FLEX is a Hybrid Cloud which combines a private cloud with public cloud services, NCSC/GPG accredited to OFFICIAL-Sensitive and located in secure UK hosting locations to ensure data sovereignty.