2022 was a special year on many aspects. There is one field, however, that never disappoints. This is, of course, the GDPR field where in 2022, 830€ million fines were distributed. This is less however than in 2021 which was a record year for GDPR fines totaling over a billion euros1.
The record for the highest GDPR fine in 2022 goes to an American company, Meta, with several fines, €405 million 2, €210 million3, and €17 million4 by Irish authorities and a €60 million5 fine from the French Data Protection Authority. This is however still far from the Amazon Europe Core SARL fine from 2021 of 746 million of euros. 2023 started quite strongly with a 390€ million fines against Meta, announced on January the 4th, 2023. This only shows how crucial data protection is nowadays and how important it is for a business to be able to demonstrate compliance to the relevant legislation.
Data is now considered to be the gold, the oil, the fuel of the digital age on a constantly more and more competitive market where personal data creates the value of the business. Aspects of human life such as consumer behaviour, social and political orientation, money spending habits, health, lifestyle, etc, represents a value, generates money and constitutes a part of a company’s assets. Data has become an important commodity generating profits on its own, and data collection has become the main activity for numerus businesses. As any other asset of a company, personal data deserve to be handled correctly.
Why should you care about protecting personal data?
To understand we need to go back to why the GDPR was created. It was created to protect European's citizens data, to give rights to the data subject at a time where the data is a resource used by companies to make profit. The core idea is to protect the European citizens.
"The protection of natural persons in relation to the processing of personal data is a fundamental right. […] everyone has the right to the protection of personal data concerning him or her."
The GDPR sets up principles that must be respected when processing personal data, it is crucial that, whenever and wherever we are processing personal data, we keep these principles in mind:
Lawfulness, fairness, and transparency
It means we shouldn’t purposely withhold information about what or why we are collecting data and should not mishandle or misuse the data we collect. Transparency forces us to be clear, open, and honest with data subjects (natural persons whose personal data are processed).
The second big GDPR principle is purpose limitation
This purpose limitation means data is “collected for specified, explicit, and legitimate purposes” only, as stated in the GDPR. Your purposes for processing data must be clearly established and they must also be clearly communicated to individuals.
The third one is Data minimisation
You need to collect only what you need to fulfil the purpose (explained here above). You cannot collect personal data if it is not necessary for the established purpose.
You also have a duty regarding integrity and confidentiality of the personal data you processed
The GDPR requires that we maintain the integrity and confidentiality of the data we collect, essentially keeping it secure from internal or external threats. This takes planning and proactive diligence. You must protect data from unauthorised or unlawful processing and accidental loss, destruction, or damage.
But it also means that it is strictly forbidden to process person data in a country or in a set up that does not ensure Europeans citizens' rights:
- Right of access: They have the right to access the information we process about them.
- Right of rectification: They have the right to correct information about them and to have incomplete information about themselves supplemented.
- Right to deletion: In some cases, they have the right to have information about themselves deleted. For example, when the information is no longer necessary to fulfil the purposes for which it was collected or processed, or if the processing of the data is unlawful.
- Right to restriction: In some cases, they have the right to have the processing of their personal data restricted.
- Right to object: They have the right at any time to object to a processing of their personal data.
- Right to data portability: In some cases, they have the right to receive the personal data they have provided.
- Right to withdraw consent: They have the right to withdraw consent at any time for the processing of their personal data.
- Right to submit a complaint: To the relevant Authority for Privacy Protection.
The GDPR, wanting to protect and ensure European citizens’ rights, forbids any transfer to a third country that does not offer the same level of protection.
Transferring personal data to a country that does not respect the above-mentioned principles and rights can be extremely costly. In the spring of 2021, the Spanish Data Protection Authority (“DPA”) announced a fine of EUR 8,125,000, including EUR 2,000,000 related to unlawful transfer of personal data6. A telecom operator was transferring personal data to a processor outside of the EEA/EA, in Peru, and the agreement with this processor did not include reference to any transfer mechanism under the GDPR. As such, the transfer did not ensure an adequate level of protection for the personal data.
Can you transfer personal data outside of EU/EEA?
The GDPR in its article 44 provides that a transfer of personal data to a non-EEA country is only allowed if the conditions laid by the GDPR is complied with. A transfer of data can occur when:
- The Commission has decided that the third country ensures an adequate level of protection. This is more commonly known as an Adequacy Decision.
- The controller or processor has provided appropriate safeguards. The most common one being the standard data protection clauses adopted by the Commission (Standard Contractual Clauses, “SCC”);
- Outside of these two previous cases, it is possible to transfer personal data to a third country only when the data subject has explicitly consented to the transfer.
The SCCs are the most common tool used to transfer personal data to a third country. However, recent developments informed us that it is not sufficient anymore.
The specific case of the US
Up until July 16th 2020, the transfer of personal data to the US was relying on the Adequacy Decision on the EU-US Privacy Shield which was adopted on 12 July 2016 and allowed the free transfer of data to companies certified in the US under the Privacy Shield.
In summary, Maximillian Schrems, an Austrian privacy activist, brought a complaint against the Irish Data Protection Authorithy (“DPA”), arguing that the US does not provide sufficient security and mechanisms to protect transferred personal data. In Schrems’ case, the privacy data related to his personal Facebook data, which he claimed Facebook Ireland transfers and processes on servers of Facebook Inc., based in the US. These transfers between Facebook Ireland and Facebook Inc. took place relying on the SCCs. Schrems claimed that the SCCs do not provide an “adequate” level of protection, as US legislation does not explicitly limit interference with an individual’s right to protection of personal data in the same way as EU data protection law, i.e. the intrusive nature of US surveillance activities. In its judgment of 16 July 2020 (Case C-311/18), the Court of Justice of the European Union (CJEU) invalidated the adequacy decision. The EU-US Privacy Shield is therefore no longer a valid mechanism to transfer personal data from the European Union to the United States.
This judgement shook the entire planet as more than 4,000 US-based companies were relying on the EU-US Privacy Shield. This decision was very sudden, and overnight all transfers to the US relying on the Privacy Shield became illegal. A year later and a half later, let’s dive into what happened.
The CJEU’s judgment regarding the validity of SCCs was that they provide sufficient protection for EU personal data to be transferred to third countries (including the US). However, it was noted that any EU organisation relying on them is obliged, prior to any transfer, to adopt a proactive role to ensure there is an “adequate” level of protection for personal data in the respective third country. The CJEU also added that organisations may implement additional safeguards, over and above those contained in the SCCs, to ensure the adequacy of the protection conferred by the SCCs. When a data importer is unable to comply with the SCCs, and there are no additional safeguards in place to guarantee the necessary level of protection, there is a requirement on the EU data exporter to suspend the transfer of data and/or terminate the contract.
The key reason behind this decision is the intrusive nature of the surveillance programs undertaken by the US government and intelligence agencies allowed by Section 702 of FISA (Foreign Intelligence Surveillance Act) and Executive Order 12333 (which sanctions bulk collection of personal data not limited to information that is “strictly necessary” and is, therefore, viewed as disproportionate under the GDPR). The CJEU highlighted the lack of redress EU citizens have in the US under the Privacy Shield.
Due to this judgement, European data controllers and processors find themselves in legal uncertainty. Most of them have business partners or service providers located in the US and such business relations often require the exchange of personal data. Many US service providers, which were operating under the EU-US Privacy Shield certification, have promptly switched to SCCs, informing their clients that this would be a reliable and valid alternative to the Privacy Shield.
It is possible to understand why businesses would choose to blindly accept that the SCCs are sufficient to ensure a safe transfer. It is, of course, way easier to put in place than to replace all US-based service providers. Moreover, as the CJEU did not declare the SCCs invalid, one could indeed believe that one could simply switch the legal instrument.
The CJEU, however, makes the validity of the SCCs depending on whether such SCCs are coupled with additional mechanisms ensuring an appropriate level of protection (such as encryption).
A case taking place in Germany regarding Mailchimp can illustrate that. In this case, the controller used the service Mailchimp, a service for email newsletters, provided by a company based in the US7. The Data transfers were made based on the SCCs but without the controller having performed a transfer impact assessment or ensured that supplementary measures were in place prior to the transfer. The DPA decided that the transfer was not lawful under the GDPR.
Using a US-based service provider without assessing the situation and implementing the appropriate safeguards is therefore illegal.
Summing up, if the transfer of personal data into the US is based on the SCCs concluded without any further amending measures, risk assessments etc., it will most likely not be sufficient and the European data protection authorities will most likely suspend or prohibit such transfer, probably accompanied by issuing fines for the infringement of the GDPR.
According to the European Data Protection Board, the initial transfer impact assessment will determine that either an adequate level of protection exists and data transfer is possible or that there is no adequate level of protection. In the latter case, the data transfer must either be stopped or effective additional measures must be taken.
Following the decision in the Schrems II ruling, NOYB (“None of Your Business”, a non-profit organisation focusing on privacy), launched 101 complaints throughout the EU to entities using Google Analytics. The Austrian Data Protection Authority has decided in January 2022 that the continuous use of Google Analytics violates the GDPR8. This is the first decision on the 101 model complaints filed by NOYB in the wake of the so-called "Schrems II" decision.
Google Analytics is the most common statistics program. While there are many alternatives that are hosted in Europe or can be self-hosted, many websites rely on Google and thereby forward their user data to the US multinational. The fact that data protection authorities may now gradually declare US services illegal, puts additional pressure on EU companies and US providers to move towards safe and legal options, like hosting outside of the US. A similar decision on EU-US transfers was reached by the European Data Protection Supervisor (EDPS) a week earlier.
Additionally, Ekot (part of the National Swedish Radio) investigated almost 500 websites owned by government organisations and their use of the Google Analytics. Ekot concluded that more than 150 websites transferred personal data (in the form of IP addresses) to Google without informing the website visitor of the transfer9. The review resulted in several data breach notifications to the Swedish DPA.
In September 2021, the Swedish Tax Agency and the Swedish Enforcement Authority recently concluded, following a detailed assessment of Microsoft Teams, that the agencies are prevented from moving from Skype on-prem solution to a cloud-based Teams solution because of the amount of data that would be disclosed to Microsoft and the lack of additional measures to prevent such disclosure, which, according to the agencies’ assessment, would be in violation of the Swedish secrecy legislation as well as GDPR10.
In March 2022, the EU and US agreed “in principle” to new trans-Atlantic data agreement that will include a new Executive Order. However, Maximilian Schrems let people know that he will not hesitate to challenge the new deal in court if it is still not in compliance with the GDPR principles “In the end […] the Court of Justice will decide a third time”11.
On February 28, 2023, the European Data Protection Board (“EDPB”) issued its Opinion on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework (the “Opinion”). In the Opinion, the EDPB recognized substantial improvements in the proposed EU-U.S. Data Privacy Framework (“DPF”) when compared to Privacy Shield. However, a number of aspects of the DPF need to be clarified, developed or further detailed.
One point that still needs to be addressed is the fact that the Data Privacy Framework does not introduce a requirement for prior authorisation by an independent authority for bulk collection of data. Safeguards in this context may be insufficient.
Overall, The effectiveness of the Executive Order will depend on the adoption of policies and procedures for its implementation by U.S. Intelligence Agencies. The EDPB believes that both the adoption and entry into force of the DPF should be made conditional on the adoption of said policies and procedures. We are therefore still far from an actually protecting legislation in the US regarding personal data12.
What are the risks of transferring personal data to a third country?
You may have heard of the Facebook Cambridge Analytica scandal. This is a perfect illustration of the value of personal data and how vital it is to protect them.
In 2013, it was publicly revealed that Facebook gave access to a third-party app, Cambridge Analytica, to harvest personal data without the user’s consent. Cambridge Analytica, a British political consulting firm, obtained access to a database with personal data from 87 million Facebook. They took advantage of a Facebook privacy breach and legally obtained consent from 200,000 users to access their personal data. These data were utilised for political analysis and Facebook advertisement in support of political campaigns. This was done to manipulate the public opinion towards specific electoral candidates.
This incident illustrates the danger of leaving any organisation with an extensive access to personal data. They can be used in some many risky ways. In this specific case, it has been proven that personal data has been harvested to influence public political opinion. Therefore, the question we should ask ourselves is, why would we let foreign powers harvest, use and exploit our citizen’s personal data? Nowadays, information is power and it seems foolish to think that a foreign power would not try to use that power and take advantage of any personal data available.
Following several complaints relating to use by the Portuguese National Institute for Statistics of a US service, the Portuguese DPA declared that the transfer of personal data to the US was not made in accordance with the GDPR and ordered the institute to suspend all transfers within only a 12-hour period from the issuance of the decision13. The decision that the transfer was unlawful was mainly because the importer of the personal data (Cloudflare) was subject to the US surveillance laws mentioned above, which obligated the provider to allow the US authorities access to the personal data upon request.
What we can understand from the several cases above is that people’s confidence in companies to protect their privacy has been recurrently undermined by these type of incidents, with serious impact in credibility and trust in the digital economy. We cannot expect that such digital field companies will proactively revert this situation by regulating themselves putting an end to a situation that ultimately generates huge profits for them. Immediately after this incident, Facebook lost US $80 billion in market value (ca. 18% depreciation in stock price) followed by other social media giants Google (ca. 7%) and Twitter (ca. 20%).
The business necessity of processing personal data inside of Europe
Creating trust online is a fundamental challenge to ensuring that the opportunities emerging in the information economy can be fully leveraged. Studies show that consumers are increasingly concerned about how their personal data are collected and used.
In 2014, approximately $30 trillion worth of goods, services and finance was transferred across borders. Around 12 percent of international trade in goods has been estimated to occur through global e-commerce platforms like Alibaba and Amazon.
As stated earlier, one of the main principles when processing personal data is the need to have a legitimate reason for any processing activity. The obligations concerning the quality of the personal data being processed is another core principle, requiring that data are accurate, complete and kept up-to-date. Compliance with this principle should be mutually beneficial to both the data subject of the processing and the controller/processor.
While the need to control cross-border flows of data for privacy purposes is clear, the application of such controls in an increasingly interconnected world is very challenging. New technologies developments, such as cloud services, are making things even more complex, with processing entities not necessarily aware about where data are located. Data protection is an increasingly important field, mostly due to the expansion of the digital/information economy. As more business models and practices move onto the digital platform and data becomes increasingly shared and exchanged on an international scale, its relationship to international trade intensifies. One of the most essential thing one can do is to map all the data transfers happening inside an organisation, even though it might seem difficult.
The Computer and Communications Industry Association (CCIA) summarises the impact of data protection on digital trade as follows: “With the growth of digital flows and e-commerce have come concerns about the protection of personal data, and the security of digital transactions and content. These concerns are not just shared by consumers. Protection of data is at the core of the Internet’s sustained growth as a platform for expression and trade in goods and services. In fact, the lifeblood of Internet-based industry—which today has grown to include a substantial component of all industries—is the trust that global Internet users have in online platforms.”
Cloud services do not present unique issues in data protection, but they do add to the complexity of existing issues, especially in relation to cross-border data transfers. The issue of cloud computing and cross-border data transfers is closely linked to the issue of surveillance (discussed in more detail above), since cloud services provided by private sector organisations have become a mechanism for accessing personal data by national security agencies.
The data processing policies and practices of two of the world’s largest software companies, Salesforce and Oracle, will come under scrutiny in the High Court of England and Wales in the biggest digital privacy class action lawsuit ever filed.
Two major US-based companies, Oracle and Salesforce, which use third-party cookies to track, monitor and collect online browsing data and auction it to advertising platforms, were subject to a claim. Claimant were seeking damages that have been estimated more than £10 billion. As one of the claimants said:
“The data these companies are compiling on ordinary citizens is terrifying. With their tracking technologies in use across the most popular websites, it is hard to escape from their data collection14.”
The claim has been dismissed in January 2022 for not collecting the Dutch citizens claimant’s identity safely, but the root of the issue is still relevant15.
Now you understand why you should not transfer personal data outside of EEA without appropriate safeguards ensuring an adequate level of protection.
The recent development in this field shows that privacy in the EU is a matter of a fundamental right, which needs to be taken seriously. This area will continue to evolve in the coming years, and it is the key for organisations to ensure that GDPR compliance matters are reviewed and addressed on a continuous basis. The development also indicates that companies taking privacy matters seriously will be rewarded in the long run by earning goodwill and trust from its customers.
Given the significant amount of data that flow between the EEA/EU, companies transferring personal data outside the European Union are now struggling to ensure that future transfers are compliant. The US and the EU might reach a new agreement for the transfer of personal data to the US. The US might soon have a new Adequacy Decision. But for how long? The International Safe Harbor Privacy Principles lasted until 2015. The Privacy Shield until 2020. How long will the next decision lasts?
Today, most organisations continue to treat their data as overhead, a cost of doing business, or, worse, a necessary evil and underestimate how important it is to respect the principles set by the GDPR. While everybody agrees that good, clean data is a must have, many organisations do little to nothing to remedy their data misalignment. They do not perform the necessary analysis when choosing a supplier, and do not consider the use that is going to be made of theirs and their customers’ personal data. They might often choose an economic approach and choose a cheaper US-based supplier, ignoring the illegality of the potential personal data transfers occurring, and forgetting the huge fines they can face in case of breach of the GDPR.
Considering that even the simplest attribute of customer data is collected and managed across data silos, re-used for myriad processes, and re-purposed in supporting applications with human and robotic manipulation, why wouldn’t they want to value their data as much as their trademarks? The collection and analysis of personal data is not only important for businesses but for society in general. While the benefits from collecting and analysing personal data are evident for a large number of organisations, various interests recurrently challenge its protection.
Customers have an increased understanding about the importance of privacy and want to know how their information and is being used and protected. This new era of privacy has huge benefits. As businesses learn to extract value from and utilise data at a deeper level, it is essential for companies to be extremely conscientious about protecting personal information. For any organisation, respecting consumers’ privacy is a smart strategy for inspiring trust and enhancing reputation and growth.
On the internet, the personal data users give away for free is transformed into a precious good. The puppy photos people upload train machines to be smarter and their location histories tell investors which stores attract the most shoppers. Even seemingly benign activities, like staying in and watching a movie, generates mountains of information, treasure to be used later by businesses of all kinds.
The information data brokers collect may be inaccurate or out of date. Still, it can be incredibly valuable to corporations, marketers, investors, and individuals. In fact, American companies alone are estimated to have spent over $19 billion in 2018 acquiring and analysing consumer data, according to the Interactive Advertising Bureau.
Whether data is fabricated by computers or created by real people, one of the biggest concerns will be how it is analysed. It matters not just what information is collected but also what inferences and predictions are made based upon it.
Before we can figure out the future of personal data collection, we need to learn more about its present. All of the privacy scandals that have come to light in recent years—from Cambridge Analytica to Google Analytics - have demonstrated that users still don’t know all the ways their information is being sold, traded, and shared, and the fact that so many companies still use US-based companies indicates that they haven’t completely understood the dangers of transferring personal data to countries that do not ensure European citizen’s rights.
Why not choose a European based supplier to handle your personal data? Book a demo with us to find out more!
 Data compatibilized by Atlas VPN