In the wake of the European Commission’s adequacy decision in July 2023, relying on the Data Privacy Framework, it is natural for organisations in the EU to ask whether they have been given the green light to use US cloud services.
In this report we analyse what the adequacy decision really means and does not mean.
We focus in particular on the situation where a business considers allowing a cloud service provider to handle personal data within the EU, which is to say without third country transfers to the United States. The adequacy decision and the Data Privacy Framework are not used in such a case, while the GDPR sets out specific requirements to prevent access by authorities in third countries to personal data in the EU.
We also review some of the changes on the US side that prompted the adequacy decision. In particular, we highlight parts of Executive Order 14086 (EO 14086) and the regulations of the new review body called the "Data Protection Review Court" (DPRC).
Our hope is that the report will support organisations in determining which cloud service providers they can rely on. This is relevant both when an organisation buys cloud infrastructure (IaaS) and when an organisation considers using a SaaS or PaaS provider which in turn uses underlying cloud infrastructure.
There are, of course, a number of legal and appropriateness factors to consider when using cloud services, in addition to what is covered in this report.
Arman Borghem, LL.M., Regulatory and Compliance Advisor at Cleura
Note: this report is also available in Swedish.
Introduction and summary
In July 2023, the European Commission issued an adequacy decision based on the Data Privacy Framework. Many organisations in the EU are therefore asking themselves whether they have the green light to use US cloud service providers.
We believe that the answer remains no.
To begin with, we expect the Court of Justice of the European Union to annul the new adequacy decision within 2–3 years. Some reasons for this are discussed below in the section Executive Order 14086 and the Data Protection Review Court. For this reason alone, we believe that it would be a strategic mistake to rely on the adequacy decision for digital investments of any importance.
However, this report focuses on a more important issue than the fate of the adequacy decision.
The report analyses what the adequacy decision can – and in particular cannot – be used for.
Particular focus is devoted to what applies when a controller processes personal data with a cloud service provider’s servers entirely within the EU. In such a case the adequacy decision does not apply, as it is not used for any third country transfers. At the same time, US surveillance laws can make it possible for US authorities to access the data in the EU, if it is processed by an American cloud service provider. We highlight the requirements set out by the GDPR to protect personal data from such access.
With this report, we hope to clear up some questions and prevent misunderstandings.
The European Commission’s adequacy decision does not constitute any kind of general approval to use US cloud service providers. The adequacy decision only allows the transfer of personal data from the EU to recipients in the US which have self-certified that they follow the principles of the Data Privacy Framework and have been included in the US Department of Commerce’s list.
An organisation in the EU can thus use the adequacy decision to transfer personal data from the EU to an approved recipient in the United States. However, the adequacy decision does not give a green light for organisations to use US cloud service providers to manage personal data in the EU.
Most EU businesses will continue to handle personal data in the EU. The reasons may, for example, be legal or related to what is appropriate. Latency to data centres in the EU may also be lower than to data centres on the other side of the Atlantic. There is even a trend where US cloud service providers at least partially offer data localisation within the EU. Thus, when processing personal data only within the EU, the adequacy decision does not apply.
However, the question of access by US authorities to data processed by US cloud service providers in the EU remains. What does union law say about protecting personal data from such third country access? Which cloud service providers can an organisation rely on?
Organisations must ensure the level of protection of personal data required by the EU Charter of Fundamental Rights and the GDPR. In this context it is important to understand the obligations US cloud service providers are subject to under US law, and whether these obligations conflict with union law.
As we argue in our report comparing US and European surveillance legislation and fundamental rights (available in Swedish), a reasonable starting point is that US intelligence collection laws, especially FISA 702, allow US authorities to force US cloud service providers to disclose data regardless of whether the cloud service provider handles the data on servers in the EU. This is called extraterritorial legislation: legislation in a third country (e.g. the United States) which claims to regulate the processing of personal data on EU territory.
The GDPR provides clear safeguards against such extraterritorial legislation.
When an organisation in the EU intends to allow a cloud service provider to process personal data on behalf of the organisation, the parties must enter into a data processing agreement. The data processing agreement must state that the cloud service provider may only process personal data in accordance with the instructions from the controller. There is but one exception where the cloud service provider may deviate from these instructions, for example to disclose personal data to a government authority. The exception only applies if union law or the national law of an EU/EEA member state requires this of the provider. This is clear from Article 28(3)(a) GDPR.
Similarly, requirements for security mean that processors shall take steps to ensure that their staff do not deviate from the instructions of the controller (for example, to disclose information to an authority) unless union law or the national law of an EU/EEA member state requires them to do so. This is clear from Article 32(4) GDPR.
US surveillance laws such as FISA 702 are neither union law nor the national law of an EU/EEA member state. At the same time, surveillance laws may force US cloud service providers to disclose information in the EU while deviating from the controller’s instructions. These cloud service providers also state that they have clear procedures for how to comply with compelled disclosures valid under US law. Thus, these cloud service providers ensure that they will deviate from the controller’s instructions in order to carry out such disclosures.
We believe that this shows, in principle, that US cloud service providers cannot meet the requirements of Article 28(3)(a) and 32(4) GDPR.
Nor can the adequacy decision be used as a basis for transfers from the EU to US intelligence services in the United States. The adequacy decision can only be used for transfers to recipients in the United States who have self-certified themselves under the Data Privacy Framework. US intelligence agencies have not done so, and are not expected to.
If a cloud service provider discloses personal data when compelled to by a government authority, the cloud service provider no longer acts according to its customer’s instructions, but instead becomes the controller for the disclosure. All processing of personal data must have a legal basis in the GDPR and the question then becomes what legal basis a cloud service provider can use.
We believe that the only possible legal basis for a cloud service provider’s disclosure to an authority is in Article 6(1)(c) GDPR, since the disclosure is necessary for the cloud service provider to fulfil a legal obligation. The legal obligation of the cloud service provider is the obligation to carry out the authority’s decision that the information must be disclosed.
The problem for US cloud service providers is that such a legal obligation must be established in union law or the national law of an EU/EEA member state. This is clear from Article 6(3) GDPR. As noted, US surveillance laws such as FISA 702 are neither union law nor the national law of an EU/EEA member state. The adequacy decision cannot be used either; US intelligence agencies are not covered by the Data Privacy Framework and are not approved recipients. Thus, such disclosures cannot be carried out in accordance with the GDPR – there is no legal basis.
However, the GDPR provides a legal avenue for cloud service providers to disclose personal data in the EU to third country (for example, US) authorities. A possible basis in union law is clarified in Article 48 GDPR. The solution is an international agreement between the EU and the third country in question. However, an adequacy decision is not an international agreement. It is a unilateral decision by the European Commission, which does not aim to regulate extraterritorial access by US authorities to data in the EU. Article 48 cannot therefore be used.
Because US cloud service providers ensure that they can carry out disclosures that are valid under US law but violate the EU legal order, rather than prevent such disclosures, we argue that they do not provide the guarantees required by processors of personal data under Article 28(1) GDPR. We cover this in the section GDPR guarantees when using cloud service providers. In the section CJEU jurisprudence and the view on risk we describe how the EU court’s jurisprudence can be seen as supporting this conclusion.
The provisions of the GDPR that we have touched on are not affected by the adequacy decision and, in essence, not by an assessment of the rule of law in the United States.
In the section Executive Order 14086 and the Data Protection Review Court we still consider why the executive order and the new review body are insufficient to meet the requirements of EU law for third country transfers. This section is primarily relevant to organisations considering if they can rely on the adequacy decision for their own transfers, and want a better understanding of the likelihood that the adequacy decision survives the scrutiny of the Court of Justice of the European Union.
In the section Real-life examples of US surveillance we provide both historic and modern examples of US government violations and lack of due process when it comes to surveillance.
In the section Encryption and similar measures we look at why encryption in the cloud, and similar measures, rarely provide the protection against disclosures to third country authorities that many organisations hope for.
The conclusion is that cloud services with real data sovereignty, without exposure to US law, continue to be the most attractive alternative.
The adequacy decision does not allow third country transfers to US intelligence agencies
The European Commission’s July 2023 adequacy decision only allows transfers of personal data from the EU to recipients in the United States who have self-certified that they follow the principles of the Data Privacy Framework, have reported this to the US Department of Commerce and been included on a special list.[1] The adequacy decision does not allow transfers to the United States in general.[2]
NSA and other US intelligence agencies are not self-certified recipients. Thus, they are not included in the list of approved organisations and are not expected to be added either.
In addition, an adequacy decision in and of itself does not require a transfer of personal data. As we will expand on later, it therefore does not by itself provide grounds for a valid legal basis to disclose personal data in the EU to third country authorities.
The above means that the adequacy decision cannot be used to transfer personal data from the EU to US intelligence agencies in the United States.
At the same time, most EU businesses want to handle personal data in the EU. This may be because the latency is shorter to data centres in the EU than on the other side of the Atlantic, for regulatory reasons or because the alternatives would not be appropriate. US cloud service providers are also increasingly offering data location within the EU.
The question then is what applies when an organisation intends to handle personal data in data centres located in the EU. Which cloud service providers can they actually use?
Here, organisations need to keep in mind that US cloud service providers are subject to rules that may force them to give US authorities access to data in the EU. At the same time, union law has rules that in principle prohibit such transfers from the EU to third country authorities.
The adequacy decision does not make a difference in these situations.
The level of protection in the EU applies regardless of the adequacy decision
Introduction
A controller in the EU must ensure that its processing of personal data meets the level of protection required by the EU Charter and the GDPR. EU rules such as the EU Charter and GDPR are commonly called union law.
Union law applies to processing of personal data that takes place entirely on servers within the EU, that is, when the adequacy decision is not used for any transfers of personal data to the United States. Union law then regulates, among other things, how personal data in the EU must be protected against access from authorities in third countries.
Therefore, in order for a controller to determine whether it can use a cloud service provider in the EU to process personal data, the organisation first needs to understand the meaning of the level of protection of union law. What are the requirements for the level of protection when the organisation intends to use a cloud service provider, especially in relation to third country legislation?
Protection of the EU Charter
The level of protection of union law means that personal data must be processed fairly for specified purposes and with a legitimate and legal basis (Article 8 of the EU Charter).
In addition, the following applies:
- the right of access to personal data collected,
- the right to rectify incorrect personal data,
- that compliance with the rules is subject to control by an independent authority; and
- the right to independent and impartial judicial review for those whose rights have been violated.
These points have a kind of constitutional status as they are laid down in the Charter of Fundamental Rights of the European Union (EU Charter, Articles 8 and 47). The GDPR makes these and other rights more concrete and should be read in the light of the EU Charter.
The right to judicial review (or effective remedy as it is also called) is particularly important. That right is crucial for a person to be able to have an independent examination of whether the person’s other rights have been violated. The Court of Justice of the European Union (CJEU) has repeatedly held that this is an inherent requirement for the rule of law:
According to settled case-law, the very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law. Thus, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the [EU Charter] (C-311/18 Schrems II, para. 187)
It is therefore particularly important that a controller ensures this right so that it is not undermined as a result of the choice of cloud service provider.
The EU Charter’s fundamental rights are not absolute, meaning they can be restricted. For example, during a legitimate, ongoing intelligence operation, it may be reasonable not to grant access to the personal data collected.
However, any such restriction on a fundamental right must meet certain requirements of the EU Charter. Among other things, the scope of the restriction must be clearly stated in law. The CJEU has in several cases clarified the limits that make a restriction acceptable. The legislation that sets out a limitation of rights must meet requirements for clarity and precision. One purpose is for the legislation to be able to give effective protection against the risks of abuse.
A restriction of rights must not go beyond what is strictly necessary to fulfil the purpose of the restriction. Legislation interfering with rights must itself contain clear and precise provisions regulating the scope and application of the interference and laying down minimum requirements, so that the persons whose data are transferred have sufficient guarantees to enable their personal data to be effectively protected against the risk of abuse. In particular, the legislation must specify the circumstances and conditions under which a measure for processing personal data may be taken, ensuring that the interference is limited to what is strictly necessary.[3]
It is sometimes argued that while US law allows for extensive intelligence gathering, contrary to the requirements of the EU Charter, the legislation is not used in such a comprehensive way in practice. However, this is not to the legislation’s advantage – on the contrary.
US legislation such as section 702 of the Foreign Intelligence Surveillance Act (FISA 702) allows for a more comprehensive collection than is justified, and the CJEU has ruled that the legislation does not provide an effective protection against the risks of abuse.[4]
The record also shows that the activities of US authorities are accompanied by violations and lack of due process both historically and more recently, which we return to in the section Real-life examples of US surveillance.
Our assessment is also that any restrictions imposed by executive orders, or government regulations internal to the executive branch, are not capable of addressing these shortcomings, since the CJEU states that it is the legislation that limits rights which must itself establish the minimum requirements that enable effective protection against the risks of abuse.[5]
The shortcomings in US law, and the reasons why the changes in the US are insufficient, are elaborated on in the section Executive Order 14086 and the Data Protection Review Court. For further reading, also see our report comparing US and European surveillance legislation and fundamental rights (currently available in Swedish).
In this section we have explained some aspects of the EU Charter’s requirements for protecting fundamental rights. Organisations that cannot guarantee this protection of rights cannot meet the requirements of union law.
We believe that several of the rights enshrined in the EU Charter are undermined if an organisation allows personal data in the EU to be exposed to US law that takes precedence over union law. This is normally the case when a US cloud service provider is allowed to handle personal data in the EU.
The preconditions to disclose personal data to government authorities are regulated in more detail in the GDPR. There, it is clear that a disclosure is only allowed if the disclosure has a basis in union law or the national law of an EU/EEA member state. Thus, third country legislation is not allowed to come into play. This is discussed in the next section.
GDPR protection against access from third countries
When the processor may deviate from its instructions
When an organisation in the EU intends to let a cloud service provider process personal data on behalf of the organisation, the parties must enter into a data processing agreement. Through the data processing agreement, the controller (customer) gives instructions to the processor (cloud service provider) on how to process the personal data so that the controller achieves its purposes of the processing.
The data processing agreement must state that the cloud service provider may only process personal data on the instructions of the controller, including regarding third country transfers. Thus, without instructions from its customer, the processor (cloud service provider) cannot process personal data for its own or others’ purposes, including to carry out third country transfers. The only exception, where the cloud service provider may still, for example, disclose personal data while deviating from the controller’s instructions, is if union law or the national law of an EU/EEA member state requires the processor to do so. This is clear from Article 28(3)(a) GDPR.
Similarly, the requirements for security of personal data mean that processors must take steps to ensure that their staff do not deviate from the instructions of the controller unless union law or the national law of an EU/EEA member state requires them to do so. This is clear from Article 32(4) GDPR.
US intelligence gathering laws such as FISA 702 are neither union law nor the national law of an EU/EEA member state. At the same time, surveillance laws may force US cloud service providers to disclose information they process in the EU, thus deviating from the controller’s instructions. It can also be noted that Article 28(3)(a) and 32(4) do not provide for exceptions for third countries with laws that fulfil requirements for due process. Thus, when deviations from the controller’s instructions require a basis in union law or the national law of an EU/EEA member state, this applies without exceptions for third countries whose laws meet a certain standard.
As we noted in the section The adequacy decision does not allow third country transfers to US intelligence agencies, neither can the adequacy decision be used as the basis for these disclosures. The adequacy decision can only be used for transfers to self-certified recipients in the United States, and US intelligence agencies are not self-certified. In addition, an adequacy decision in and of itself does not require a transfer of personal data. Article 28(3)(a) and 32(4) only make exceptions for disclosures required under union law or the national law of an EU/EEA member state.
Legal basis for disclosures to authorities
When a cloud service provider discloses personal information at the request of an authority, the cloud service provider no longer acts according to its customer’s instructions, but becomes the controller for the disclosure. All processing of personal data must have a legal basis in the GDPR and the question then becomes what legal basis a cloud service provider can use. Without a valid legal basis, the disclosure cannot fulfil the GDPR.
The CJEU has ruled that a private actor’s sharing of information with law-enforcement authorities to prevent, detect and prosecute criminal offences is an objective which in principle is not capable of being a legitimate interest pursued by the company under Article 6(1)(f) GDPR. The court also noted that the objective in question was unrelated to the company’s economic and financial activity.
The CJEU instead points to the legal basis of compliance with a legal obligation to which the controller is subject under Article 6(1)(c) GDPR.[6] Based on the court’s reasoning, we consider that the same legal basis becomes relevant for a cloud service provider’s disclosures to intelligence agencies.
The legal obligation that the controller (the cloud service provider) is subject to under Article 6(1)(c) GDPR must in turn be established in union law or the national law of an EU/EEA member state to which the controller is subject. This is clear from Article 6(3) GDPR.
US intelligence gathering laws such as FISA 702 are not union law nor the national law of an EU/EEA member state. Therefore, US cloud service providers do not appear to be able to rely on any legal basis in the GDPR for disclosures to US authorities under these surveillance laws. As we noted in the section The adequacy decision does not allow third country transfers to US intelligence agencies, the adequacy decision cannot be used either.
Disclosures to third country authorities require an international agreement
Article 48 GDPR provides a basis for cloud service providers to carry out decisions under third country law, but only if the decision has a basis in an international agreement between the third country and the EU or an EU/EEA member state.
The adequacy decision is not such an international agreement, as we will discuss in the next section.
Article 48 states in its entirety:
Transfers or disclosures not authorised by Union law
Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.
If a controller or processor receives a decision requiring it to transfer or disclose personal data to the authorities in a third country, the decision may thus under Article 48:
- only
- be recognised or enforceable[7]
- in any manner
- if based on an international agreement.
Here we note the strict wording of Article 48, which is confirmed by how recital 115 of the GDPR spells out the EU legislature’s aversion to extraterritorial legislation.
Article 48 does not prejudice other grounds for third country transfers, but we believe that the prerequisites are not met on those other grounds either. The adequacy decision, which relies on Article 45, cannot be used because the NSA and other US intelligence agencies are not self-certified recipients. We also do not expect US intelligence agencies to enter into standard contractual clauses with US cloud service providers or to participate in using other transfer tools under Article 46. Finally, we believe that it is in principle not possible to rely on Article 49 in this context[8], partly because a cloud service provider is normally not informed about the circumstances behind each disclosure it is compelled to perform under, for example, FISA 702.
Thus, without an applicable international agreement as a basis, US cloud service providers are prevented from transferring personal data to third countries based on decisions from third-country authorities.
Microsoft’s President Brad Smith is one of the people who has stressed the need for international agreements between the US and the EU, as a solution to the problem of unilateral extraterritorial access to data in the EU.[9]
The adequacy decision is not a basis in union law, the national law of an EU member state or an international agreement – for disclosures to third country authorities
As we noted in the section The adequacy decision does not allow third country transfers to US intelligence agencies, the adequacy decision only enables third country transfers to self-certified recipients in the United States that are on the US Department of Commerce’s list. US intelligence agencies such as the NSA were never self-certified under the two previous frameworks Safe Harbour and Privacy Shield. Nor are they expected to self-certify under the Data Privacy Framework.
The adequacy decision neither requires nor enables third country transfers from an organisation in the EU to US intelligence agencies. Thus, the adequacy decision is not a basis in union law or the national law of an EU/EEA member state that can be used for disclosures that deviate from the controller’s instructions pursuant to Article 28(3)(a) or 32(4), or as a legal obligation under Article 6(1)(c) and 6(3).
Although there is sometimes talk of a "data transfer agreement" or "data pact", the adequacy decision is not in itself an international agreement. It is a unilateral decision by the European Commission, which does not aim to regulate access from intelligence services in the United States to data in the EU. FISA 702, the US President’s EO 14086 and the DPRC regulations are also one-sided and do not constitute international agreements. None of these instruments is thus an international agreement that can be used for third country transfers under Article 48.
GDPR guarantees when using cloud service providers
We have so far established that, for a number of reasons, US cloud service providers lack legal prerequisites in the GDPR to disclose personal data they handle in the EU to US authorities. At the same time, US cloud service providers state that they take great care when ensuring the fulfilment of their obligation to disclose data to US authorities. As we have noted earlier, this is the opposite of what they are obliged to ensure under the GDPR. What consequences does this have for an organisation considering hiring such a cloud service provider?
Article 24 of the GDPR describes the controller’s responsibility – regardless of whether a processor is used. The provision requires appropriate technical and organisational measures to ensure and be able to demonstrate that processing of personal data is performed in accordance with the GDPR.
This responsibility continues when a controller uses a processor, such as a cloud service provider. The controller shall, in accordance with Article 28(1) GDPR only use processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of persons.
A cloud service provider’s guarantees must therefore relate to measures that are implemented in such a manner that the processing will achieve two results: meet the requirements of GDPR and ensure the protection of persons’ rights.
The GDPR’s requirements include, for example:
- the requirements for protection against third country law, expressed in Article 28(3)(a) and 32(4) GDPR (discussed above),
- the principles expressed in Article 5 GDPR, such as the requirements for lawfulness, fairness and transparency, and
- the personal rights expressed in Chapter III GDPR, which shall be read in light of the fundamental rights we mentioned in the section Protection of the EU Charter.
The question then is what guarantees, if any, that US cloud service providers give to controller organisations in this context, in order for controllers to meet the requirements of Article 28(1) GDPR.
In every case we are aware of, US cloud service providers state that they disclose personal data when compelled to do so under decisions by government authorities. Since these cloud service providers are subject to US law, even when operating in the EU, they will thus follow decisions to make personal data in the EU available to US authorities.
At the same time, some cloud service providers claim that they have received few requests from US authorities, at least on the basis of certain legal provisions, categories of requests, customer segments, services, or data types. Such claims may, for example, mention the number of disclosures of "customer data" or "content data" for a particular customer segment. However, these claims do not necessarily include disclosures of metadata, which can potentially be as sensitive as the contents of a document or message.[10]
From statements of this kind, we infer that the cloud service providers are attempting to imply such a low probability of disclosures that the risk should in practice be disregarded.
Despite this, all the terms of US cloud service providers that we have reviewed in effect give the US legal system priority over the EU legal system. US cloud service providers present this as self-evident: that they, as US companies, must naturally comply with decisions under the US legal system. They thus expect it to be equally self-evident that their customers in the EU must give up the sovereignty of their own legal system in favour of the US legal system.
If the likelihood of disclosure is so insignificant, we wonder why no US cloud service provider is prepared to guarantee that it will deny every disclosure request, at least for certain customer segments or service types. For the same reason, we wonder why US intelligence legislation cannot be constrained to exclude the possibility of such disclosures which supposedly do not happen in reality.
As we noted in the section Protection of the EU Charter, there is nothing appealing about legislation that can be used for extensive collection but which is not normally used so widely in practice. Because legislation such as FISA 702 enables more extensive collection than is justified, we believe that the legislation does not allow for effective protection against the risks of abuse as required by union law. In the section Real-life examples of US surveillance we have included a selection of violations and failures of due process in US surveillance.
A cloud service provider may find it difficult to control the number of disclosure requests it receives, no matter what the number has historically been. We therefore also question whether statistics on disclosures to US authorities can even be considered part of a processor’s guarantees.11
In light of the above, in particular with regard to the inability to fulfil the requirements stemming from Articles 28(3)(a) and 32(4) GDPR, we conclude that US cloud service providers do not give controllers in the EU the guarantees those controllers need according to Article 28(1) GDPR.
CJEU jurisprudence and the view on risk
We have also noted the CJEU’s view of what is required to ensure the level of protection of union law – and what is sufficient to undermine it. We believe that the CJEU does not appear to give any real scope to assess the likelihood of disclosures to third country authorities or to consider the types of personal data that may be disclosed.
In a third country transfer case, the CJEU ruled that effective protection of personal data cannot be ensured when the law of a third country allows the authorities of the third country to interfere with the rights of persons.12
The CJEU has also held that a third country transfer must be suspended already when the law of the third country imposes obligations on the recipient of the personal data, if the obligations are capable of impinging on the protection to be ensured under union law.13 Regardless of what it means in practice to achieve adequate protection under union law, the crucial question is thus if third country laws apply to the recipient (e.g. a cloud service provider), and thereby impose obligations capable of impinging on that protection.14
The CJEU has held that the disclosure of personal data to an authority constitutes an interference with fundamental rights regardless of how the data is subsequently used. The same applies to storing personal data with a view to later use by the authorities. The CJEU has further held that in this context it is irrelevant whether the information relating to private life is sensitive or whether the persons concerned have been inconvenienced in any way due to the interference with their rights.15
The CJEU has not held that impinging on the level of protection requires an actual disclosure to US authorities or even that this is likely. The deciding factors are what the third country law allows and could be used for. The CJEU here appears to make no probability assessment, nor take into account whether data relating to private life is sensitive, nor take into consideration whether persons are inconvenienced in any way due to information being disclosed.
This also seems consistent with the CJEU’s 2014 judgment invalidating the EU Data Retention Directive.16 That directive compelled telecoms providers to store traffic data about phone calls and internet use, but not the contents of communications. One would assume that only a very small proportion of this data would be of interest to law enforcement and other authorities. Presumably there would therefore be a small probability that a given person’s data would be disclosed. Yet, the CJEU invalidated the entire directive – it was too big a threat to our fundamental rights to privacy and data protection. When far more data than necessary is to be retained, when it is not sufficiently clear under which circumstances data can be disclosed, and when disclosures can be made in secret, we are left in uncertainty. The CJEU held that ”the fact that data are retained and subsequently used without the subscriber or registered user being informed is likely to generate in the minds of the persons concerned the feeling that their private lives are the subject of constant surveillance.”17
Today, the lion’s share of our communications, digital behaviour and large amounts of metadata, including location data, are processed by three cloud service providers who are all subject to the same mandatory US surveillance legislation, FISA 702.
We consider that the CJEU’s views in the aforementioned cases underline what is required to ensure the level of protection of union law when processing personal data in the EU – and crucially, what is sufficient to undermine it.
This is because an assessment of a third country transfer’s level of protection is made by comparison to the level of protection in the EU. It is the level of protection in the EU that a third country transfer must be at least essentially equivalent to. As stated in Article 44 GDPR: ”All provisions in [Chapter V] shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.” (Cleura’s emphasis). That is what it means when the protection of personal data follows the data from the EU to a third country.
The level of protection for a third country transfer only needs to be essentially equivalent to the level of protection in the EU. If anything this suggests some room for a slightly lower level of protection for a third country transfer than when processing personal data in the EU. This means that the reverse cannot be true. Processing personal data in the EU cannot be subject to a lower level of protection than for a third country transfer.
It would also seem disproportionate to require an even higher level of protection for third country transfers than the already high level of protection applicable in the EU. It would also defeat the purpose of facilitating international trade and cooperation, as stated in recital 101 of the GDPR.
This means that the level of protection required under Articles 24, 28, 32 and so on, when processing personal data within the EU, must be interpreted to be at least as high as the level of protection required for a third country transfer.
When the CJEU considers that a third country transfer is not permitted already when the law of a third country allows the authorities of the third country to interfere with the rights of individuals under union law, and that a third country transfer must be suspended already when the law of the third country imposes obligations which are capable of impinging on the level of protection under union law, it follows that the bar for ensuring the protection of union law when processing personal data in the EU must be at least as high.
The conclusion of this is that the level of protection of union law when processing personal data in the EU, including under Articles 24, 28 and 32 of the GDPR, cannot be ensured when US law imposes obligations on a cloud service provider which allow US authorities to interfere with the rights of persons or which are capable of impinging on the protection of union law. This is still the case, irrespective of the adequacy decision, when FISA 702 applies to a US cloud service provider and US authorities thereby can compel the cloud service provider to give access to personal data that the cloud service provider processes in the EU.
Summary of conclusions
Against this background, we do not see how a US cloud service provider can be considered to have taken steps that are sufficient to meet the requirements of the GDPR and ensure protection of persons’ rights, when the cloud service provider’s statements mean that:
- The cloud service provider is subject to US surveillance legislation, and has made it clear that it allows itself to disclose personal data in the EU to US authorities under such legislation.
- The cloud service provider allows itself, in violation of the requirements on data processing agreements under Article 28(3)(a) of the GDPR, to deviate from the controller’s instructions, and allows its staff to do the same in violation of the requirements for security under Article 32(4) of the GDPR, in order to disclose personal data in the EU to US authorities without a basis in union law or the national law of an EU/EEA member state.
- The cloud service provider allows itself, in violation of Article 6(1)(c) and 6(3) of the GDPR, to disclose personal data in the EU to US authorities without a valid legal basis in the form of a legal obligation in union law or the national law of an EU/EEA member state.
- The cloud service provider allows itself, in violation of Article 48 of the GDPR, to disclose personal data in the EU to US authorities without a basis in an international agreement, and without being able to use a derogation for specific situations.
What US cloud service providers therefore actually guarantee is that they take steps to ensure that they do not meet the requirements of the GDPR. We consider that such cloud service providers do not provide the guarantees necessary to be used as processors of personal data under Article 28(1) of the GDPR.
Executive Order 14086 and the Data Protection Review Court
When the Data Privacy Framework and adequacy decision matter – and when they don’t
As previously noted, the GDPR prohibits US cloud service providers from transferring personal data in the EU to US intelligence authorities without a basis in union law or the national law of an EU/EEA member state. In fact, US cloud service providers have an obligation to take steps to ensure that they do not perform such transfers. This follows from Article 28(3)(a) and 32(4) GDPR.
These rules in the GDPR apply regardless of whether the receiving country meets requirements for due process. To lawfully transfer personal data from the EU to US intelligence authorities, cloud service providers would need to rely on a basis in union law or the national law of an EU/EEA member state. The adequacy decision based on the Data Privacy Framework is not such a basis that allows for third country transfers from the EU to US intelligence authorities.
Despite this, US cloud service providers say they will still disclose personal data to US intelligence authorities when compelled to under US law. We therefore consider that these providers do not give controllers the guarantees necessary to be used as processors of personal data under the GDPR. The reasons for this conclusion are explained in the section GDPR protection against access from third countries.
The situation is different when a controller in the EU intentionally wants to transfer personal data to a third country such as the US. This can for example be the case when a controller in the EU wants to transfer personal data to a cloud service provider in the US for further processing on the cloud service provider’s servers there. Another example can be when a controller in the EU gives a cloud service provider’s support staff in the US access to personal data stored in the EU.
Such transfers can rely on the adequacy decision, provided that the cloud service provider is self-certified under the Data Privacy Framework. However, in that scenario, the question remains whether the adequacy decision can be relied upon in the future or whether it risks being invalidated, like the previous two adequacy decisions meant to allow transfers to self-certified recipients in the US.
We will therefore look at some of the changes on the American side that the third adequacy decision relies on. The goal is to provide a better picture of the likelihood that the Court of Justice of the European Union (CJEU) will invalidate the adequacy decision, as well as an understanding of the parts of US law that are still lacking in relation to union law.
This assessment of the adequacy decision’s survival is primarily relevant to organisations considering third country transfers from the EU to self-certified recipients in the United States, including by giving support staff in the US access to personal data stored in the EU. The assessment of the adequacy decision is less relevant to organisations that will only process personal data in the EU – for such organisations, however, the previous chapters of this report are highly relevant.
What has changed since Schrems II
To evaluate US law, we start with the CJEU’s judgement in Schrems II and then make a comparison to some changes made thereafter.
In Schrems II, the CJEU held that US surveillance programs based on FISA 702, Executive Order 12333 and Presidential Policy Directive 28 do not meet the minimum requirements required by union law under the principle of proportionality set out in the EU Charter of Fundamental Rights. This means that the surveillance programs based on those provisions cannot be considered limited to what is strictly necessary.
The CJEU also found that the surveillance programs do not give persons rights that can be enforced against US authorities in court, which means that the persons are not entitled to an effective remedy. This is also a requirement under the EU’s fundamental rights charter.
Since then, the United States has essentially made two changes referred to by the European Commission in its July 2023 adequacy decision. We will therefore have a closer look at some relevant parts of these changes to see if they make any significant difference.
First, the President of the United States issued Executive Order 14086 for signals intelligence gathering (EO 14086), which has been implemented by the intelligence services. Second, EO 14086 states that the United States Department of Justice shall issue regulations setting up a review body called the Data Protection Review Court (the DPRC regulations).
The question then is whether EO 14086 and the DPRC regulations address the shortcomings identified by the CJEU in Schrems II. Other actors have made in-depth analyses of this.18 In brief, we consider that EO 14086 and the DPRC regulations are problematic in relation to union law. In the following section, we explore the reasons for this conclusion in more detail. This account does not claim to be exhaustive.
We also have a report delving closer into the subject of how surveillance and fundamental rights are regulated in the United States and at the European level in relation to cloud services, available in Swedish.
Executive Order 14086
The first change that the European Commission relies on in its adequacy decision is Executive Order 14086 (EO 14086).19 This is a presidential decree setting out rules for signals intelligence that have since reportedly been implemented by the US intelligence community.
First, we doubt for two reasons whether EO 14086 can meet the EU Charter’s requirement that restrictions on fundamental rights have to be provided for in law.
To begin with, an executive order concentrates power in one person, the president, who can modify or revoke an executive order at any time. In addition, the president may secretly update parts of EO 14086 based on an assessment made by the president, see section 2(b)(i)(B) and section 2(c)(ii)(C). In our opinion, such an approach does not characterise ”law”. In addition, an executive order is in any case not legislation, while the CJEU speaks in terms of requirements imposed specifically on legislation.20
Surveillance constitutes a limitation on fundamental rights. The Court of Justice of the European Union has ruled that ”the legal basis which permits the interference with those rights must itself define the scope of the limitation on the exercise of the right concerned” (Cleura’s emphasis). The CJEU states that this is a prerequisite for meeting the EU Charter’s proportionality requirements.21 As we understand it, FISA 702 is legislation which allows for surveillance regardless of EO 14086’s existence. Surveillance based on FISA 702 involves an interference with people’s rights to privacy and protection of personal data, which are fundamental rights. The CJEU has held that FISA 702 does not meet the EU Charter’s proportionality requirements.22 To rectify this, it therefore appears some form of amendment to FISA 702 is needed so that FISA 702 itself in a sufficiently clear manner defines the scope of the limitation on the exercise of fundamental rights. However, no such amendment has been made. Instead, EO 14086 has been introduced with rules of procedure for signals intelligence. We believe that EO 14086 does not even appear to be capable of compensating for the lack of proportionality in FISA 702 because EO 14086 is not the legal basis which FISA 702 is.
Second, we doubt – regardless of the assessment in the first question – whether the wording of EO 14086 materially meets the requirements for clarity and precision according to the EU Charter’s requirements for proportionality (see the section Protection of the EU Charter). The terms necessity and proportionality are mentioned in EO 14086, but there is sparse explanation of what those concepts mean in concrete terms. The wording is also vague regarding when alternatives to signals intelligence shall be prioritised. Alternatives shall be used when they are ”viable, feasible, and appropriate”.
The terms ”necessary” and ”proportionate” in EO 14086 may at first glance appear to be linked to concepts in union law, especially since these terms are essential to the CJEU’s interpretation of the EU Charter in Schrems II. In addition, EO 14086 specifies several rules regarding ”personal information”, which is a different term than union law’s personal data. The intention appears to be that none of these terms shall be interpreted in line with union law. The DPRC, which is meant to review whether surveillance has been properly conducted under EO 14086, must interpret EO 14086 and its terms solely in light of US law and legal tradition, not any other source of law.23
Against this background, we doubt that EO 14086 complies with the requirements in union law for clear provisions that specify the circumstances and conditions under which intelligence collection may take place. We find it difficult to see how EO 14086 in a sufficiently clear manner, in accordance with the requirements of union law, regulates the scope and application of the intelligence collection and establishes minimum requirements that provide persons with adequate guarantees that enable effective protection of their personal data against the risks of abuse (see the section Protection of the EU Charter for more on these requirements). The situation is not helped by the fact that the DPRC is prohibited from interpreting the concepts of necessity and proportionality according to union law, that ”personal information” does not appear to correspond to the GDPR’s definition of personal data, and that the DPRC is not allowed to take into account legal developments in the EU when interpreting the practical application of EO 14086.
Data Protection Review Court
The review body called the Data Protection Review Court was established through the DPRC regulations,24 which were issued by the US Department of Justice on the basis of the president’s orders in EO 14086. The purpose may be understood as being for the DPRC to meet the requirements of union law for an effective remedy, after the CJEU ruled25 that the Privacy Shield Ombudsman was insufficient.
First, we doubt whether the DPRC meets the EU Charter’s requirements for the right to a fair and public hearing ”by an independent and impartial tribunal previously established by law.”
As for the requirement to be established by law the same doubts remain as for EO 14086, which is discussed in the first part of the section on EO 14086 above.
As regards the requirement of independence and impartiality, we note that the US system of government is characterised by the doctrine of separation of powers. Power is thus divided between the legislature (Congress), the executive (the president) and the judiciary (federal courts). The DPRC is not a federal court of the judicial branch under US separation of powers doctrine. The DPRC was created by the Department of Justice but is also itself a part of the Department of Justice26 and thus the executive branch.
The members of the DPRC are appointed by the US Attorney General. Members also seem to receive protection for their appointment and from reprisals only in relation to the Attorney General, not the president.27 The CJEU has noted that the Privacy Shield Ombudsman did not appear to be covered by guarantees in relation to the executive as regards the ombudsman’s appointment.28 The president is the person who ultimately exercises executive power in the United States.
Second, the DPRC’s jurisdiction only includes certain types of violations, so-called ”covered violations”, which seem to leave violations of important EU rights outside the DPRC’s jurisdiction.
In short, the definition of a ”covered violation” seems to require that a violation both adversely affects a complainant’s individual ”privacy” and ”civil liberties” interests, and violates the US Constitution, parts of FISA or FISC procedures, EO 12333 or related procedures, EO 14086 or related policies and procedures, a subsequent statute, order, policy or procedure, or other statutes, orders, policies or procedures similar to EO 14086.29
To the best of our knowledge, none of the mentioned laws or regulations contain an applicable right of access to personal data or the right to rectification of incorrect personal data, at least not to an extent similar to union law, where these rights are part of the fundamental right to protection of personal data under Article 8 of the EU Charter and are thus accompanied by proportionality requirements for any limitations.30
We also question whether one can sufficiently clearly read these data protection rights into the concepts of ”privacy” and ”civil liberties interests”. The EU Charter of Fundamental Rights recognises the right to respect for private life (often described as a right to privacy) in Article 7, as well as the right to data protection in Article 8. As a comparison, the European Convention on Human Rights recognises the right to private life, but does not have an explicit right to data protection. While it may be a matter of judgement how privacy-sensitive a particular processing operation is allowed to be, data protection rights such as access and rectification apply regardless of the degree of privacy intrusion. Moreover, the DPRC regulations mean that when EO 14086 mentions terms like ”personal information”, ”privacy” and ”civil liberties interests”, those terms must not be interpreted with union law in mind, but exclusively in light of US law and legal tradition.31
It therefore seems dubious that US law would recognise data protection rights with reference to a person’s ”privacy” or ”civil liberties interests”. Looking at the right to privacy in particular, that right, as interpreted under the US Constitution, is severely curtailed due to the third-party doctrine. This doctrine means that a person forfeits their right to privacy in relation to information they are considered to have voluntarily given to a service provider.32
When fundamental rights under union law are not expressly recognised or specified in the US regulations or legal framework, it would appear these rights are not possible to violate in the form of a ”covered violation” to begin with. Therefore, the DPRC does not appear capable of deciding on corrective measures in all cases where these rights under union law have been infringed.
Third, and as we touched on above, the DPRC regulations do not give complainants a right to judicial review for the purpose of gaining access to their personal data. As a consequence, complainants do not appear to be guaranteed their rights to rectification or erasure either. Furthermore, this means that the DPRC does not seem to have sufficient preconditions to assess the proportionality and legality of a surveillance measure.
The CJEU has held that:
According to settled case-law, the very existence of effective judicial review designed to ensure compliance with provisions of EU law is inherent in the existence of the rule of law. Thus, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him or her, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the [EU Charter]33
The right to judicial review thus includes having one’s rights to access or rectification of personal data reviewed by a court. The right of access and the right to rectification are not absolute, but any restriction must be proportionate according to the requirements of the EU Charter. An important purpose of an independent and impartial judicial review will then be to determine whether it is really justified to withhold information from a person (and if so, under which circumstances, such as for how long). It is such a judicial review that the CJEU has repeatedly held is a prerequisite for the rule of law.
The European Commission’s July 2023 adequacy decision refers, inter alia, to the possibility of requesting access to information under the US Freedom of Information Act (FOIA), subject to various exceptions such as when information is classified for reasons of national security. Furthermore, foreign intelligence information whose existence is classified by the FBI is completely excluded from the scope of the FOIA.34 We assume that the CJEU in Schrems II was aware of existing avenues for requesting access to one’s personal data, such as FOIA. Regarding access to judicial review of FISA surveillance, the CJEU noted how the European Commission has recognised that this possibility is limited for non-Americans, including because of the requirement to demonstrate standing, which appears to have been a reason for the introduction of the Privacy Shield Ombudsman.35
The CJEU has also held that FISA 702 does not provide any guarantees for non-Americans that may be subject to surveillance and that, although surveillance must comply with the rules of PPD-28, PPD-28 does not give individuals rights that they can assert in court towards US authorities.36 We therefore conclude that US law has not been sufficient to provide effective judicial remedies to non-Americans, and that this will remain the case unless the DPRC provisions address the shortcomings of the Privacy Shield Ombudsman.
The DPRC rules state that the complaints process ends with a final determination ”without confirming or denying that the complainant was subject to signals intelligence activities”. In all cases, the notice should read ”The review either did not identify any covered violations or the Data Protection Review Court issued a determination requiring appropriate remediation”.37 Although the DPRC must assign a ”Special Advocate” to the complainant, this person is not allowed to disclose whether the complainant was subject to US signals intelligence activities.38
As the DPRC does not provide complainants with a right to know whether they have been subject to signals intelligence, the DPRC cannot provide complainants with a judicial review of their rights to access, rectify or erase personal data. Even if the DPRC can on paper decide on, for example, rectification or erasure, we believe that it is almost inevitable that the DPRC will have an insufficient basis for its reviews and measures, and that the DPRC can therefore in practice not ensure that it can decide on remediation in every case where it is needed.
This is because it is difficult for a person to describe to the DPRC how a piece of information should be rectified, or explain why it is irrelevant and should be erased, without first having access to the information to assess it. Similarly, without access to the information, the person cannot raise issues that are relevant to the DPRC’s assessment of the proportionality and lawfulness of the data collection itself. The right of access to data is thus a precondition for the exercise of other fundamental rights. The CJEU has held:
Thus, the right of access provided for in Article 15 of the GDPR must enable the data subject to ensure that the personal data relating to him or her are correct and that they are processed in a lawful manner … In particular, that right of access is necessary to enable the data subject to exercise, depending on the circumstances, his or her right to rectification, right to erasure (‘right to be forgotten’) or right to restriction of processing … as well as the data subject’s right to object to his or her personal data being processed … and right of action where he or she suffers damage39
Our conclusion is therefore that DPRC does not give people any right to a judicial review of the right of access or rectification of personal data. As a consequence, the DPRC also lacks an effective capability to review the lawfulness of surveillance as well as the right to restrict processing and to bring an action as a result of damages suffered.
Thus, the DPRC does not address what the CJEU identified as the shortcomings of the Privacy Shield Ombudsperson, and US law therefore still falls short of the requirements in union law with regard to effective judicial remedies.
Moreover, even if we were to see past the DPRC, and an EU-based person would somehow gain standing before a US court, we question whether US courts are fully competent to review the relevant facts in a right of access to personal data.
For a closer look at the US legal system compared to the European legal system when it comes to surveillance, see our report analysing differences in rights protection when using cloud services, available in Swedish at the moment.
Our understanding of the CJEU’s jurisprudence is that a restriction on a person’s right of access to personal data cannot lead to EU courts being prevented from accessing the data in order to perform a judicial review under Article 47 of the EU Charter regarding the person’s right of access.40 In this regard, we note that the US legal principle of State Secrets Privilege gives the executive branch (government) of the United States an ability to completely exclude information from a court case. A judge may even be prevented from reviewing evidence on their own if the government asserts that the information is covered by the State Secrets Privilege.41 As a result, the judge may then have to dismiss the case.
This restriction on the courts’ ability to review information does not appear to be consistent with the CJEU’s interpretation of the right to an effective remedy under Article 47 of the EU Charter.
Fourth, limitations are placed on the DPRC in terms of what measures the DPRC can decide on in the event of an identified violation:
Prior to determining an appropriate remediation … a DPRC panel shall seek through the ODNI CLPO the views of affected elements of the Intelligence Community regarding the appropriate remediation, including an assessment of impacts on the operations of the Intelligence Community and the national security of the United States. The panel shall take due account of these views as well as customary ways of addressing a violation of the type identified.42
This limits the DPRC’s freedom in the choice of remediation, as the DPRC is obliged to take into account views and customary ways which are not necessarily based on legal imperatives.
Summary of conclusions on EO 14086 and the DPRC
We question whether EO 14086 and the DPRC regulations meet the level of protection required by union law in several respects, in particular:
- Whether EO 14086 can be regarded as law within the meaning of the EU Charter, particularly given the concentration of power in the hands of the president who can amend or repeal EO 14086 at any time and can secretly amend parts of EO 14086.
- Whether EO 14086 meets the requirements of proportionality, due to its vague language on necessity and proportionality and when alternatives to signals intelligence shall be prioritised (when ”available, feasible and appropriate”). Moreover, concepts that seemingly relate to union law are not to be interpreted in accordance with union law, but exclusively in light of US law.
- Whether the DPRC fulfils the EU Charter requirement of a right to a fair and public hearing ”by an independent and impartial tribunal previously established by law”, given that the DPRC itself is part of the US Department of Justice and thus of the executive branch.
- Whether DPRC members receive adequate protection for their appointment and against retaliation. The DPRC provisions appear to provide protection only in relation to the US Attorney General but not to the president, who ultimately exercises executive power.
- That the DPRC’s jurisdiction does not seem to cover violations of all fundamental rights under union law, as these do not always seem to be considered ”covered violations”.
- That the DPRC regulations do not provide individuals with a right of access to their personal data, and that this also precludes the effective exercise of the right to rectification or erasure, and the ability to add context necessary for the DPRC to assess the proportionality and lawfulness of a surveillance measure.
- That the DPRC’s room for manoeuvre when deciding on measures is limited by the fact that the DPRC has to take into account the views and customary ways of the intelligence services, which are not necessarily based on legal imperatives.
Real-life examples of US surveillance
US surveillance is marred by abuses and lack of due process, both historically and in the recent past.
Here is a selection of examples, some of which concern illegal behaviour, while others show what has been allowed to take place legally.
- As early as 1975, the Church Committee concluded that the US federal government had for many decades ”intentionally disregarded” legal restrictions on its surveillance activities and ”infringed the constitutional rights of American citizens”.43
- In October 2015, the NSA was found to have violated a surveillance agreement with its German counterpart. Almost 70% of the selectors investigated by Germany, which the NSA had asked it to conduct surveillance against, were government bodies in EU countries. European companies were also targeted.44
- In February 2020, a US court declared that a surveillance programme used by the NSA to collect billions of records related to phone calls was illegal. The court also criticised statements made by US authorities about the usefulness and effectiveness of the surveillance programme, which the court said were inconsistent with secret documents made available to the court. When asked if the NSA still stood by its previous statements, the NSA declined to comment.45
- In July 2020, it was revealed that a US security service had prepared intelligence reports on journalists.46
- In a May 2021 interview, a former federal judge who served in Houston between 2004 and 2018 described how domestic surveillance warrants were routinely kept classified, not only during ongoing investigations but long after the cases were closed. In his court, there were requests for authorisations more than 15 years old that were still classified. He investigated the matter further and found that if a case had once been classified, 99% of the time it remained classified forever.47
- In June 2021, Microsoft President Brad Smith published an op-ed in the Washington Post describing how the abuse of secret surveillance had continued under both the Trump and previous presidential administrations.48
- In May 2023, it was revealed that the FBI had conducted more than 278 000 unauthorised searches of an intelligence database containing FISA 702 information.49 A Senator who has been a member of the Senate Intelligence Committee since 2001 called for changes to US legislation, not just updates to the FBI’s internal guidelines. The Senator also stated that ”There is important, secret information about how the government has interpreted Section 702 that Congress and the American people need to see before the law is renewed.”50
These examples are, of course, only from what has come to public light.
We want to emphasise that US intelligence gathering can be valuable when conducted against real threats. What is problematic from a European point of view is how excessively broad the legislation is, the political interference, and the lack of honesty and effective oversight.
Microsoft’s President Brad Smith put the issue into words in the context of a criminal investigation case a number of years ago:
(…) the U.S. Department of Justice’s attempt to seize foreign customers’ emails from other countries ignores borders, treaties and international law, as well as the laws those countries have in place to protect the privacy of their own citizens. As the French government stated on Monday, it’s a path that creates “a significant risk of conflict of laws.” And as the tech sector appreciates all too well, that’s a conflict that will leave tech companies and consumers caught in the middle.
It’s also a path that will lead to the doorsteps of American homes by putting the privacy of U.S. citizens’ emails at risk. If the U.S. government obtains the power to search and seize foreign citizens’ private communications physically stored in other countries, it will invite other governments to do the same thing. If we ignore other countries’ laws, how can we demand that they respect our laws? That’s part of why public interest groups, such as the Brennan Center for Justice and the Reporters Committee for Freedom of the Press, are watching this case so closely.
The [Department of Justice’s] position also bodes ill for the U.S. economy and American jobs. Right now, U.S. companies are world leaders in providing cloud services. That leadership position is based on trust. But if the U.S. government can assert this type of unilateral power to reach into datacenters that are operated by U.S. companies in other countries, foreign countries and foreign customers will question their ability to trust American companies.51
In response, the US Congress passed measures giving an explicit legal basis for the extraterritorial access that Microsoft so strongly warned about. Since then, fears of eroded trust have been realised. The July 2023 adequacy decision does not solve the problem of this extraterritorial access. It means that the violation of the EU’s legal sovereignty remains.
Encryption and similar measures
Encryption, pseudonymisation or microsharding are sometimes proposed as a solution to prevent US authorities from accessing personal data. However, we consider that such measures, to be sufficient, must in practice make it impossible for US cloud service providers to disclose the personal data.
The US intelligence law FISA 702 allows the US government to issue information collection directives to US cloud service providers. A cloud service provider receiving such a directive must then immediately provide the Government with all information, facilities, or assistance necessary to accomplish the acquisition, in secret, and with a minimum of disruption to the cloud service provider’s services.52 The cloud service provider must then also be compensated for its assistance.53
How does this affect encryption as a method to protect data from access by US intelligence agencies? We believe that a prerequisite must be that the cloud service provider must not have the technical ability to circumvent encryption or otherwise access data in clear text. This is because the cloud service provider could be forced to use such an ability, even if it requires the cloud service provider to take significant measures such as adapting its software or service delivery. Indeed, the cloud service provider’s obligation under FISA 702 is very broad, if not seemingly unlimited, to provide all assistance necessary to acquire information.
This means, among other things, that the cloud service provider must not have the technical ability to use its own or the customer’s access control systems to give itself or third country authorities access to personal data, to encryption functions, or to keys that can decrypt personal data. This is where encryption schemes often prove insufficient in this context: it turns out that the cloud service provider, at some point:
- Handles data in plain text in the cloud.
- Can influence how encryption keys are generated or used.
- Manages the customer’s encryption key in clear text in the cloud.
- Has its own encryption key that is managed in clear text in the cloud.
- Has access to the key management system or the access control system for the key management system.
Processing of data in clear text at some stage in the cloud is a common prerequisite for cloud services such as SaaS solutions to function at all. Thus, even if data is encrypted at rest and in transit, it may need to be decrypted when in use. This is normally the case when data is modified, used in a calculation or displayed in an end-user’s web browser or other locally installed software.
If all encryption and decryption of data happens on-premises, and only encrypted data is handled in the cloud, the cloud becomes little more than a passive storage area. Organisations then lose access to the cloud service provider’s scalable computing power to process the data.
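To make the key-placement point above concrete, here is an added example written for this edit; it is not code from the report or from any cloud provider’s product. The Go program below models envelope encryption with AES-256-GCM: each record is encrypted under a fresh data key (DEK), and the DEK is wrapped under a key-encryption key (KEK). The `Provider` type, its `Disclose` and `Search` methods, and the sample record are all assumptions made for the illustration. `Disclose` stands in for a compelled disclosure: with the KEK kept on-premises the provider can hand over only ciphertext and a wrapped key, whereas once the same KEK sits in the provider’s own key management system the same call yields plaintext, and so does any provider-side feature, such as `Search`, that needs the data in clear.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredObject is everything the cloud provider holds for one record.
type StoredObject struct {
	Ciphertext []byte // AES-256-GCM ciphertext of the record, nonce prepended
	WrappedDEK []byte // the per-record data key, itself sealed under the KEK
}

// seal encrypts plaintext under a 32-byte key with AES-256-GCM and
// prepends the random nonce so the blob is self-describing.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails on a wrong key or on any tampering.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Encrypt runs on the customer's premises: a fresh DEK encrypts the record
// and the customer's KEK wraps the DEK. Only the sealed blobs leave the building.
func Encrypt(kek, record []byte) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return StoredObject{}, err
	}
	ct, err := seal(dek, record)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt also runs on the customer's premises, with the customer's KEK.
func Decrypt(kek []byte, obj StoredObject) ([]byte, error) {
	dek, err := open(kek, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext)
}

// Provider models the cloud service (an assumption for this example). KEK is
// nil when the customer keeps the key on-premises, and set when the
// provider's own key management system holds it.
type Provider struct {
	Objects map[string]StoredObject
	KEK     []byte
}

// Disclose models a compelled disclosure: the provider returns the most it
// can technically produce for one record, using everything it holds.
func (p *Provider) Disclose(id string) ([]byte, error) {
	obj, ok := p.Objects[id]
	if !ok {
		return nil, errors.New("no such object")
	}
	if p.KEK == nil {
		return nil, errors.New("provider holds only ciphertext and a wrapped key: plaintext cannot be produced")
	}
	return Decrypt(p.KEK, obj)
}

// Search models a provider-side feature that needs the data in clear text.
// Without the KEK nothing can match, which is the "passive storage" effect.
func (p *Provider) Search(term string) []string {
	var hits []string
	for id := range p.Objects {
		if pt, err := p.Disclose(id); err == nil && bytes.Contains(pt, []byte(term)) {
			hits = append(hits, id)
		}
	}
	return hits
}

func main() {
	kek := make([]byte, 32)
	io.ReadFull(rand.Reader, kek)
	// Constructed sample record for the example.
	record := []byte("customer 4711, diagnosis code F32")
	obj, _ := Encrypt(kek, record)

	onPrem := &Provider{Objects: map[string]StoredObject{"rec-1": obj}}
	_, err := onPrem.Disclose("rec-1")
	fmt.Println("KEK on-premises, disclosure:", err)
	fmt.Println("KEK on-premises, search hits:", len(onPrem.Search("diagnosis")))

	inCloud := &Provider{Objects: onPrem.Objects, KEK: kek}
	pt, _ := inCloud.Disclose("rec-1")
	fmt.Println("KEK in provider KMS, disclosure:", string(pt))
}
```

Note what the on-premises variant does not solve: `Search` returns nothing because the provider never sees clear text, so the cloud is reduced to passive storage, and the customer now carries the burden of protecting and backing up the KEK itself, since losing it makes every record unrecoverable.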
We want to be clear that encryption is an important measure in general. For example, when a cloud service provider performs cloud encryption at rest and in transit, this can protect data in case of cyber attacks or unauthorised insider access. However, such encryption would not prevent US cloud service providers from disclosing the data when requested by US intelligence agencies.
We have not seen any case where a US cloud service provider has demonstrated how it encrypts data in a way where the customer is in full control, and where the cloud service provider does not have the technical ability to decrypt the data, without the customer also being affected by one or more of the following:
- The encryption covers only a subset of the data that needs to be managed in the cloud.
- Reduced performance and functionality as it becomes difficult or impossible to process information in the cloud and to search, share and collaborate on information.
- Higher licence costs.
- Administrative burden of managing encryption and associated security risks where a key must be protected against unauthorised access and all encrypted information is lost if the key is lost. If the key is managed by a third party, one needs to trust the third party to adequately protect the key against unauthorised access and not lose the key. This puts a lot at stake.
- Increased demands on employees regarding the systems and digital tools in which they may handle information, requirements that are difficult to fully enforce.
Even the double key encryption (DKE) solution of a major cloud service provider was found by BSI, the German Federal Office for Information Security, to provide insufficient guarantees. By using two keys, one of which remains with the customer at all times, DKE is intended to prevent data leakage in specific secure environments. However, after a particularly serious incident at the cloud service provider, BSI received such ambiguous replies that it could not assess whether the threat actor had accessed the data in plain text anyway. ”Even after repeated requests and threats of legal action, Microsoft did not provide the requested information. Therefore, BSI is now using the legal instruments at its disposal”, explains a BSI spokesperson, reports Heise Security.
In addition, it needs to be taken into account that current encryption algorithms and their implementation may prove vulnerable in the future, for example considering research in encryption, cheaper processing power and new technological paradigms such as quantum technology.
The challenges of pseudonymisation, or splitting data into smaller parts (so-called microsharding), are largely the same as those of encryption.
We do not claim that encryption, pseudonymisation or other techniques cannot possibly prevent access by US intelligence agencies. However, we question why an organisation would want to take the risk that these measures are not legally or practically sufficient, while facing higher costs and practical limitations.
We believe that legally sound and appropriate cloud services, where data is encrypted but also handled in clear text when and where needed, provide the greatest value for money and the most innovation. We therefore argue that cloud services with true data sovereignty, without exposure to US legislation, will remain the most attractive option.
Sources
- The US Department of Commerce publishes the list on a dedicated website. ↩︎
- The European Commission’s adequacy decision states in recital 8 that ”This Decision has the effect that personal data transfers from controllers and processors in the Union to certified organisations in the United States may take place without the need to obtain any further authorisation.” (Cleura’s emphasis, footnote omitted). ↩︎
- Article 52(1) of the EU Charter, C-311/18 Schrems II p. 175-176. ↩︎
- C-311/18 Schrems II p. 176-180. ↩︎
- Ibid., p. 175-176. ↩︎
- C-252/21 Meta Platforms v Bundeskartellamt p. 124. ↩︎
- ”Enforceable” meaning, according to the Cambridge Dictionary, ”(of a law or rule) possible to make people obey, or possible to make happen or be accepted” (Cleura’s emphasis). ↩︎
- Regarding Article 49, also see the EDPB-EDPS Joint Response to the LIBE Committee on the impact of the US Cloud Act on the European legal framework for personal data protection, p. 6 f. ↩︎
- ”We also need a new generation of international agreements that define when and how governments will seek data stored within other countries’ borders, starting with our European allies.”, from his Washington Post op-ed The Secret Gag Orders Must Stop. For example, the EU and the US have started negotiations on more efficient access to e-evidence. However, when it comes to intelligence gathering, which is the subject of the Schrems judgements, things are quiet. ↩︎
- Depending on the nature of the cloud service, metadata could include information about when a person has used a service, from which approximate locations (through the IP address), with whom communication has taken place and how often, etc. Thus, it is more than just content data that can be sensitive. In a case concerning data retention requirements for telecoms operators, the CJEU has noted that ”traffic and location data may reveal information on a significant number of aspects of the private life of the persons concerned, including sensitive information such as sexual orientation, political opinions, religious, philosophical, societal or other beliefs and state of health, given that such data moreover enjoys special protection under EU law. Taken as a whole, that data may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them. In particular, that data provides the means of establishing a profile of the individuals concerned, information that is no less sensitive, having regard to the right to privacy, than the actual content of communications” (joined cases C‑511/18, C‑512/18 and C‑520/18 La Quadrature du Net, p. 117, Cleura’s emphasis). ↩︎
- On the other hand, statistics from a third country whose legislation actually reaches the level of protection of union law, might confirm a view of compliance in practice with that legislation. ↩︎
- C-311/18 Schrems II p. 126, ”Therefore, although there are situations in which, depending on the law and practices in force in the third country concerned, the recipient of such a transfer is in a position to guarantee the necessary protection of the data solely on the basis of standard data protection clauses, there are others in which the content of those standard clauses might not constitute a sufficient means of ensuring, in practice, the effective protection of personal data transferred to the third country concerned. That is the case, in particular, where the law of that third country allows its public authorities to interfere with the rights of the data subjects to which that data relates.” (Cleura’s emphasis) Also compare with case C-293/12 Digital Rights Ireland where the CJEU invalidated the Data Retention Directive in its entirety despite the fact that it can be assumed that a very small proportion of the retained data would ever be disclosed. That case concerned processing and disclosures to public authorities in the EU. ↩︎
- C-311/18 Schrems II p. 135, ”Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned. That is the case, in particular, where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data.” (Cleura’s emphasis) ↩︎
- In the aforementioned third country transfer case (C-311/18 Schrems II), it was thus sufficient that the legal obligations themselves were contrary to the standard contractual clauses. When personal data is processed in the EU, it seems reasonable that it is sufficient that the legal obligations are contrary to the EU Charter or the GDPR, as these will apply in lieu of the standard contractual clauses. Relevant obligations under the GDPR are discussed in the section When the processor may deviate from its instructions. ↩︎
- C-311/18 Schrems II p. 171. ↩︎
- Joined cases C-293/12 and C-594/12 Digital Rights Ireland. ↩︎
- Ibid, p. 37. ↩︎
- See for example The Biden Administration’s SIGINT Executive Order, Part I: New Rules Leave Door Open to Bulk Surveillance and Part II: Redress for Unlawful Surveillance. ↩︎
- Executive Order 14086 On Enhancing Safeguards For United States Signals Intelligence Activities, also available in a structured format on noyb’s website. ↩︎
- C-311/18 Schrems II p. 176. ↩︎
- C-311/18 Schrems II p. 175-176. ↩︎
- C-311/18 Schrems II p. 184. ↩︎
- § 201.10 of the DPRC Regulations. ↩︎
- US Department of Justice, Data Protection Review Court Final Rule. ↩︎
- C-311/18 Schrems II p. 197. ↩︎
- ”The DPRC will be established within the Department of Justice”, p. 3 of the DPRC Regulations. ↩︎
- § 201.7 (d) of the DPRC Regulations. ↩︎
- C-311/18 Schrems II p. 195. ↩︎
- § 201.2 of the DPRC Regulations, which point to the definition of ”covered violation” in EO 14086, see section 4(d). ↩︎
- If so, we assume that this would already be known, given that resourceful actors have highlighted US law in various ways during the litigation leading up to the Schrems II judgement. ↩︎
- § 201.10 of the DPRC Regulations. ↩︎
- We touch on the third-party doctrine and more in our report comparing fundamental rights in a surveillance context in the United States and Europe (available in Swedish). ↩︎
- C-311/18 Schrems II p. 187. ↩︎
- FOIA.gov FAQ, section “What are exclusions?“ ↩︎
- C-311/18 Schrems II p. 45, quoting recitals 115-116. ↩︎
- C-311/18 Schrems II p. 181. ↩︎
- § 201.9 (h) of the DPRC Regulations. ↩︎
- § 201.11 (b) of the DPRC Regulations. ↩︎
- C-487/21 Österreichische Datenschutzbehörde, p. 34-35 ↩︎
- The CJEU held in joined cases C-584/10 P, C-593/10 P and C-595/10 P Kadi, p. 102, 125 and 126, that the confidentiality of information could not be invoked against union courts, as an examination of the relevant information was necessary to ensure the right to effective judicial protection: ”the question whether there is an infringement of the rights of the defence and of the right to effective judicial protection must be examined in relation to the specific circumstances of each particular case … Admittedly, overriding considerations to do with the security of the European Union or of its Member States or with the conduct of their international relations may preclude the disclosure of some information or some evidence to the person concerned. In such circumstances, it is none the less the task of the Courts of the European Union, before whom the secrecy or confidentiality of that information or evidence is no valid objection, to apply, in the course of the judicial review to be carried out, techniques which accommodate, on the one hand, legitimate security considerations … and, on the other, the need sufficiently to guarantee to an individual respect for his procedural rights, such as the right to be heard and the requirement for an adversarial process … To that end, it is for the Courts of the European Union, when carrying out an examination of all the matters of fact or law produced by the competent European Union authority, to determine whether the reasons relied on by that authority as grounds to preclude that disclosure are well founded” (Cleura’s emphasis) ↩︎
- FBI v Fazaga, ”Reynolds, on the other hand, expressly states that examination of the evidence at issue, ‘even by the judge alone, in chambers,’ should not be required if the Government shows ‘a reasonable danger that compulsion of the evidence’ will expose information that ‘should not be divulged’ in ‘the interest of national security.’ … Thus, the state secrets privilege … may sometimes preclude even in camera, ex parte review of the relevant evidence.” ↩︎
- § 201.9 (f) of the DPRC Regulations. ↩︎
- Final Report from the Church Committee, p. 137 (p. 153 of the PDF document). ↩︎
- Spiegel, Sonderermittler spricht von klarem Vertragsbruch der NSA. ↩︎
- TechCrunch, NSA call records collection ruled illegal by US appeals court. ↩︎
- The Washington Post, DHS compiled ‘intelligence reports’ on journalists who published leaked documents and Lawfare, What If J. Edgar Hoover Had Been a Moron?. ↩︎
- The Markup, Fighting Government Secrecy About Surveillance. ↩︎
- The Washington Post, The Secret Gag Orders Must Stop. ↩︎
- The Wall Street Journal, FBI Searched Jan. 6 Rioters and George Floyd Demonstrators in Spy Database and The Register, FBI abused spy law but only like 280,000 times in a year. The Register further reports that among those monitored were a US senator, a state senator and a state judge. ↩︎
- U.S. Senator Ron Wyden, Wyden Calls for Reforms to FISA Surveillance Following Disclosure of New Abuses. ↩︎
- Microsoft, Something extraordinary happened in Washington, D.C. ↩︎
- 50 U.S.C. § 1881a(i)(1), “immediately provide the Government with all information, facilities, or assistance necessary to accomplish the acquisition in a manner that will protect the secrecy of the acquisition and produce a minimum of interference with the services“. ↩︎
- 50 U.S.C. § 1881a(i)(2), “The Government shall compensate, at the prevailing rate, an electronic communication service provider for providing information, facilities, or assistance in accordance with a directive issued pursuant to paragraph (1).“ ↩︎