GDPR & transfers / Google Analytics enforcement - purpose of this webpage

My paper of 24 Jan 2022, summarising post-Schrems II enforcement of the GDPR "transfers" restriction, covered the Austrian supervisory authority DSB's enforcement decision on using Google Analytics, the Google Fonts decision, the Cookiebot decision and the EDPS decision against the European Parliament on Analytics and Stripe, among others. But there's been a flood of other EU data protection authority decisions, court rulings or announcements on Google Analytics or other transfers issues since then.

As I haven't had time to update my paper yet, on 1 Mar 2022 I created the list below of key links to such decisions etc. that I found out about after my paper was uploaded (in reverse chronological order). Some pre-dated 24 Jan, but I hadn't picked them up at the date of uploading. I will aim to keep this webpage updated (with developments on items just under the original items themselves rather than separately flagged). I also reorganised this on 22 July 2022 to add a new section for non-enforcement or non-UK/EU related matters:

Please also now see my Nov 2022 IAPP article.

Disclaimer: general information only, not legal advice, and my personal opinions only!

This webpage was last updated on: 20 Dec 2022

Please let me know of any other links to add. NB: I'm only covering transfers and data localization issues, not other aspects of GDPR. If you find this list of links/summaries useful, please credit me by linking to this webpage. I only ask for attribution, not even coffee! 😊

(All translations to English were made using... 🥁Google's free online translation service! Emphasis added to some of the statements below.)
  • 15 Dec 2022 - Spain, Spanish SA AEPD rejected a complaint (via NOYB, part of its 101 complaints) regarding the Royal Spanish Academy (RAE)'s use of Google Analytics' free tool, alleged to transfer personal data to Google LLC in the US unlawfully. Breaking away from other SAs' previous decisions, AEPD stated that:
    • Based on the available information, there was no evidence of current infringement, as RAE had stopped using Google Analytics after Schrems II (it was verified that RAE's webpage no longer contained Analytics code, made no Analytics-related HTTP requests and set no Analytics-associated cookies), and 
    • RAE had never used Analytics information to identify its website's users (RAE stated it had only used Analytics' basic, not advanced, functions, had access only to certain (non-identifying) aggregated information from Analytics, not individual IP addresses, and it could not reidentify visitors from the random ID Google assigns to users).
  • 13 Dec 2022 - Denmark, Danish SA Datatilsynet extended its deadline to 23 Jan 2023, for municipalities to provide further info on the use in schools of Google Workspace cloud & Chromebooks (see 14 Jul 2022).
  • 12 Dec 2022 - Portugal, Portuguese SA CNPD fined its national statistics authority INE €4.3m regarding the conduct of its 2021 census (see my paper of 24 Jan 2022 Appendix, INE on CNPD's order suspending transfers to the USA); helpful EDPB webpage summary. Reportedly INE is appealing. The fine was for:
    • Unlawful processing of special category data (health, religion - questions on health/religion were optional but not flagged as such)
    • Lack of compliance with transparency obligations (e.g. through display of website privacy notice)
    • Not conducting the required DPIA encompassing all relevant processing operations and the Census. The document provided as a DPIA was considered limited in scope and insufficient in relation to the data processing.
    • Insufficient due diligence in choosing a processor - INE accepted a standard contract that was not assessed in substance against the Art.28(3) requirements. The controller did not ensure the processor adopted all adequate measures to comply with GDPR, including guaranteeing that the risks of the processing were mitigated. Under this processing contract, INE agreed that the forum for settling disputes would be the Californian courts (despite the processor having a Lisbon office).
    • Permitting transfers under the contract to the US using 2010 SCCs without any supplementary measures. The contract authorised use of (sub)processors established in non-adequate third countries. The contract permitted "transit" through any of the company's 200 servers (the 2021 CNPD order noted this included Cloudflare servers in South Africa, China, India, Jordan, Mexico, Russia and Singapore). The CNPD highlighted INE's lack of control and knowledge of personal data location once the data entered the processor's network, as well as the processor's full control of the encryption/decryption tools securing the transmission of the data.
  • 24 Nov 2022 - Germany, report on Microsoft online services under Microsoft's updated September 2022 Data Processing Addendum, by a working group of Datenschutzkonferenz (DSK - German SAs collectively) after 2 years of investigation and discussion with Microsoft; Microsoft's response with more detail (both in German). Summary of report (note, these are my personal impressions, I haven't read Microsoft's detailed rebuttal yet):
    • OSS: Microsoft Ireland Operations Ltd's lead SA is the Irish SA, so the German SAs only considered the lawfulness of German controllers' processing using Microsoft services, and compliance of the processing contract with Art.28 GDPR
      • Note: a clever way for SAs to get round one-stop shop, when targeting the services of vendors/service providers whose lead SA is in another EU Member State! Hungary's SA effectively did the same, next summary below.
    • SA investigations, fines etc. The report is explicitly without prejudice to specific SA investigations.
    • Microsoft as controller. Still not sufficiently clear from the updated DPA when Microsoft acts as controller vs. processor: "..When using Microsoft 365, difficulties can still be expected on the basis of the "data protection addendum", since Microsoft does not fully disclose which processing takes place in detail. In addition, Microsoft does not fully explain which processing takes place on behalf of the customer or which for its own purposes. The contract documents are not precise in this respect and ultimately do not allow for conclusively assessable, possibly even extensive processing, also for one's own purposes..."
    • Public sector controllers' legal basis. According to DSK, where service providers use customers' personal data for their own purposes, for public sector controllers (especially schools), Art.6(1)(f) legitimate interests is "not relevant" for public authorities, while Art.6(1)(e) public task is "difficult to justify" due to the difficulty for public sector controllers to meet their accountability obligations. [Presumably because of insufficient info about Microsoft's "controller" processing?? It's not clear to me]
      • Note: in the UK, the ICO has stated public authorities can use legitimate interests for processing outside of their public tasks, although this ability is limited
      • Note: much of a service provider's processing is for the purposes of all its customers, but can't be said to be on behalf of any specific customer, hence it's classed as "controller"-type processing. But surely everyone wants cloud providers to secure their services properly for the benefit of all customers? It's interesting that Microsoft's "business operations" definition no longer refers to security. Perhaps this has moved to being "instructed" in the underlying commercial agreement.
    • Description of processing types and purposes, personal data types. The DPA is still not specific and detailed enough; there must be (a) a customer-specific specification based on Annex II of the Commission's Art.28 SCCs (note, not the same as its transfers SCCs), or (b) reference to a sufficiently detailed list of processing activities of the controller, to be formally included in the contract.
      • Note: Annex II doesn't help as it just sets out headings - categories of personal data and of data subjects, sensitive data processed, nature and purposes of processing etc (which you'll recognise from the transfers SCCs Annex I.B Description of Transfer).
      • Note: the DSK's approach to cloud services doesn't seem to take full account of the nature of these services and what they involve. With many cloud services:
        • The personal data to be processed is within the customer's control, it's whatever the customer and its end users choose to process using the service. This is already stated in Appendix B of Microsoft's DPA, which lists all types of personal data and data subjects. How can it be more detailed than that? If you make a cloud customer fill that Annex II info in, they'd come up with exactly the same list, possibly less detailed. Even a cloud customer may not know at the time of entering into a cloud contract all the types of personal data it may in future decide to process using the service.
        • The purposes and types of processing depend on the type of cloud service; surely everyone knows that an online office service offers email, word processing etc., all of which may include personal data. Where the nature of the service is known, how can more specificity be possible? How can it help improve data protection to make these contracts spell out that the service includes email, word processing, file storage etc.? And again, if you ask the customer to detail their processing activities for an office product, they'll just say "email, word processing" etc.
      • If only SAs would provide worked examples in detail of what they expect to be filled in for different types of specific services, and how they expect these Annexes to be completed, especially with standardised commoditised cloud services, that would be really helpful. All I want for Xmas?!
    • Microsoft's "controller" purposes. The DPA was updated in discussion with the working group, but Microsoft had not changed its actual processing. It still has "insufficiently limited rights" to process personal data as controller, and it remains unclear what personal data Microsoft processes as controller for its "business operations" (previously termed "legitimate business operations"). It's also unclear "on which legal basis the transfer of the personal data processed in the order to Microsoft's responsibility for the subsequent processing for Microsoft's purposes, including the associated comprehensive obligation to provide evidence, takes place. The same applies to data such as telemetry and diagnostic data, which, to the knowledge of the working group, Microsoft collects on a large scale and basically for its own purposes." Again there are particular difficulties for public bodies as they can't use legitimate interests (for the controller-to-controller data sharing with Microsoft, presumably)
      • Note: I don't quite follow the penultimate sentence quoted - not sure if this is meant to refer to Microsoft's legitimate interests for processing as controller, and its accountability including its legitimate interests assessment?
      • Note: again recall that the UK position on public authorities' use of legitimate interests is different.
    • Microsoft's disclosure of personal data. This is an Art.28 contract point, clearly focused on disclosures required under US (or other third country) law. Quoting directly from the DPA: "Microsoft will ensure that its personnel engaged in the processing of Customer Data, Professional Services Data, and Personal Data (i) will process such data only on instructions from Customer or as described in this DPA". Also, "Microsoft will not disclose or provide access to any Processed Data except: (1) as Customer directs; (2) as described in this DPA; or (3) as required by law". The report says this doesn't meet the requirements of Art.28.3(a) (processing only on documented instructions unless..), as it's not limited to disclosure as required by EU or Member State law. "Microsoft also contractually reserves the right to make far-reaching disclosures which, if implemented, would not meet the requirements set out in Art. 48 GDPR."
      • Note: disclosure under non-EU law seems impermissible even where the law doesn't go beyond what's necessary and proportionate in a democratic society, apparently! But the wording in Art.28 is quite clear.
      • Note: it is common for US service providers, in their Art.28 terms, not to specify which law here. Otherwise, they could be in breach of their obligations under local, even head office, law. So, personally, I wonder if adding a limitation to ability to disclose (under EU/Member State law or other law that doesn't go beyond...) might help in practice?
    • TOMs. The security measures are expressly restricted to certain categories of data (customer data in "Core Online Services" and "Professional Services Data"). In addition, Microsoft stated that after registration it offers access to a website with information about the technical and organizational measures implemented. But, "Legal uncertainties remain, since the guarantees on "security measures" formally only record a subset of the contractual personal data, namely "customer data in "core online services" and "professional service data"."
      • Note: presumably just a drafting fix?
    • Art.28 deletion and return of personal data. Microsoft's updates to the deletion terms "also entail ambiguities and contradictions" so these terms may not meet Art.28(3)(g) requirements; and controllers would not be able to meet their accountability obligations under Art.5(2) and 5(1)(a).
      • Note: again it's unclear to me why/how the updated terms were ambiguous and contradictory. One term even mirrors Art.28(3)(g) word for word!
    • Art. 28 subprocessor information. While Microsoft has updated its notification procedure, DSK states that the information provided is not specific, pointing out that the Commission's standard contractual clauses "provide much more detailed information about the name, address and contact person of the sub-processor as well as a description of the respective processing, which should allow a clear delimitation of the responsibilities of several sub-processors used".
      • Note: lesson - include in subprocessor change/addition info the name, address and "contact person" of the intended subprocessor, not just service/function, HQ and data categories to be processed. Of course, dear DSK, giving the name of the subprocessor's contact person (to all existing customers, no less) is processing the contact person's personal data, so cue providing "subprocessorinfo@[]" as a compromise!
    • Transfers. Microsoft transfers personal data to the US using the 2021 SCCs (presumably between its Irish and US entities).
      • It is not possible to use Microsoft 365 without transferring personal data to the USA. From December 2022, Microsoft plans to offer all EU area customers the option of storing and processing customer data, support data and other personal data of customers in the EU area (i.e. not without exception, not for example for certain IT security measures) ("EU Data Boundary").
        • Note: as with the Hungarian decision below, this seems to consider the ultimate physical transfer of personal data to the USA.
      • Given Schrems II, FISA 702 and EO12333, measures are needed to prevent Microsoft (and, through it, US authorities) from having intelligible access to personal data. But many Microsoft 365 services require Microsoft to access unencrypted, non-pseudonymized data. Microsoft can read data in plain text on a regular basis, ultimately to perform its contractual obligations. This is therefore a classic use case 6 of Appendix 2 of EDPB Recommendations 01/2020. "For this use case, the supervisory authorities have so far not been able to identify additional protective measures that could lead to the legality of the data export." 
        • Note: this confirms, as I suspected, that in DSK's view it's not possible to use any SaaS service where personal data is transferred to a country with "non-essentially equivalent" laws in cases where the cloud provider needs access to cleartext data to perform its functions, i.e. to do the task and provide the service for which its customers have engaged it.
      • "The measures currently provided by Microsoft in the "Location of the data at rest" section for storing the data (data at rest) do not preclude transmission, nor do they constitute sufficient protective measures. For further processing (apart from storage), the "Data Transfer and Location" section does not contain any statements on data localization. Even the measures promised by Microsoft in the "Addendum to additional protective measures" are not suitable for compensating for the fundamental legal inadequacies of US law measured against the standard of EU law. In addition, Microsoft also contractually reserves the right to make far-reaching disclosures which, if implemented, would not meet the requirements set out in Art. 48 GDPR."
      • "The future increased relocation of data processing to the EU, which Microsoft has already announced, appears helpful, but its implementation must also be observed and evaluated against the background of any extraterritorial legislation."
        • Note: it seems Microsoft's investment in EEA-only data centres and support (what about software maintenance?) may bear fruit for it, but this statement suggests that extraterritorial US legislation could undermine the position... we'll have to wait and see..
      • TADPF not taken into account: "Whether and to what extent the Executive Order "Enhancing Safeguards for United States Signals Intelligence Activities" presented by US President Biden and Attorney General Garland on October 7, 2022 and accompanying ordinances of the US Department of Justice require changes to the conditions of the US law has not been taken into account in this report due to the fact that the implementation of these regulations is still pending."
  • ? Oct/Nov 2022 - Hungary, summary in English (HT): the Hungarian SA ordered a weather website that used Google Analytics and Google Ads to stop transferring IP addresses to the US. However, the summary raises some uncertainties, particularly regarding contractual vs. physical flows of data:
    • Many earlier decisions on Google Analytics, summarised below and in the article linked to above, were based on the pre-2021 SCCs position. Then, because SCCs under the Data Protection Directive did not permit processor-to-processor (P2P) transfers, it was common for EU customers to enter into 2010 C2P SCCs directly with the US parent of the service provider, e.g. Google in the US, for the purposes of transfers from the EEA - even though their main contracting party was generally the EU subsidiary of the US parent, e.g. the Irish subsidiary. In those earlier decisions, therefore, the EU customer was transferring personal data directly to Google in the US under the 2010 SCCs, and could be ordered to stop those transfers.
    • Post-2021 SCCs, many US services like Google (and Microsoft, BTW) now provide for EU customers to contract with their EU subsidiary, e.g. the Irish subsidiary, as before. However, no SCCs are entered into between the EU customer and the US entity. Instead, the EU subsidiary enters into intragroup P2P 2021 SCCs with its US parent/affiliate, to transfer the EU customer's personal data to the US.
    • This was such a case. The Hungarian SA noted that it had no jurisdiction over Google's Irish subsidiary (the Hungarian customer's contracting party): it was not competent to assess the compliance of the Google Analytics Terms of Service and (new) Google Ads Data Processing Terms with GDPR, given that the main establishments of Google LLC and Google Ireland Limited were not in Hungary and their services did not target Hungarian data subjects. I.e., it seems to acknowledge that Google's main establishment for GDPR purposes is in Ireland (or at least not in Hungary!).
    • But it was competent in relation to the processing by the website (which was a controller), as it was available in Hungarian, and the controller did not have a registered establishment, subsidiary or parent company abroad so there was no cross-border processing (it seems the website was Hungary-established, or at least had a physical address there).
    • The controller said it had suspended using Analytics, which the SA confirmed on testing.
    • But the testing also found that the website was still using Google Doubleclick, part of Google Ads (for which Google Ireland was stated by the SA to be an independent controller). 3 Google Ads cookies were transmitting data to the USA.
    • The SA noted that under Art.28(1) GDPR, a controller may use "only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject". Therefore, the SA considered that the controller may not lawfully use Google Analytics to the extent that it involves the transfer of personal data to the USA, irrespective of whether Google Ireland Ltd or Google LLC was its contractual partner.
      • Note: the SA seemed to look at only the physical flow of personal data from Hungary to the USA, completely ignoring the contracting structure (Hungarian entity with Google Ireland, not Google LLC) and also ignoring the P2P 2021 SCCs that are no doubt in place between Google Ireland and Google LLC, presumably also with an associated transfer impact assessment and supplementary measures.
    • The SA ordered the website to "permanently remove the possibility of transferring personal data to third countries, in particular to permanently remove Google Analytics codes from the Website. In addition, the Data Controller shall permanently cease and in the future not transfer personal data to a controller or processor that transfers personal data to a third country without the safeguards required by the General Data Protection Regulation and remove from the Website the possibility of consenting to the use of such codes."
      • Note: it's odd that although the website was no longer using Google Analytics, the SA called out Analytics rather than Google Ads/Doubleclick, where there was code sending data to the USA. Although admittedly the second sentence above contains a broader transfer ban, which would extend to transfers via Doubleclick code too.
      • It's also interesting that the SA ordered removal of "the possibility of consenting to the use of such codes". The website had previously stated that collection of visitors' personal data via cookies was based on consent. The SA seems to be saying that consent to transfers is never possible? But explicit consent is one of the derogations allowing transfers, so it's not clear.
        • Query: can any Hungarian reader shed more light on this odd paragraph?
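The checks the Spanish SA (above, 15 Dec 2022) and the Hungarian SA (this item) describe - no Analytics code on the page, no requests to Google's endpoints, no Analytics or Ads cookies set - can be scripted as a first-pass audit. What follows is an added example, not the SAs' tooling and not from the original page or from Google: the host lists, cookie names and tag-ID formats are assumptions based on Google's publicly documented endpoints (illustrative, not exhaustive), and the HTML, request URLs and cookie names are constructed samples. It covers Google Ads/DoubleClick as well as Analytics, because the Hungarian testing found Ads code still sending data after Analytics had been removed.

```python
"""Added example: a first-pass audit for Google Analytics and Google Ads
(DoubleClick) integration, mirroring what the Spanish and Hungarian SAs
verified. Not the SAs' tooling. Hostnames, cookie names and tag-ID patterns
are assumptions based on Google's public endpoints; samples are constructed."""
import re
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

ANALYTICS_HOSTS = ("google-analytics.com", "googletagmanager.com", "analytics.google.com")
ADS_HOSTS = ("doubleclick.net", "googleadservices.com", "googlesyndication.com")
ANALYTICS_COOKIES = ("_ga", "_gid", "_gat")          # _ga_<id> and _gat_<id> also match
ADS_COOKIES = ("IDE", "test_cookie", "_gcl_au")

# Property / container IDs as they appear in tag snippets (assumed formats).
TAG_ID = re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12}|GTM-[A-Z0-9]{4,10}|AW-\d{6,12})\b")
SRC_ATTR = re.compile(r"""\b(?:src|href)\s*=\s*["']([^"']+)["']""", re.I)

Findings = Dict[str, List[str]]


def _empty() -> Findings:
    return {"analytics": [], "ads": []}


def _host_matches(host: str, suffixes: Iterable[str]) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _classify_host(host: str, label: str, found: Findings) -> None:
    if _host_matches(host, ANALYTICS_HOSTS):
        found["analytics"].append(f"{label} {host}")
    elif _host_matches(host, ADS_HOSTS):
        found["ads"].append(f"{label} {host}")


def scan_html(html: str) -> Findings:
    """Static check of the served page: external script/link targets and
    embedded tag IDs (e.g. in an inline gtag('config', ...) call)."""
    found = _empty()
    for url in SRC_ATTR.findall(html):
        _classify_host(urlsplit(url).hostname or "", "script/link to", found)
    for tag in sorted(set(TAG_ID.findall(html))):
        found["ads" if tag.startswith("AW-") else "analytics"].append(f"tag id {tag}")
    return found


def scan_requests(urls: Iterable[str]) -> Findings:
    """Runtime check: classify the requests actually made while loading the
    page (e.g. exported from the browser as a HAR file). This also catches tags
    injected by a tag manager, which a static scan of the HTML would miss."""
    found = _empty()
    for url in urls:
        _classify_host(urlsplit(url).hostname or "", "request to", found)
    return found


def scan_cookies(names: Iterable[str]) -> Findings:
    """Check the cookies set in the browser after the page load."""
    found = _empty()
    for name in names:
        if any(name == c or name.startswith(c + "_") for c in ANALYTICS_COOKIES):
            found["analytics"].append(f"cookie {name}")
        elif any(name == c or name.startswith(c + "_") for c in ADS_COOKIES):
            found["ads"].append(f"cookie {name}")
    return found


def audit(html: str, request_urls: Iterable[str], cookie_names: Iterable[str]) -> Dict[str, object]:
    """Combine the three checks into one verdict per vendor service."""
    evidence = _empty()
    for part in (scan_html(html), scan_requests(request_urls), scan_cookies(cookie_names)):
        for key in evidence:
            evidence[key].extend(part[key])
    return {"analytics_present": bool(evidence["analytics"]),
            "ads_present": bool(evidence["ads"]),
            "evidence": evidence}


# Constructed sample resembling the Hungarian case: Analytics removed, but an
# Ads/DoubleClick tag still loads and its cookies are still set.
SAMPLE_HTML = """<html><head>
<script async src="https://securepubads.g.doubleclick.net/tag/js/gpt.js"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body><p>Weather today</p></body></html>"""
SAMPLE_REQUESTS = [
    "https://example.hu/",
    "https://example.hu/static/site.css",
    "https://securepubads.g.doubleclick.net/tag/js/gpt.js",
    "https://stats.g.doubleclick.net/j/collect?t=dc",
]
SAMPLE_COOKIES = ["PHPSESSID", "IDE", "test_cookie"]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_HTML, SAMPLE_REQUESTS, SAMPLE_COOKIES).items():
        print(key, value)
```

On the constructed sample the audit reports no Analytics but flags Ads/DoubleClick five times (the script tag, two requests and two cookies), which is exactly the situation the Hungarian order had to deal with. The static scan of the HTML is only a starting point: the request list should come from actually loading the page in a browser, as the SAs did, since a tag manager can inject Analytics or Ads tags that never appear in the served HTML.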
  • 21 Sept 2022 - Denmark, news release (and Google Analytics webpage): Danish SA Datatilsynet says that, after investigating Google Analytics, its settings and tools, Google Analytics can't be used legally without implementing a number of additional measures beyond the settings provided by Google, reiterating that this is the pan-European view of SAs. This despite Google having made additional settings available in relation to what information can be collected via GA, since the Austrian decision. The SA's detailed FAQs on Google Analytics are worth a read, here's my summary:
    1. Can transfers to the US be prevented? The SA thinks GA can't be configured to avoid transfers to the US, but says to check with Google whether GA can be used without any transfers of personal data to the USA!
    2. Can GA be set up to not collect personal data? GA assigns visitors unique identifiers, collecting info about website interactions, time, approx. location, browser, operating system etc. It's possible to disable/not activate sharing data with Google for product development or Google Signals targeted marketing, and from Jan 2022 GA (at least GA4) can be configured to avoid collecting much other info, e.g. browser and OS. But even with the lowest sharing/collection settings, identifiers, website interactions and time/location are still collected, and these are still personal data.
    3. Is use of GA banned? No. But controllers must be able to demonstrate compliance with data protection rules. If you believe your setup and use of GA differs from the conditions the SA reviewed, document this and be able to demonstrate how the issues the SA identified aren't relevant to your use of GA. If your setup is the same, you're taking legal risk. However, ultimately the legal decision is for the courts.
    4. Isn't GA data pseudonymised?
      • IP address can be associated with individuals. Google said IP addresses aren't written to disk but hasn't clarified whether its zeroing of the address's last octet (the last 80 bits for IPv6) occurs before transfer to the US; seemingly this occurs in the nearest regional data center, which probably means European servers for those visiting a Danish organisation's website - however, visitors from e.g. Asia are connected directly to US servers if those are closest, so their IP addresses can be transferred to the US before anonymization.
      • GA4 uses IP address to determine approx. location, then discards the address. But, as with the current Universal Analytics, this could happen on US servers.
      • What's the issue with US servers? Google's firewall logs record incoming traffic; Google could link log info with GA info to derive IP addresses etc. Third country authorities could obtain info about the individuals linked to those IP addresses through legal channels such as agreements on mutual legal assistance (MLATs). So, the information isn't pseudonymized, as third country authorities could obtain additional information to attribute GA information to individuals.
    5. What about technical measures? 
      • Encryption is effective here only if the keys are controlled exclusively by the data exporter or a third party within the EU/EEA or in a secure third country. Google's encryption isn't good enough as it can access plaintext data.
    6. Pseudonymisation? Datatilsynet follows CNIL: a reverse proxy server for Internet traffic from website visitors could enable organizations to control which information is collected and which information is then sent to servers used to deliver the web analytics tool, e.g. Google's servers, but the proxy must be configured to meet the conditions for effective pseudonymisation, i.e. public authorities in the importing country must not be able to attribute the pseudonymised information to an identifiable person alone or in combination with additional information. See CNIL's reverse proxy guidance.
    7. What about a risk-based approach to the likelihood of authorities' requests for access? No. If it's possible (not just probable) that third country authorities can access personal data under laws/practices that can't ensure essentially equivalent protection to European standards, technical measures are necessary to make access impossible or ineffective.
    8. What about consent? Derogations like consent must be understood narrowly so as not to become the rule. Therefore consent isn't compatible with the usual use of GA involving general transfers to the US.
    9. But Google says it's never received US authority access requests for GA info in 15 years? The assessment of whether "problematic" legislation in a third country actually applies to the specific information concerned can't be based solely on the importer's statements, they must be supported by objective, reliable and accessible information.
    10. Any grace period? No. On the contrary, CJEU judgments are retroactive (!). But the SA will take account of the extent to which an organisation actively takes steps to bring its processing into compliance, whether the transfers were previously based on Privacy Shield, and how soon after Schrems II the process to legalise the position began. So organisations must assess their continued use of GA and legalise their use or stop using it - see CNIL's overview of other analytics tools. And it's organisations' own responsibility to demonstrate compliant use of GA.
    11. What about the new EU-US Trans-Atlantic Data Privacy Framework? It's not in place yet. Datatilsynet and the EDPB are ready to help assess its sufficiency. But the precise timing remains unknown.
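Points 4 to 6 of the Danish FAQ above turn on where identifying data is stripped: Google's own IP truncation may happen on US servers, whereas a reverse proxy under the exporter's control can truncate and pseudonymise before anything leaves the EU/EEA. What follows is an added example, not CNIL's or Datatilsynet's code and not from the original page: a sanitiser for one analytics hit that zeroes the last octet of an IPv4 address (the last 80 bits of IPv6), replaces the client identifier with a keyed HMAC whose key never leaves the proxy, strips the query string from the page URL, and drops fingerprintable fields such as user agent and screen size via an allow-list. The parameter names follow the Universal Analytics Measurement Protocol (assumed here; GA4 differs), and the allow-list, the secret key and the daily rotation of pseudonyms are design assumptions; the sample hit is constructed.

```python
"""Added example: an EU-side reverse-proxy sanitiser for one web-analytics hit.
Not CNIL's or Datatilsynet's code. Parameter names follow the Universal
Analytics Measurement Protocol (assumption); the allow-list, key and daily
rotation are design assumptions, and the sample hit below is constructed."""
import hashlib
import hmac
import ipaddress
from typing import Dict
from urllib.parse import parse_qsl, urlsplit

# Assumption: a secret held only by the proxy (never sent to the importer),
# loaded from a secrets store in practice rather than hard-coded.
PROXY_SECRET = b"example-proxy-secret-rotate-me"

# Assumption: only fields needed for basic page-view statistics are forwarded.
# Everything else (ua, sr, vp, ul, dr, uip, ...) is dropped unless handled below.
ALLOWED_FIELDS = {"v", "tid", "t", "dp", "dt", "ec", "ea", "ni"}


def truncate_ip(ip: str) -> str:
    """Zero the last octet of an IPv4 address or the last 80 bits of an IPv6
    address (the granularity described for Google's own anonymisation), but
    applied here on the proxy, before any export."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return str(ipaddress.ip_address(int(addr) & ~0xFF))
    return str(ipaddress.ip_address(int(addr) & ~((1 << 80) - 1)))


def pseudonymise_client_id(client_id: str, day: str) -> str:
    """HMAC the analytics client id under the proxy's key. The importer can
    still group hits from one visitor within a day, but cannot reverse the
    value, and including the day makes the pseudonym rotate daily."""
    mac = hmac.new(PROXY_SECRET, f"{day}:{client_id}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def strip_query(url: str) -> str:
    """Keep scheme, host and path of the page URL; drop query and fragment,
    which routinely carry user identifiers (tokens, e-mail addresses, ...)."""
    parts = urlsplit(url)
    return parts._replace(query="", fragment="").geturl()


def sanitise_hit(query_string: str, client_ip: str, day: str) -> Dict[str, str]:
    """Rewrite the query string of one /collect request into the parameters
    the proxy will forward: allow-list first, then per-field transforms."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    forwarded = {k: v for k, v in params.items() if k in ALLOWED_FIELDS}
    if "cid" in params:
        forwarded["cid"] = pseudonymise_client_id(params["cid"], day)
    if "dl" in params:
        forwarded["dl"] = strip_query(params["dl"])
    # The importer sees the proxy's egress address at the TCP level; the only
    # visitor-derived address it receives is this truncated one.
    forwarded["uip"] = truncate_ip(client_ip)
    return forwarded


# Constructed sample: what a browser would send to /collect, as seen by the proxy.
SAMPLE_HIT = (
    "v=1&tid=UA-12345-1&cid=555.666&t=pageview&dp=%2Fabout"
    "&dl=https%3A%2F%2Fexample.dk%2Fabout%3Fuser%3Dalice"
    "&ua=Mozilla%2F5.0&sr=1920x1080&ul=da-dk&uip=203.0.113.77"
)

if __name__ == "__main__":
    print(sanitise_hit(SAMPLE_HIT, "203.0.113.77", "2022-09-21"))
```

The allow-list is deliberate: a deny-list would leak any new parameter the vendor's tag starts sending. Whether a setup like this meets the conditions Datatilsynet and CNIL set (that authorities in the importing country cannot attribute the data to a person, alone or with additional information) still depends on the rest of the configuration, for example not forwarding cross-site identifiers and keeping the key and the raw logs on the EU side only.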
  • 7 Sept 2022 - Germany, news report: the Karlsruhe Higher Regional Court (news release) ruling overturned the 13 Jul 2022 Baden-Württemberg Public Procurement Chamber decision (judgment text):
    • The court held that German public authorities, in this case two municipally-owned hospital companies, could use EU subsidiaries of US cloud providers relying on the provider's contractual commitments that data will be processed only in Germany and not transferred to any third country, and the authority had to gather further information and verify whether the contractual assurances could be met only if specific factual indications raised doubts (Az.: 15 Verg 8/22).
    • Note: as the judgment referred to a Luxembourg subsidiary, the cloud company concerned must be Amazon Web Services, because of the main US cloud companies only AWS uses a Luxembourg subsidiary for contracting with European customers.
  • 5 Sept 2022 - Germany, news report: Freie Universität (FU) Berlin (the Free University of Berlin) has reportedly been ordered by Berlin's SA to stop using Cisco Webex video conferencing (Webex Events, Webex Training and Webex Teams) by the end of Sept 2022, but is resisting.
    • Students had previously complained about its use, including transfers to the US
    • The EDPS had previously temporarily authorised contractual clauses for the use of Webex by the Court of Justice of the EU in Aug 2021, see Further links below
  • 29 Aug 2022 - Austria, news report: Austrian lawyer Marcus Hohenecker sent website operators letters claiming data protection violations and demanding €190 compensation, because they were said to use Google Fonts (see 20 Jan 2022 case in Germany). Apparently over 10,000 such letters were sent. Another lawyer Peter Harlander who represents over 100 affected organisations has reported him to the Lower Austrian Bar for disciplinary proceedings and made a fraud/extortion complaint to the public prosecutor's office as it seems the websites might have been targeted by automated means without human access.
    • Shades of the copyright infringement claim letters that have been sent out in the UK for years, including allegedly for pornographic videos, with accusations of copyright trolling, scamming and extortion against the law firms involved.
    • Light relief: one such letter was apparently addressed to the 12th century abbess, composer and poet Hildegard von Bingen, as there's a website dedicated to her - which seemingly uses Google Fonts!
  • As at 23 July 2022 - the Netherlands' SA, AP - cookies webpage (under Questions, Show more Q&A) now states:
    "In 2022, several European privacy regulators completed investigations into the use of Google Analytics by websites in various EU Member States. The AP has now completed the investigation into two such websites of Dutch providers. A report has been drawn up of the findings. A legal procedure still has to be completed by the Enforcement Department of the AP. The AP expects to be able to say in the course of 2022 whether the use of Google Analytics is allowed or not."
  • 21 July 2022 - Italy's SA Garante decision (in Italian) in the same vein as its 23 June 2022 decision, against Fastweb SpA
  • 14 July 2022 - Denmark's SA Datatilsynet press release and decision (in Danish) & EDPB's 19 Jul 2022 news item (called Elsinore in translation) on Helsingør Municipality's use of Google's Chromebooks and Google Workspace (formerly G Suite for Education) for schools (i.e. including children's data), criticising the Municipality's previously-ordered risk assessment and ordering it to suspend transfers to the USA (and delete already-transferred data) and stop using Workspace until an adequate impact assessment had been conducted and the processing was brought into compliance with GDPR. In short: another decision effectively ignoring the likelihood of actual access; even the theoretical risk of US government access again seemed enough, and possible access to personal data purely for support purposes constituted a transfer. Again, encryption is not a sufficient technical measure if the importer can access intelligible data.
    • Google Cloud EMEA Ltd (incorporated in Ireland) was the Municipality's contracted processor.
    • Via Google Workspace for Education settings, the Municipality ensured personal data was only stored in data centers located within the EU/EEA.
    • The Municipality had conducted a TIA, concluding that the probability of the risk eventuating was low.
    • However, personal data could be transferred to third countries under the SCCs for support purposes, available to Google LLC in plain text.
    • The SA considered that Google LLC - when providing the service (support etc.) that gives rise to the transfer of personal data to it - must be considered an "electronic communications service provider" and thus may be subject to directives from law enforcement authorities under FISA 702. It also noted that contractual and organizational supplementary measures will generally not address access to or collection of personal data by US law enforcement authorities for surveillance purposes. It will therefore be necessary to take additional technical measures.
    • Encryption can be an effective supplementary measure that is suitable to supplement the EU Commission's standard contract and, overall, bring the level of protection in a third country up to the required European level. However, despite the personal data being encrypted in transit and at rest, Google LLC had access to the plaintext, so the SA found that here encryption was not suitable to address the conditions in the USA preventing the SCCs from being a sufficient means of ensuring effective protection of transferred personal data. EU/EEA, and that the Municipality of Helsingør has not taken the necessary supplementary measures to bring the level of protection up to the required level.
    • So the transfer of personal data that Helsingør Municipality had instructed Google Cloud EMEA Limited to carry out did not comply with the GDPR's transfers restrictions.
    • Note: since upheld in a full decision of 18 Aug 2022 (press release, including "the Data Protection Authority encourages other municipalities with similar circumstances to look at the same areas as in this case - especially in relation to unauthorized disclosure and transfer to unsafe third countries"), selected quotes:
      • ...In this context, the Data Protection Authority has in particular emphasized that the Helsingør Municipality's instructions to Google to only process "Customer Personal Data" for the municipality's purposes do not include all the personal data that is processed when the municipality's students use Google Chromebooks and Workspace, and that there are a number of personal data in the form of "Service Data", which is collected and passed on to Google for use for Google's own purposes.
      • ...It is thus not sufficient that Helsingør Municipality has only dealt with the risks to the rights and freedoms of the data subjects in Google Workspace – and not in the entire technology stack, including e.g. the Chrome browser and Google OS...
      • ...In addition, the data controller must assess whether there are risk scenarios that could imply illegal processing of personal data. In such risk scenarios, the Danish Data Protection Authority understands possible situations that may arise unintentionally and which involve a deviation from the intended, legal processing activity. It may, for example, be unintentional processing of personal data that the data controller is not authorized to process. It can also be an accidental collection of more information than is necessary in light of the purpose or an accidental failure to delete information when the data controller no longer needs the information. Likewise, it may be unintentional transfers to third countries or the use of data processors who cannot provide the necessary guarantees for compliance with the data protection regulation...
      • ...The previously announced ban of 14 July 2022 is therefore maintained, but amended so that the Data Protection Authority notifies Helsingør Municipality of a ban on processing personal data using Google Chromebooks and Workspace for Education. The ban applies until Helsingør Municipality has brought the processing activity in line with the data protection regulation as stated in the decision of 14 July 2022 and has complied with the regulation's article 35, subsection 1 piece. 7 and Article 36, subsection 1...[DPIA]
  • 13 July 2022 - Germany, Baden-Württemberg Public Procurement Chamber decision Az. 1 VK 23/22. Complaints were raised on several grounds, but only the transfers issues are covered below.
    • A public procurement chamber/tribunal ruled on the applicant's claims contesting a public authority's award under an open tender to a company whose subcontractor X (for server/hosting services) was based in an EU country and had servers physically located in Germany - but X was a subsidiary of a US company.
    • The court said use of X for hosting services was a "transfer". The personal data can be accessed from a third country, regardless of actual access, and the server's EU location is irrelevant. There is a latent risk of illegal transfers.
    • So, using X, a European company whose parent company is US-based X. Inc., is an inadmissible data transfer to a third country.
    • X's Data Processing Addendum allows transfers from the selected region where necessary to provide the service or to comply with a legal or valid order of a governmental authority. X also undertakes contractually to challenge any excessive or unreasonable request from a state authority, including such requests that conflict with the law of the EU or the applicable law of the member states. But the latent risk of access by public authorities under these clauses is sufficient for the transfer to be inadmissible under data protection law; the obligation to challenge excessive requests does not eliminate this latent risk.
      • Note: this seems to follow the increasingly-taken approach that even a theoretical risk of third country public authority access is enough - i.e. no transfers are permissible unless there is a zero risk of access. Zero risk of access is impossible in real life even with personal data hosted in the EEA by all-EEA-only companies, as that data could theoretically be accessed by hackers. Zero risk of access doesn't exist even in that situation, so are they saying that personal data can never be stored electronically anywhere unless air gapped?! Indeed, even air-gapped systems aren't 100% secure, think Stuxnet and malware-infected USB drives. Or should personal data never be stored at all even in paper form, because the risk of theft of paper files is non-zero? I say again, there really needs to be greater emphasis on data security (wherever data is hosted, whoever hosts it), rather than on theoretical risks under transfers.
      • Note: overturned by Karlsruhe court on 7 Sept 2022, see above.
    • Standard data protection clauses cannot legitimise transfers per se; rather, a case-by-case examination is required. As explained above, this leads to the assumption of inadmissibility under data protection law. There is also no derogation under Art. 49 GDPR here.
      • Note: it seems no transfer impact assessment was conducted here ("case by case examination"), which however is not surprising given the subcontractor was an EU company hosting the data in Germany. So the "no risk-based" approach is now being extended even to EU subsidiaries of US companies - contrary to the French decision discussed in my Jan 22 paper on transfers enforcement which noted that the CJEU did not discuss such subsidiaries in its ruling.
    • Note: This decision is being reviewed by the Karlsruhe Higher Regional Court so is not yet final. On 15 Aug 2022 the Baden-Württemberg SA criticised the decision (can any German speaker shed further light?):
      • It seems the chamber had not successfully accessed the relevant contractual clauses, the term prohibiting transfers was not sufficiently examined, but most of all the chamber's equating of access risk and transfer (as processing) was legally questionable. Completely rejecting a risk-based approach is unconvincing and ignores technical-organisational measures to address and possibly exclude the access risk. But the chamber did not consider the encryption tech used here for reasons of public procurement law. The best way to implement GDPR is still individual case by case examinations, not blanket transfer bans.
  • 12 July 2022 - EDPB's statement on transfers to the Russian Federation
    • This statement seems very bland and non-committal, particularly in light of an EDPB-commissioned report on government access to data in third countries (specifically China, India & Russia), Nov 2021, concluding that:
      "Russian data protection law is a complex matter. Although the formal legislative framework seems comprehensive, the enforcement and the application of the legislation has serious drawbacks. In addition, Russia has a striking record of violating the European Convention of Human Rights (ECHR) related to other related rights and freedoms, such as the freedom of expression. Especially in relation to the interests of national security, the right to data protection and privacy is limited. This was also stated by the European Court of Human Rights (ECtHR) in the Roman Zakharov v. Russia case. Considering the close correlation between the ECHR and the EU-Charter, careful consideration should be given to personal data transfers to Russia. Further, when it comes to state surveillance and data protection, some scholars argue, that digitalisation has led to new types of surveillance and possibilities of censorship and information controls. This reflects one of the major findings of this report, that authorities tend to use data protection laws as a means of enforcing political aspirations, maintaining control of the internet, and protecting the interests of the government. Finally, compared to the EU, Russian authorities take a significantly more negative approach to balancing fundamental rights in the digital sphere, putting protection of the State ahead of the interests and rights of data subjects."
  • 7 July 2022 - Italy's SA Garante decision (in Italian) in the same vein as its 23 June 2022 decision, against IlMeteo Srl 
  • 23 June 2022 - Italy's SA Garante press release and decision (in Italian), prohibiting websites' use of Google Analytics, with reprimand for one website and 90 days to comply (Caffeina Media Srl)
    • From the same hymnsheet as previous decisions in France, Austria - i.e., Google's measures aren't considered enough
    • EDPB summary 30 June 2022
  • 7 June 2022 - France's SA CNIL's Q&A on its notices (see item dated 10 Feb 2022, below) to several organisations re use of Google Analytics (notice text)
    • Google Analytics use (which Google confirmed always involves transfer to/hosting in the USA) is illegal
    • CNIL's view reflects SAs' coordinated position, e.g. Austria (see my Jan 2022 paper)
    • SCCs with Google aren't enough to legitimise its use; Google's additional legal, organisational and technical measures aren't enough to protect personal data against US intelligence services' access
    • Third country authorities may oblige companies subject to non-European jurisdiction to disclose personal data hosted on EU-located servers - but we knew that! (My data localization book argues that the focus of transfers restrictions should not be physical data hosting location, but on effective jurisdiction over those who can access intelligible data.) Art.48 only helps when there's an appropriate international agreement with the requesting third country
    • Google's anonymisation function doesn't apply to all transfers and it's unclear if anonymisation happens before or after transfers to the US. It pseudonymises, but unique identifiers allow tracking, sometimes cross-device; pseudonymisation is an acceptable supplementary measure only if the transferred data doesn't allow reidentification even with authorities' substantial resources. Tracking risk can be amplified when using Analytics with other Google services, allowing browsing history tracking via IP address.
    • Encryption by Google LLC is insufficient, because it has the keys and can access intelligible data. Encryption is an acceptable supplementary measure only if keys are exclusively controlled by the data exporter/others established in "adequate" countries
    • How to lawfully use Google Analytics/other audience measurement tools? 
      • Use a proxy server to avoid any direct contact between the Internet user's terminal and the servers of Google/other measurement tool (and transfer only pseudonymised data outside the EU), provided the proxy server meets the criteria under the EDPB's supplementary measures recommendations (but, the recommendations don't actually cover configuration of proxy servers as such!)
      • Or, correctly configure and use analytics tools previously approved by CNIL - but, if the tool involves transfers, you must conduct a Schrems II assessment (transfer impact assessment) or proxify as above
    • Explicit consent under Art.49 can legitimise transfers, but only for non-systematic transfers, so not a long-term solution (EDPB guidelines on derogations)
    • A risk-based approach, taking into account the likelihood of data access, is not possible (& see the 22 Apr 2022 Austrian decision below). If public authorities' access, going beyond what's necessary and proportionate in a democratic society, is possible (not just probable) and the rules on data access requests do not make it possible to guarantee a level of data protection essentially equivalent to that in the EU, additional "technical measures" must be taken to make this access impossible or ineffective.
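To make the "proxify" option in CNIL's Q&A concrete, here is an added illustration (my own constructed sketch, not CNIL's reference configuration and not Google's or anyone's product code) of what a server-side measurement proxy does with a hit before anything leaves the website operator's infrastructure: the browser talks only to the proxy, the proxy drops direct identifiers (client IP, user agent etc.), truncates the IP on the exporter's side rather than after receipt by the importer (the ordering point in the 22 Apr 2022 Austrian decision below), and replaces persistent identifiers with keyed pseudonyms whose key the exporter alone holds. The field names, the flat-dict "hit" format and the `EXPORTER_KEY` handling are assumptions made for the example; whether any such set-up meets the EDPB/CNIL criteria remains a case-by-case legal question that this code does not answer.

```python
"""
Constructed illustration of a server-side analytics proxy (not CNIL's own
configuration). The visitor's browser reaches only this proxy; the proxy
forwards a reduced, pseudonymised hit to the measurement tool.

Assumptions made for this example (not from the source):
- a "hit" is a flat dict of string fields; the field names are invented
  for the example and are not any real measurement protocol's names;
- EXPORTER_KEY is a secret held only by the website operator (the data
  exporter), so the importer cannot reverse the pseudonyms.
"""
import hashlib
import hmac
import ipaddress
import secrets

# Fields that directly identify the visitor or device; never forwarded.
# (Constructed list for this example.)
STRIPPED_FIELDS = {"client_ip", "user_agent", "user_id", "referrer"}

# Fields carrying a persistent identifier; replaced by a keyed pseudonym.
PSEUDONYMISED_FIELDS = {"client_id"}

# In production this would come from the operator's secret store and be
# rotated; a fresh random key here keeps the example self-contained.
EXPORTER_KEY = secrets.token_bytes(32)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym (truncated to 128 bits of hex). Because
    the key never leaves the exporter, a recipient cannot rebuild the
    mapping by hashing guessed identifiers, unlike an unkeyed hash."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:32]


def coarsen_ip(ip: str) -> str:
    """Truncate the visitor IP on the proxy, before forwarding: keep a /24
    for IPv4 and a /48 for IPv6, enough for coarse geolocation only."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def contains_direct_identifier(hit: dict) -> bool:
    """Guard used before forwarding: True if any stripped field survived."""
    return any(name in hit for name in STRIPPED_FIELDS)


def proxify_hit(hit: dict, key: bytes = EXPORTER_KEY) -> dict:
    """Return the hit as the proxy would forward it: no direct identifiers,
    keyed pseudonyms for persistent ids, and only a coarsened IP prefix.
    The measurement server's TCP peer is the proxy, so it never sees the
    visitor's real source address either."""
    forwarded = {}
    for name, value in hit.items():
        if name in STRIPPED_FIELDS:
            continue
        if name in PSEUDONYMISED_FIELDS:
            forwarded[name] = pseudonymise(value, key)
        else:
            forwarded[name] = value
    if "client_ip" in hit:
        forwarded["geo_prefix"] = coarsen_ip(hit["client_ip"])
    assert not contains_direct_identifier(forwarded)
    return forwarded


if __name__ == "__main__":
    # Constructed sample hit, as the browser would send it to the proxy.
    sample = {
        "client_ip": "203.0.113.45",
        "client_id": "GA1.2.123456.789",
        "user_agent": "Mozilla/5.0 (constructed)",
        "page": "/pricing",
        "event": "page_view",
    }
    print(proxify_hit(sample))
```

Note what the sketch does not do: it cannot stop linkage through fields it passes untouched (page paths that embed identifiers, timestamps precise enough to correlate), so the allow-list of forwarded fields has to be reviewed per deployment, which is the "case by case examination" point the SAs keep returning to.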
  • 16 May 2022 - EDPB news on Icelandic SA's fine (about €36k) imposed in early May 2022 on Reykjavík municipality for using the Seesaw educational system, including (but not only) for transfers to the USA without appropriate safeguards
    • The actual decision mentioned a "high risk" of transfer to the United States without appropriate safeguards, even though SCCs had been signed. "In this respect, appropriate protection measures would need to include the encryption of the data or something similar to ensure adequate protection of the information."
    • It does not appear that a transfer impact assessment was conducted.
  • 22 Apr 2022 - via NOYB 2 May 2022, a further Austrian SA decision (English translation), rejecting any risk-based approach to transfers and noting that IP address anonymisation only occurred after Google LLC had received the address, even if the anonymisation was conducted in the EEA.
  • 3 Mar 2022 - Liechtenstein's SA DSS - current topics: "...[especially post-Schrems II] the DSS no longer saw any legal basis to justify the personal data transfer to the USA associated with Google Analytics. Even if the often cited anonymization of the IP addresses is implemented by the website operator, further personal data is transmitted to Google... The findings of this [EDPB 101 taskforce] task force now serve as the basis for the judgments of the data protection authorities...
    Further decisions on the 101 complaints are expected from other European data protection authorities in the near future. Due to the coordinated approach, it can be assumed that the decisions will also be against the use of Google Analytics. So far, the data protection authorities have refrained from fines. However, this could change rapidly in the future.
    The DSS therefore calls on those responsible to design websites in compliance with data protection and to use alternative, data protection-compliant solutions instead of Google Analytics. Even if the DSS is not currently conducting official investigations in relation to Google Analytics, there have already been a number of complaints in Liechtenstein that could be resolved amicably by the website operators immediately deactivating Google Analytics."
      • Note on 101 taskforce: the EDPB decided in its 37th meeting, 2 Sept 2020, to create a taskforce to look into complaints filed in the aftermath of the CJEU Schrems II judgement - 101 identical complaints lodged with EEA SAs against several EEA controllers regarding their use of Google / Facebook services which involve the transfer of personal data. This task force held its first meeting before the EDPB's 38th meeting, 14 Sept 2020, aiming to achieve a consistent approach to the complaints. MEPs' complaints with NOYB were noted in the 45th meeting, 2 Feb 2021 (presumably the complaint against the European Parliament covered in my SSRN paper). In the 57th meeting, 18 Nov 2021, the outcome of the 101 taskforce's work was noted: "The outcome of the work will be used as a resource on which SAs can rely when making their own assessment in the context of the national procedures. The importance of the work carried out by the 101 Taskforce to promote consistency was highlighted." Hence the increasing number of SA decisions being issued on these complaints since Nov 2021.
  • 10 Feb 2022 - France's SA CNIL - news item, and full text of decision (translation) taking a similar approach to Austria's SA on transfers to the US of website visitors' IP addresses, online identifiers, browser data etc. through the website's use of Google Analytics and Google's SCCs, and rejecting the sufficiency of Google's supplementary measures. The draft decision went through the Art.60 cooperation procedure in Jan 2022 without any objections, no doubt because of the 101 task force's work.
    • This decision was anonymised but no doubt the company was one of the six with .fr domains that were named in NOYB's 101 list.
    • Added 19 Aug 2022: in English, from the EDPB's website, related Art.60 OSS decision on a distance selling company, summary;  a similar Art.60 decision of 2 Mar 2022 regarding a retailer of perfumery and beauty products in specialized stores, and another similar 2 Mar 2022 decision on a retailer of sports articles in specialised stores.
  • 2 Feb 2022 - Belgian's SA APD - decision on IAB's TCF, including on transfers (see IAB Europe's statement 2 Feb, and its intention to appeal 11 Feb; on what are TC Strings and CMPs, see IAB Europe's FAQs):
    "386. Finally, when the CMPs determine the list of recipients in accordance with the publishers' instructions, the Litigation Chamber finds that the publishers bear the main responsibility for the transfer of personal data to adtech vendors, without prejudice to IAB Europe’s responsibility, without which the global list of participating adtech vendors would not exist in the first place...
    ...490.With regard to the allegation by the plaintiffs that IAB Europe also violates Articles 44 to 49 GDPR, the Litigation Chamber acknowledges, in view of the scope of the Framework — which involves a large number of participating organisations — that it is evident that personal data captured in the TC Strings will be transferred outside the EEA at some point by CMPs, and that the defendant is acting as data controller in this regard (see para. 356-357). However, the Litigation Chamber notes that the Inspection Service did not include an assessment of a concrete international data transfer in its report. For this reason, the Litigation Chamber concludes that there is an infringement of the GDPR, but in view of the lacking evidence of a systematic international transfer, as well as the scope and nature thereof, the Litigation Chamber finds it is not in a position to sanction the defendant for a violation of articles 44 to 49 GDPR. Notwithstanding the previous, the Litigation Chamber also finds that these international transfers of personal data, where applicable, must be assessed primarily by the publishers and CMPs implementing the TCF. The Litigation Chamber finds that the publishers are responsible and accountable for taking the necessary measures to prevent personal data collected through their website and/or application from being transferred outside the EEA without adequate international transfer mechanisms.
    491. This being said, the Litigation Chamber also finds that the defendant should facilitate the due diligence incumbent on the publishers and CMPs, e.g. by requiring adtech vendors to indicate clearly whether they are located outside the EEA or whether they intend to transfer personal data outside the EEA through their data processors. Furthermore, the Litigation Chamber notes that, contrary to its obligation under the principles of accountability and of data protection by design and by default, IAB Europe did not foresee any mechanism to ensure that participating publishers and CMPs have put in place adequate mechanisms for potential international transfers of the TC String, as foreseen under Articles to 44 to 49 GDPR, both at the time of its creation and when transmitting the TC String to participating adtech vendors. The preamble of the TCF Policies merely indicates that the TCF “is not intended nor has it been designed to facilitate […] more strictly regulated processing activities, such as transferring personal data outside of the EU”. The Litigation Chamberfinds that this does not meet the requirements of Articles 24 and 25 GDPR..."
    • Note: the IAB's initial response stated that "it has always been our intention to submit the Framework for approval as a GDPR transnational Code of Conduct. Today’s decision would appear to clear the way for work on that to begin." While the IAB didn't indicate any intention to adapt TCF as a GDPR code of conduct for transfers, on 22 Feb 2022 the EDPB finalised its guidelines 04/2021 on codes of conduct as tools for transfers, so it would no doubt behove the IAB to consider those guidelines too.
  • 26 Jan 2022 - Norway's SA - news item: "The Norwegian Data Protection Authority (EDPS) has also made a similar decision. The Norwegian Data Protection Authority is also currently dealing with one case concerning the use of Google Analytics.
    - Although we have not concluded in these cases, we will look at European practice in case processing, Judin says.
    We know that there will also be more decisions about Google Analytics from other European data regulators. Therefore, we now recommend everyone to explore alternatives to Google Analytics."
  • 20 Jan 2022 - Germany, LG Munich court decision, awarded a website user €100 because the website used Google Fonts, thus transmitting the user's dynamic IP address to Google in the US: "It must also be taken into account that the IP address was undisputedly transmitted to a Google server in the USA, although an appropriate level of data protection is not guaranteed there (cf. ECJ, judgment of 16.7.2020 - C-311/18 (Facebook Ireland and . Schrems), NJW 2020, 2613) and the liability from Art. 82 Para. 1 DS-GVO is intended to prevent further violations and to create an incentive for security measures."
  • 19 Jan 2022 - Denmark's SA, Datatilsynet - news item: "In Denmark, the Danish Data Protection Agency will read the decision closely and - on the basis of several forthcoming decisions from other countries - provide further guidance on this to Danish companies and authorities."
  • (date unclear but after 7 and on or before 13 Jan 2022, based on the Internet Archive) - Netherlands' SA, AP - cookies webpage (under Questions, Show more Q&A):
    "Please note: use of Google Analytics may soon not be allowed
    The Austrian privacy regulator completed an investigation into the use of Google Analytics by an Austrian website in January 2022. According to the Austrian supervisory authority, Google Analytics does not appear to comply with the GDPR in this investigated case.
    The AP is currently investigating two complaints about the use of Google Analytics in the Netherlands. Upon completion of that investigation, in early 2022, the AP will be able to say whether Google Analytics is now allowed or not."

Other 2022 transfers-related matters (e.g. transfers enforcement/guidance/issues but not UK/EU, or UK/EU-related transfers issues other than GDPR enforcement)

  • 14 Dec 2022 - US redress - ODNI's press release and Intelligence Community Directive 126: Implementation Procedures for the Signals Intelligence Redress Mechanism under Executive Order 14086.
  • 13 Dec 2022 - European Commission issued draft adequacy decision for the EU-U.S. Data Privacy Framework (DPF). Awaiting EDPB opinion, European Parliament scrutiny (both non-binding), and approval (see flowchart) by a committee of EU Member State representatives. The committee has previously taken 4-6 months to approve such draft decisions under GDPR.
  • 7 Oct 2022 - US President Biden's Executive Order On Enhancing Safeguards For United States Signals Intelligence Activities (EO 14086, Federal Register) and fact sheet; National Security Memorandum on Partial Revocation of Presidential Policy Directive 28
  • 10 Aug 2022 - TheCityUK's press release and report on Digital trade: a commercially viable approach
  • 18 July 2022 - Google's blog post on the Global Cross Border Privacy Rules Forum (FAQ), to establish an international certification system based on the APEC CBPR and PRP Systems, but independently administered and separate from the APEC Systems
  • 12 July 2022 - Russia's regulator Roskomnadzor - news item: fines for data localization law infringement - Apple Inc. 2m rubles, Zoom Video Communications Inc. 1m rubles, Ookla LLC 1m rubles
  • 28 June 2022 - Russia's regulator Roskomnadzor - news item: fines for data localization law infringement - Twitch Interactive, Inc., Pinterest, Inc. and Airbnb Inc. each fined 2m rubles, United Parcel Service, Inc. (UPS) fined 1m rubles
  • 23 June 2022 - Google calls for more transparency around government data access demands, no doubt influenced by Schrems II and the increasing enforcement action against transfers & Google Analytics
  • 21 June 2022 - Guernsey's regulator ODPA - news item: guidance on data transfers: Guidance on international transfers, Guidance and self-assessment tool for Transfer Impact Assessments, The Bailiwick of Guernsey Addendum for the EU Commission's Standard Contractual Clauses (SCCs)
  • 16 June 2022 - Russia's regulator Roskomnadzor - news item: fines for data localization law infringement - Google LLC 15m rubles, Likeme Pte. Ltd 1.5m rubles
  • 13 June 2022 - Swiss regulator FDPIC's press release. It's Switzerland not EEA/UK, but I've added it anyway
    • FDPIC advised Suva to reconsider its outsourcing of personal data processing to a cloud service of US company Microsoft, albeit using "a data centre operated on Swiss territory". FDPIC reserved the right to take supervisory action. The detailed documents are in German and scanned so no Google Translate - can anyone shed any further light, is this definitely transfers-related?
  • 13 June 2022 - the Datasphere Initiative's paper Sandboxes for data: creating spaces for agile solutions across borders (press release) mentions that privacy enhancing technologies (PETs) "can be used to change the traditional model of cross-border transfers which assumes data leaving one jurisdiction where it has certain protections and requirements, and entering another where these are lessened", mentioning homomorphic encryption (but unfortunately not my pet subject of confidential computing/TEEs/enclaves).
  • 8 June 2022 - Denmark's SA Datatilsynet's press release and guidance on the concept of data exporter (nothing on analytics, but added for completeness)
    • EEA controller -> EEA processor -> non-EEA subprocessor: both controller and processor are responsible for compliance re transfers, security; the processor can use SCCs P2P module. No surprises there.
    • The SA also updated its general transfers guidance to v4. I believe this guidance already stated that, with cloud services, "transfer" includes personal data physically leaving the EU/EEA i.e. hosted outside; cloud provider access to personal data from outside the EU/EEA for maintenance or debugging/error correction purposes; also chats/customer service comms for support purposes where the comms are hosted outside the EU/EEA.
  • 27 May 2022 - Russia's regulator Roskomnadzor - news item: preliminary action on data localization law infringements against Airbnb, Pinterest, Likeme, Twitch, Apple, United Parcel Service, Google
  • 25 May 2022 - European Commission's FAQs / Q&A on the 2021 SCCs published. No time for comments yet, but many of the issues raised in my article on practical problems with the 2021 EU SCCs don't seem to have been addressed...
  • 18 May 2022 - blog by Microsoft's Brad Smith, "Microsoft responds to European Cloud Provider feedback with new programs and principles", including more data localisation and deglobalisation:
    • "We have completed or are now constructing 17 datacenter regions in Europe and are rapidly expanding our footprint across the continent"
      • But what about remote support or software maintenance from outside the EEA, will all that be localised too?
    • For EEA government/public sector bodies' "sovereign needs", partnerships with "trusted local cloud technology company" in Italy (Leonardo), France (Capgemini & Orange), Spain (Telefónica Tech), Germany (SAP & Arvato Systems)
      • Details of the model are not clear, but could it include some licensing of Microsoft software as suggested by CNIL in France? (see my GDPR transfers enforcement post-Schrems paper on CNIL's suggestion, and also on Microsoft's previous partnership with Deutsche Telekom after Schrems I, which model was terminated in mid-2018).
      • It seems some of these partnerships will extend to cloud services like Azure PaaS/IaaS and SaaS like Office365.
      • Again, what about remote support/maintenance from outside the EEA?
  • 16 May 2022 - EU Data Governance Act approved by Council, to enter into force 20 days after publication in the Official Journal, with a 15-month grace period before the new rules apply - not GDPR, but extending restrictions on transfers of non-personal data:
    • "The DGA creates safeguards for public-sector data, data intermediation services and data altruism organisations against unlawful international transfer of or governmental access to non-personal data. For personal data, the EU already has similar safeguards under the GDPR.
      In particular, the Commission – through secondary legislation – may adopt adequacy decisions declaring that specific non-EU countries provide appropriate safeguards for the use of non-personal data transferred from the EU. These decisions would be similar to adequacy decisions relating to personal data under the GDPR. Such safeguards should be considered to exist when the country in question has equivalent measures in place that ensure a level of protection similar to that provided by EU or member state law.
      The Commission may also adopt model contractual clauses to support public-sector bodies and re-users in the case of transfers of non-personal data covered by the DGA to third countries."
  • 15 May 2022 - UK Information Commissioner John Edwards' speech mentioned international data flows as a key area for "collective application":
    • "This is an area crowded with expensive proxies, which impose significant cost on industry and governments, but which provide dubious benefits to those they are intended to protect. By proxies, I mean standard contractual clauses, binding corporate rules, individualised adequacy determinations, accreditation programmes like APEC’s CBPRs.
      They are proxies for the recognition of some of the most fundamental duties any state owes its citizens, the duty to protect them. And a recognition that in order to discharge that duty, organs of the state, being its security and intelligence arms from time to time need lawful, proportionate access to personal information... Until then [international progress] we need to keep working on the least bad options, and to that end I welcome the work of the DCMS International Data Transfer Expert Council" - of which I'm fortunate enough to be a member.
    • I hope this means he read my 2017 book on transfers and data localization, particularly in cloud, where I argued that countries' data transfer restrictions were proxies for control of access to intelligible personal data! (or at least read Chris Reed's seminal book Making Laws for Cyberspace, which introduced the notion of certain laws being proxies for the real legislative objectives, notably copyright laws regulating acts of copying as proxies for the true underlying concern, use).
  • 25 Mar 2022 - European Commission and United States Joint Statement on Trans-Atlantic Data Privacy Framework
  • 25 Mar 2022 - the UK's International data transfer addendum to the European Commission’s standard contractual clauses (Addendum) and International data transfer agreement (IDTA) became effective, having been laid before Parliament on 2 Feb 2022. Guidance on these was due to be published "soon" but as at 25 July 2022 is still not available.
  • 9 Mar 2022 - Denmark's SA Datatilsynet - news item on cloud generally (rather than analytics specifically): Guidance on the use of cloud, in English, with Q&A (Danish). Comments are welcomed. Some translated extracts from the Q&A (emphasis added):
    • "Should I comply with the rules on third country transfers if a cloud provider offers a solution where the information is only stored in the EU and IP filtering cuts off access from third countries?
      Maybe. If the cloud provider - either through additional services or as a service or support of its own infrastructure - can access the information from a third country, you must continue to observe the rules on third country transfers."
    • "Can I legally transfer personal information in clear text to the United States?
      If your data importer and/or the information you wish to transfer is covered by e.g. FISA 702, it is very difficult to transfer information in plain text to the United States, i.e. without taking additional measures. If you can objectively prove that the problematic legislation, including e.g. FISA 702, will not be applied in practice to the information to be transferred, it may be possible. In addition, in certain cases and in special situations you can make exceptions to the rules on third country transfers."
    • "If the information is not transferred to the US, can one use a US cloud provider?
      Yes, you can. Even if a provider is covered by US law that may result in disclosure of information (e.g. US CLOUD Act), you can - if it is agreed and you are assured that the provider will comply with applicable EU law - make use of the supplier in question."
  • 9 Mar 2022 - France's computer security agency ANSSI updated its cloud certification framework SecNumCloud (English translation)
    • The press release stated that this update is Schrems II compliant:
      "The "Schrems II" judgment of the Court of Justice of the European Union recalled the requirement to guarantee protection equivalent to that offered by the General Data Protection Regulation (GDPR) when personal data of European citizens are transferred outside the European Union (EU). Furthermore, and independently of the existence of transfers, certain extraterritorial legislations which do not offer a level of protection substantially equivalent to that guaranteed by the GDPR may apply to data stored by cloud providers within the territory of the EU. In this respect, SecNumCloud 3.2 provides strong guarantees in terms of protection against non-European legislation with extraterritorial scope.
      "While the CJEU's decision calls for a case-by-case analysis which can be complex, the SecNumCloud 3.2 repository [i.e. the standard] provides an answer which is compliant by design with the Court's requirements for data protection in the cloud. The CNIL recommends the use of this standard for data controllers who want to guarantee a high level of protection of personal data" indicates Marie-Laure Denis, President of the National Commission for Computing and Liberties (CNIL).
    • Key changes in SecNumCloud v3.2 relevant to transfers / data localisation (toned down a little from the 2021 draft that was more drastic regarding data localization, e.g. in effectively requiring support (9.7.d) and maintenance (12.13.a) only from EU-located persons):
      • Provider TIA 5.3:
        • "d) The service provider must list, in a specific document, the residual risks linked to the existence of extra-European laws aimed at collecting data or metadata from sponsors without their prior consent. e) The service provider must make available to the commissioning entity, at the request of the latter, the risk assessment elements related to the submission of the data of the sponsor to the law of a state that is not a member of the European Union."
      • Remote support 9.7.d: "In the context of technical support, if the actions necessary for the diagnosis and resolution of a problem encountered by a sponsor require access to the sponsor's data, then the service provider must:... in the case of an intervention carried out remotely by a person located outside the European Union, implement a secure gateway (bounce station) through which the person must connect and allowing supervision (authorization or prohibition of actions, requests for explanations, etc.) in real time, by a person who has himself satisfied the verifications of requirement 7.1.b [stronger background checks for those with admin rights]. The secure gateway must meet the security objectives specified in [G_EXT] adapted to the context of the technical support actions;"
      • Roots of trust 10.6.1: "On the technical infrastructure, the service provider must exclusively use key certificates issued by a certification authority of a Member State of the European Union (the master key generation ceremonies must take place in a member country of the European Union and in the presence of the service provider)."
      • Data localization 19.2.d: "The service provider must store and process technical data (identities of technical infrastructure beneficiaries and administrators, data handled by Software Defined Network, technical infrastructure logs, directory, certificates, access configuration, etc.) within the European Union".
      • Protection against extra-European law 19.6: "a) The registered office, central administration and [or?] main establishment of the service provider must be established within a Member State of the European Union" (19.6.a, which doesn't seem to preclude using an EU-established subsidiary of a US provider). I won't quote the rest of 19.6 here, which is long - see 19.6 translation, but there are new requirements regarding non-EU entities' control of shares/voting rights in the provider, any non-EU subproviders used can't have technical access to data, non-EU subproviders must "guarantee" certain service assurances, the provider's service must comply with legislation on fundamental rights and values (consider if it has links with a foreign government/public body), and the provider must give notice within 1 month of changes that may affect its compliance with 19.6.
      • Not new
        • The service agreement must specify the "location of the service" [whatever that means?], and (when from outside the EU) the location of support (19.1.b), and the provider must offer a service agreement specifying the law of an EU Member State (19.1.c);
        • Data localization 19.2: "a) The service provider must document and communicate to the commissioning entity the location of the storage and of the latter's data processing. b) The service provider must store and process the data of the sponsor within the European Union. c) The administration and supervision of the service must be carried out from the European Union. d) The service provider must store and process technical data (identities of beneficiaries and technical infrastructure administrators, data handled by Software Defined Network, technical infrastructure logs, directory, certificates, access configuration, etc.) within the European Union. e) The service provider may carry out support operations for sponsors from a State outside the European Union. He must document the list of operations that can be performed by the support to the sponsor from a State outside the European Union, and the mechanisms ensuring access control and supervision from the European Union."
      • (See also 12.10 on updates and code audits, new 19.1.b: "The service agreement must indicate that the collection, handling, storage, and more generally the processing of data made in the context of pre-sales, implementation, maintenance and termination of the service are carried out in accordance with the requirements laid down by the legislation in force", and 19.4.a provider must give 21 days' notice of deletion post-termination)
  • 23 Feb 2022 - European Commission's news item about the proposed EU Data Act, which includes Art. 27, International access and transfer:
    • "1.  Providers of data processing services shall take all reasonable technical, legal and organisational measures, including contractual arrangements, in order to prevent international transfer or governmental access to non-personal data held in the Union where such transfer or access would create a conflict with Union law or the national law of the relevant Member State, without prejudice to paragraph 2 or 3 [court judgments, administrative decisions etc - if MLATs or no MLATs] ...", plus notice of administrative requests (see also Recital 77).
  • 21 Jan 2022 - Guernsey's data protection authority, ODPA - news item (not EEA, but...): "Because we were using it [Google Analytics] in such a limited way, and in light of the January 2022 judgment by the Austrian Data Protection Authority on its use within the EU, we decided to remove it from our website."
  • 19 Jan 2022 - Google's blog - emphasising that "...Google has offered Analytics-related services to global businesses for more than 15 years and in all that time has never once received the type of demand the [Austrian] DPA speculated about. And we don't expect to receive one because such a demand would be unlikely to fall within the narrow scope of the relevant law." (pre-24 Jan, but I didn't specifically note that point in my paper).

Further links to relevant matters not mentioned in my Jan 2022 paper although pre-dating it:

  • 17 Nov 2021 - Denmark's SA, Datatilsynet - news item: "in this connection, Næstved Municipality has supplemented by the fact that Amazon Web Service (AWS) Frankfurt is the sub-processor for Siteimprove, which is also stated in the data processor agreement between Næstved Municipality and Siteimprove. The agreement ensures that personal data is only stored in the EU. In this connection, AWS Frankfurt has in the agreements and publicly given guarantees that this restriction will be maintained and that there will be no transfer to countries outside the EU - including the USA. It is Næstved Municipality's opinion that there is no real risk that information will be transferred to the USA in violation of these guarantees in connection with online support or the like...
    Finally, the Danish Data Protection Agency has emphasized that AWS, which is used as a sub-data processor for the processing of personal data for statistical purposes, has by agreement and publicly guaranteed that there is no transfer of data to countries outside the EU, and that the processing therefore takes place under Siteimprove's controlled framework.
    Against this background, the Danish Data Protection Agency assesses that Næstved Municipality's processing of personal data about website visitors has taken place as part of the municipality's exercise of authority and thus within the framework of the Data Protection Ordinance, Article 6(1), letter e."
  • 28 Sept 2021 - Microsoft's first post in a four-part series on the NOBELIUM nation-state cyberattack including SolarWinds.
  • 31 Aug 2021 - the European Data Protection Supervisor (EDPS) temporarily authorised the use of ad hoc clauses, between the Court of Justice of the EU and Cisco, for transfers arising from the use of Cisco Webex.
  • 14 Apr 2021 - University of Surrey - news item on academic study showing 100 per cent rise in nation-state attacks in the last three years: summary; report.