Who hasn’t used Dropbox, Google Drive, or We Transfer to send images or heavy document folders at work? How many companies use applications like Mailchimp to design their newsletter?
There are many entities – companies, SMEs and freelancers, foundations, NGOs – that use these means of digital storage and mass dissemination of emails in their day to day. What many do not know is that they are based in the United States and that this has legal implications and risks in terms of data protection.
To clarify a bit the panorama and the roles, it is necessary to point out that the SME, organization or self-employed person that uses these means has the role of “data controller” of personal data.
And every time you “upload” information from third parties to these platforms, you would be carrying out an international data transfer, as defined by the General Data Protection Regulation (RGPD). And, to close the circle, companies such as Google Drive, Microsoft One Drive or Dropbox, will be the “processors” of such personal data.
On the other hand, the RGPD or the Spanish regulations do not indicate anything specific about storage in the cloud, or about email marketing platforms or collaborative digital work.
The end of the Privacy Shield
But it does clarify that the data controller will only choose a person in charge of the processing of personal data who offers sufficient guarantees regarding data protection; In other words, the person in charge must confirm that the person in charge is from a country where levels of data protection similar or higher than those of the European Union (EU) are guaranteed. And their lack of diligence – it goes without saying – will derive responsibilities.
All this was solved until a few months ago, when relations between the European Union and the United States were governed by a regulatory framework known as the Privacy Shield. But since the Sentence of the Court of Justice of the European Union of July 16, 2020, also called Scheme II, was published, this “Shield” has been invalidated.
As a solution, the RGPD provides that for an international transfer of data between different entities, CCT or Type Contractual Clauses -SCC, the acronym in English for Standard Contractual Clauses- can be agreed. But the aforementioned ruling also refers to the CCT.
On the one hand, it says that although these clauses are applicable to the exporter and importer of the data, they are not binding for a third country (in this case, for the United States).
On the other, there are no guarantees or protection equivalent to art. 52 of the Charter of Fundamental Rights of the European Union in case of any interference with surveillance programs, such as those that the United States Government can carry out under the USA Patriot Act of 2001.
User consent?
Third, the Court of Justice of the European Union considers that the communication of personal data to a third party, such as a public authority, constitutes an interference with the fundamental rights protected by articles 7 and 8 of the Charter, whatever the subsequent use of the information communicated. And, finally, it indicates that in the United States there is no body equivalent to those in the EU that allows people to appeal and have guarantees on their personal data transferred to that country.
On the other hand, and reinforcing this idea, the EDPB (European Data Protection Board or, in English, European Data Protection Board) has also ruled on the legal situation of the United States regarding privacy: “American law (… ) does not guarantee a substantially equivalent level of protection ”of the European data protection regulations”.
In short, that a US provider of this type of services has Standard Contractual Clauses does not give assurance that it is hiring a processor who complies with all the guarantees required by the General Data Protection Regulation.
Let’s put ourselves in the case that the user allows it: what would happen if the owner of the rights consents to an international transfer taking place? The RGPD considers that the consent of the rights holders would only be sufficient if they have done so explicitly and after having been informed of the possible risks involved in the lack of adequate guarantees.
In addition, the transfer must meet a series of requirements and can only be carried out if it is not repetitive; if it affects a limited number of stakeholders; if it is necessary for the purposes of compelling legitimate interests of the data controller, but only if the interests or rights and freedoms of the interested party do not prevail; if the controller correctly assessed all the circumstances related to the transfer and offered appropriate guarantees for data protection.
The alternatives
On the other hand, the person responsible for the treatment is obliged to inform both the control authority and the interested party of the legitimate interests that motivate him to make said international transfer.
Among the companies that provide these services, we can say that Microsoft became the first cloud provider to work with the European data protection authorities for the approval of the European model clauses, it was also a pioneer in adopting new technical standards for privacy in the cloud, and strong supporters of the GDPR since its first proposal in 2012.
Other cloud solutions have not yet been adapted to the European Regulations, despite the fact that their web pages deal with such adaptation. For example, Google and Dropbox -among others- do not refer to the current reality after STJUE 7/16/2020 in their terms and conditions on international transfer, and the impression they offer is that they are still not adequate.
Against this background, a real alternative is for the service provider, even if it is of American origin, to have the servers, headquarters, etc. located. in the territory of the European Union, so it would have to comply with European legislation.
Another solution is the anonymization of the data, in such a way that personal data is not provided – and it is no longer subject to the rules of the RGPD – and only numbers that have no reference to identifiable persons are provided (can be consulted in this meaning the Guide published by the Spanish Data Protection Agency (AEPD) in 2016, and revised in 2019, on the anonymization of personal data).
If the SME, the self-employed, the association or NGO wants to continue using this type of service from providers in the United States, it will be essential to have the informed and express consent of the interested parties. Also be aware of the communications made on this matter by the EU and also of the measures that the provider is adopting, studying its policy in detail.
In these specific cases, it will be essential that the Data Protection Officer or the law firm that advises the entity on privacy matters carry out periodic audits to detect possible changes and analyze their legal impact.