A recent decision by the Austrian Supervisory Authority (“SA”) casts a spotlight on the complexities of data transfers and cookie use, and highlights a shift in regulatory focus onto these topics in the year ahead. Regulators around Europe are increasingly beginning to weigh in on such transfers, and the outcomes of their deliberations will shape the data transfer compliance landscape in the months to come. These decisions present complex questions about the future of data transfers in the EU and UK.
Prior to the pandemic, there was considerable interest in the increased regulation of cookies, albeit with a focus on the legal bases of processing. In 2019, numerous SAs across Europe introduced guidance on cookies, and in parallel the European Court of Justice confirmed the need for opt-in consent when setting cookies in the formative Planet49 case. Such considerations momentarily took a back seat to the urgent data protection issues arising from the pandemic, with the UK data protection authority (the “ICO”) in particular formally announcing a pause on its investigation into real-time bidding (“RTB”) and the AdTech industry.
The Austrian SA Decision
Transfer Scrutiny Spreads Across the EU, and Potentially Beyond
Questions over the Future of EU, UK, and US Data Transfers
Organizations relying on cookies or other tracking technologies that transfer data to providers outside the EEA or UK will potentially be saddled with a high compliance burden. According to the Austrian SA’s decision, the burden of compliance lies with the website provider and not its service provider. As data exporter, the website operator was found to have violated its data transfer obligations under the GDPR. The burden of proof as to whether the data being transferred to the US is personal data also lies with the website provider, as the Austrian SA indicated that the mere possibility of identifying an individual through the uniqueness of the cookie number was sufficient for it to be classified as personal data. This is in line with the GDPR’s definition of personal data, as the possibility of identification is sufficient (regardless of whether such identification can be proven to occur or not), and the low threshold for what constitutes personal data means that it is easy to fall within the scope of the GDPR.
With the cookie data considered to be personal data, an open question remains as to what measures will be deemed adequate to attain GDPR-compliant protection for personal data transferred to the US. The Austrian SA required supplementary measures to “actually prevent or restrict the access possibilities of US intelligence services on the basis of US law.” This appears to call for an absolute elimination of risk—the encryption of personal data in this instance in and of itself was not sufficient protection because the data importer was subject to US law and as such could be compelled to provide both the data and the relevant cryptographic keys to US authorities.
Furthermore, whether the UK may use this opportunity to further differentiate itself from the EU remains far from certain. Although the UK is not shy about its intentions to develop a unique data protection compliance regime, the current European Commission adequacy decision for the UK depends on the UK’s compliance with European standards; a failure to do so may result in the invalidation of this adequacy finding and consequently the need for data transfer mechanisms to export data from the EU to the UK. Moreover, as the only adequacy decision (so far) with a sunset clause, the pressure for the UK to comply with EU data protection standards is not only evident but heightened. Set against this background, it remains to be seen whether the draft International Data Transfer Agreement (“IDTA”) (the UK’s version of the Standard Contractual Clauses) will trigger any pushback from Brussels, and whether it will remain in its current form until its tentative entry into force in March later this year.
Beyond the Standard Contractual Clauses or IDTA, it is also far from certain whether another data transfer mechanism will come to the rescue in time. Since the Schrems II decision was issued, the EU and US have been attempting to find a replacement for Privacy Shield, but there has been no serious momentum or proposal made. Despite negotiations intensifying on the matter, the specter of a potential Schrems III invalidating a “Safe Harbor 3.0” remains in the background, and the recent spotlight on this issue only serves to make the negotiators’ task more difficult.
It remains to be seen how data transfer restrictions in the EU and elsewhere around the globe will shape the world wide web. Ropes & Gray will be monitoring for further developments and opinions regarding data transfer mechanisms. Subscribe to RopesDataPhiles to receive updates.