A recent decision by the Austrian Supervisory Authority (“SA”) casts a spotlight on the complexities of data transfers and cookie use, and highlights a shift in regulatory focus onto these topics in the year ahead. Regulators around Europe are increasingly weighing in on such transfers, and the outcomes of their deliberations will shape the data transfer compliance landscape in the months to come. These decisions present complex questions about the future of data transfers in the EU and UK.

Background

Prior to the pandemic, there was considerable interest in the increased regulation of cookies, albeit with a focus on the legal bases of processing. In 2019, numerous SAs across Europe introduced guidance on cookies, and in parallel the European Court of Justice confirmed the need for opt-in consent when setting cookies in the formative Planet49 case. Such considerations momentarily took a back seat to the urgent data protection issues arising from the pandemic, with the UK data protection authority (the “ICO”) in particular formally announcing a pause on its investigation into real-time bidding (“RTB”) and the AdTech industry.

It is now clear that any respite the pandemic might have provided was temporary. The pivotal Schrems II decision in July 2020 invalidated the use of Privacy Shield to legitimize transfers of data from the EU to the US and increased regulatory scrutiny over the use of Standard Contractual Clauses (for more information, please see our client alert Privacy Shield Invalid but SCCs Survive… What next for international personal data transfers?). Last month, a decision announced by the Austrian SA declared that EU to US data transfers through the use of cookie services were in breach of the GDPR. These decisions, among other guidance, investigations, and opinions issued across Europe, signal not only increased oversight of the use of cookies and similar tracking technologies but also a focus on the data transfers that result from such use and whether such transfers are compatible with EU data protection law in light of Schrems II.

The Austrian SA Decision

The Austrian SA found that a website was in breach of the GDPR’s data transfer rules through its use of cookies. In particular, the SA found that the website operator did not ensure that personal data transferred from Europe to the US—via cookie services—was provided with an adequate level of protection. Even though the website operator had entered into the Standard Contractual Clauses with the service provider, with the additional implementation of numerous supplementary measures (including encryption, anonymization, and pseudonymization, and “careful examination(s) of every data access request” received by the US authorities), such measures were still found to be insufficient.

Transfer Scrutiny Spreads Across the EU, and Potentially Beyond

As the first response to the 101 complaints filed with SAs across Europe by NOYB, a privacy-centered non-governmental organization founded and led by Maximilian Schrems (the eponymous party to the seminal Schrems cases), it was only a matter of time before other SAs weighed in on the matter. The Austrian SA’s decision has in turn sparked investigations in Denmark and the Netherlands regarding EU to US transfers through cookie practices, with the Netherlands SA expected to issue its conclusions in the coming months. Other SAs across the EU are also expected to weigh in on the matter shortly, and certain SAs have already indicated an inclination to follow the Austrian decision. For example, although German SAs operate at a state level, federal-level guidance issued in December last year indicated that supplementary measures (on top of standard contractual clauses) may not be sufficient to justify the use of certain website-integrated tracking services. Moreover, the European Data Protection Supervisor issued a reprimand to the European Parliament earlier this month regarding the illegal transfer of data stemming from its use of cookies, implying an overarching stance on this matter across the EU.

Questions over the Future of EU, UK, and US Data Transfers

Organizations relying on cookies or other tracking technologies that transfer data to providers outside the EEA or UK will potentially be saddled with a high compliance burden. According to the Austrian SA’s decision, the burden of compliance lies with the website provider and not its service provider. As data exporter, the website operator was found to have violated its data transfer obligations under the GDPR. The burden of proof as to whether the data being transferred to the US is personal data also lies with the website provider, as the Austrian SA indicated that the possibility of identifying an individual through the uniqueness of the cookie number was sufficient for it to be classified as personal data. This is in line with the GDPR’s definition of personal data, as the possibility of identification is sufficient (regardless of whether such identification can be proven to occur or not), and the low threshold for what constitutes personal data means that it is easy to fall within the scope of the GDPR.

With the cookie data considered to be personal data, an open question remains as to what measures will be deemed adequate to attain GDPR-compliant protection for personal data transferred to the US. The Austrian SA required supplementary measures to “actually prevent or restrict the access possibilities of US intelligence services on the basis of US law.” This appears to call for an absolute elimination of risk—the encryption of personal data in this instance in and of itself was not sufficient protection because the data importer was subject to US law and as such could be compelled to provide both the data and the relevant cryptographic keys to US authorities.

Furthermore, whether the UK may use this opportunity to further differentiate itself from the EU remains far from certain. Although the UK is not shy about its intentions to develop a unique data protection compliance regime, the current European Commission adequacy decision for the UK depends on the UK’s compliance with European standards; a failure to do so may result in the invalidation of this adequacy finding and consequently the need for data transfer mechanisms to export data from the EU to the UK. Moreover, as the only adequacy decision (so far) with a sunset clause, the pressure for the UK to comply with EU data protection standards is not only evident but heightened. Set against this background, it remains to be seen if the draft International Data Transfer Agreement (“IDTA”) (the UK’s version of the Standard Contractual Clauses) will trigger any pushback from Brussels, and whether it will remain in its current form until its tentative entry into force in March later this year.

Beyond the Standard Contractual Clauses or IDTA, it is also far from certain whether another data transfer mechanism will come to the rescue in time. Since the Schrems II decision was issued, the EU and US have been attempting to find a replacement for Privacy Shield, but no serious momentum has built and no proposal has been made. Despite negotiations intensifying on the matter, the specter of a potential Schrems III invalidating a “Safe Harbor 3.0” remains in the background, and the recent spotlight on this issue only serves to make the negotiators’ task more difficult.

It remains to be seen how data transfer restrictions in the EU and elsewhere around the globe will shape the world wide web. Ropes & Gray will be monitoring for further developments and opinions regarding data transfer mechanisms. Subscribe to RopesDataPhiles to receive updates.