International: Data transfers and online advertising technologies post-Schrems II
With the new scenario following the Court of Justice of the European Union's ('CJEU') decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case'), the legitimation of international data transfer flows has changed, directly impacting the regulation of the different technologies and vendors in the online advertising field. Dmitry Alekseev and Javier Arnaiz, Senior Associates at ECIJA, discuss this issue and its nuances.
In July 2020, the CJEU in the Schrems II Case invalidated the European Commission's Privacy Shield Decision on account of invasive US surveillance practices. After this recent ruling, most companies have faced an ambiguous and uncertain situation regarding the performance of international transfers.
The use of technologies such as cookies, pixels, tags, etc. is directly impacted by data protection and electronic commerce legislation. Both the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and Directive 2000/31/EC of 8 June 2000 on Certain Legal Aspects of Information Society Services in Particular Electronic Commerce in the Internal Market (Directive on Electronic Commerce) (17 July 2000) ('the e-Commerce Directive') are the most relevant European rules currently covering this topic, without prejudice to future developments, such as the ePrivacy Regulation.
In the vast majority of cases, the implementation of trackers implies the engagement of providers that are normally located in the US. Personal data collected through such technologies is either transferred to or accessed from the US, implying an international data transfer outside of the EEA. Thus, the online advertising market is likely one of the most affected by the consequences of the Schrems II Case.
It is well known that Facebook, Google, or Amazon are US-based and the usage of their products (e.g. Sizmek, DV360) certainly implies international data transfer. However, other important players, such as Xandr (formerly AppNexus) or OpenX for SSPs; The Trade Desk or MediaMath for DSPs; or Lotame or Snowflake for DMPs, also have one common denominator: the companies providing the services have their headquarters or central offices located in the US. This means that either for the provision of services (if there is no representation in the EU) or for bureaucratic purposes, personal data will be sent to the US, and neither users of the services, nor data subjects, can factually object to such transfer. In all or the majority of cases, the transfer is a non-negotiable condition of a service designed in a take-it-or-leave-it approach.
This does not mean that US-based providers should not be used or that, conversely, only EU providers are to be engaged. International data transfers are still allowed, and there are mechanisms that are perfectly valid for doing so. However, there are certain matters that must be taken into account by entities who are to transfer data outside the EEA. To provide proper guidance to exporters of personal data to third countries outside the EEA, the European Data Protection Board ('EDPB') has published recommendations aimed at solving the present situation, through a list of steps [1] to be taken to verify that the transfers to be made outside the EEA comply with the GDPR, identifying additional guarantees to be applied.
These recommendations define a roadmap to be followed by companies when performing international data transfers. In the framework of online advertising activity, these steps should be considered by companies as one of the few 'official' mechanisms to comply with the GDPR. Nevertheless, some of the recommended measures to be adopted could cause challenges in implementation.
Step 1 - Know your transfers
To guarantee the level required by the GDPR and to apply additional guarantees, a record of all international transfers must be kept, from those made directly by the exporter to those made by the importer to its suppliers who may be located in another third country. Having an updated register of processing activities is mandatory to achieve this point, and in addition the controller must identify the processors attached to its processing activities.
Step 2 - Identify the transfer tools you are relying on
Once the transfers are identified, the data exporter must identify the most appropriate mechanism to legitimise the transfer; these tools are defined in Article 45 and following of the GDPR.
During the months following the Schrems II decision, many providers relying on the Privacy Shield to transfer data to the US had to make a switch to Standard Contractual Clauses ('SCCs'), which is the most common mechanism currently used. These changes have already been reflected in privacy policies; however, there are also cases where the change has not been expressly included in the legal text although, in practice, providers are no longer making use of the invalidated Privacy Shield decision.
However, it is important to highlight that SCCs are not the only tool for the transferring of data outside of the European Economic Area. Along with the SCCs, Binding Corporate Rules ('BCRs') can also be used to transfer data abroad within a group of companies, which is (or should be) a good option for those cases where some information needs to be sent to the US for accounting, legal review, conservation, invoicing, or any other similar purpose.
Additionally, not all international data transfers require a transfer tool. There are some cases where a non-EU country has been deemed by the European Commission to have an adequate level of protection, similar to that offered in the EU. In these cases, the parties involved in the transfer would have to evaluate the need for any additional measures (see Step 3), without the need to enter into SCCs or similar mechanisms.
Lastly, it is worth noting that the GDPR also foresees scenarios where the country of destination of the transfer is not covered by an adequacy decision, nor are there any transfer mechanisms in place. For example, and although hard to carry out in practice given the scale of the processing activity in the ad-tech industry, the data subject's express consent is another valid method of transferring personal data.
For this consent to be valid under the Article 49 exception, it must be collected explicitly, on the basis of transparent information, and in a document (or checkbox) separate from other purposes. In the case of cookies, a separate checkbox informing the user about the transfer, with no condition of any kind attached (and no cookie wall), could be considered to fall under the Article 49 exception.
In addition, Article 49 of the GDPR defines several exceptions for specific situations where the aforementioned requirements regarding an adequacy decision or appropriate transfer mechanisms cannot be complied with. Points (b) and (c) provide that the transfer can be carried out if it is necessary for the performance of a contract between the data subject and the controller, or is in the interest of the data subject. Such a condition could be difficult to apply in the ad-tech industry insofar as the transfer could be almost impossible to justify as being in the interest of the data subject.
Step 3 - Assess whether the Article 46 GDPR transfer tool you are relying on is effective in light of all circumstances of the transfer
If there is no decision on the adequacy of the third country, nor are the exceptions of Article 49 applicable, this third step should be considered.
In particular, it should be assessed, in cooperation with the importer, whether the legislation or practice of the third country may affect the guarantees of protection provided by the chosen transfer instrument. In this regard, special attention should be paid to the regulations that establish obligations for the recipient/importer of the data located in that third country, vis-a-vis the authorities to whom the personal data is disclosed.
The main issue with this step is that, taking into account that most of the companies involved in the online advertising market are based in the US, access by authorities to information, including personal information, although permitted under local law, is considered contrary to GDPR principles, mainly due to the lack of procedural guarantees for data subjects.
Step 4 - Adopt supplementary measures
When it is verified that the use of any of the tools of Article 46 of the GDPR is insufficient to guarantee that level of protection, additional measures must be applied to ensure such protection. Annex II of Recommendations 01/2020 provides some examples of additional assurance measures that can be implemented by the data exporter.
These additional measures are designed from a legal, technical, and organisational sphere with the aim of being able to control the access that can be made by unauthorised third parties (especially public administrations) to the personal data being transferred.
Step 4 is the requirement where the data exporter is unable to guarantee a position fully compliant with the GDPR. In this sense, the data exporter could apply the different additional measures defined in these Recommendations, notwithstanding the fact that, when contracting with big market operators (e.g. Google, Facebook, Amazon, etc.), it is not empowered to ask for the implementation of such measures.
There is no compliant solution to this issue, but a compliant position will be to document the completion of these steps, recording the measures adopted in each step and identifying the non-compliant points. If there is no option to change the online advertising provider, then an additional risk analysis must be conducted.
In addition to this point, including clear information in the privacy and cookie notices is fundamental to properly inform data subjects about this issue. The inclusion of a specific section regarding data transfers (in each layer), even including links to the legal notices of the providers informing about the data transfer mechanism, is well regarded in light of the GDPR transparency obligation.
Step 5 - Procedural steps if you have identified effective supplementary measures
It is fundamental to consider legal procedures if the exporter is implementing additional measures. In the case of SCCs and if the measures implemented may directly or indirectly contradict them, this tool may not be used as the only instrument to guarantee the level of protection required, but an authorisation must be requested from the competent supervisory authority. In the scenario where the measures put in place in addition to SCCs are not contradictory, there is no need to request an authorisation from the competent authority.
Step 6 - Re-evaluate the circumstances previously contemplated
The last step included is the duty of continuous surveillance over events occurring in the third country to which the personal data has been transferred and, in particular, anything that might affect the initial assessment of the level of protection carried out. In other words, it is a constant obligation during the time that the transfers take place. Likewise, the importer must contemplate sufficiently solid mechanisms to ensure that the transfers are suspended or quickly terminated when that adequate level of data protection can no longer be guaranteed in the third country.
Unless specific circumstances require it, authorities must not put burdens on the free market. While the pursuit of the protection of data subjects' rights and freedoms should always be the primary objective of privacy and data protection laws, it must go in parallel with clear instructions for the actors involved on how to comply. It is hard to deny that, until the present moment, the companies transferring data abroad, and specifically to the US, have seen themselves in a position where they had to evaluate the laws applicable to data protection in the recipient country and implement, where required, additional measures, without any further guidance given by competent authorities, but with responsibility lying on their shoulders for deficient or inappropriate evaluation and/or applied measures.
With the recommendations indicated by the EDPB, the entities of the EU that act as data exporters now have some guidelines for carrying out an evaluation exercise of the recipients that receive data as importers following the established steps, and for review of the contracts signed in order to analyse the need to include additional guarantees through technical, organisational, and/or contractual measures for the regularisation of international data transfers in compliance with the regulations.
It is also worth noting that, after quite a few years of waiting, the European Commission has already published a draft Decision on SCCs for international transfers of personal data to third countries in accordance with the GDPR, including a whole new set of scenarios, not just ordinary controller-to-processor or controller-to-controller cases. The decision was under public consultation until 10 December 2020.
Without prejudice to the fact that, from now on, data exporting entities at the European level start from a reference set of recommendations and additional guarantees, it is the responsibility of the exporters to implement any other complementary measures needed to bring the level of protection of the transferred data up to the EU standard.
Finally, although the companies exporting data will in the near future (as soon as the final versions of the recommendations and SCCs are adopted) have a new framework for transferring data abroad, it should now be the turn of the US and EU authorities to negotiate common ground with regard to access to personal data by local authorities, with the aim of creating a similar approach that could protect data subjects vis-a-vis access to their data, regardless of the location of, or the law applicable to, said data subjects.
1. Recommendations 01/2020 and 02/2020 are under public consultation at the time of elaboration of this note.