In August, the Dutch Internet Cleanup Foundation announced on its website Basicsecurity.com an application that checks from which countries the Dutch government provides online services. The measurements show that as many as 1087 domains from which governments offer online services are located outside the EU/EEA. These results are problematic.
In this blog post, we discuss this phenomenon further and explain why these results are so problematic.
Specifically, what was identified in the Netherlands?
Basicsecurity.nl measurements show that 3% of the domains used by the Dutch government are hosted in the United States; in addition, 10% of the Dutch government's mail servers are also located in the US. Specifically, of the 3957 government mail server addresses:
- 1 in Asia
- 409 in North America
- 3547 in the EU
Most of the North American addresses lead to, among others, Google servers, Google Cloud and Amazon.com.
Can mail be GDPR-proof if the data is stored outside Europe?
Every website or e-mail provider inherently processes personal data, for example IP addresses. From the moment the controller operates in the EEA, the transfer of personal data to third countries is subject to the GDPR. Specifically, the provisions of Chapter V of the GDPR apply. This chapter establishes obligations around transfers of personal data to third countries or international organizations.
It is also important to check whether the European Commission has approved an adequacy decision for that particular third country.
To date, such decisions have been approved for these countries:
- Andorra;
- Argentina;
- Canada (for processing subject to the Canadian Personal Information Protection and Electronic Documents Act);
- the Faroe Islands;
- Guernsey;
- Israel;
- the Isle of Man;
- Japan;
- Jersey;
- New Zealand;
- South Korea;
- the United Kingdom;
- Uruguay;
- the United States (only for transfers to the organizations on the Data Privacy Framework list).
The hosting provider in the third country should also be bound as a processor under Article 28 of the GDPR.
A Critical Analysis of Available Mechanisms
If the third country does not have such an adequacy decision, an agreement will have to be drawn up under Article 46 of the GDPR. A model agreement for this is made available by the European Commission. In addition, one can also opt to adopt binding corporate rules. Article 49 of the GDPR also allows recourse to certain statutory exemptions.
Yet these options are not foolproof. Before the adoption of the new Privacy Shield between the EU and the US, transfers under these articles relied on the Standard Contractual Clauses (SCCs). In the aftermath of Schrems II, it became clear that the SCCs were not sufficient, because U.S. intelligence agencies could use European data without restriction. Article 49 does provide statutory fallback bases for incidental transfers, such as the explicit consent of the data subject, but these were of no use here.
Complexities and Limitations in Taking Additional Measures
However, guidance from regulators, including EDPB Recommendation 01/2020, explains that it is the responsibility of controllers to analyze their specific transfers, take additional measures if necessary, or stop transfers if such measures are impossible.
Practice has shown more than once that there are no technical measures that help in a cloud or SaaS setting, which can include web hosting. This is all the more problematic when the controller, the Dutch government for example, holds sensitive personal data.
Does the new Privacy Shield offer the solution?
Most web servers and mail servers are located in America. We also saw this in the measurement results from the Dutch government.
As already cited, on July 10, the European Commission approved the adequacy decision for the new EU-U.S. Data Privacy Framework (“Privacy Shield”). The decision confirms that the United States guarantees an adequate level of protection – comparable to that of the EU – for personal data transferred to America. Under this new adequacy decision, personal data can be safely transferred from the EU to U.S. companies and organizations participating in the Privacy Shield without the need for additional data protection safeguards.
Does this now mean that U.S. web domains are safe?
We do not yet dare to answer this positively, because it is not yet clear how stable this treaty really is.
The privacy organization noyb has announced its intention to challenge this treaty again before the European Court of Justice. The previous treaties between the EU and the US came to an end the same way.
Which web domains are best used?
In essence, personal data under the GDPR should not leave Europe; however, using servers outside the EEA is not prohibited. Yet this is not a smart thing to do. It is important to note that certain countries have entirely different laws: consider, for example, that U.S. intelligence services until recently had unrestricted access to European data and that American companies were even required to hand data over to those intelligence services. If your data is processed on servers outside the EU, you must not only ensure that the data is adequately protected, but also be sure that the service complies with the GDPR in all other respects.
Impact on Data Transfer and Services
If you use a web hosting provider whose servers are located within the EU, you can be sure that the server location is at least compliant from a “transfer of data” perspective, which is already one less thing to worry about. You do still need to perform due diligence on these providers, as you need to make sure that the other aspects of their services meet your obligations to comply with the GDPR.
It would therefore be wise to migrate a website hosted in a third country to a server in the EEA or in a country that has a clear and stable adequacy decision.
For more information on this, contact an accredited DPO.