Germany: Unpacking the DSK's decision on data protection significance of access options from third countries

On January 31, 2023, the German Data Protection Conference (DSK) - the joint body of independent German federal and state data protection authorities (collectively, the German DPAs) - issued a decision on extraterritorial access by public authorities from third countries outside the EEA (only available in German here).

Valentino Halim, Senior Associate from WilmerHale, unpacks the main provisions of the DSK decision, giving insight into its scope and implications.


In the decision, the German DPAs assess the data protection significance and requirements in the case of (legal) access by public authorities or other third-country bodies to personal data processed by data processors established in the EEA under the General Data Protection Regulation (GDPR).

In the DSK decision, the German DPAs conclude that, in such cases, EEA data processors lack the reliability as required under Article 28(1) of the GDPR. According to the German DPAs, it is not sufficient, in this context, that business customers of such data processors merely exclude the risk of an unlawful transfer to a third country by means of a contractual agreement on data processing in the EEA. Rather, the data controller is obliged to carry out a strict case-by-case assessment of the data processor and to ensure that such a contractual agreement can actually be complied with.

What scenarios does the DSK decision apply to?

The DSK decision is of significant practical relevance, in particular for business customers of internationally active groups of companies. If at least one company in the data processor's group is located in a third country and is subject to laws or practices that may, under certain circumstances, give it (indirect) access to personal data processed by group companies acting as data processors in the EEA, and such access would not be compliant with EU law, the findings of the DSK decision apply. For example, the CLOUD Act requires providers of certain electronic services, in certain cases, to collect data of users of those services and make such data available to the relevant US authorities, even if the data is not stored in the US.

Accordingly, the DSK decision also affects cloud services provided by groups of companies headquartered in a third country, even if an EEA group company provides the relevant services to corporate customers in EEA countries. However, the DSK decision does not cover scenarios where the transfer of personal data to a third country is already the subject of the data processing, e.g., where a German company directly contracts a US provider of cloud services which also directly processes the user data in the US.

What is the data protection background to the DSK decision?

The requirements of the GDPR for cross-border transfers of personal data to third countries (Article 44 et seq. of the GDPR) stipulate that the protection of personal data must also be ensured outside the EEA. For each transfer of personal data to third countries, the data exporter must ensure that the level of data protection provided by the GDPR is not undermined. In any event, the level of protection outside the EEA must be substantially equivalent.

In its judgment in the Schrems II case, which invalidated the EU-US Privacy Shield, the Court of Justice of the European Union (CJEU) established strict requirements for the transfer of personal data to the US and worldwide. Companies that make such data available for potential cross-border transfers (including where a non-EEA supplier is being used) must ensure that the recipient country provides data protection 'essentially equivalent' to that of the EEA. For this purpose, such companies must assess the recipient country's level of compliance with the GDPR (e.g., by conducting a so-called Data Protection Impact Assessment (DPIA)).

What is the content of the DSK decision?

These high requirements may be problematic not only in the case of direct transfers of data from an EEA company to companies in third countries. In the scenarios described above, where authorities or other bodies in third countries may have access to personal data processed by EEA companies, the question also arises as to whether the EEA companies are subject to these or other requirements. This is because, in such cases, even cloud-based services where data processing takes place exclusively within EEA territory are not protected from disclosure of user data to third-country authorities, so that an adequate level of data protection cannot be consistently guaranteed.

In this respect, the DSK decision makes the following findings:

  • First, the DSK decision clarifies that the mere (abstract) risk of a data transfer to a third country, arising from a possible instruction by the parent company in the third country to the EEA company, does not constitute a data transfer within the meaning of the GDPR, and is therefore not subject to the requirements for a transfer to a third country within the meaning of Article 44 of the GDPR, as interpreted in the Schrems II case.
  • However, such a risk may, according to the DSK decision, result in the data processor in the EEA lacking the necessary reliability under Article 28(1) of the GDPR, unless this risk is compensated by (further) technical and organizational measures.
  • If - depending on the legal situation and practice in the third country in question - a standard or practice exists in that third country that may require the processing of personal data in a manner unlawful under EU law, it is not sufficient, in the view of the German DPAs, to meet the reliability requirements of Article 28(1) of the GDPR merely by excluding the risk of an unlawful third-country transfer through a contractual agreement on data processing within the EEA.
  • Rather, according to the DSK decision, the data controller is obliged to carry out a case-by-case assessment of the reliability of the EEA subsidiary acting as data processor and to ensure that a corresponding contractual agreement can actually be complied with.

What aspects must data controllers take into account when assessing reliability?

According to the DSK decision, the case-by-case assessment of the EEA data processor's reliability to be carried out by the data controller covers a wide range of aspects. In particular, data controllers must consider the answers to the following questions:

  • Is there a risk that the third country parent company of the EEA data processor could instruct the latter to transfer personal data to a third country in accordance with the law of that third country (i.e., reviewing the law and practice)?
  • Could the law or practice of the third country in question affect the obligations under the applicable data processing agreement?
  • Does the data processing agreement allow for processing based on the law of the third country that would be inadmissible under the standards of EU data protection law?
  • Are there assurances from the parent company in the third country and the EEA data processor on how to deal with conflicting requirements of the third country and EU data protection law?
  • Can any such assurances actually be complied with, given the third country's law and practice and other relevant circumstances?
  • Have there been any data protection violations in the past?
  • How should the severity and likelihood of sanctions for violations be assessed under EU data protection law and the law of the third country?
  • Are appropriate technical and organizational measures in place to rule out unauthorized data transfers?

If the (interim) result of the assessment of reliability is that there are sufficient safeguards, the following questions are decisive:

  • Can the data processor or data controller compensate for the risks of data processing in breach of data protection law by (further) technical and organizational measures? These measures must ensure that the data processor does not process data contrary to the instructions of the data controller, in particular, that it does not transfer data to third countries on the basis of third-country law or practices, such as the CLOUD Act. For this purpose, companies can refer to the European Data Protection Board's (EDPB) Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (the Recommendations 01/2020).
  • Can the data controller provide evidence that a data processor meets the requirements of Article 28(1) and Recital 81 of the GDPR regarding expertise, reliability, and resources?

Only if the last two questions can be answered in the affirmative can the data processor be considered reliable within the meaning of Article 28(1) of the GDPR. Otherwise, the involvement of the data processor in question must be classified as inadmissible under the GDPR on the basis of the DSK decision.

What are the implications of the DSK decision?

The DSK decision has far-reaching implications, particularly for the digital economy. At the same time, it is pleasing that the German DPAs have clarified in the DSK decision that the mere risk of data access by authorities from third countries to data processed by EEA companies does not constitute a data transfer within the meaning of the GDPR. This increases legal certainty for companies in the EEA using electronic communications and cloud services from, for example, US providers.

Extended control obligations for data controllers

However, the strict requirements for the reliability check of EEA data processors required by the German DPAs seem hardly feasible in practice. For example, a service provider's business customer acting as a data controller would have to verify the assurances of the US parent company in the third country, as well as those of the EEA data processor with regard to the third country's law and practice. In order to determine which services can be used, it is necessary for data controllers to document the reliability check, taking into account the aspects described above. Furthermore, according to Article 28(1) of the GDPR, data controllers must not only carry out initial checks, but must also repeat them at regular intervals. In particular, changes in the corporate structure within the provider's group of companies may lead to a new risk of transfer to third countries requiring additional checks.

Few effective measures available to compensate for data access risks

In many cases, reliable measures to compensate for the risks of data processing in breach of data protection law also do not seem to be available to the companies concerned.

The only legally secure measure that can be considered is probably the complete encryption of the relevant data before it reaches the data processor, with the decryption key held only by the data controller. However, whether and to what extent this is technically possible depends on the service in question. If the data is not merely stored in the cloud service but is also to be used there (data in transit), this will probably not be technically possible in many cases.

So-called data trustee models, in which in principle only a 'data trustee' has access to the data processed within EEA territory, could also potentially mitigate the legal risks associated with this issue. However, data trustee models that are clearly not subject to laws such as the CLOUD Act are only rarely offered in the market.

Use of electronic communications and cloud services from third countries not legally admissible?

At the same time, the DSK decision sets high requirements on the access of a data processor to clear (i.e., unencrypted) data of the principal and refers to a corresponding application of the Recommendations 01/2020. With regard to the transfer of unencrypted personal data to a third country for processing, the EDPB states that, given the current state of the art, no effective technical measure is conceivable that could prevent the violation of the rights of data subjects in the event of such access. The EDPB is likely to come to the same conclusion in cases of mere access from third countries.

Under the assessment scheme required by the DSK decision, this means that third-country cloud providers usually cannot be used lawfully if they have access to unencrypted data. Given the dependence of EEA companies on cloud providers from the US and the virtual absence of technically equivalent alternatives from EU providers, this presents many companies in the EEA with challenges that can hardly be solved without legal risk on the basis of the applicable data protection requirements as interpreted by the German DPAs.

It is true that the specifications in the DSK decision only constitute the German DPAs' interpretation, which is not binding on either the data controllers or the individual German DPAs. The requirements, however, are very likely to reflect the expectations of the German DPAs.

Data transfers to the US as an uncomplicated fallback solution?

However, this situation may change de lege ferenda in light of the announced European Commission Draft Implementing Adequacy Decision (the Draft Adequacy Decision) on the adequate protection of personal data under the European Union-US Data Privacy Framework (EU-US DPF).

In December 2022, the European Commission launched the procedure for and published the Draft Adequacy Decision, which would confirm that the US legal framework for US companies under the EU-US DPF provides sufficient data protection safeguards (i.e., comparable to those in the EU). This would ensure an adequate level of protection for the processing of personal data and remove the need for a separate authorization for data transfers to the US. The adequacy decision could be published in the third quarter of 2023.

Following the adequacy decision, direct transfers from third countries to providers in third countries, such as the US, may become a comparatively attractive solution. Compared to the extensive and burdensome assessments that the DSK decision imposes on data controllers in relation to EEA data processors, direct transfers to third countries will be a much easier alternative to implement. In order to address the assessment requirements of the DSK decision, companies may (again) more frequently consider having personal data processed directly by US providers themselves, rather than by EEA subsidiaries of cloud providers.

Conclusion and outlook

The latest DSK decision on data access from third countries extends the very strict requirements that the German DPAs have adopted in other decisions to data processing scenarios. Data controllers aiming to fully implement the DSK decision from a risk perspective will face significant practical challenges.

The DSK decision does not provide for a convincing rationale for its requirements. In this respect, it remains to be seen whether the German DPAs will actually enforce the requirements of the DSK decision consistently in practice.

It also remains to be seen whether companies will increasingly address the strict assessment requirements of the DSK decision by transferring data to the US as a fallback solution in light of the announced draft adequacy decision.

Where significant legal uncertainty remains, companies should seek legal advice to minimize the risk of administrative fines or other enforcement actions under the GDPR.

Valentino Halim Senior Associate
WilmerHale, Frankfurt
