The German Conference of Independent Data Protection Supervisors of the Federal Government and the Länder (Data Protection Conference, DPC) as well as the European Data Protection Board (EDPB) have analyzed the level of data protection in the USA, India, China and Russia. The result: Due to the far-reaching, in some cases unrestricted rights of access of security authorities and intelligence services to personal data, the level of data protection in these countries is basically not to be assessed as adequate. Companies or authorities in the European Union (EU) will therefore find it even more difficult in the future, when carrying out their Transfer Impact Assessment (TIA), to argue in a concrete case that the data transfer to these countries is (still) to be considered compliant from a data protection point of view.
Extensive rights of access of U.S. intelligence agencies, also to data in the EU
On 25 January 2022, DPC have released the expert legal opinion by Professor Stephen I. Vladeck, University of Texas School of Law, on the current state of U.S. surveillance law (German / English). Currently, the DPC is still evaluating the implications of the findings. However, as an independent scientific study, the report has no directly binding effect on the assessment of individual cases, according to the DPC in its summary of the main findings. Nevertheless, the DPC would consider the expert legal opinion within the scope of its activities. The main findings are:
- No proactive obligation: Providers of electronic communications services were not proactively obliged under Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) to provide data to the U.S. intelligence services or to grant access to them. Only an order from the U.S. authorities under FISA 702 would oblige providers to release data.
- Wide range of application: The addressees of FISA 702 are so-called "electronic communications service providers". Which companies are covered is defined in 50 U.S.C. § 1881(b)(4). This includes (i) telecommunications carriers (TC Services), (ii) providers of electronic communications services (ECS Services), or (iii) provider of remote computing services (RCS Services), (iv) any other communication service provider who has access to wire or electronic communications either in the transmission or storage of such communications, or (v) officers, employees, or an agent of any of the foregoing. The scope of application was therefore broader than previously assumed. In addition to the traditional providers of electronic telecommunications services, other companies, such as banks or hotels, were also eligible in principle. For example, an U.S. court ruled that a company that provided an e-mail service to its employees would meet the ECS definition. Similarly, an U.S. court found that a travel agency that provided its employees with computer terminals running an electronic reservation system would be a provider of ECS services.
- All data types affected: Under FISA 702, the U.S. intelligence services were entitled to access all types of data, including metadata or communication content in certain situations. It would be irrelevant whether the data would is at rest or in transmission.
- Access also to data in the EU: If an entity is not subject to FISA 702, but uses an electronic communications service provider to process certain data, FISA 702 would also be applicable. The decisive factor would be that the data is located at the electronic communications service provider. It would not matter where the data would come from, but whether it would be stored on servers in the U.S. or transmitted via a U.S. infrastructure at the time of the query. U.S. intelligence agencies could therefore likely access data outside the U.S. if U.S. companies (including their EU companies) were involved. Moreover, FISA 702 could also apply to EU companies that have a US subsidiary.
- Violation of foreign law irrelevant: When deciding on access measures, U.S. intelligence agencies would not take into account whether the measure violates EU law (e.g., the General Data Protection Regulation (GDPR)). Rather, FISA 702 explicitly would state that the laws of other countries were irrelevant.
- No redress: The redress available to affected EU/EEA citizens would be very limited.
Extensive state access rights also in India, China and Russia
Previsously, the EDPB had already commissioned a legal study ("Legal study on Government access to data in third countries") and published the final report on December 14, 2021. This study verified in particular whether and to what extent government access rights exist and whether, against this background, the level of data protection in India, China and Russia can be assessed as adequate. For the study, a literature review on legal instruments and case law was first conducted. Then loopholes in the knowledge in this area of law were identified and a tailored questionnaire per country was prepared. After approval by the EDPB, these questionnaires were sent to carefully selected experts in each country. However, out of 29 experts contacted, only eight were willing to participate in the survey as a result of various reasons. Finally, the experts' responses were evaluated and compared with the results of the secondary research, with the following results:
- To the People's Republic of China: The People's Republic of China could not be considered as a democratic, liberal state by Western standards, nor would it have a rule of law. The protection of personal data could also not to be considered equivalent to the protection of personal data within the EU. It would be true that Article 40 of the Constitution would provide that the freedom and confidentiality of citizens' correspondence must be protected by law. At the same time, however, Chinese data protection law would be based on the assumption that the stability of the community takes precedence over the needs of the individual. This would explain why the Personal Information Protection Law (PIPL) or the Data Security Law (DSL) would seem at first glance to provide rights for data subjects similar to those in the GDPR, but why government access to personal data for national security purposes would be hardly restricted and data subjects would have no sufficient rights of defense.
- To India: The Indian nation also would have theoretical monitoring mechanisms at its disposal, but these would be not transparent in practice. Above all, the Indian government could not be held accountable for data privacy violations under the currently applicable law. It is true that on August 24, 2017, the Supreme Court of India recognized the right to privacy for the first time in Puttaswamy v Union of India. There would also be a data protection law in the future in the form of the Personal Data Protection Bill (PDP). However, broad exceptions would be available to the Indian government (even after the PDP enters into force) to access personal data without the data subjects being able to sufficiently defend themselves against such accesses. This would apply in particular when national security is used as a justification for data access. As a result, India would recognize the right to privacy as a fundamental right, and data protection law would also receive more attention. However, both rights would have been violated by the government to a considerable extent in the past. Moreover, the existing protection mechanisms would not apply to access by the state. In this respect, there would be a legislative vacuum and therefore access to data of EU citizens could not be ruled out as soon as they are stored on Indian territory.
- To Russia: In Russia, the right to privacy and data protection would also enshrined in the Russian constitution. However, these rights would be limited by the Russian state's broad rights to ensure national security and combat terrorism. Thus, Russian authorities would use privacy laws as a means to enforce political aspirations, maintain control over the Internet, and protect the government's interests. Although the formal legal framework would appeare comprehensive at first glance, the enforcement and application of the legal provisions would show serious deficiencies. In the absence of transparency and judicial independence, intelligence and counterintelligence agencies were given virtually unrestricted access to all categories of personal data. These restrictions on the right to privacy would also be consistent with a striking record of violations against the European Convention on Human Rights and other fundamental rights. Lastly, the report refers to future plans to build a federal database, which should be up and running by 2025. This would contain the personal data of all Russian citizens, which the Russian government would then be able to access without the explicit consent of the individuals concerned. Therefore it would be recommended that before personal data is transferred to Russia, it should be checked extremely carefully whether an adequate level of protection can actually still be assumed in the specific case.
What lessons can be learned for practice from the legal opinion and the report of the study:
- Neither document and the findings made therein have any direct binding effect on the assessment of an individual case. However, the findings should be regarded as fundamental information about the data protection situation in the countries concerned. In individual cases, a data transfer may therefore still be permissible. However, the data exporter will need to implement further technical and organizational safeguards to prevent government access (see, for example, EDPB's "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data" dated 18 June 2021).
- US companies are only obliged to provide data when instructed to do so. There is no proactive obligation. In practice, it has become established practice to ask U.S. companies in the context of the TIA whether they have already become addressees of such an instruction under FISA 702. A corresponding negative response could be more significant in future risk assessments.
- At the same time, when conducting a TIA, more precise questions should be asked about whether an entity falls within the scope of FISA 702. It is recommended that in the future, U.S. companies be referred to the relevant passages in the expert legal opinion as part of the questioning during the TIA.
- For the IT sector in particular, it is likely to be decisive that doubts are now also being expressed about the adequacy of data protection in India. Here, as in China and Russia, it will be crucial to ensure an appropriate level of data protection by technical and organizational measures.