As its data flows woes grow, Google lobbies for quickie fix to EU-US transfers

As the legal uncertainty in Europe clouding use of US cloud services cranks up, Google has responded by firing up its lobbying engines to call for US and European lawmakers to get a move on and come up a new rubberstamp to grease transatlantic data flows as usual as the bloc’s regulators finally start to find their banhammers.

Last week, Austria’s data protection authority decided that a local website’s use of Google Analytics to have breached the bloc’s General Data Protection Regulation (GDPR) over the risk of US intelligence agencies being able to access site users’ personal data.

In a blog post calling for “a new EU-US data transfer framework”, Google’s Kent Walker flags this decision before seeking to downplay its significant — writing that Google has offered its eponymous analytics service to business for 15 years and “never once received the type of demand the DPA speculated about”, before adding: “We don’t expect to receive one because such a demand would be unlikely to fall within the narrow scope of the relevant law.”

It’s a reassuring-sounding soundbite by Google’s (and its parent Alphabet’s) chief lawyer and president of global affairs.

The problem is, legally speaking, it’s irrelevant — as it’s roughly the equivalent of Walker saying ‘waaa, EU law is not fair!’.

The lack of rights and redress for foreigners whose information gets scooped up by US authorities — or is at risk of getting scooped up — as a result of sweeping US surveillance laws (such as FISA 702), which apply broadly to electronic service providers like Google, is in stark conflict with the EU’s data protection framework which requires that an “essentially equivalent” level of protection applies to EU people’s information if it’s exported outside the bloc.

The key point is Europeans’ personal data must be effectively shielded from the risk of unauthorized access/misuse — NB: data doesn’t actually have to have been grabbed by the NSA for any laws to apply! — in order for the level of protection wrapping exported data to be considered legally adequate.

This is not a blanket ban on personal data transfers out of the EU to third countries because EU law leaves open the possibility that, where there are risks, so called “supplementary measures” may be applied to these kinds of transfers to raise the level of protection to the required standard.

These special measures could be additions at a legal, organization or procedural level (e.g. contract clauses, data retention policies); or, indeed, specific technical measures (like data localization; or true end-to-end encryption with zero access to the data via a third country-based provider or any of their subsidiaries) — or, for added assurance, a blend of several layered add-ons.

Google claims it had applied enough such extras to boost the level of data protection in the Austrian case.

However the DPA disagreed — finding Google’s claimed supplements did not cut the mustard, for all Walker’s claims of “extensive supplementary measures“.

It’s notable that his sentence immediately qualifies that claim — saying the measures apply “practical and effective protection of data to any reasonable standard”.

So, essentially, Google’s lobbying sleight of hand there seeks to replace actual EU legal standards over personal data transfers with a Google-defined “reasonable” standard (which has already been found unreasonable by at least two EU data supervisors… ).

It’s evident that rather than Google change its business practices — say, by offering Google Analytics users data localization plus encryption key escrow via an EU-based third party, plus some robust contractual clauses about challenging access requests — the tech giant is resorting to loudly yelling for lawmakers to ‘fix’ its legal headache with a quickie data transfer pact.

The problem for Google is that the legal conflict between US surveillance law and EU data protection law isn’t something that can be quickly and quietly papered over anymore.

The European Commission has tried doing that before, and while the Safe Harbor (RIP) arrangement for transatlantic data transfers stood for around 15 years before the EU’s top court struck it down, the replacement Privacy Shield only managed about four before the court struck again, even more definitively.

EU lawmakers are unlikely to want a third bullseye — even if they are keen on (and still in talks about) a replacement Privacy Shield to grease EU-US commerce.

The so-called ‘Schrems II’ CJEU decision that shattered the EU-US Privacy Shield did not close the door to personal data exports entirely but the court was careful to seek to pre-empt the risk of non-compliant-business-as-usual by underscoring that data flows must be assessed on a case by case basis and notified in advance to DPAs which — the court also made clear — can’t just sit on their hands and do in fact have a legal duty to suspend risky transfers.

The ruling also reiterated that EU-US transfers specifically are risky — hence blasting Privacy Shield (and Safe Harbor) to smithereens.

This is why US cloud services are so clearly in the frame.

The lack of a federal privacy law in the US which can offer an equivalent to EU’s GDPR is the underlying problem. And that essentially means the missing piece is also substantial reform of US surveillance laws — something that’s provided impossible to achieve so far (even regarding warrantless spying on US citizens, let alone foreigners).

In the meanwhile, more enforcements against non-compliant data transfers are looming.

If the Austrian’s decision over a single, local website’s use of Google Analytics risks sounding like small fry, around a hundred similar complaints were filed across the bloc back in August 2020, by European privacy campaigner noyb — also targeting use of Facebook Connect — so scores of similar decisions are pending.

Which means a potential pipeline of problems for Google in Europe over tools like Google Analytics…

Last fall the European Data Protection Board set up a taskforce to co-ordinate the response to this flotilla of complaints. So where one DPA has found use of Google Analytics breaches the GDPR others are likely to follow shortly.

(Note for example the Dutch DPA — which issued emergency guidance last week warning that use of Google Analytics “may soon not be allowed”. In an FAQ section of its website where it makes the warning — under the topic of “how can I protect the privacy of my website visitors with Google Analytics” — the regulator also wrote: “The AP [itself] is currently investigating two complaints about the use of Google Analytics in the Netherlands. Upon completion of that investigation, in early 2022, the AP will be able to say whether Google Analytics is now allowed or not.”)

In another notable recent decision, the European Data Protection Supervisor (EDPS) reprimanded the European Parliament over the presence of Google Analytics and Stripe in the code of a COVID-19 test booking website that had been built for it by a third party supplier. Again, use of Google Analytics was found to breach the regulation given the problem of US data transfers — although the website provider had also failed to properly implement cookie consents so there were multiple compliance problems in that case. And while the Parliament escaped a fine (on procedural grounds) the regulatory hot water led it to yank Google Analytics long before the decision landed.

So how many other European entities will now be looking increasingly uneasily at their website plug-ins? (After all, alternatives to tools like Google Analytics which don’t require schlepping data to the US do already exist. So the old ‘no one got sacked for installing US tech calculus may start to shift.)

Google’s blog prefers to spin the possibility that it’s about to lose a whole bunch of European customers into a typical Big Tech projection that the doom will rain down mercilessly as a nuclear storm — seeking to whip up fear among lawmakers over the impact on small businesses of them not “aligning” the literal law with Google’s preferred way of doing business.

Case by case

What’s clear is that the regulatory noose is tightening when it comes to Chapter V of the GDPR — and that has major implications for many US tech giants as their services often involve transferring user data outside the bloc.

The legal risks are varied, though, since data flows are now being analyzed on a case by case basis.

Which is also why having a top-level transfer deal is so sought for — since it massively simplifies compliance issues involved in exporting EU users’ data.

In another case, Facebook has been spectacularly successful at fending off regulatory action against its EU-US data transfers for literally years, thanks to its forum shopping and deep pockets to splash money on lawyers. But its data flows are surely operating on borrowed time — after a preliminary suspension order by Ireland in 2020; and Facebook’s subsequent failure to block it in the Irish courts.

Ireland’s regulator agreed it would “swiftly” finalize a decision on those EU-to-US flows over a year ago.

Nor is it only Google and Facebook on the hook here.

Since May, the EDPS has been investigating EU institutions’ cloud contracts with AWS and Microsoft over similar compliance concerns.

If the EU’s chief data supervisor concludes those US cloud services are also unable to adequately protect Europeans’ data it could essentially order that alternative services be found to take their place.

And that could then kick off a snowball of service switching, given the EDPS’ steering role as the EU’s top data supervisor.

So Google is quite right that the data flows issue could have multiple impacts.

A finding of compliance problems with those US cloud contracts is not certain, though — because, one again, each data transfer is different. And it’s possible that adequate supplementary measures are being applied in those cases.

AWS, for example, survived a legal challenge related to use of its service in France last year. In that case the website (Doctolib) had been hosted by AWS in the EU (with data centers in France and Germany). But as the EU entity (AWS Sarl) is a subsidiary of US-based AWS, which is subject to US law, the legal challenge concerned its extraterritorial effects — and the potential for US authorities to obtain data from an EU-based subsidiary via the US-based parent regardless of the data not leaving the EU.

The extraterritorial reach of US law creates an extra layer of compliance headaches for even those US cloud giants that do offer data localization via an EU subsidiary. (Or, to put it another way, data localization alone still may not be enough.)

In the Doctolib case, the French court ruled that the data was sufficiently protected owing to a series of applied supplementary measures — both legal and technical — and also based on their assessment of the specifics of the data transfers and procedures put in place.

Specifically, the data being processed by AWS was not considered by the court to be health data (which attracts a very high level of compliance requirements) as it was more limited in scope (related to booking vaccine appointments).

Additionally, the data retention had been limited to three months; data was encrypted and the key held by a trusted third party in the EU (not by AWS Sarl). And, furthermore, a contract between Doctolib and AWS Sarl included a clause setting out a specific procedure in the event of an access request by a foreign authority — including a guarantee that AWS Sarl would challenge any general access request from a public authority.

So, in other words, a full package of measures had been applied — and were, in the end, found to be sufficient by the French court.

Google’s Walker is therefore quite right when he writes that the CJEU’s July 2020 ruling “did not impose an inflexible standard”.

Compliance with EU-US data flows post-Schrems II has been demonstrated to be possible — and indeed available. Just not, per recent regulatory decisions, if you’re using Google Analytics…

Spinning for time

Despite what is clearly a major problem for Google in Europe, in his blog post, Walker seeks to spin the compliance issue as more an existential crisis for its customers (“publishers and small businesses”) — and even for the “open, global internet” as a whole — warning that the Austrian decision “may portend broader challenges” and suggesting “hundreds of billion euros” of damage could be done to Europe’s economy if lawmakers don’t figure out how to stop the regulatory banhammers from falling.

Yet given that other US services have found ways to comply with Schrems II that’s clearly plain wrong — as well as terrible hubris.

It is also hypocrisy. If Google was once synonymous with the open web, as a small, garage-based startup building a better search engine, the rapacious adtech giant — whose business is under investigation in both the EU and the US on multiple fronts, spanning antitrust, consumer protection and privacy charges, to name a few — that it’s turned into is a lot more walled garden than open web these days.

Instead of taking the necessary steps to adapt its business processes to respect EU law — by developing supplementary measures that are actually deemed sufficient by regulators — Google has reached down to rattle its sabre, pointing to its market power in a bid to scare legislators into aligning their pesky rules with how it mints money.

“Businesses in both Europe and the U.S. are looking to the European Commission and the U.S. Department of Commerce to quickly finalize a successor agreement to the Privacy Shield that will resolve these issues,” pens Walker, before trumpeting that: “The stakes are too high — and international trade between Europe and the U.S. too important to the livelihoods of millions of people — to fail at finding a prompt solution to this imminent problem.”

Google’s motivation in penning the blog post likely has more than half eye on cooling the nerves of shareholders who may be spooked by regulatory enforcements. Hence repeat suggestions that a fix is about to materialized with talk of governments “finaliz[ing]” a “revised agreement” that can be “a durable framework” (i.e. that won’t just get shot down again by the CJEU in a few years).

There is a very half-hearted and passing mention to US surveillance reform too, with Walker claiming: “We have long advocated for government transparency, lawful processes, and surveillance reform.”

But his loudest call is for a quick fix — with the Google president segueing instantly from the topic of surveillance reform to redouble his push for the quickest of fixes (“we urge quick action”), and further pressing: “At this juncture, we urge both governments to take a flexible and aligned approach to resolving this important issue.”

This is unfortunate phrasing since, technically speaking, the EU is not a “government”. But since Google’s grasp of the detail of EU data protection compliance has been found wanting we should not be surprised that it doesn’t really understand EU governance either.

TechCrunch contacted the European Commission with questions about the negotiations towards Google’s sought for quickie replacement data transfer deal.

A spokesperson for the EU’s executive cautioned that “some time” is needed given the “complexity” involved in trying to “strike a balance between privacy and national security”, as they put it — emphasizing that any replacement arrangement must be “fully compliant with the requirements set by the EU court”.

“Securing a new arrangement for safe transatlantic data flows is a priority for us and our U.S. partners,” they told us, adding that “negotiations have intensified in the past months, with discussions at technical and political level” — which they specified have included regular contacts between commissioner Reynders and his counterpart, US Secretary for commerce, Gina Raimondo (with the last one taking place in mid-December).

“Only an arrangement that is fully compliant with the requirements set by the EU court can deliver the stability and legal certainty stakeholders expect on both sides of the Atlantic,” they also told us, adding: “These negotiations take some time, given also the complexity of the issues discussed and the need to strike a balance between privacy and national security.”

Asked about replacements that companies seeking legal certainly in the meanwhile can make use of, the spokesperson said only [emphasis ours]: “Until we find a sustainable solution with the US, other tools for international data transfers such as the Standard Contractual Clauses can still be used under certain conditions. That is one of the reasons why we adopted modernised Standard Contractual Clauses in June 2021.”