Privacy Matters: DLA Piper's Global Privacy and Data Protection Resource

China: Important new guidance on defining sensitive personal information https://privacymatters.dlapiper.com/2024/08/china-important-new-guidance-on-defining-sensitive-personal-information/ Tue, 06 Aug 2024 07:31:25 +0000

While the definition of sensitive personal information in China has always differed from that in other jurisdictions, with risk of harm at its heart, new draft guidance should make it easier for organisations to map their processing of China sensitive personal information, which is increasingly important in light of new cross-border data transfer and data audit obligations.

Under China’s data protection law, if a data controller processes any sensitive personal information, it will be subject to stricter obligations. For example, it must obtain the individuals’ separate consent. It must take enhanced technical and organizational measures. More importantly, under the new Chinese regulation governing the cross-border transfer of personal information (see our article here for details), if it transfers even one individual’s sensitive personal information outside China, it will need to file the transfer with the Chinese data regulator. Thus, the accurate identification of sensitive personal information has become increasingly important, and will become more so under proposed new data audit regulations.

The China Personal Information Protection Law (“PIPL”) defines sensitive personal information as any personal information that, once leaked or misused, may easily lead to the infringement of an individual’s personal dignity or harm to personal or property safety.

The PIPL offers a few samples of sensitive personal information (e.g. biometrics, religious beliefs, medical health, financial accounts, whereabouts, and any personal information relating to minors under the age of fourteen). Recommended national standards such as GB/T 35273-2020 Personal Information Security Specifications (“Specifications“) and GB/T 43697-2024 Rules for Data Classification and Grading (“Rules“) also include non-exhaustive sample lists. During the past years, the identification of sensitive personal information in the market has relied heavily on such samples and lists.

In June 2024, a new Draft Guide for Sensitive Personal Information Identification (“Draft Guide“) was issued for public consultation, which proposes a different approach to identifying sensitive personal information. For example:  

  • Facial recognition data: Under the Specifications and the Rules, only facial feature extraction or faceprint constitutes sensitive personal information. The Draft Guide now proposes to expand the scope to cover face images also, based on the rationale that facial feature extraction or faceprint may be generated from face images.
  • Health data: Under the Specifications and the Rules, food allergy related data is specifically identified as sensitive personal information, which (unreasonably) subjects many restaurants and catering companies to stricter data protection obligations. The Draft Guide now proposes to limit the scope of health data to disease, illness, disabilities and diagnosis- and treatment-related data.
  • Finance data: Under the Specifications and the Rules, transaction and expense records are identified as sensitive personal information, which may lead to the extreme conclusion that all shops and malls keeping consumers’ purchase records process sensitive personal information. Under the Draft Guide, transaction and expense records would be removed from the list. Instead, sensitive personal finance information would be limited to bank, securities and fund account or card numbers and passwords, as well as token information and income details related to each specific account or card.
  • Other data: The Draft Guide proposes removing communications records and web browsing records from the sensitive personal information list, which is helpful especially for companies that monitor and record employees’ work-related emails and messages. The Draft Guide also clarifies that flight and high-speed train travel records fall within the scope of “whereabouts” data and thus constitute sensitive personal information, whether in a consumer or potentially even an employee-travel context.

It is uncertain when the Draft Guide will be finalized, and indeed how much it would be relied upon by the Chinese data regulator, considering it would only constitute non-binding recommended guidance. Nonetheless, it is clear that identifying sensitive personal information is no longer a straightforward question, and the context in which personal information is processed will be critical to the assessment. To be fair, the focus on “risk of harm” has always been a key component of defining sensitive personal information in China. Therefore, going forward, organisations looking to identify their sensitive personal information should place more focus on the consequences and potential harm to the data subjects if the data in question is breached or misused. A case-by-case and context-specific analysis will likely be required.

Requirements of EHR systems under the European Health Data Space https://privacymatters.dlapiper.com/2024/07/requirements-of-ehr-systems-under-the-european-health-data-space/ Tue, 16 Jul 2024 13:58:32 +0000

This is Part 2 in a series of articles on the European Health Data Space (“EHDS”). Part 1, which provides a general overview of the EHDS, is available here.

Alongside the better-known provisions of the EHDS dealing with secondary use of health data, the draft Regulation also sets out specific technical requirements for electronic health record systems (“EHR systems”).  In so doing, the law attempts to ensure the interoperability of such systems within the EU, and therefore the secure and seamless processing and transfer of health data – a key objective of the EHDS.

The following article provides an overview of the key requirements that manufacturers of EHR systems will need to observe in order to be able to place an EHDS-compliant EHR system on the market.

  1. What exactly is an EHR system?

An EHR system is any system where the appliance or software allows the user to store, intermediate, export, import, convert, edit or view certain categories of personal electronic health data, and where the system is intended by the manufacturer to be used by healthcare providers in providing patient care, or by patients to access their own health data.

As such, EHR systems lie at the heart of the EHDS – they are the central technical prerequisite for fulfilling the objective of ensuring the secure and smooth processing and cross-border transfer of health data.

An EHR system under the EHDS must consist of two core elements which form an integral part of the software:

  • The interoperability component: EHR systems must have the ability to interact with software applications and devices from the same or different manufacturers in order to transfer and receive personal electronic health data. The technical specifications with regard to the health record exchange format which shall be commonly used to provide health data in a machine-readable format and support transmission of structured and unstructured health data will be determined by the European Commission.
  • The logging component: EHR systems must be able to record logging information about access to personal electronic health data by users of the system. As a minimum standard, the logging information shall contain the following on each occasion the data is accessed:
    • Identification of the health provider or other entity having accessed personal electronic health data;
    • Identification of the specific individual(s) having accessed personal electronic health data;
    • Categories of data accessed;
    • Time and date of access; and
    • Origin(s) of data.

Additional data quality requirements for EHR systems are to be determined by the European Commission by means of implementing acts.

2. Which requirements apply to the manufacturers of EHR systems?

Under the EHDS, a manufacturer must fulfil the following core requirements before an EHR system can be placed on the market:

a) Ensure conformity with the essential requirements laid down in Annex II of the EHDS and the common specifications to be adopted by the EU Commission by way of a common template document

In common with other regulatory frameworks for products, manufacturers of EHR systems will need to undertake an assessment to demonstrate that their product complies with certain minimum requirements before it can be put onto the market in the EU.  Those requirements, under Annex II of the EHDS, are:

  • General requirements, such as designing the EHR systems in such a way as to ensure they are suitable for their intended purpose without putting patient safety at risk. In addition, EHR systems must be designed and developed in a way which allows the system to be supplied and installed in accordance with the instructions of the manufacturer without adversely affecting its characteristics and performance during its intended use.
  • Requirements for interoperability, such as providing an interface enabling access to and receipt of personal electronic health data processed in the European health record exchange format. An EHR system must not include features that prohibit, restrict or place undue burden on authorised access or exporting of personal electronic health data for permitted purposes.
  • Requirements for security and for logging, such as providing reliable mechanisms for the identification and authentication of health professionals and supporting different retention periods and access rights taking into account the origins and categories of electronic health data. EHR systems must include tools to review and analyse the log data or must support the connection and use of external software for the same purposes.
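To make the logging and review requirements above concrete, the following is an added example of a minimal EHDS-style access log for an EHR system. It is example code written for this page, not code from the EHDS text, from the Commission's implementing acts or from any EHR vendor. It assumes JSON Lines as the storage format; the field names provider_id, user_id, data_categories, accessed_at and data_origins for the five minimum items; an extra, hypothetical patient_id field so that the log can be reviewed per patient; and a constructed four-line sample log. The review() function stands in for the "tools to review and analyse the log data" that Annex II expects, and entries with a missing or empty mandatory field are rejected rather than written with blanks.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# The five minimum fields Annex II requires per access. Field names are this example's own choice.
REQUIRED_FIELDS = ("provider_id", "user_id", "data_categories", "accessed_at", "data_origins")


@dataclass(frozen=True)
class AccessLogEntry:
    provider_id: str        # healthcare provider (or other entity) that accessed the data
    user_id: str            # the specific individual who accessed the data
    data_categories: tuple  # categories of electronic health data accessed
    accessed_at: str        # date and time of access, normalised to ISO 8601 UTC
    data_origins: tuple     # origin(s) of the data accessed
    patient_id: str = ""    # hypothetical extra field so the log can be reviewed per patient


def _aware_utc(value: str) -> datetime:
    """Parse an ISO 8601 timestamp and require an explicit offset; naive times are ambiguous in an audit log."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp {value!r} has no timezone offset")
    return ts.astimezone(timezone.utc)


def make_entry(**fields) -> AccessLogEntry:
    """Build an entry, rejecting it if any required field is missing or empty.
    Rejecting beats silently writing blanks: a blank user_id would defeat later review."""
    missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
    if missing:
        raise ValueError(f"access log entry missing required field(s): {missing}")
    fields["accessed_at"] = _aware_utc(fields["accessed_at"]).isoformat()
    fields["data_categories"] = tuple(fields["data_categories"])
    fields["data_origins"] = tuple(fields["data_origins"])
    return AccessLogEntry(**fields)


def to_jsonl(entries) -> str:
    """One JSON object per line: append-only friendly and easy to hand to an external analysis tool."""
    return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in entries)


def parse_jsonl(text: str):
    """Read a log back, validating every line. Returns (entries, line numbers that failed validation)."""
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            entries.append(make_entry(**json.loads(line)))
        except (ValueError, TypeError):  # bad JSON, missing/empty field, unknown field or naive timestamp
            rejected.append(lineno)
    return entries, rejected


def review(entries, *, user_id=None, patient_id=None, category=None, since=None, until=None):
    """The 'review and analyse' capability Annex II asks for: who accessed whose data, of what kind, and when.
    since/until are ISO 8601 timestamps with an offset; the comparison is done in UTC."""
    lo = _aware_utc(since) if since else None
    hi = _aware_utc(until) if until else None

    def keep(e: AccessLogEntry) -> bool:
        when = _aware_utc(e.accessed_at)
        return (
            (user_id is None or e.user_id == user_id)
            and (patient_id is None or e.patient_id == patient_id)
            and (category is None or category in e.data_categories)
            and (lo is None or when >= lo)
            and (hi is None or when <= hi)
        )

    return [e for e in entries if keep(e)]


# Constructed sample log (not real data): three valid accesses and one with an empty user_id.
SAMPLE_LOG = """\
{"provider_id": "hospital-A", "user_id": "dr.meier", "data_categories": ["lab_results"], "accessed_at": "2024-07-16T09:12:00+02:00", "data_origins": ["hospital-A"], "patient_id": "p-1001"}
{"provider_id": "hospital-A", "user_id": "dr.meier", "data_categories": ["medication", "discharge_summary"], "accessed_at": "2024-07-16T11:40:00+02:00", "data_origins": ["clinic-B"], "patient_id": "p-1002"}
{"provider_id": "hospital-A", "user_id": "nurse.k", "data_categories": ["lab_results"], "accessed_at": "2024-07-16T12:05:00+02:00", "data_origins": ["hospital-A"], "patient_id": "p-1001"}
{"provider_id": "hospital-A", "user_id": "", "data_categories": ["imaging"], "accessed_at": "2024-07-17T08:00:00+02:00", "data_origins": ["hospital-A"], "patient_id": "p-1001"}
"""

if __name__ == "__main__":
    entries, rejected = parse_jsonl(SAMPLE_LOG)
    print(f"{len(entries)} entries accepted, rejected lines: {rejected}")
    for e in review(entries, patient_id="p-1001"):
        print(e.accessed_at, e.user_id, e.data_categories)
```

Timestamps are normalised to UTC on write so that entries from sites in different time zones remain comparable, and the fourth sample line (empty user_id) is reported as rejected rather than stored, which is the behaviour a market surveillance authority would expect from a system claiming to meet the minimum logging standard.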

b) Draw up the technical documentation of EHR systems before placing them on the market, and subsequently keep them up to date

The technical documentation must be drawn up in a way that demonstrates conformity with the above-mentioned essential requirements, and must be provided upon request to the market surveillance authority at short notice. As a minimum standard, the technical documentation shall contain the following elements:

  • A detailed description of the EHR system, including, among other things, its intended purpose, date and version of the EHR system, how the EHR system can be used to interact with other hardware and software, a description of the hardware on which the EHR system is intended to run, a description of the system architecture and the technical specifications such as features, dimensions and performance attributes;
  • A detailed description of the system in place to evaluate the EHR system performance, where applicable;
  • The references to any common specification used;
  • The results and critical analyses of all verification and validation tests undertaken to demonstrate conformity of the EHR system with the requirements under the EHDS;
  • A copy of the information sheet which accompanies the EHR system;
  • A copy of the EU declaration of conformity;

c) Ensure that the EHR system is accompanied, free of charge for the user, by the information sheet and clear and complete instructions for use

EHR systems shall be accompanied by an information sheet for professional users which shall specify:

  • the identity, registered trade name or registered trademark, and the contact details of the manufacturer and, where applicable, of its authorised representative;
  • the name and version of the EHR system and date of its release;
  • its intended purpose;
  • the categories of electronic health data that the EHR system has been designed to process;
  • the standards, formats and specifications and versions thereof supported by the EHR system.

d) Draw up the EU declaration of conformity

By drawing up the EU declaration of conformity, the manufacturer shall assume responsibility for the compliance of the EHR system with the requirements laid down in the EHDS when it is placed on the market or put into service. Annex IV of the EHDS sets out the specific information which needs to be included in the EU declaration of conformity.

e) CE marking

The EHDS stipulates that EHR systems shall be affixed with a CE marking. The CE marking shall be subject to the general principles for CE markings set out in Article 30 of EU Regulation 765/2008. The Member States should build upon existing mechanisms to ensure correct application of the regime governing the CE marking.

f) Representative in the EU

Manufacturers of EHR systems established outside the European Union shall appoint an authorised representative established in the European Union. The representative in the European Union shall, among other things, be authorised by the manufacturer to communicate with consumers and professional users and to cooperate with the market surveillance authorities.

As well as the abovementioned requirements, there are also further requirements for manufacturers of EHR systems. These include a post-market surveillance regime of product monitoring as well as cooperation with the respective market surveillance authority. Further obligations also apply to other actors in the supply chain, including importers, other economic operators or distributors of EHR Systems.

3. Conclusion

The EHDS is a ground-breaking law for manufacturers of EHR systems. It imposes a comprehensive pre- and post-market compliance framework that is designed to ensure that systems processing electronic health data are high-quality, secure, and capable of interoperability across the EU market. As such, manufacturers of EHR systems are well-advised to begin preparing for these requirements at an early stage in order to gain a competitive advantage and to ensure that their products can be sold and used lawfully on the European market.

CHINA: data protection regulations – a lookback at 2023 developments https://privacymatters.dlapiper.com/2024/01/china-data-protection-regulations-a-lookback-at-2023-developments/ Wed, 10 Jan 2024 10:08:03 +0000

Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, Gwyneth To

With 2023 having come to an end, the fast-paced changes to the China data protection regime throughout the year are continuing well into Q1 2024.

As well as a near finalisation of the different routes to legitimise cross-border data transfers, the Cyberspace Administration of China (“CAC”) has begun to direct its efforts into harmonising its data compliance requirements across regions, as well as other aspects of data compliance.

Most notably, these include:

  1. GBA Transfers – Implementation Guidelines on the Standard Contract for Cross-boundary Flow of Personal Information within the Guangdong-Hong Kong-Macao Greater Bay Area (“Implementation Guidelines”)

Following from the various cross-border data transfer mechanisms published by the CAC earlier in the year, the CAC and the Innovation, Technology and Industry Bureau of the Government of the Hong Kong Special Administrative Region (“HKITIB”) jointly issued the Implementation Guidelines, containing the Standard Contract for Cross-boundary Flow of Personal Information within the Greater Bay Area (“GBA Standard Contract”), on 13 December 2023, with immediate effect.

The GBA Standard Contract seems to be a less stringent version of the China Standard Contractual Clauses (“China SCCs”) route to legitimising cross-border data transfers to Hong Kong, given its limited scope of applicability.

See here for more information on the full China SCCs route.

  • Scope of applicability. Under the Implementation Guidelines, personal information controllers and recipients registered or located within the Greater Bay Area (“GBA”) can sign the GBA Standard Contract to transfer personal information (but excluding important data) within the region.
  • Key obligations and responsibilities. To rely on the GBA Standard Contract to legitimise cross-border data transfers, data controllers must fulfil the following obligations outlined in the GBA Standard Contract:

    • Providing notice and obtaining separate consent from data subjects in accordance with the laws and regulations prior to the transfer;
    • Not transfer any personal information outside the Greater Bay Area; and
    • Conducting a personal information protection impact assessment. However, note that there will be no need to file this simpler assessment with the authorities (a less stringent requirement compared with the formal China SCCs route).
  • Filing procedure. Data controllers must still make a filing containing the signed GBA Standard Contract, together with other specified documents, with the Guangdong Province CAC or the Office of the Hong Kong Government Chief Information Officer within ten working days from the contract’s effective date.
  • Onward transfers are permitted only within the GBA. The GBA Standard Contract must not be abused as a means of leveraging Hong Kong as a safe harbour for onward transfers to jurisdictions outside the GBA without following the appropriate means of legitimising those cross-border data transfers.

Regardless of the above, the Implementation Guidelines still represent an important first step towards the much-anticipated relaxation of restrictions on personal information flows across the GBA, as foreshadowed in the Memorandum of Understanding on Facilitating Cross-boundary Data Flow Within the Guangdong-Hong Kong-Macau Greater Bay Area signed in June 2023.

  2. Breach Notification – Draft Administrative Measures for the Reporting of Cybersecurity Incidents (“Draft Measures”)

On 8 December, the CAC – as a response to China’s concern with large-scale data security incidents within its borders – issued Draft Measures aiming to safeguard national cybersecurity via the standardisation of reporting cybersecurity incidents. The Draft Measures closed for public consultation on 7 January 2024.

If passed in its current form, network operators will be required to report to the relevant government bodies any network security incident that may cause significant harm.

The incident reporting is categorised into different levels, based on the type of network operators.

The Draft Measures provide procedures in making notifications. Most notably, it introduces stringent notification timescales. Those cybersecurity incidents classified as “major”, “significant” or “particularly significant” should be reported within one hour of discovery – with information not then available to be supplemented within 24 hours.

  3. Cross-border Data Transfers – CAC Certification route

Following the finalisation of two out of three of the cross-border data transfer mechanisms (CAC Assessment and China SCCs), the CAC now turns to the final route – CAC Certification.

Despite uncertainties around the CAC Certification, developments came to light from 25 December onwards, when the first certifications were granted to notable household names such as Alipay, JD Technology and the University of Macau.

Most notably, it was reported that in considering the approval of the University of Macau’s certification, various internal governance processes were taken into account. These included but are not limited to: data spatialization, data classification and grading, identity authentication, data subject consent management, personal information impact assessments, data transfer risk assessments etc. – all of which provide a well-rounded governance of the entire lifecycle of data processing.

That said, there is little public information regarding the basis on which these certifications were approved, in particular whether the certifications only concern in-country processing of China personal information, or what specific business contexts were involved.

We expect to see more certification approvals during 2024.

See here for a recap on the CAC certification requirements.

Looking ahead – 2024

The China data protection regime is expected to witness more significant changes in the coming year.

Draft measures on important data, as well as compliance audits in the pipeline, indicate that the regulators are shifting their focus onto wider data compliance requirements after the frenzy on cross-border data transfers.

Given the shift in regulator’s priorities from an external-facing to internal-facing focus of data compliance, it is especially important in the coming months for businesses with a presence in China to focus on formulating a China data compliance programme and remediating any gaps in compliance – now with a focus on internal procedures and governance.

UK: EU-UK Data Privacy Framework Extension https://privacymatters.dlapiper.com/2023/09/uk-eu-uk-data-privacy-framework-extension/ Tue, 26 Sep 2023 15:26:11 +0000

UK Extension

Following the European Commission’s adequacy decision for the EU-US Data Privacy Framework (DPF) (for further information see here), the UK Government has announced that from 12 October 2023, organisations in the UK can transfer personal data to US organisations certified to the “UK Extension to the EU-US Data Privacy Framework” (“UK Extension”), without the need for additional data protection safeguards.

This follows the designation of the UK as a ‘qualifying state’ under US Executive Order 14086, which provides UK individuals with rights in relation to personal data that has been transferred to the US, including access to the newly established redress mechanism. The UK Secretary of State for Science, Innovation, and Technology has stated that the “designation by the US of the UK was an important factor that led to the data bridge assessment being successful, providing increased safeguards and redress mechanisms for UK individuals”.

In order to rely on the UK Extension, UK organisations will need to ensure that the relevant recipient in the US is certified to the UK Extension and appears on the DPF List. Any US organisation that is subject to the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DOT) may certify under the DPF. Organisations that are ineligible or prefer not to rely on the UK Extension will still need to use SCCs, BCRs, or another transfer mechanism and carry out TIAs.

ICO Opinion

Following the UK Government’s announcement in relation to the UK Extension, the UK Information Commissioner (ICO) has published an opinion, stating that, “while it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection and to lay regulations to that effect, there are four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied”. These include:

  • The definition of ‘sensitive information’ under the UK Extension not specifying all the categories listed in Article 9 of the UK GDPR. The ICO concludes that this “creates a risk that the protections may not be applied in practice“.
  • Concerns about a lack of clarity as to how specific protections afforded to criminal offence data (i.e. limits on the use of data relating to criminal convictions when those convictions have become ‘spent’) would apply once the information has been transferred to the US.
  • Concerns about the UK Extension not containing a right, substantially similar to the safeguards in the UK GDPR, protecting individuals from being subject to decisions based solely on automated processing. In particular, the UK Extension does not provide for the right to obtain a review of an automated decision by a human.
  • The UK Extension containing neither a substantially similar right to the UK GDPR’s right to be forgotten nor an unconditional right to withdraw consent.

The ICO concludes that “the Secretary of State should monitor these areas closely to ensure UK data subjects are afforded substantially similar protection in practice and their rights are not undermined”.

Given that the EU-US DPF is expected to be contested (Max Schrems’ privacy organisation, NOYB, which led the previous legal challenges to both Privacy Shield and Safe Harbor, has already announced that it will also challenge the DPF), it is likely that similar challenges will be made in the UK in relation to the UK Extension. As the Court of Justice of the European Union no longer has jurisdiction in the UK, the approach of the UK courts to any such challenge remains uncertain.

Next Steps

  • For DPF-eligible organisations, the UK Extension will streamline the compliance burden, enabling the flow of data from UK-US without the need to conclude SCCs and complete TIAs.

  • US Organisations who wish to benefit from the UK Extension, will need to be certified to the UK Extension and appear on the DPF List. This should be a straightforward process for organisations who are already DPF certified.

  • For those organisations that are ineligible to certify under the DPF (i.e. not subject to FTC or DOT jurisdiction), SCCs and BCRs will likely remain the default transfer mechanisms. As they are not covered by the DPF, such organisations will still need to conduct TIAs, although the changes to US surveillance laws under the EO should simplify the TIA process.

  • The UK Department for Science, Innovation, and Technology (DSIT) will monitor the DPF to ensure that it functions as intended, as part of DSIT’s requirement to monitor data bridges.

  • There remains a residual risk that transfers to the US under the UK Extension are subject to legal challenge. This should be managed with care and appropriate contingency plans adopted.
Indonesia: prepare now for the new Personal Data Protection Law https://privacymatters.dlapiper.com/2023/09/indonesia-prepare-now-for-the-new-personal-data-protection-law/ Fri, 15 Sep 2023 15:00:30 +0000

Following the passing of the long-awaited Personal Data Protection Law (“PDPL”) in Indonesia, on 31 August 2023 the Ministry of Communications and Information Technology published the draft government regulation (“Draft Regulation”) on the implementation of the PDPL for public consultation. The public consultation will close on 14 September 2023. The Draft Regulation is expected to come into effect in October 2024.

Summary of the key themes of the Draft Regulation:

  • Scope of personal data: In addition to the list of “specific personal data” set out in the PDPL, the Draft Regulation introduces a mechanism for the government to expand the scope of “specific personal data”. The Ministry, in consultation with the PDP Agency, may designate other data as “specific personal data” if it has the potential to cause greater harm to data subjects, such as discrimination, material/immaterial loss and contravention of the law. It also clarifies that personal data will cover those in the public domain. This gives the government the flexibility to extend its control over time, which in turn creates uncertainty for businesses.
  • Consent to data processing: Similar to the position taken under other data protection laws in Asia, data processing can be based on consent (though other bases of data processing are also available). Where consent is used, the data subject must be provided with a privacy notice and explicit lawful consent must be obtained.

With regard to children or persons with disabilities, consent should be obtained from the parents/guardians of the children and from either the disabled persons or their guardians.

Interestingly, a child is defined as any unmarried person under the age of 18. Controllers are also required to take measures to identify persons with disabilities. These provisions may lead to some uncertainty as to whether mere reliance on a data subject’s declaration is sufficient or whether a more proactive approach, such as verification and active monitoring, is required.

  • Data subject rights: The Draft Regulation also sets out in detail the rights of data subjects and the timelines for responding to requests. For example, controllers must respond to data subject requests within “3 x 24” hours. This is a very short timeframe that is usually only applied in data breach notification scenarios in other jurisdictions in Asia.  
  • Cross-border data transfers: The PDPL already provides that data controllers transferring personal data abroad must ensure that the recipient country has a level of data protection at least equal to that required in Indonesia. 

The Draft Regulation clarifies that the PDP Agency will be the authority to make the determination and the PDP Agency may in the future establish a list of jurisdictions meeting that threshold. If the receiving jurisdiction does not meet the threshold, measures similar to those adopted by other jurisdictions in Asia, such as cross-border agreements, standard contract clauses and binding group company regulations, must be put in place.

We expect the PDP Agency to provide more details on these practices, such as standard wordings and templates, in the future. Nonetheless, if these requirements are not met, the consent of the data subject could be used as a fallback in limited circumstances. In any event, controllers will be required to carry out a risk assessment and a legal instrument assessment prior to the transfer.

  • Redress and out-of-court dispute resolution: The Draft Regulation places great emphasis on redress for data subjects and on alternative dispute resolution mechanisms in the event of a breach. A data subject has the right to sue for violations, whether based on fault or negligence on the part of the controller, and to receive material compensation, such as a sum of money, or non-material compensation, such as remedial measures. In particular, the Draft Regulation expressly gives priority to mediation over other dispute resolution mechanisms, and even provides for a Professional Mediation Institution that is equipped with expertise in data protection and certified in accordance with the Draft Regulation.

Alternatively, breaches of data protection may be punished by administrative fines of up to 2% of the violator’s annual revenue or annual receipts. However, it is uncertain whether the percentage cap will be applied to the local entity or to the group globally.

What next – practical steps

While the Draft Regulation signifies Indonesia’s commitment to strengthening its data protection framework in line with global standards, we expect that compliance with the data protection law in Indonesia could be challenging given the onerous obligations and uncertainty.

Given the PDPL will come into force in October 2024 and it now seems likely that the Draft Regulations will also come into effect at around the same time, we recommend that businesses prioritise the following:

  • review existing data flows and the categories of data which are being collected and processed;
  • consider existing mechanisms for obtaining consent;
  • review processes for responding to data subject requests and data breach notification;
  • review processes for conducting data protection impact assessments.
EU: Final version of the EDPB Guidelines 05/2021 on the Interplay between the application of Art. 3 and the provisions on international transfers as per Chapter V of the GDPR https://privacymatters.dlapiper.com/2023/03/eu-final-version-of-the-edpb-guidelines-05-2021-on-the-interplay-between-the-application-of-art-3-and-the-provisions-on-international-transfers-as-per-chapter-v-of-the-gdpr/ Tue, 07 Mar 2023 08:27:55 +0000

Authors: Andreas Rüdiger, Philipp Adelberg

On 14 February 2023, the European Data Protection Board ("EDPB") published the updated and final version of its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (EDPB Guidelines 05/2021). Compared with the first version published in 2021, the core messages of the paper remain the same: the EDPB sets out three essential criteria for qualifying processing of personal data as a transfer to a third country. In the update, the EDPB now specifies these requirements in more concrete terms.

 Transfer to a third country

 Since the GDPR itself does not provide for a definition of the term “transfer of personal data to a third country or to an international organisation” and case law only exists to a limited extent in this regard, the EDPB elaborates three cumulative criteria to qualify a processing operation as a transfer:

  1. the controller/processor (“exporter”) is subject to the GDPR for the given processing,
  2. the exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”), and
  3. the importer is located in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Art. 3 GDPR, or is an international organisation.

If one of these criteria is not met, the respective processing activity cannot be considered a transfer within the meaning of the GDPR.

Even where the provisions of Chapter V of the GDPR do not apply, the EDPB expressly points out that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities regardless of where they take place, since processing outside the EU may carry specific risks (e.g. where an employee of an EU controller travels abroad and accesses the controller's data from a third country). Such risks may arise from conflicting national law or from disproportionate access rights of the third country's authorities. A controller must take these risks into account when initiating a transmission of personal data and adopt appropriate data security measures.

In this regard, the Committee of Independent German Federal and State Data Protection Supervisory Authorities (Datenschutzkonferenz, "DSK"), a board consisting of the federal and state data protection supervisory authorities that deals with and comments on current data protection issues in Germany, stated in its resolution of 31 January 2023 on the assessment of access possibilities to personal data for public authorities of third countries under current data protection law (DSK resolution of 31 January 2023) that the mere risk that public authorities of third countries might request a transmission of personal data to the third country is not in itself sufficient to assume a transfer of data within the meaning of Art. 44 et seqq. GDPR.

Both the EDPB and the DSK give examples of security measures to be taken in such cases. These include, among other things, appropriate technical and organizational measures, a detailed examination of the law of the third country, any assurances given by the contractual partner and whether they can actually be complied with, and an assessment of the other risks associated with the transmission.

Specification of the criteria

The EDPB now specifies the above criteria in the second version of Guidelines 05/2021 and, for this purpose, elaborates extensive worked examples that illustrate the interplay between Art. 3 GDPR and Chapter V of the GDPR.

Of particular relevance is the clarification that personal data is "made available" (criterion 2) where, for example, it is accessed remotely from a third country or stored in a cloud outside the European Economic Area (EEA), provided the other criteria are also met. However, where the processing is purely internal to the controller, i.e. the data is not passed to another controller or a processor and therefore does not leave the controller's organizational structure, personal data is not "made available" to another controller/processor. This is illustrated in example 8.1 of the Guidelines 05/2021.

The twelfth and last example elaborated by the EDPB is also of high importance to data protection practice. In this scenario, a controller based in the EU engages a processor that is also based in the EU but is a subsidiary of a company based in a third country. Understandably, the EDPB does not consider the transfer of personal data by the controller to the processor as a third country transfer. However, this constellation becomes problematic where the processor, as a subsidiary, is also subject to laws of the third country in which the parent company is located that have extraterritorial effect. Authorities of that third country may then request, in accordance with applicable local law, that the personal data processed by the processor on behalf of the controller be transmitted to them. If the processor complies and transmits the data to authorities in the third country, the EDPB considers this to be a third country transfer. If the controller has prohibited such a transfer in the data processing agreement, the processor acts contrary to the controller's instructions and is itself considered the controller for this processing operation pursuant to Art. 28(10) GDPR. The controller is obliged to check in advance whether the commissioned processors are subject to such access rights of third country authorities and, if necessary, to take appropriate technical and organizational measures to ensure that the processing is also carried out in accordance with Chapter V of the GDPR.

Conclusion

The legally non-binding Guidelines 05/2021 of the EDPB are to be welcomed insofar as they show, in a comprehensible and easy-to-use manner, in which constellations a third country transfer is to be assumed within the meaning of the GDPR, in particular taking into account the rules on territorial scope under Art. 3 GDPR. In addition, they illustrate that controllers may nevertheless risk violating the GDPR in cases where a data flow to a third country does not qualify as a third country transfer. In our opinion this is a rather abstract risk and should not lead to the same risk assessment obligations for a controller as actual third country transfers. However, given the complexity and multi-layered nature of the possible constellations of processing operations, companies are well advised to examine carefully the extent to which personal data is transferred to a third country when involving additional controllers or processors, in order to consider and implement appropriate security measures and avoid potential fines. Finally, it is pleasing to note the EDPB's clarification that the transfer of personal data by a processor based in the EU to an authority in a third country may be contrary to instructions and will, if so, qualify the processor itself as a controller under Art. 28(10) GDPR.

More on how to deal with third country transfers and detailed information on DLA Piper’s legal tech tool “Transfer” can be found here.

FRANCE: The CNIL provides further insights following its formal notices against the use of Google Analytics
https://privacymatters.dlapiper.com/2022/06/france-the-cnil-provides-further-insights-following-its-formal-notices-against-the-use-of-google-analytics/
Mon, 13 Jun 2022 18:58:40 +0000
Authors: Denise Lebeau-Marianna, Tess Muckensturm and Divya Shanmugathas

Since our last post, the French Supervisory Authority (the "CNIL") has published, on June 7, 2022, a Q&A and a post regarding Google Analytics, in which it highlights the key points of its formal notices and gives practical advice to website operators.

  1. Lessons to be drawn from the formal notices regarding the use of Google Analytics

The CNIL confirms that, although the formal notices were issued only against certain French companies (those specifically targeted by NOYB's complaints), all websites using Google Analytics are concerned. The anonymization of the formal notices is thus a call from the CNIL to all website operators using Google Analytics to bring their websites into compliance.

Therefore, “all controllers using Google Analytics similarly to the companies targeted by the formal notices should consider the use thereof as unlawful under the GDPR”. Thus, the CNIL prompts all website operators using Google Analytics to find alternative solutions with sufficient safeguards.

While the legal issues raised by Google Analytics have been examined in coordination with other EU Supervisory Authorities, each website operator subject to a complaint has been investigated on a case-by-case basis, according to the responses provided by each organization.

  2. Why is Google Analytics non-compliant?
  • The standard contractual clauses entered into between Google and website operators are not sufficient in themselves to ensure an adequate level of protection. The supplementary measures implemented by Google, whether contractual, organizational or technical, are ineffective against access requests by US intelligence services.
  • The setup of Google Analytics does not prevent the transfer of personal data outside the EU, since all personal data collected via Google Analytics is hosted in the US. Moreover, the mere use of solutions subject to third-country laws is likely to raise difficulties regarding access by foreign government authorities to personal data hosted in the EU (unless such access is based on an international agreement in compliance with Article 48 of the GDPR). This begs the question whether companies should only use solutions offered by EU companies.
  • The CNIL further notes that (i) even though an IP-anonymization function exists, it does not apply to all transfers, as it is optional, and (ii) it is unclear whether the anonymization takes place before the data is transferred to the US. The CNIL further states that the use of unique identifiers alone may render an individual identifiable when combined with other information such as browser or operating system metadata. Finally, the CNIL explains that the combined use of Google Analytics with other Google services, such as marketing, may increase the risk of tracing individuals, since it may make it possible to retrace their browsing history across a huge number of sites.
  • Regarding encryption of the personal data, the CNIL finds that it is not effective, since Google LLC performs the encryption itself and must provide access both to the data in its custody and to the encryption keys needed to read that data in the clear. To qualify as a sufficient supplementary measure, the encryption keys would have to be kept under the exclusive control of the data exporter, or of other entities established in a country offering an adequate level of data protection.
  3. Proxyfication and alternative solutions proposed by the CNIL, subject to stringent conditions

The CNIL opens a window for the use of Google Analytics by stating that a solution involving a proxy server, which avoids any direct contact between the user's terminal and Google's servers, could be considered a sufficient supplementary measure. However, the proxy server will have to meet all the criteria applicable to supplementary measures set out in the EDPB Recommendations of June 18, 2021.

The CNIL also refers to a list of audience measurement tools which do not require users' consent. Amongst others, the following tools are mentioned:

  • SmartProfile, version 21, from Net Solution Partner,
  • Matomo Analytics, version 4, from Matomo,
  • Eulerian, version 6, from Eulerian Technologies.

However, this list does not address the issues raised by international data transfers, and notably the consequences of the Schrems II decision. Thus, even if a data exporter uses a solution listed by the CNIL, it will not be exempted from carrying out a data transfer impact assessment in the event of data transfers to a third country.

If such a data transfer impact assessment leads to the conclusion that supplementary measures are needed, the proxyfication method mentioned above for Google Analytics, which, when properly set up, sends only pseudonymized data to servers located outside the EU, could be considered an appropriate measure.

This solution involves both technical and financial considerations for data controllers. The CNIL enumerates the measures that must be implemented for proxyfication to be valid:

  • (i) guaranteeing that the IP address is not sent to the server of the measurement tool;
  • (ii) replacing the user ID by the proxyfication server;
  • (iii) removing any information on the referer website;
  • (iv) re-processing any information that contributes to generating a fingerprint;
  • (v) no collection of cross-site unique identifiers;
  • (vi) deletion of any data likely to lead to re-identification;
  • (vii) the proxyfication server must not itself involve transfers out of the EU to a third country.

However, the CNIL acknowledges that implementing all these measures can be expensive and complex. As an alternative, the CNIL recommends that controllers use a solution that does not transfer personal data outside the EU.
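Taken together, measures (i) to (vi) describe a request-rewriting step that the proxy applies to every hit before forwarding it to the measurement tool. The Python sketch below is an added example of that step; it is not the CNIL's, Google's or any vendor's code. It assumes a GA-style "collect" hit (query parameters such as cid, dr, sr, vp, ul and gclid), an illustrative list of identifier, fingerprint and header fields, a monthly rotation of the keyed pseudonym and 400-pixel screen-size buckets; the sample hit is constructed. Measure (vii), EU hosting of the proxy itself, is a deployment property that code cannot enforce and is only noted in a comment.

```python
"""Pseudonymising analytics proxy: the request transform the CNIL's criteria imply.

Added example, not code from the CNIL, Google or any vendor. Assumptions: hits
arrive in a GA-style "collect" format (query parameters cid, dr, sr, vp, ul,
gclid, ...); the parameter and header lists are illustrative; monthly pseudonym
rotation and 400 px screen buckets are design choices. The proxy is assumed to
run on EU-hosted infrastructure (measure vii), which this code cannot enforce.
"""
import hashlib
import hmac
import re
from datetime import date
from typing import Optional
from urllib.parse import parse_qsl, urlencode

# Parameters carrying cross-site or campaign identifiers: dropped outright (assumed list).
CROSS_SITE_ID_PARAMS = {"gclid", "dclid", "gclsrc", "_ga", "_gid", "uid"}
# Referer information: dropped outright.
REFERER_PARAMS = {"dr"}
# Parameters that feed browser fingerprinting: coarsened or dropped, never forwarded as-is.
FINGERPRINT_PARAMS = {"sr", "vp", "ul", "sd", "de", "fl", "je"}
# Request headers revealing the client address, cookies, referer or full user agent.
DROPPED_HEADERS = {"referer", "cookie", "x-forwarded-for", "x-real-ip", "forwarded", "user-agent"}


def rotation_period(day: date) -> str:
    """Pseudonyms change every calendar month (assumption), bounding long-term linkability."""
    return day.strftime("%Y-%m")


def pseudonymise_id(client_id: str, key: bytes, period: str) -> str:
    """Keyed, truncated HMAC-SHA256 of the vendor's client id (measure ii).

    The key exists only on the EU proxy, so the vendor cannot reverse the pseudonym;
    folding in the period gives the same visitor a fresh pseudonym each period.
    """
    mac = hmac.new(key, f"{period}|{client_id}".encode(), hashlib.sha256).hexdigest()
    return "p" + mac[:16]


def coarsen(name: str, value: str) -> Optional[str]:
    """Reduce fingerprint entropy (measure iv): bucket screen sizes, keep only the language code."""
    if name in ("sr", "vp"):
        m = re.fullmatch(r"(\d+)x(\d+)", value)
        if not m:
            return None
        return f"{int(m.group(1)) // 400 * 400}x{int(m.group(2)) // 400 * 400}"
    if name == "ul":
        return value[:2].lower()
    return None  # colour depth, encoding, flash/java flags: not forwarded at all


def sanitise_hit(hit: dict, key: bytes, today: date) -> dict:
    """Build the request the proxy forwards. The visitor's IP is never copied into it;
    the vendor only ever sees the proxy's own address (measure i)."""
    out = {}
    for name, value in parse_qsl(hit["query"], keep_blank_values=True):
        if name in CROSS_SITE_ID_PARAMS or name in REFERER_PARAMS:
            continue  # measures iii and v
        if name == "cid":
            out["cid"] = pseudonymise_id(value, key, rotation_period(today))
        elif name in FINGERPRINT_PARAMS:
            coarse = coarsen(name, value)
            if coarse is not None:
                out[name] = coarse
        else:
            out[name] = value
    headers = {k: v for k, v in hit["headers"].items() if k.lower() not in DROPPED_HEADERS}
    headers["User-Agent"] = "analytics-proxy/1.0"  # generic UA replaces the browser's
    return {"path": hit["path"], "query": urlencode(out), "headers": headers}


def leaks_client_data(forwarded: dict, hit: dict) -> bool:
    """Release check (measure vi): neither the raw IP nor the raw client id may survive anywhere."""
    blob = forwarded["query"] + " " + " ".join(f"{k}: {v}" for k, v in forwarded["headers"].items())
    raw_cid = dict(parse_qsl(hit["query"])).get("cid", "")
    return hit["client_ip"] in blob or (raw_cid != "" and raw_cid in blob)


# Constructed sample hit, not captured traffic.
SAMPLE_HIT = {
    "client_ip": "203.0.113.42",
    "path": "/collect",
    "query": ("v=1&tid=UA-12345-1&cid=555.1234567890&t=pageview&dp=%2Fpricing"
              "&dr=https%3A%2F%2Fexample.org%2Fref&sr=1920x1080&vp=1903x955"
              "&ul=fr-fr&sd=24-bit&gclid=Cj0example"),
    "headers": {
        "Host": "www.google-analytics.com",
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/101.0",
        "Referer": "https://www.example.fr/pricing",
        "Cookie": "_ga=GA1.2.555.1234567890",
        "X-Forwarded-For": "203.0.113.42",
    },
}
PROXY_KEY = b"example-key-held-only-on-the-eu-proxy"  # real deployments: random key in an EU-held secret store


def demo_forward() -> dict:
    """Run the transform on the sample hit with a fixed date, so results are reproducible."""
    return sanitise_hit(SAMPLE_HIT, PROXY_KEY, date(2022, 6, 13))


if __name__ == "__main__":
    fwd = demo_forward()
    print(fwd["query"])
    print(fwd["headers"])
    print("leaks client data:", leaks_client_data(fwd, SAMPLE_HIT))
```

The release check in `leaks_client_data` is the kind of assertion to run in the proxy's test suite after every change to the field lists: a new vendor parameter that carries an identifier would otherwise pass through silently. Note also that the proxy can only rewrite what it sees; any script that contacts the vendor directly from the browser bypasses it, so the site's tag configuration must route all collection through the proxy.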

  4. A risk-based approach is not admitted

The CNIL finally reiterates that controllers cannot take a risk-based approach relying on the likelihood of data access requests. As long as such access remains possible, the additional technical measures described in the EDPB's recommendations on measures that supplement transfer tools must be taken in order to make such access impossible or ineffective.

The CNIL thus reaffirms the European position taken since the Schrems II decision, leaving users of such tools in a difficult situation, in particular where the likelihood of access to the data is very low.

For more information, please contact denise.lebeau-marianna@dlapiper.com, Partner, IPT Department DLA Piper France LLP.
