In a new decision, the Icelandic Data Protection Authority has ruled that a school in Reykjavík may not use a US cloud provider:
"[..] all processing in the Seesaw educational system should be ceased and students' data deleted after being retrieved, if applicable, to be stored within each school."
The order comes on top of all the controversy surrounding transfers to the United States (and other third countries), which will not be repeated here.
However, it is worth noting that there was a lot wrong with the municipality's use of the system:
- the processing agreement between Reykjavík and Seesaw was insufficient,
- the municipality could not demonstrate a specified, explicit and legitimate purpose for the processing in question, which was therefore considered unlawful,
- the processing was neither fair nor transparent,
- neither the principles of data minimisation and storage limitation nor data protection by design and by default were implemented, taking into consideration the amount of data collected, the extent of their processing, the period of their storage and their accessibility,
- the data protection impact assessment did not meet the minimum requirements,
- the municipality did not demonstrate that it had ensured appropriate security of the personal data in question and
- the data was being transferred to the United States without appropriate safeguards.
A really good friend drew my attention to the decision and quite reasonably suggested that it might be the most expensive decision so far in the GDPR area. The fine of approx. 35,000 EUR is thus of little interest; the most important thing is that the supervisory authority says that the municipality must not use the American provider.
In a way that is correctly observed, but I have to add that, as shown, there was quite a lot wrong with the processing activity. It is therefore difficult to see that it is precisely the transfer that disqualifies the use: if the data processor agreement was insufficient, cf. point 1 above, then the transfer of the processing to the IT provider in the USA was already unlawful on that ground alone.
With this decision, companies and authorities have not really become any wiser about how dangerous it is to use IT providers in the USA in violation of the rules, i.e. without having taken all the steps that the data protection rules say we should.
On the basis of the above, if I have to be sharp, I would claim that Datatilsynet's cloud guide contains significantly heavier obligations for companies and authorities than just those concerning the transfer to the United States or third countries.
In my opinion, there has thus been too little discussion of the following requirements, which have been highlighted in the cloud guide (and others could be mentioned):
1. Documentation: The guide requires data controllers to divide their GDPR risk assessment into a risk assessment relating to data protection and one relating to processing security (pages 1 - 10).
2. Own purposes: SaaS providers may not use personal data for their own purposes and must confirm that they do not do so (pages 2 and 10 - 13). It is my view that SaaS providers today use personal data for development to a large extent. What effect it may have that SaaS providers, as a starting point, cannot use data for development (own purposes) is left uncertain.
3. You must know the end processor: The data controller must know the entire chain of processors (page 15). No one knows this today, and most smaller SaaS providers hosted at AWS or Google Cloud / Azure do not either, so they cannot pass the screening on pages 12 - 13.
It can be stated that the GDPR remains an area where there is an immense distance between the rules and reality, and many of us are struggling to move closer to the rules.
All in all, at least for now, it can still be stated (and this can then be included in the reader's business risk assessment and briefing to management) that the risk of using cloud providers in the US and other third countries is relatively low, but that the consequence of being discovered may be large.
If you are discovered, you should have drawn up your data processor agreement properly, including, where relevant, a transfer basis if the immediate counterparty is in the US or a third country. And as far as possible, one should have chosen some relevant supplementary measures.
The main thing, in any case, is that one must not take part in an illegal transfer and have done or considered virtually nothing as in the Icelandic case. As stated on page 19 in the fine calculation guide from the European Data Protection Board, which has just been sent for consultation, one should preferably not have shown "contempt for the provisions of the law [..]". This will - of course - lead to a higher fine.