EU-US data transfers under renewed scrutiny – the Shopify case
GDPR compliance of data transfers between EU & US for Content Delivery Networks (CDN) with European servers
Data transfers between the EU and the US are again under legal scrutiny. This time the culprits are not Google Analytics, Office 365, or video conferencing software. Instead, a German data protection watchdog investigated Shopify and the infrastructure services surrounding it, in particular Cloudflare.
Data transfers in online stores
Shopify is a Canada-based e-commerce platform that is also popular with European merchants. Cloudflare is a US-based cloud computing service provider. Shopify integrates with Cloudflare – and similar services – as a Content Delivery Network (CDN) to improve the security, performance, and reliability of web stores. Merchants can use important features such as a firewall and DDoS protection.
For that purpose, however, they have to transfer the IP addresses of their customers to the respective service. And that means a data transfer to the US. As Shopify comes bundled with the CDN, disabling it is not an option.
Shopify stores under scrutiny in Germany
The data protection regulator of the federal state of Rhineland-Palatinate contacted one of the largest German operators of an online store on Shopify, threatening legal action against the use of such a CDN – and thus of Shopify – on the grounds that such a transfer was illegal.
The legal reasoning was that US authorities could access the EU data transferred to the US, as the US CLOUD Act would permit that. This holds even if the data are stored on EU servers, as the CLOUD Act permits such access too. It is sufficient that the company owning the servers is controlled from the US.
This assessment of the Rhineland-Palatinate data protection regulator is in line with similar opinions of other state-level regulators in Germany.
Yes and no – but the data protection regulator has a point
Here at Engity, we share the legal assessment of the regulator in principle, albeit not in the case at hand.
In the discussion regarding data transfers to third countries, such as the US, it is often overlooked that a data transfer is not a yes-no or one-zero issue. Every data processing activity needs a legal ground, as does every data transfer. Often it is necessary to weigh the conflicting interests. Take the example of Art. 6 Section 1 lit f) GDPR or a transfer of personal data to a third country according to Article 46 Sec. 2 lit c) GDPR (Standard Contractual Clauses). If businesses use those paths of processing and transferring data, they need to take into account how sensitive the data transferred are, how good their protective measures are, to what extent those data are at risk, and how all of that weighs against their own interest in the transfer at hand. The European Court of Justice (ECJ) was rather clear on those points in its Schrems II ruling.
An IP address is, under European law, personal data. It is, however, neither very specific nor particularly sensitive. At the same time, the interest of an online store in using a service like Cloudflare is a very valid one, and there is little that could fully substitute for Cloudflare on the EU market. Not using such a service can leave an online business vulnerable to attacks.
Thus, we at Engity think that the Rhineland-Palatinate data protection authority is too strict in its reading of the GDPR – the use of Cloudflare should be possible for EU businesses.
Data transfers of sensitive data remain difficult
The situation is very different for identity providers in the IAM field. Login data and identities are extremely sensitive data: when abused, they can not only facilitate identity theft but also open access to all the data "behind" a login or identification procedure. Those data may be of an extremely personal nature. Think of medical data.
At the same time, there are European identity providers and IAM solutions – we at Engity are an example. Thus, when the interests are weighed against each other, identities cannot be transferred to the US as long as the US CLOUD Act is in force and no secure and lasting transfer mechanism between the EU and the US can be found and has been tested in court.
We do not believe that a new adequacy decision by the EU Commission on data transfers to the USA (Privacy Shield 2.0) will change this. Like the previous transfer mechanisms Safe Harbor and Privacy Shield 1.0, this one will probably not stand up in court: nothing has changed in the legal situation. The rulings of the ECJ were rather clear. It is therefore not advisable to make long-term investments in digital infrastructure based on such a decision.
While in the case at hand we see regulatory overreach, the general legal assessment holds water. It is time to act for businesses and organizations that do not yet use a European identity provider or IAM service.