The risk-based approach to GDPR

Herald Jongen, Nienke Bernard, Emre Yildirim, and Wouter van Wengen [1] at Greenberg Traurig discuss how the Dutch government provides a pragmatic and realistic interpretation of the high standards of GDPR by applying the risk-based approach.

This article discusses the strategic and pragmatic approach employed by the Dutch government in negotiating with big tech companies to ensure GDPR compliance. Case studies include landmark agreements with Microsoft, Google, and Amazon Web Services (AWS). Greenberg Traurig also explore the role of the Dutch National Cyber Security Centre (NCSC) in shaping GDPR policy, particularly in relation to cross-border data transfers to the United States and the impact of the US Cloud Act. This article offers an in-depth analysis of the Dutch government’s risk-based approach towards GDPR compliance and its implications for the tech sector [2].

Risk-based approach in negotiating with big tech

The Dutch government continues to extend its influential hand on the tech sector, playing a significant role in orchestrating GDPR-compliant agreements with major cloud providers such as Microsoft, Google, and Amazon Web Services (AWS). These tech giants, by nature, are often reluctant to make alterations to their standard contractual documents. However, the Dutch government’s persistent efforts have yielded unique results.

Centralised approach

In particular, the Dutch Ministry of Justice and Security, through its subdepartment Strategic Vendor Management Microsoft, Google Cloud and Amazon Web Services (SLM), is pulling its weight in attaining these results. One of SLM’s tasks is to facilitate the procurement of (cloud) services from Microsoft, Google and AWS, enabling their use by state organisations within the framework of laws, regulations, and nationwide cloud policy. To this end, SLM negotiates with these companies to establish ‘framework agreements’, incorporating safeguards for responsible and compliant use of (cloud) services.

Leverage

Through this centralised approach the Dutch government has substantial leverage, which is further bolstered by GDPR tools for investigating a vendor’s compliance with data protection rules, such as the data protection impact assessment (DPIA) and the data transfer impact assessment (DTIA). The DPIA is a process designed to help you systematically analyse, identify, and minimise the data protection risks of a project or plan. The DPIA is generally mandatory for certain sensitive processing, or processing on a large scale, which is often the case for big tech solutions used by government. The DTIA is a mandatory assessment of the protection level of personal data when transferred to a country outside the European Economic Area (EEA) without an adequacy decision. The obligatory nature of these assessments forces big tech companies to accept scrutiny of their current data protection practices. Naturally, this leverage has limits, as these big tech companies may also have a vendor lock-in advantage, which means that there are not always many (reasonable) alternatives to the products and services they offer. The Dutch government has managed to stay within the confines of these limits by being pragmatic and approaching compliance with the GDPR from a risk-based angle. Furthermore, the government understands that it takes ‘two to tango’ (negotiate) and that, where possible, compromises must be found. In essence, the government embraces the positive effects of technology while remaining mindful of mitigating risk.

Microsoft

In 2019, SLM negotiated a framework deal with Microsoft for the government-wide use of Microsoft products and services. This deal yielded a landmark result, since Microsoft agreed to implement contractual changes in its Microsoft Online Service Terms (OST) to achieve GDPR-compliant use of Microsoft products and services by government entities. Subsequently, Microsoft announced via its Chief Privacy Officer, Julie Brill, that it would update the privacy provisions in the OST for all of its customers, which led to the insight that horizontal commercial negotiations can be a remarkably effective tool in the reassessment of big tech contracts and policies.

The Dutch Ministry of Justice’s regulatory approach towards supervising big tech has not only proven effective but has also garnered global admiration. This strategy showcases the Dutch government’s commitment to maintaining a balance between technological advancement and user privacy.

Google

After Microsoft, SLM took on a new challenge, entering into similar talks with Google for the use of Google Workspace services. This time, the negotiations were held in collaboration with the ICT cooperatives SURF (representing Dutch higher education and research institutions) and SIVON (representing Dutch primary and secondary educational institutions). Prior to these discussions, SLM and several education institutions performed data protection impact assessments (DPIAs) on the use of Google Workspace. Both DPIAs identified ten high risks, which needed to be remediated for compliant use of the services. After a period of implementation and testing of the remediation measures, the Dutch Minister of Education, Culture and Science informed Parliament in July 2023 that the high risks identified in the DPIA had been sufficiently mitigated.

AWS

On 1 June 2023, it was officially announced that the Dutch government had successfully established a framework agreement with AWS. This agreement paves the way for government-wide utilisation of AWS services, demonstrating the Dutch government’s commitment to leveraging new technology while complying with GDPR regulations.

Meta

In some cases, the Dutch government asks the Dutch DPA to advise on the high risks identified in a DPIA. The advice of the Dutch DPA is the basis for continued negotiations between the Dutch government and the relevant major tech company. A case in point is the discussions with Meta about the use of Facebook pages by the Dutch Ministry of the Interior and Kingdom Relations. As reported by ‘het Financieel Dagblad’, the leading Dutch financial newspaper, on 31 October 2023, the former Dutch State Secretary of Digital Affairs and Kingdom Relations asked the Dutch DPA to advise on important legal questions relating to the high risks identified in the DPIA. This move displayed the Dutch government’s readiness to hold tech giants accountable and protect user rights.

Risk-based approach in data transfers

Another key ‘GDPR’ influencer within the Dutch government is the National Cyber Security Centre (NCSC). The NCSC is a subdepartment of the Dutch Ministry of Justice and Security, tasked with improving the digital resilience of the Netherlands, mitigating the consequences of cyber incidents and, in doing so, preventing social disruption. The NCSC’s role has been particularly important with respect to cross-border data transfers to the United States and the risk and impact of the US Cloud Act. In recent years, the NCSC has published and promoted two instrumental memoranda on these topics, which are discussed below. In line with other Dutch government entities, the NCSC applies a risk-based approach to GDPR compliance, which is the underlying foundation of each of these publications.

Analysing the risk of US laws

On 21 February 2022, Greenberg Traurig advised SLM on step 3 of the DTIA (as discussed above) with respect to data transfers to the United States (‘the Step 3 Memorandum’). Step 3 of the DTIA is to assess the level of data protection offered by foreign legislation and regulations against the EU’s data protection standards as outlined in the Schrems II decision of the Court of Justice of the EU (‘the Rule of Law Standard’). In conclusion, the Rule of Law Standard is not consistently met by US legislation and regulations, and therefore technical or organisational measures should be considered to mitigate any risks.

In more detail the Step 3 Memorandum holds that:

  1. US legislation cited in Schrems II includes FISA 702, E.O. 12333, PPD-28, and the Fourth Amendment. FISA 702, E.O. 12333, and PPD-28 were found not to comply with EU standards.
  2. Recent changes to FISA 702 have not fully addressed the right to redress for non-US citizens, and thus, it likely still fails to meet EU standards.
  3. Other relevant US legislation includes the Electronic Communications Privacy Act (ECPA), the Right to Financial Privacy Act (RFPA), and the Cloud Act. ECPA arguably meets EU standards if customer notification occurs; RFPA and administrative subpoenas are case-dependent, and their compliance with EU standards may vary.
  4. There are ongoing efforts in the US to find a resolution to the data transfer issue post-Schrems II, but the underlying issues related to US surveillance practices remain unresolved.
  5. State privacy laws in California, Virginia, and Colorado align with GDPR to some extent. However, they do not provide judicial redress as required by Schrems II when FISA 702 is applicable.
  6. Practices incompatible with Standard Contractual Clauses (SCCs) exist when relevant legislation is lacking, particularly for entities not covered by specific privacy laws like HIPAA, GLBA, or state data protection laws.
  7. The US Department of Commerce’s White Paper and the Annual Statistical Transparency Report suggest limited use of FISA 702, indicating that not all US organisations handle data of interest to US intelligence.
  8. A processor’s commitment to Privacy Shield requirements does not overcome the lack of judicial redress mechanisms and therefore likely does not affect the rule of law assessment.
  9. The Dutch State’s immunity under international law and the Foreign Sovereign Immunities Act (FSIA) provides protection from US lawsuits unless specific exceptions apply, but this does not necessarily protect Dutch State data from foreign surveillance.

US Cloud Act memorandum

On 16 August 2022, the NCSC published ‘the Cloud Act Memo,’ drafted on behalf of the NCSC by Greenberg Traurig. The Cloud Act allows US law enforcement agencies to request data stored by US companies overseas, raising concerns about the potential exposure of EU residents’ personal data.

The Cloud Act Memo concludes that while EU entities can be subject to the Cloud Act, there are strategies to mitigate this risk. These include using encryption technologies, adopting a risk-based approach to data storage, and reorganising business structures to avoid data transfers to the US. It also notes that initiatives like Microsoft’s EU Data Boundary may offer solutions for compliance. The memo further points out the possibility that the Cloud Act could reach data through subcontractors or providers involved with cloud services, indicating the need for a comprehensive approach to data protection.

US Cloud Act request memorandum

Following the Cloud Act Memo, a small number of people provided commentary asserting that the Cloud Act Memo underscored the risk of using US-based cloud services in light of the extraterritorial application of the US Cloud Act. Therefore, on 17 November 2022, the NCSC published a new memo on the practical risk of the US Cloud Act (‘the Cloud Act Request Memo’).

The Cloud Act Request Memo concludes that the risk of exposure to the Cloud Act is low. Despite the reassuring findings, the memorandum suggests several strategies for further reducing the residual risk of data exposure under the Cloud Act. These include ringfencing, proper encryption, and pseudonymisation. Additionally, the memorandum discusses a market solution involving the use of encryption and pseudonymisation, which can be particularly effective for data analysis and machine learning. The solution involves encrypting data at rest, transferring it securely to a cloud provider, and pseudonymising it within a trusted execution environment, creating a pseudonymised data set. The additional information required for relinkability is only accessible to the data controller, further enhancing data protection.
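The pseudonymisation pattern described above, as an added illustration that is not part of the memo, the NCSC’s or Greenberg Traurig’s material: the memo names the building blocks (encrypt at rest, pseudonymise inside a trusted execution environment, keep the relinking information with the controller) but does not prescribe a concrete mechanism, so this example assumes keyed HMAC-SHA256 pseudonyms, models the trusted boundary as a single function, and uses constructed sample records with hypothetical field names. It also shows the check a practitioner would want: why a plain hash of a small identifier space is not a pseudonym, while a keyed one cannot be relinked without the controller’s key.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records (hypothetical field names, not from the memo):
# direct identifiers plus the attributes the cloud-side analysis actually needs.
RECORDS: List[dict] = [
    {"bsn": "123456782", "name": "A. Jansen", "age": 41, "postcode_area": "10"},
    {"bsn": "987654321", "name": "B. de Vries", "age": 29, "postcode_area": "35"},
    {"bsn": "123456782", "name": "A. Jansen", "age": 41, "postcode_area": "10"},
]
DIRECT_IDENTIFIERS = ("bsn", "name")   # columns that must not leave the trusted boundary


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: deterministic for one key (same person -> same pseudonym, so
    the cloud-side data set stays joinable), but not reversible without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256, shown only as the weak alternative (see dictionary_lookup)."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, dict]]:
    """Runs inside the trusted boundary (modelled here as this function).

    Returns (data set that may go to the cloud provider,
             relinking table that stays with the data controller)."""
    dataset: List[dict] = []
    relink_table: Dict[str, dict] = {}
    for rec in records:
        pid = make_pseudonym(rec["bsn"], key)
        # The additional information needed for relinking is kept controller-side only.
        relink_table[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        # Everything that reaches the cloud: pseudonym plus non-identifying attributes.
        dataset.append({"pid": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return dataset, relink_table


def relink(row: dict, relink_table: Dict[str, dict]) -> dict:
    """Controller-side operation: restore the identifiers for one pseudonymised row."""
    return {**relink_table[row["pid"]], **{k: v for k, v in row.items() if k != "pid"}}


def dictionary_lookup(target: str, candidates: List[str], key: Optional[bytes] = None) -> Optional[str]:
    """Check whether a pseudonym can be matched by enumerating candidate identifiers.

    With an unkeyed hash this succeeds as soon as the identifier space is enumerable;
    with a keyed pseudonym it fails unless the caller holds the controller's key."""
    for candidate in candidates:
        digest = make_pseudonym(candidate, key) if key is not None else plain_hash(candidate)
        if hmac.compare_digest(digest, target):
            return candidate
    return None


if __name__ == "__main__":
    controller_key = secrets.token_bytes(32)        # generated and held by the controller only
    cloud_dataset, controller_table = pseudonymise(RECORDS, controller_key)
    print("to the cloud:", cloud_dataset)           # no bsn/name columns, joinable on pid
    print("relinked row:", relink(cloud_dataset[1], controller_table))
    # Unkeyed hash of a 9-digit number is recoverable by enumeration; keyed is not.
    guesses = ["000000001", "123456782", "987654321"]
    print("plain hash matched:", dictionary_lookup(plain_hash("123456782"), guesses))
    print("keyed, wrong key matched:", dictionary_lookup(cloud_dataset[0]["pid"], guesses, b"guess"))
```

The relinking table is the sensitive artefact here: it must stay with the controller, under its own access control, and never travel with the pseudonymised data set, otherwise the exercise reduces the risk by nothing. Rotating the key produces a fresh, unlinkable pseudonym set, which is useful when a data set is handed to a second party that must not be able to join it with an earlier export.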

What the future will hold

As rapid technological advancements in areas like artificial intelligence and confidential computing continue to shape and change the way we work, a thorough and pragmatic approach to GDPR compliance remains as important as ever. We therefore expect the risk-based and centralised approach to continue to play a pivotal role in the future. The Dutch government has already shown its intent to continue to play a key role in further developments on this topic. Examples are the ‘government-wide vision on generative AI’ and the model for a combined DPIA and ‘human rights impact assessment’, both published by the Ministry of Internal Affairs and Kingdom Relations.

Notes

  1. Herald is a principal shareholder, Nienke and Emre are senior associates, and Wouter is an associate at Greenberg Traurig Amsterdam. All assist the Dutch government with negotiations with large tech companies and advise on data protection, AI, and technology.
  2. See also the article from Lokke Moerel, professor of Global ICT Law at Tilburg University, on the risk-based approach.