Høringssvar: GDPR

Local Government Denmark (LGDK), which represents all Denmark´s 98 municipalities, welcomes the opportunity to comment on "Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data ".

The draft recommendations lay out a roadmap of 6 steps for how to apply the principle of accountability to data transfers in practice. Step 3, 4 and 6 imply certain difficulties for the Danish municipalities described in more detail below. Additionally, Annex 2, containing examples of supplementary measures, gives rise to concern for the municipalities regarding the possibility of using third country transfers, particularly cloud solutions in the future. These concerns are also elaborated below.

Assessments on third country legislation and identifying effective supplementary measures should be carried out by a centralized authority

Step 3 in the draft recommendations requires the municipalities to assess whether the standard data protection clauses (SCCs), which are the transfer tool the munipalities rely on for their third country transfers, are effective in practice. Step 3 therefore demands for the municipalities to assess the law and practice of each individual third country in question, including the impact on the fundamental rights of the data subjects. Step 6 also requires for the municipalities to reevaluate the assessments at appropriate intervals. One should continuosly keep an eye on developments that will affect the assessments.

These are not tasks that the Danish municipalities are equipped for. It is not part of the tasks that municipalities normally perform and therefore it will require skill development, hiring of new employees or more likely the municipalities will have to pay law firms to carry out these assessments. These new expenses will make it more difficult for the municipalities to deliver good service to the citizens on the same budget.

For this reason LGDK finds it inappropriate that these steps should be carried out by each individual data transporter. In LGDK´s point of view it should be carried out by a centralized authority instead, e.g. by the Commission. The Commission already assess the adequacy of the level of protection in third countries in accordance with Article 45 GDPR. It would by far be a more effective and appropriate way of carrying out the required assessments and reevaluations.

LGDK suggests that this centralized authority also recommends which supplementary measures (Step 4) are required for each third country, since some supplementary measures "... may be effective in some countries, but not necessarily in others" (p. 3). Additionally, "Any supplementary measure may only be deemed effective ... if and to the extent that it addresses the specific defiencies identified in your assessment of the legal situation in the third country" (p. 21). It is a very difficult assessment to impose on the Danish Municipalities again considering this is not a part of their core tasks. And since there is a very strong connection between the assessment and choosing the supplementary measures considered effective in relations to the specific third country, LGDK considers it obvious and appropriate to have these tasks carried out as one.

As an alternative to having a centralized authority carrying out the assessments on third country legislation, LGDK suggests taking into consideration imposing this task on the suppliers, the processors, including the cloud suppliers. It is the suppliers who, in the first place, have chosen which third countries data should be placed in. Assumingly, they are already familar with the legislation of the countries where they have chosen to transport data to since they have either concluded agreements with the sub-processors in the third countries in question or have departments in these countries.

The examples of supplementary measures should provide room for flexibility

When it comes to securing the processing of data, GDPR provides plenty of flexibility for the controller (and the processor) to choose the appropriate technical and organisational measures. LGDK is therefore surprised by the fact that the supplementary measures presented in Annex 2 of the draft recommendations, despite the fact that they are presented as a non exhaustive list, leave no room for flexibility and instead line out stricter requirements for the processing, eg. strong encryption and flawless implemented encryption algorithm is required for data storage, cf. Use Case 1.

Especially Use Case 6 in the draft causes concern since almost all cloud services used by the Danish municipalities require access to data in the clear. As a consequence of Use Case 6, it would no longer be possible to transfer data in the clear via cloud services to third countries that require supplementary measures.

In their present form these new mandatory requirements and prohibitions will have major economic consequences for the Danish municipalities, roughly estimated 55 million Euros.

LGDK finds it unclear how these proposed mandatory requirements and prohibitions are in accordance with the flexibility in GDPR, cf. "Controllers may have to apply some or all of the measures described here irrespective of the level of protection provided for by the laws applicable to the data importer because they are needed to comply with Articles 25 and 32 in the concrete circumstances of the transfer" (78.), p. 22. Also taking into consideration the major economic consequences the LGDK recommends changing the Annex 2 so that it to a much greater degree reflects the flexibility of GDPR and provide more flexibility in the choosing of supplementary measures.