TikTok: What Works and What Doesn't in the Kabuki Theater of International Data Transfers
It’s called “sunk cost bias”: since I had already spent half a weekend studying the DPC’s sanction against TikTok back when it came out, I couldn’t help doing the same with last week’s ruling that reviewed it.
Starting from the end: Irish judge Rory Mulcahy upheld the €530 million fine against TikTok but annulled the additional corrective measures, chiefly the suspension of international transfers, and sent that part back to the DPC to decide again. At the end of the post I explain exactly what this is about.
Why?
Essentially, because the court resolved TikTok’s core argument, which was the same for both parts of the decision, in (very) different ways. That argument was a reversal of the burden of proof: that it was the DPC, not TikTok, that had to prove
(i) the non-compliance with the international transfer rules, and
(ii) the effective capacity of the Chinese parent company to identify data subjects from China (IT support staff in China accessed data hosted in Singapore).
In this way, two of my main obsessions over the past few years have merged into one: international transfers and the SRB/Scania doctrine.
You are reading ZERO PARTY DATA. The newsletter on technology and legal news by Jorge García Herrero and Darío López Rincón.
In our free time from this newsletter, we resolve complicated issues related to personal data protection regulations and artificial intelligence. If you have any such issues, get in touch, or contact us by email at jgh(at)jorgegarciaherrero.com.
Where do we come from?
Let’s say it bluntly, and it’s not the first time:
All companies violate the GDPR’s international transfer rules when exporting data to a third country that has not been “deemed adequate” (i.e. that has no adequacy decision).
Why?
Two reasons
a.- Because the normative standard of equivalence required is materially impossible to comply with.
And not because companies have not spent hours generating paper: the problem lies in two factors far, very far beyond their control:
a.1.- On the one hand, the legislation and practices of the importing country’s authorities are what they are (that is, they simply do not meet the European standard of “essentially equivalent” protection).
For the love of God, do states “deemed adequate” such as the UK, Canada, or Argentina actually meet this standard? (Don’t mention the US or Israel to me, it makes me laugh.)
The rule even applies within Europe: the European Court of Human Rights’ own case law contains cases in which one EU member state has spied on citizens of another.
a.2.- This structural and ubiquitous deficit simply cannot be effectively compensated for by contractual clauses (or binding corporate rules) or by ordinary organizational measures.
I once told this story as a fairy tale: there is a “pea” of a public nature that all the private mattresses in the world can neither cover nor compensate for.
b.- Because the standard of verification of legislation and practices imposed by the EDPB leaves no compliance option other than strong encryption (with the keys out of the importer’s reach, so the data is unreadable on the importer’s side), without any real room for a risk-based approach or for considering each specific data export flow on its own terms.
So, do we forget about all of it and just say “long live the wine”?
The conclusion of all this is not, and cannot be, “long live the wine”.
Spoiler: this has been the dominant conclusion to date.
Wine, or some of its teetotal variants, has been the usual tone: the “chronic absence of TIAs” (transfer impact assessments; let’s face it, they are very hard to do properly) or the “cloned TIAs without nuance” and without any legal analysis to support them. At best.
That said, wine is not such a crazy option if we consider the price charged by international law firms for the legal analysis of each importing country, which is the key underpinning of a TIA.
And the result: their TIAs are like a bad magician’s tricks: literally always the same rabbit in a different collar.
It is obvious today that this option (we will call it the “Cardhu option”) can be achieved much faster and for much less with the help of AI.
What has changed? We’re getting there, we’re getting to TikTok
Fortunately, we now have court rulings on the matter, not just decisions from supervisory authorities.
We already have much clearer notions of “what doesn’t work” and “what works”.
There are two different things here:
a.- The exporting (or importing) company can do little if the importing state does not offer an adequate legal framework, as we have seen.
b.- But, my friend, accountability does not disappear, as Judge Rory Mulcahy argues superbly in his judgment.
Although the company cannot fix foreign legislation, it must analyze whether that legislation actually applies to its specific flow, whether access is possible, who can access the data, for what purposes... and then determine and apply the measures within its power to reduce the risk.
TikTok clung tooth and nail to the risk-based approach and argued before the DPC and the court that it was up to the DPC to do what TikTok itself had not done: carry out an assessment establishing the existence of risk in general and, in particular, in its data flow.
The “reversal of the burden of proof” card does not work here because, as the judge says in so many words, the risk is evident a priori, and TikTok did a poor job of addressing it.
TikTok did not adequately address the risk that processing would physically occur on computers located within China, placing that activity under the direct sovereignty and jurisdiction of the Chinese authorities.
This is the slap in the face TikTok received once again: as a simple matter of accountability, you cannot expect the DPC to do the work you failed to do properly at the time.
Judicial ratification of the sanction
In the contested decision, the DPC dismissed once and for all complacent TIAs and “supplementary measures” of little substance.
TikTok had SCCs, legal opinions, encryption, and advanced technical and organizational measures (“Project Clover”), and none of it was enough, because the real problem was remote access, by staff located in China, to data of European users stored outside China.
Additional measures
Before the court, TikTok managed to overturn, not the sanction, but the additional corrective measures imposed (the suspension of data transfers, which is no small matter), essentially by arguing two points:
- The principle of territoriality (if the data is outside China, the Chinese government has no legal jurisdiction to demand it). This was already argued at length before the DPC and will likely be dismissed again.
What the court requires is that the DPC evaluate a (third!) report on the matter submitted by TikTok, which the DPC had refused to consider as out of time.
- Lack of reasoning regarding “Project Clover”: TikTok implemented a set of technical and governance measures (Project Clover), including advanced pseudonymization and the use of an independent third party (NCC Group) to audit data flows. The DPC rejected these measures but gave no technical or legal reasons why it considered the pseudonymization ineffective at preventing potential re-identification of users by the Chinese state.
In effect, on the identifiability test the Irish court has placed the burden of proof on the DPC.
This, this is the tweet.
In the TikTok case, two of my favorite topics come together: the SRB/Scania doctrine and international data transfers.
But it’s Sunday when I write this and I feel like a drink.
Here is an executive summary for those who have been (or, ahem, still are) on the wine option, are tired of the Cardhu option, and/or in any case have work to do on their international flows.
What doesn’t work:
· Tantrums have never worked (arguments pleading the material impossibility of compliance, merely formal compliance, or not even that, “because it’s the only thing that can be done”). We’ve all been there at some point.
· It doesn’t work to invoke SCCs as if they were holy water or a Harry Potter spell.
· It doesn’t work to hide the decisive risk (remote access to data “in the clear”, i.e. unencrypted) behind ambiguous formulas about where the data “is stored” or how short the access is (“the access is ephemeral”).
· It doesn’t work to argue encryption when the importer inevitably has to decrypt the data to do its job: whoever holds the keys and sees the plaintext has access, whatever the storage location.
· It doesn’t work to rely on open-ended or one-off consents from the data subject for continuous and recurring transfers.
· And, in general, the idea that it is enough for re-identification, access or disclosure to be “prohibited” in the abstract does not work if in the real world they remain materially possible. This is the logic shared by the Scania doctrine and by pseudonymization: a legal prohibition can neither eliminate the real risk by itself nor allow it to be ignored.
What works
In any case, certain arguments do work to mitigate the sanction, but in a limited sense.
· Tattoo this: the biggest risk is not having an insufficient TIA (a TIA is insufficient by definition, as acknowledged above), but having no TIA at all.
· The risk-based approach works. The judge says: “I do not rule out the possibility that a supervising authority might nonetheless conclude that there is, in fact, no meaningful risk”. That’s the spirit.
· Demonstrating real diligence, as opposed to the Kabuki theater of compliance, works: having done a serious TIA, having correctly identified the data flow, having precisely described the remote access, having updated the information given to data subjects, having reduced the data perimeter, having implemented effective technical measures against concrete risks.
· It also works to adapt and improve (even during the sanctioning procedure) on transparency, as happened with the update of the privacy policy, which the DPC took into account to modulate the sanction on that point.
· In other words, these arguments do not “legalize” what structurally cannot be legalized, but they do demonstrate diligence.
· At this point, where I am aware that only 10% of those who started reading remain, I can say “in private”: it does not work, it never works, to take the diligent officials of the supervisory authorities for fools.
Have a very good week.
Jorge García Herrero
Lawyer and DPO