Netherlands
against which extraterritorial legal regimes, and therefore countries, they will and can arm
themselves and what that means in terms of supplier choice’.21 In other words, choose your
friends and enemies.
This fits in the Dutch government’s pragmatic and positive view of the cloud, fuelled
by the trailblazing landmark agreement between the Dutch State and Microsoft in 2019,
and the agreement with Google in 2022. This view is also demonstrated by the risk-based
assessment of data transfers, adopted by the Dutch Ministry of Justice and Security in the DPIA
on Teams. In February 2022, the Ministry published a DPIA on Microsoft Teams, OneDrive
and SharePoint.22 As part of this DPIA, the Ministry also published a data transfer impact
assessment (DTIA), based on the Rosenthal format for DTIAs.23 The outcome of the DTIA
was, in summary, that it is extremely unlikely that personal data from Dutch government
customers are unlawfully accessed by US authorities, or by authorities in other countries
where Microsoft uses subprocessors. Therefore, the risk was assessed as low and the use of
Teams could continue. In Austria and Germany there are some decisions that point in the
direction of rejecting the risk-based approach, so it remains to be seen what the EDPB and
the local supervisory authorities will say about it, if anything (soon).
The recent cloud policy of the Dutch government states that most classified
government data may also be stored in the cloud, as long as certain requirements are met.
Under the Dutch Implementation Act, international data transfers to third countries
or international organisations are generally not subject to restrictions beyond those set out in
Chapter V (titled ‘Transfers of personal data to third countries or international organisations’)
of the GDPR.
Standard contractual clauses (SCC) and binding corporate rules continue to be the
data transfer mechanisms that are generally most relied upon by organisations. The Schrems
II ruling and the guidance provided by the European Data Protection Board continue to
keep data controllers who use the SCC busy, while EU and US leaders are working together
on yet another attempt to facilitate trans-Atlantic data transfers with a framework, this time
dubbed the Trans-Atlantic Data Privacy Framework. It is yet to be seen how this framework
will take shape and differ from its predecessors, and more importantly, whether it will survive
the meticulous scrutiny that it will undoubtedly face.
Meanwhile, controllers are still facing the tough task of assessing whether there is an
adequate level of protection in the third country (the rule of law test). Thorough and extensive
research is necessary, in particular regarding the various US regulations, and the assessment
by European and national courts and supervisory authorities will also have to be taken into
account. Although the EDPB provided six-step recommendations on measures that data
controllers and processors can take, the task at hand continues to be tough. As part of the
DPIA on Teams the Dutch Ministry of Justice and Security has published an analysis of Step
3 for the United States, so this can be used by companies. The conclusion is (of course) that
the US legislation does not meet the rule of law test.24
21 How the CLOUD-Act works in data storage in Europe | By our experts | National Cyber Security Centre (ncsc.nl).
22 https://www.rijksoverheid.nl/documenten/publicaties/2022/02/21/public-dpia-teams-onedrive-sharepoint-and-azure-ad.
23 https://slmmicrosoftrijk.nl/wp-content/uploads/2022/02/Explanation-DTIA-on-MS-Teams-SharePoint-and-OneDrive.pdf.
24 https://slmmicrosoftrijk.nl/wp-content/uploads/2022/02/Dutch-Ministry-of-Justice-step-3-EDPB-US.pdf.
© 2022 Law Business Research Ltd