Risk assessment

• In a risk assessment, it is important to document all the risk scenarios that may arise when using a given service (e.g., Google Workspace). In this case, Helsingør Municipality had not sufficiently addressed how Google collected information about users and used it in other situations, such as marketing and further distribution of this information.

• When conducting a risk assessment, data controllers must evaluate the use of data processors and ensure that they fulfill their obligations under the data processing agreement. To verify this, the data controller may need to test the online environments to ensure that personal data is not being mishandled or misused.

• If there is a risk that the processor may engage in unlawful activities, the controller must take concrete technical or organizational measures to mitigate the risk - even if the likelihood of it happening is low.

Third country transfer

• The Danish DPA has clarified that even if personal data is transferred to a US company through Workspace, it could still be subject to monitoring under FISA 702, given the data pertains to Danish citizens. Google LLC must therefore be considered an "electronic communications service provider". As a result, a data controller using Workspace would need to implement supplementary measures to comply with data protection regulations.

• These measures must generally be technical measures, as organizational and contractual measures will not prevent US authorities from accessing personal data.

• Although encryption is a useful technological measure for protecting personal data, it may not be effective in the context of FISA 702. If the recipient of the data itself has access to the encryption key, this will not enhance the protection of personal data, since FISA 702 may still require access to personal data held by a US data processor. In such cases, the processor would be obliged to assist the authority in providing access to the personal data, rendering the encryption ineffective in preventing access to the data.

Please note that this decision was made prior to the EU Commission's adoption of the EU-U.S. Data Privacy Framework. The framework solves the challenges of the Schrems II case and thereby ensures that entities in the EU can transfer personal data to entities in the US that comply with the framework without conducting a TIA. However, general considerations concerning the transfer of personal data to other unsafe third countries still apply.
