Dropping the Privacy Shield

In today's global business environment, transferring data between different countries is standard practice. However, as privacy regulations become increasingly stringent, those transfers are coming into question. Who controls the data? Who has access to it? What safeguards are in place to ensure that citizens’ rights are protected?

Transferring data from the European Union — Schrems II

Until July 2020, there were three mechanisms by which a U.S. company could legally transfer the personal data of EU residents to the U.S.:

  • Privacy Shield
  • Standard Contractual Clauses
  • Binding Corporate Rules

In what is being called the ‘Schrems II decision’, the Court of Justice of the European Union (CJEU) declared the Privacy Shield transfer mechanism invalid. To keep its privacy regulations aligned with the EU’s, Switzerland quickly followed suit.

‘Privacy Shield’ refers to both the data transfer mechanism, now invalidated, and to the voluntary compliance framework in the U.S., which is still active as of today.

At the moment, the U.S. does not have an adequacy decision from the EU for data exports.

Legal considerations behind Schrems II

Among the aspects considered in this decision were the U.S.’s Foreign Intelligence Surveillance Act, section 702, and Executive Order 12333. The CJEU’s concern is that:

  • Privacy Shield did not and could not ensure that EU residents’ data would be safe from U.S. governmental surveillance
  • EU residents would not have access to an effective judicial remedy if their rights to privacy were infringed

FISA 702 applies to “electronic communications service providers”, and permits the Attorney General and the Director of National Intelligence to authorize the targeting of persons outside the U.S. for the purposes of collecting foreign intelligence information. The NSA, for example, used this section, and EO 12333, to justify programs such as PRISM, which collects information from internet services like email providers and video chat programs, and Upstream, which goes into the Internet infrastructure to access information in transit.

This decision may feel like déjà-vu to those who watched a very similar situation play out with regard to Safe Harbor, a self-certification compliance mechanism, which was declared invalid by the CJEU in 2015.

Impacts on the use of cloud providers

However, Schrems II is likely to have far-reaching impacts. Companies using Standard Contractual Clauses (SCC) to transfer EU data to the U.S. are now required to conduct their own due diligence to ensure that there are supporting measures in place to ensure GDPR-equivalent protection for the data. SCC arrangements found to be non-compliant with this requirement by the relevant DPA may be invalidated on a case-by-case basis.

While this impacts a number of U.S.-based companies who previously relied on Privacy Shield, it also has the potential to impact a far wider group. 

The top three cloud providers in the world are Amazon (AWS), Microsoft (Azure), and Google - all U.S.-owned companies. Theoretically, they can all be compelled to permit U.S. government access to data, making the compliance situation of thousands of companies who handle EU residents’ data and use their services an interesting proposition.

It is also worth noting that although these large cloud providers offer data centers in a variety of global locations, those locations are all affiliated with the parent company, and can in theory be compelled to comply with U.S. governmental access requirements – FISA 702 has no territorial limitations.

Compliance options

There are a number of options being discussed to ensure the required equivalent data protection while not requiring companies to either stop using major cloud providers or stop transferring information to U.S. business partners.

Binding Corporate Rules

Of the original three EU-U.S. data transfer mechanisms, the one that wholly escaped the Schrems II decision was Binding Corporate Rules (BCR). BCRs are adequacy instruments wherein the burden of assessing whether or not a BCR arrangement is compliant rests with the supervisory authorities: BCRs must be approved by all concerned supervisory authorities prior to going into effect. 

However, in the post-Schrems II environment, if a review of a company’s BCR indicated that the companies involved were unable to provide equivalent security for EU data, it is possible that the BCR in question could be invalidated.

EU cloud services

One ongoing initiative is that the EU continues to push for the creation of an EU cloud, or rather the linking together of existing EU cloud services, compliant with all aspects of the GDPR. The project, known as Gaia-X, is currently led by France and Germany and is still in the very early stages. 

To date, there have been several attempts to create an EU cloud, none of which have been successful, but the increasing pressure for GDPR-compliant options - and calls for ‘vigorous’ enforcement by regulators - may have created the opportune moment.

Standard Contractual Clauses

SCCs will likely be subject to increasing scrutiny. However, if measures are in place to ensure that equivalent protection of EU data is met, they remain a valid transfer mechanism.

On the face of it this may sound like an impossible condition, given that the governments of various jurisdictions (not just the U.S.) maintain data access and surveillance programs that are incompatible with GDPR requirements, but there are potential options.

Among these is pseudonymization. In this scenario, information sent overseas cannot be attributed to a specific EU data subject without the use of additional data kept separately.

Pseudonymization is a measure specifically mentioned in the GDPR as a solution to reduce the risks to the data subject and help controllers and processors meet their data-protection obligations. An example of this kind of technology is Anonos’s Variant Twins, a system for dynamically de-identifying data that is then impossible to re-identify without access to additional data that would itself be stored and secured separately.
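As an added illustration (not part of the original article, and not how Anonos’s Variant Twins works), the following Python sketch shows the split the passage describes: direct identifiers in a constructed record set are replaced by keyed tokens before export, while the key and the token table stay behind as the separately held additional data. The field names, sample records and the HMAC-based tokenization are assumptions chosen for the example.

```python
import hashlib
import hmac

# Constructed sample records: hypothetical EU data subjects, not real people.
RECORDS = [
    {"email": "anna@example.eu", "country": "DE", "orders": 3},
    {"email": "bert@example.eu", "country": "FR", "orders": 1},
    {"email": "anna@example.eu", "country": "DE", "orders": 2},
]
DIRECT_IDENTIFIERS = ("email",)  # fields that on their own name a data subject


def pseudonymize(records, key):
    """Split records into an exportable set and a separately held lookup table.

    Direct identifiers are replaced by a keyed HMAC-SHA256 token: the same
    subject always gets the same token, so records stay linkable for analytics,
    but without `key` (generated and kept inside the EU, e.g. 32 random bytes)
    the token cannot be recomputed from a guessed identifier, and the
    token -> identifier table is the "additional data kept separately".
    """
    export, lookup = [], {}
    for rec in records:
        out = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            value = out.pop(field)
            token = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:24]
            out[field + "_pseudonym"] = token
            lookup[token] = value
        export.append(out)
    return export, lookup


def reidentify(export, lookup):
    """Re-attach identifiers; only possible for whoever holds the lookup table."""
    restored = []
    for rec in export:
        out = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            out[field] = lookup[out.pop(field + "_pseudonym")]
        restored.append(out)
    return restored


def export_is_clean(export, originals):
    """Check that no direct identifier field or value survived into the export."""
    ident_values = {r[f] for r in originals for f in DIRECT_IDENTIFIERS}
    return all(not any(f in rec for f in DIRECT_IDENTIFIERS)
               and not (ident_values & set(rec.values())) for rec in export)
```

The export set is what would cross the border; the key and lookup table are what the text calls the additional data that must be stored and secured separately.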

Evolving data privacy requirements

The last decade has seen data privacy go from a niche concern to one of the key topics in business. Like any area where the situation is evolving rapidly, legislation and enforcement may lag on real-world developments, but the one certainty is that data privacy is here to stay. 

A recent Gartner study predicts that by 2023, 65% of the world’s population will benefit from legislation and regulation protecting its personal data, up from 10% in 2020. This huge jump only underscores the importance of planning now to meet evolving needs. Most companies cannot function without collecting and processing personal data, so a major focus for the coming years will be how to ensure that that collection and processing is safe, transparent, and controllable.

This is particularly true for companies where personal information comprises a core aspect of their business. Assurance that individual privacy is respected and that adequate data protection is in place is vital in order to maintain consumer trust in service providers. Maintaining awareness of the evolving requirements, and taking consistent and effective steps to comply with them, are steps every company should consider taking - and these measures don’t stop at the company firewall. It’s equally important to ensure that all third parties and vendors who handle this kind of sensitive information are able to meet or exceed the required standards to protect consumers.