The decision of the Court of Justice of the European Union (CJEU) to invalidate the EU-US Privacy Shield in the Schrems II case (C-311/18, July 2020) has raised significant questions about the future of lawful international data transfers and processing. For some, the CJEU's decision came as a shock. Others had long expected it, as approaches to protecting data privacy shift from contractual or policy-only measures to technological safeguards that actually enforce such policies.
Even so, there is no doubt that the court's requirement that data flows which fail to satisfy the need for "supplementary measures" be stopped immediately came as a surprise to most. With the subsequent guidance from the European Data Protection Board (EDPB), however, a way forward became clear.
It was the Schrems II case, arising from Max Schrems's complaint against Facebook, that led the CJEU to make certain GDPR obligations clearer and more specific. The court found that, regardless of where the servers are located, the personal data of EU residents is at risk of surveillance by the US government when it is transferred to, held by, or processed (directly or indirectly) by US-owned companies.
Consequently, the CJEU invalidated the transatlantic EU-US Privacy Shield and, while leaving the Standard Contractual Clauses (SCCs) themselves intact, required EU-based data controllers relying on them to assess the protection actually afforded in the destination country and, where it falls short, to implement supplementary measures for ongoing cross-border transfers to remain lawful. This includes the processing of EU data in US-owned cloud and SaaS operations, even where the servers processing the data are located in the EU.
In the weeks that followed, uncertainty over the future of international data transfers grew rapidly. It was reflected in the demand for a series of dedicated webinars held throughout October 2020 to discuss the ramifications of Schrems II, which were attended by over 3,400 privacy lawyers, chief privacy officers, data protection officers and chief data officers from 60 countries, representing more than 2,400 organisations.
What became clear is that cloud, SaaS and outsourcing providers that relied on SCCs in the past can no longer do so and remain compliant with EU data protection law without further, immediate action. The good news is that solutions exist to support continued data processing after Schrems II, as set out in the specific use cases and guidance published by the EDPB.
In its Recommendations 01/2020 on supplementary measures, the EDPB described two use cases in which no effective supplementary measure could be identified and five in which one could. A shock to many businesses is that one of the two unworkable cases is the transfer of EU personal data to cloud providers or other processors that need access to the data in the clear in order to process it.
Two of the five workable use cases can help businesses move their clear-text data processing and transfer practices onto a lawful footing. Both depend on supplementary technical measures: encryption in one case, GDPR-compliant pseudonymisation in the other.
Conventional encryption protects data in transit and at rest, but not while it is being processed, so the EDPB's encryption use case covers storage and transit rather than analysis. For data that businesses want to transfer and then process, the EDPB set out its second use case: "a data exporter first pseudonymises data it holds, and then transfers it to a third country for analysis - eg, for purposes of research." Encryption should undoubtedly be applied as a security measure, but privacy is about more than security measures: data must be protected while it is in use during processing, not only at rest and in transit.
Pseudonymisation is defined in Article 4(5) of the GDPR and cited repeatedly in the Regulation as a technical measure for protecting data, and the EDPB confirmed it as a supplementary measure that can allow businesses to comply with Schrems II without degrading the utility of the data. Under the GDPR definition, pseudonymised data can no longer be attributed to a specific data subject without additional information, and that additional information must be kept separately and under technical and organisational measures. Organisations can combine pseudonymisation with other privacy-protection techniques, and data subject identity can be re-linked only in the right circumstances, by whoever holds the separately stored additional information.
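The following is an added illustration of the mechanics described above; it is example code written for this page, not code from Anonos or the author. It assumes a keyed tokenisation scheme (HMAC-SHA256 under a key that only the data exporter holds; in practice the key would live in an HSM or KMS, which is not shown) and uses a handful of constructed, fictitious records. The direct identifiers are split off into a re-identification table that stays with the exporter, the remaining attributes travel with an opaque token, and the last function shows why an unkeyed hash of an identifier is not an adequate substitute: a dictionary of plausible e-mail addresses reverses it, whereas the keyed tokens stay opaque without the key.

```python
"""Keyed pseudonymisation of records before cross-border transfer (example)."""
import hashlib
import hmac
import secrets

# Constructed sample data for this example; the people and values are fictitious.
RECORDS = [
    {"name": "Anna Example", "email": "Anna.Example@example.eu", "region": "DE", "diagnosis": "J45"},
    {"name": "Bert Sample", "email": "bert@example.eu", "region": "FR", "diagnosis": "E11"},
    {"name": "Anna Example", "email": "anna.example@example.eu", "region": "DE", "diagnosis": "I10"},
]

# Attributes that directly identify a person and must not leave the exporter in the clear.
DIRECT_IDENTIFIERS = ("name", "email")


def normalise_identifier(email):
    """Canonicalise the linking identifier so one person gets one token."""
    return email.strip().lower()


def keyed_token(key, email):
    """Exporter-held key + HMAC-SHA256: deterministic (records of one person stay
    linkable for analysis) but not computable or reversible without the key."""
    digest = hmac.new(key, normalise_identifier(email).encode(), hashlib.sha256)
    return digest.hexdigest()[:32]


def unkeyed_token(email):
    """The weak alternative: a plain hash anyone can recompute from a guess."""
    return hashlib.sha256(normalise_identifier(email).encode()).hexdigest()[:32]


def pseudonymise(records, key):
    """Split records into (a) a dataset fit for transfer, carrying only a token and
    the analytic attributes, and (b) the 'additional information' in the sense of
    GDPR Art. 4(5), which is kept separately by the exporter."""
    exportable = []
    reidentification_table = {}
    for rec in records:
        token = keyed_token(key, rec["email"])
        # Keep the first-seen identifiers for this token; the exporter alone holds this.
        reidentification_table.setdefault(token, {k: rec[k] for k in DIRECT_IDENTIFIERS})
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["subject_id"] = token
        exportable.append(pseudo)
    return exportable, reidentification_table


def reidentify(token, reidentification_table):
    """Re-linking works only for the party holding the separately stored table."""
    return reidentification_table.get(token)


def dictionary_attack(tokens, candidate_emails, token_fn):
    """An importer (or anyone who sees the transferred data) tries candidate
    identifiers with the token function they can run; returns what they recover."""
    recovered = {}
    for email in candidate_emails:
        guess = token_fn(email)
        if guess in tokens:
            recovered[guess] = email
    return recovered


if __name__ == "__main__":
    exporter_key = secrets.token_bytes(32)  # would come from the exporter's KMS/HSM
    dataset, table = pseudonymise(RECORDS, exporter_key)
    print("transferred:", dataset)
    print("re-linked by exporter:", reidentify(dataset[1]["subject_id"], table))
    guesses = ["bert@example.eu", "someone@else.eu"]
    print("attack on unkeyed tokens:",
          dictionary_attack({unkeyed_token(r["email"]) for r in RECORDS}, guesses, unkeyed_token))
    print("attack on keyed tokens:",
          dictionary_attack({r["subject_id"] for r in dataset}, guesses, unkeyed_token))
```

Note that the token protects only the direct identifiers; whether the remaining attributes (here region and diagnosis) still single out a person is a separate risk assessment that the exporter must carry out before calling the result pseudonymised.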
Amid all of the post-Schrems II confusion and uncertainty, it can be hard for businesses to know which way to turn to remain both operational and compliant. The EDPB has provided clear and unequivocal guidance on what organisations need to do next, and everyone must begin looking at the measures available to help them comply going forward.
Ensuring that international data flows are not stopped at this business-critical time is extremely important. With clear EDPB guidance on how to protect and use data lawfully, organisations must now take the first steps toward compliance.
Gary LaFever is CEO and general counsel at Anonos