On 16 July 2020, the highest court in the EU, the Court of Justice of the European Union (CJEU), issued a final, unappealable ruling known as “Schrems II” which invalidated the EU-US Privacy Shield for international data transfers.
Previously, some companies engaged in “regulatory arbitrage” by choosing not to comply with privacy laws and baking the cost of non-compliance into their cost of doing business. Of great significance under Schrems II is that the CJEU ruled that unlawful international data transfer processing must be stopped, rather than fined. This makes a “regulatory arbitrage” approach impossible – lack of access to data halts business operations, and cannot be merely calculated into the cost of doing business.
Since the Schrems II decision, it has become increasingly clear that the location of servers supporting US-based cloud providers is immaterial under Schrems II. This is because the operations of these firms fall under the jurisdiction of US laws (e.g. the Foreign Intelligence Surveillance Act or "FISA” and the Cloud Act of 2018) which enable federal law enforcement officials to compel US-based technology companies to provide requested data stored on servers regardless of where the servers are located. This means it does not matter whether they are located in the US or on foreign soil. Examples of such clarifications include:
The CJEU ruled in Schrems II that contract-based Standard Contractual Causes (SCCs) and internal Binding Corporate Resolutions (BCRs) may continue to be used to support lawful international data transfers (including the use of US-based cloud providers) if adequate “Supplementary Measures” are in place to ensure protection consistent with EU data protection laws.
To comply with Schrems II SCC/BCR requirements, Anonos software enforces Data Embassy principles (www.DataEmbassy.com) that embody EU data protection rules to create privacy-secured versions of data called Variant Twins. These Variant Twins leverage GDPR-heightened requirements for Pseudonymisation, alongside Anonos patented proprietary techniques. Variant Twins prevent re-identification of individuals by national authorities without access to additional information that is held by the EU exporter. If a US-based cloud provider or other data importer processing Variant Twin data is subpoenaed, the importer would not be in a position to help US law enforcement or the Department of Justice to re-identify the data. Rather, they would have to go to the EU exporter for the “additional information” required for re-identification. Under EU and national laws, these exporters have an affirmative obligation to prioritize compliance with EU data protection regulations and resist foreign production requests. A graphical depiction of enforcing Data Embassy principles using Anonos Variant Twins is below.
Anonos patented technology enables organizations to leverage investments in cloud transformation journeys involving US-owned or operated cloud-based IaaS and SaaS capabilities (e.g. AWS, Azure, GCP, IBM and Oracle) in compliance with new requirements under Schrems II by ensuring the fundamental rights of data subjects.[1]
For more information, see Anonos 2-pager on Schrems II.
[1] Anonos Dynamic De-Identification (DDID) capabilities are protected by an international patent portfolio including Patents: CA 2,975,441 (2020); EU 3,063,691 (2020); US 10,572,684 (2020); CA 2,929,269 (2019); US 10,043,035 (2018); US 9,619,669 (2017); US 9,361,481 (2016); US 9,129,133 (2015); US 9,087,216 (2015); and US 9,087,215 (2015). Note that in certain implementations, Steps 1, 2, 4, 5 and/or 6 could be performed by an EU/EEA/Equivalency service provider on behalf of the EU Data Exporter.