Blog

Date
November 23, 2020
 
Written by
Gary LaFever
Schrems II Solutions: Cloud Promises Alone Are Not Enough LinkedIn Logo

Schrems II Solutions: Cloud Promises Alone Are Not Enough

The Schrems II [1] ruling has brought on a new wave of discussion, confusion, and heightened urgency with regard to cross-border data transfers, particularly cloud processing. Numerous organisations have tried to reassure their customers that they have everything under control and that nothing needs to change. However, it is clear that keeping things the same way they were before Schrems II is not enough. This has been reflected in social media discussions among legal experts and privacy advocacy groups. A review of recent social media comments shows the high level of interest among industry participants related to international data transfers post-Schrems II:

The following tweets are from Eduardo Ustaran (@EUstaran), a highly respected global privacy expert at Hogan Lovells:

After all these years, I don't think I had ever seen the level of anxiety aroung international data transfers that I have seen this week. The Law hasn't changed for 25 years and the mechanisms to legitimise transfers under #GDPR are well trodden. Why the anxiety?? The tips and measures offered by @EU_EDPB are a good starting point. But the onus is on us to make them work and demonstrate that they work. Let's not be anxious about that responsibility. Let's listen to the #CJEU and I can assure you that data globalisation will not be at risk.

These tweets prompted the following response from Romain Robert (@TetsuwanAstro), a chief litigator at NOYB (which prevailed in two CJEU rulings, the first annulling the Safe Harbour and the second annulling the Privacy Shield treaty for international data transfer), a Member of the litigation Chamber of the Belgian Data Protection Authority, and former Legal Advisor to EDPS and EDPB:

Yes the mechanisms have been used for years... and annulled... So please keep calm is seems that you're worrying for no reason Yes, let's go back before the CJEU a third time to make it clear because it was not so far...

Microsoft, a firm with a longstanding track record in trustworthy computing and publicly defending the privacy rights of consumers, entered into the Schrems II social media fray with the following tweet by Julie Brill (@JulieSBrill), Microsoft’s Chief Privacy Officer and former Commissioner at the US Federal Trade Commission:

Today, we announced Defending Your Data protections for public sector and enterprise customers who need to move their data from the EU. These protections reinforce our commitment to go above and beyond to defend our customers data and that of their users.

This tweet, and the attached document from Microsoft prompted the following responses by Max Schrems (@maxschrems):

This tweet, and the attached document from Microsoft prompted the following responses by Max Schrems (@maxschrems) This tweet, and the attached document from Microsoft prompted the following responses by Max Schrems (@maxschrems) This tweet, and the attached document from Microsoft prompted the following responses by Max Schrems (@maxschrems) Defending Your Data

Much of the angst and anxiety in the privacy community and acerbic rejoiners among respected privacy professionals could be avoided if organisations looked beyond the limits of policy alone. Policy approaches, whether reflected in treaties, contracts or Terms of Use, are not enough on their own to protect the fundamental rights of data subjects. Policy tools certainly help to provide clarity as to when situations involve wrongdoing or inappropriate use of data. However, by themselves, they provide “too little, too late” when fundamental rights of data subjects under the EU Charter of Fundamental Rights are at risk. A strong analogy exists between the need for technology tools as a complement to policy tools for protecting fundamental privacy rights and the need for injunctive relief as a complement to legal remedies. [2]

The shortcomings of policy-only approaches were at the core of the Schrems II ruling which mandates supplemental technical measures to ensure that the fundamental rights of data subjects are respected and enforced when data is transferred internationally.

In this regard, the EDPB Schrems II Guidelines [3] specifically cite Pseudonymisation as an additional safeguard for compliant transfer of personal data. In addition, the European Commission Implementing Decision on standard contractual clauses [4] specifically requires consideration of Pseudonymisation as an additional safeguard for compliant international transfers. Furthermore, early draft versions of the new Digital Services Act (DSA) and Digital Markets Act (DMA) highlight Pseudonymisation as a means to ensure the safe re-use of personal data and commercially sensitive business data for research, innovation, and statistical purposes.

Learn More About GDPR-Compliant Pseudonymisation

After holding several panels on Schrems II issues with the European Data Protection Supervisor (EDPS), None of Your Business (NOYB), Future of Privacy Forum (FPF), Promontory, Cooley, and Fieldfisher, we received over a thousand follow-up questions, and hundreds of inquiries requesting briefings. We created a no-cost Briefing Portal in response to overwhelming requests from General Counsels and senior-level privacy professionals for additional information. Over 500 have already pre-registered.

This Briefing Portal streamlines the process for interested professionals and provides a no-cost, self-paced educational platform. Access expert content, analysis, and discussion of the key concepts behind Schrems II, and learn how to support your clients or organisation to take action.

Register at SchremsII.com/Briefing to learn more about GDPR-compliant Pseudonymisation and other matters pertaining to lawful international data transfers after Schrems II using SCCs and BCRs.

[1] See judgment of the Court of Justice of 16 June 2020, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems ("Schrems II"), Case C-311/18, ECLI:EU:C:2020:559

[2] See https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1158124

[3] https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf

[4] See https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries.

[5] See https://www.ENISAguidelines.com

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.

CLICK TO VIEW CURRENT NEWS