Gary LaFever | August 19, 2020

To Comply with Schrems II / Privacy Shield You Don’t Need to Move Out of the Cloud

With the announcement that TikTok will be opening up a data centre in Ireland at the cost of $500 million USD, it is easy to wonder which large technology vendors and cloud providers will follow suit. These costs are huge, and an influx of large technology companies could put strain on already-stretched EU regulators. Moving facilities away from the US, or shifting suppliers away from US-owned cloud operations, might seem like a solution to the Schrems II/Privacy Shield problem, but it does not actually solve it. All US-owned businesses are subject to Schrems II, including US-owned cloud and infrastructure providers, regardless of where their technology is located. Trying to pick up and move entire data processing setups out of cloud-based and SaaS operations run by US and other non-EU vendors is costly, impractical, and unnecessary. There is another option: Schrems II left a door open for companies to comply by using technically enforced “supplementary measures” to protect data. Both individual organisations and cloud/“as a service” providers can use these measures to get into line, allowing data flows to continue.

What Can These Safeguards Be?

The Court of Justice of the European Union (CJEU) required that if companies want to continue “transferring data”, which includes processing by US-owned or operated cloud and SaaS providers, they need to use technically enforced “supplementary measures” alongside Standard Contractual Clauses (SCCs). This rule also applies to the use of data transferred globally within divisions of a company using Binding Corporate Rules (BCRs). Subsequent to the Schrems II ruling, the European Data Protection Board (EDPB) made it clear in its Schrems II Guidance that supplementary measures must protect EU data to the same level as the GDPR requires. The privacy rights of EU citizens, residents, and their data can be upheld insofar as that data can no longer be lawfully transferred to or processed by US companies without these new safeguards in place.

The EDPB Guidance makes it clear this requires technical controls for protecting data. The reasoning behind this is the overarching surveillance powers that the US government can exercise: if the US government can access the data, contractual-only controls are not good enough. Measures that companies already have in place, such as security controls (e.g. encryption) to protect data in storage and in transit, leave data vulnerable to US government surveillance when that data is processed and used. Traditional privacy protection mechanisms (such as static tokenisation, generalisation, and anonymisation) fail when data is shared widely and combined with other data sets: a study carried out in 2019 found that a machine learning model was “capable of correctly identifying 99.98 percent of Americans in any anonymized dataset using just 15 characteristics.”

Technical supplemental measures must protect data when in use and must be more advanced than traditional privacy-enhancing technologies. The GDPR and other newer privacy laws such as the CCPA hold the clues: the GDPR includes a nod to the use of technological tools called “Pseudonymisation”, and the CCPA refers to advanced “De-Identification.” No matter the name, however, the concepts are the same. These future-focused approaches take a technique known in privacy research circles and apply it more broadly: the key is to "Functionally Separate" the information value of the data from the individual to whom the data relates. With these approaches clearly set out in currently-developing privacy laws, the CJEU is indicating that approaches along these lines must be used to protect data under Schrems II.

Pseudonymisation is specifically recognized by the EDPB as a means to make cloud processing lawful (Lawful Use Case No 2: Transfer of pseudonymised data). In addition, the EDPB Guidelines highlight that:

Pseudonymisation (as newly defined in GDPR Article 4(5) to have heightened requirements) applies to entire data sets and carries out the process of functionally separating data information value from identity. This process is applied to all identifiers in the data set (including direct as well as indirect identifiers), making it extremely difficult to identify an individual by piecing together data. New technologies using Pseudonymisation combine this approach with dynamically-changing identifiers and other privacy technologies to make identification even harder, while preserving the information value of the data the whole time. This desire to preserve the value of data is incorporated into the GDPR and other privacy laws (and is hinted at in Schrems II), given that all legal developments have left a “way out” for companies to continue to gain utility from data for innovation, technology development, and other societal benefits.
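The contrast between static tokenisation and pseudonyms that change per release can be shown in a few lines; this is an added illustration, not code from the article or from any vendor's product. The field names, release labels, function names and the choice of a per-release HMAC key are assumptions made for the example, and the sample records are constructed.

```python
import hashlib
import hmac
from collections import Counter

# Assumed schema: one direct identifier (email) and two indirect ones.
IDENTIFIERS = ("email", "zip", "birth_year")

# Constructed sample records.
RECORDS = [
    {"email": "ana@example.com", "zip": "1012", "birth_year": "1984", "spend": 120},
    {"email": "ben@example.com", "zip": "1012", "birth_year": "1990", "spend": 80},
    {"email": "cy@example.com", "zip": "2045", "birth_year": "1984", "spend": 45},
]

def static_tokens(records):
    """Static tokenisation: the same value yields the same token in every release."""
    tok = lambda v: hashlib.sha256(str(v).encode()).hexdigest()[:16]
    return [{k: tok(v) if k in IDENTIFIERS else v for k, v in r.items()}
            for r in records]

def pseudonymise(records, master_key, release):
    """Keyed pseudonyms for all identifiers, different for each release.

    Returns (released_rows, lookup). The lookup and master_key are the
    additional information that must be kept separately from the release.
    """
    key = hmac.new(master_key, release.encode(), hashlib.sha256).digest()
    rows, lookup = [], {}
    for r in records:
        row = {}
        for k, v in r.items():
            if k in IDENTIFIERS:
                p = hmac.new(key, f"{k}={v}".encode(), hashlib.sha256).hexdigest()[:16]
                lookup[p] = (k, v)
                row[k] = p
            else:
                row[k] = v  # non-identifying payload keeps its value
        rows.append(row)
    return rows, lookup

def shared_identifiers(a, b):
    """Identifier values present in both data sets, i.e. what a join could match on."""
    values = lambda ds: {r[k] for r in ds for k in IDENTIFIERS}
    return len(values(a) & values(b))

def cohort_counts(ds, field):
    """Group sizes for one field; unchanged by consistent pseudonymisation."""
    return sorted(Counter(r[field] for r in ds).values())
```

Two static releases of these records share all 7 identifier tokens and can be joined by anyone who holds both, while two keyed releases share none, yet grouping by `zip` inside either release still gives the same cohort sizes as the original data.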

Implementing Safeguards on the Provider Side

Given the final and non-appealable nature of the Schrems II ruling by the Court of Justice of the European Union (the "Supreme Court" of the EU), providers should implement API or on-premises technological controls to protect data to avoid disruption to operations and reassure their customers that data is protected. The costs of implementing these controls are minimal compared to shutting down operations or shifting them to the EU.

After holding several webinars in October 2020 on Schrems II-related issues, featuring the European Data Protection Supervisor, Max Schrems’ organization None of Your Business (NOYB – the force behind the Schrems II decision), and other industry experts, Anonos received over a thousand follow-up questions and hundreds of inquiries requesting briefings. In response to overwhelming requests, Anonos created: (1) a Schrems II LinkedIn Group (currently, with 4000+ members); and (2) a Schrems II Executive Briefing Portal (currently, with 1100+ self-selected registrants).

Most recently, Anonos announced a virtual briefing on implementing Anonos technology for Schrems II compliance to achieve a defensible position, for which over 860 senior legal / privacy professionals signed up within the first 24 hours of registration. Register for the briefing at SchremsII.com/Webinar.

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.
