Gary LaFever | November 23, 2020

Schrems II Solutions: Cloud Promises Alone Are Not Enough

The Schrems II [1] ruling has brought on a new wave of discussion, confusion, and heightened urgency with regard to cross-border data transfers, particularly cloud processing. Numerous organisations have tried to reassure their customers that they have everything under control and that nothing needs to change. However, it is clear that keeping things the same way they were before Schrems II is not enough. This has been reflected in social media discussions among legal experts and privacy advocacy groups. A review of recent social media comments shows the high level of interest among industry participants related to international data transfers post-Schrems II:

The following tweets are from Eduardo Ustaran (@EUstaran), a highly respected global privacy expert at Hogan Lovells:

These tweets prompted the following response from Romain Robert (@TetsuwanAstro), a chief litigator at NOYB (which prevailed in two CJEU rulings, the first annulling the Safe Harbour and the second annulling the Privacy Shield treaty for international data transfer), a Member of the litigation Chamber of the Belgian Data Protection Authority, and former Legal Advisor to EDPS and EDPB:

Microsoft, a firm with a longstanding track record in trustworthy computing and publicly defending the privacy rights of consumers, entered into the Schrems II social media fray with the following tweet by Julie Brill (@JulieSBrill), Microsoft’s Chief Privacy Officer and former Commissioner at the US Federal Trade Commission:

This tweet, and the attached document from Microsoft, prompted the following responses by Max Schrems (@maxschrems):

Much of the angst and anxiety in the privacy community and acerbic rejoinders among respected privacy professionals could be avoided if organisations looked beyond the limits of policy alone. Policy approaches, whether reflected in treaties, contracts or Terms of Use, are not enough on their own to protect the fundamental rights of data subjects. Policy tools certainly help to provide clarity as to when situations involve wrongdoing or inappropriate use of data. However, by themselves, they provide “too little, too late” when fundamental rights of data subjects under the EU Charter of Fundamental Rights are at risk. A strong analogy exists between the need for technology tools as a complement to policy tools for protecting fundamental privacy rights and the need for injunctive relief as a complement to legal remedies. [2]

The shortcomings of policy-only approaches were at the core of the Schrems II ruling, which mandates supplemental technical measures to ensure that the fundamental rights of data subjects are respected and enforced when data is transferred internationally.

In this regard, the EDPB Schrems II Guidelines [3] specifically cite Pseudonymisation as an additional safeguard for compliant transfer of personal data. In addition, the European Commission Implementing Decision on standard contractual clauses [4] specifically requires consideration of Pseudonymisation as an additional safeguard for compliant international transfers. Furthermore, early draft versions of the new Digital Services Act (DSA) and Digital Markets Act (DMA) highlight Pseudonymisation as a means to ensure the safe re-use of personal data and commercially sensitive business data for research, innovation, and statistical purposes.

Learn More About GDPR-Compliant Pseudonymisation

After holding several panels on Schrems II issues with the European Data Protection Supervisor (EDPS), None of Your Business (NOYB), Future of Privacy Forum (FPF), Promontory, Cooley, and Fieldfisher, we received over a thousand follow-up questions, and hundreds of inquiries requesting briefings. We created a no-cost Briefing Portal in response to overwhelming requests from General Counsels and senior-level privacy professionals for additional information. Over 500 have already pre-registered.

This Briefing Portal streamlines the process for interested professionals and provides a no-cost, self-paced educational platform. Access expert content, analysis, and discussion of the key concepts behind Schrems II, and learn how to support your clients or organisation to take action.

Register at SchremsII.com/Briefing to learn more about GDPR-compliant Pseudonymisation and other matters pertaining to lawful international data transfers after Schrems II using SCCs and BCRs.

[1] See judgment of the Court of Justice of 16 June 2020, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems ("Schrems II"), Case C-311/18, ECLI:EU:C:2020:559

[2] See https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1158124

[3] https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf

[4] See https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Commission-Implementing-Decision-on-standard-contractual-clauses-for-the-transfer-of-personal-data-to-third-countries.

[5] See https://www.ENISAguidelines.com

This article originally appeared on LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.
