IAPP Schrems II Article:
A solution to enable ongoing lawful transfer of data


My name is Gary LaFever, and I'm the CEO & General Counsel at Anonos. I'm here to summarise an article that was published by the IAPP regarding German DPA guidance on how you can have lawful data transfers after Schrems II.


This article is a call to action for firms who want to continue using outsourcing, SaaS and cloud providers that are owned or operated by US, UK or other non-European Economic Area/equivalency ruling countries. This is the vast majority of companies. Bear in mind that this issue exists regardless of whether the processing occurs within or outside of the EU. The point is who owns and operates those services.


But there is hope, and there is a solution.


The German DPA released guidance on the kinds of additional safeguards available after the Schrems II invalidation of the Privacy Shield to enable ongoing use of Standard Contractual Clauses (SCCs) and Binding Corporate Resolutions (BCRs) for lawful data transfers.


The German DPA identified three potential approaches:

  1. - Encryption
  2. - Anonymization
  3. - Pseudonymization

But as IAPP the article points out, when you overlay these three options against what Max Schrems' organisation NOYB, (None Of Your Business) has published, you quickly come to the point that newly defined pseudonymisation under the GDPR is the only viable alternative.


First, encryption only protects data when in transit and in storage, not when it is in use, leaving it vulnerable during processing. NOYB further notes that the US government can use brute-force decryption to defeat it. Second, NOYB points out that intelligence agencies can also defeat anonymisation by enabling re-identification through the use of indirect identifiers, or "selectors." This leaves you with Pseudonymisation.


Pseudonymisation, as newly-redefined under the GDPR, requires that only the EU data exporter should be able to re-link personal data being processed to the identity of data subjects. As a result, properly pseudonymised data can act as an "additional safeguard" enabling the lawful use of SCCs and BCRs for data transfers without reducing data utility. This means that you can continue using cloud, SaaS and outsourcing services to gain insights and enable your business to innovate.


GDPR-compliant pseudonymisation enables these services to be used and leveraged in compliance with Schrems II requirements.


If you're interested in continuing cloud processing, SaaS or outsourcing operations provided by a company not organised under European Economic Area country rules or an equivalency country, contact Anonos.


Anonos technology enforces GDPR-compliant pseudonymisation to make cloud, SaaS and outsourcing processes lawful to achieve "Data Liquidity" - i.e., simultaneous Universal Protection and Unrivaled Utility to achieve your business goals.