August 1, 2020
Variant Twins Enable Lawful International Data Transfer

Variant Twins Enable Lawful International Data Transfer

Is your organisation - like the rest of the world - trying to determine what Schrems II “supplementary measures” are and how you can continue to lawfully transfer and process data in the cloud?

The decision by the Court of Justice of the European Union (CJEU) to invalidate the EU-US Privacy Shield1 for international data transfer has caused considerable confusion about the lawfulness of many processing practices, including analytics, AI, ML, data sharing and enrichment. The case, brought by Max Schrems, is popularly known as “Schrems II”, and its implications are far-reaching.

Now under Schrems II, data cannot be transferred to countries that do not have an adequacy decision absent new “supplementary measures”. Countries that do not have an adequacy decision include at present the US and the UK. Max Schrems’ website highlights that the CJEU ruling also applies to any “EU/EEA company that: is an integrated affilliate of a US company (e.g. Google, Apple, Amazon, Microsoft, Facebook, Instagram, Twitter, Yahoo and the like) or relies on storage or other type of processing in the US (many “average” EU businesses),” regardless of where the data is processed.2 This means that the application of Schrems II is extensive, and will capture a large number of activities, including processing using the infrastructure of major cloud providers.

The CJEU ruled that Standard Contractual Clauses (SCCs) can continue to be used but only if adequate “supplementary measures” are applied to the data. SCCs are “boilerplate” contractual terms that have been pre-approved by the European Commission. They enable private parties to transfer data from EU data controllers to non-EU data controllers and processors. Since the Schrems II decision, the European Data Protection Board (EDPB) has clarified that:

  • There is no grace period for complying with Schrems II, after the 16 July 2020 decision date; and
  • Schrems II requirements apply equally to SCCs and to Binding Corporate Rules (BCRs), which may be used by organisations to enable intra-company data transfers.

Due to concerns about potential warrantless searches under the U.S. Foreign Intelligence Surveillance Act (FISA), as well as other similar US statutes, the CJEU ruled in Schrems II that SCCs and BCRs require supplementary measures to ensure protection consistent with EU data protection laws. To help comply with this new requirement, Anonos® technology enforces Data Embassy Principles.3 These principles embody EU data protection rules and concepts to enable the creation of privacy-secured versions of data called Variant Twins® that dynamically de-identify the data to prevent reidentification of individuals by national authorities without access to additional information held by the EU exporter.4

Gartner awarded Anonos “Cool Vendor” in Privacy Management status because with Variant Twins “reidentification via usage of the original data is prevented in unauthorized use cases.”5 Gartner highlighted that Anonos technology enables GDPR-compliant business analytics, machine learning, and data sharing. This would include cross-border data sharing for secondary processing under Schrems II. As Variant Twins create strong resistance to unauthorized re-identification, EU regulators can view the combination of Variant Twins and SCCs/BCRs as a level of protection essentially equivalent to that in the EU (satisfying the requirements of GDPR Articles 46 and 47 to enable ongoing transfer and processing of EU personal data).

Using Anonos technology, a data controller can create privacy-secured Variant Twins from which it is impossible to re-identify individuals without access to “additional information” that is retained, and kept separately, by the EU data exporter. If a data importer processing Variant Twins were to be subpoenaed, the importer would not be in a position to help US law enforcement or the Department of Justice to re-identify the data. Rather, they would have to go to the EU exporter for the “additional information” required for re-identification. Under EU and national laws, these exporters have an affirmative obligation to prioritise compliance with EU data protection regulations and resist foreign production requests.

Variant Twins make it virtually impossible for anyone other than the EU data exporter to re-identify the data, because they provide protection of data while in use, and do so without any degradation in accuracy or value for secondary processing. For example, a recent independent data scientist analysis of Anonos Variant Twins technology by Mike Nemke, Director of AI & Machine Learning at Aptive Resources, concluded:

For Machine Learning tasks, Anonos Variant Twins provide performance comparable to clear text data. Both datasets were virtually identical in every measure - with Variant Twins providing obviously enhanced resistance to re-identification…as Director of AI & Machine Learning, I commonly lead the development of data science and machine learning models and products for large U.S. government clients. Our clients prioritize privacy of personal data in all of our projects, and based on my experience with competitive products and approaches, Anonos’ Variant Twins approach is best in class. In particular, based on our experience with this testing, we plan on adopting Anonos technology for analytics projects with datasets rich in personal data.6

Variant Twins serve as a critical “piece of the technology puzzle” for lawful data transfer and secondary processing. Unlike anonymised data, Variant Twins remain fully available for advanced secondary processing by data importers while retaining re-linkability to the original clear text data for secondary processing. This includes the identity of individuals when authorised, in the hands of the EU data exporter.

Anonos Variant Twins also help to:

  • Satisfy legal requirements for advanced secondary processing (including sophisticated analytics, AI, ML, data sharing and enrichment) where consent alone is not meaningful;7 and
  • Enable compliance with both security and privacy requirements under:8

    • Vertical industry laws and regulations (including healthcare, life sciences research, banking, IoT and telecommunications); and
    • Evolving data protection laws around the globe (including GDPR, CCPA).

About Anonos: Anonos enables lawful secondary processing like advanced analytics, AI, and ML while preserving 100% of data accuracy and expanding opportunities to share and combine data ethically. Anonos Pseudonymisation and Data Protection by Design & by Default technology enforce Data Embassy Principles to reconcile conflicts between protecting the rights of individuals and achieving business and societal objectives to use, share, combine and relink data in a lawful manner. Anonos patented Variant Twins enable sharing, collaboration, and analytics of personal data by technologically enforcing dynamic, fine-grained privacy, security and data protection policies in compliance with the GDPR, CCPA and other evolving data privacy regulations.

For more information, see https://www.anonos.com.


[1] Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18), “Schrems II”). See https://www.anonos.com/judgment-of-the-court

[2] See https://noyb.eu/en/next-steps-eu-companies-faqs

[3] See https://www.DataEmbassy.com

[4] See https://www.anonos.com/lawful-data-processing-after-screms-invalidation-of-privacy-shield-for-international-data-transfers

[5] See https://www.anonos.com/awards

[6] See https://www.anonos.com/data-scientist-expert-opinion

[7] See Professor Daniel Solove’s quote “Consent legitimizes nearly any form of collection, use or disclosure of personal data … individuals cannot adequately self-manage their privacy, and Consent is not meaningful in many contexts involving privacy” on page 10 of World Economic Forum publication - Redesigning Data Privacy: Reimagining Notice & Consent for Human-Technology Interaction, at https://www.weforum.org/reports/redesigning-data-privacy-reimagining-notice-consent-for-humantechnology-interaction

[8] See IDC Report - Anonos: Embedding Privacy and Trust Into Data Analytics Through Pseudonymisation at https://www.anonos.com/IDC_Anonos_embedding_trust_into_data