Skip to main content

The future of international data transfer in the wake of Schrems II

(Image credit: Image Credit: Billion Photos / Shutterstock)

Following the recent ruling by the Court of Justice of the European Union (CJEU) to invalidate the EU-US Privacy Shield for international data transfer, confusion has reigned about the legalities of secondary data processing. This includes the use of AI, machine learning, cloud-based advanced analytics, data sharing and enrichment.

The implications of the case, brought by Max Schrems and popularly known as “Schrems II”, are far-reaching. Companies based in countries that do not have an adequacy decision (a ruling that their data protection regime aligns with EU data regulations) now cannot lawfully process EU data. Currently, this includes the UK following Brexit as well as the US.

The Max Schrems website also highlights that the CJEU verdict applies to any “EU/EEA company that: is an integrated affiliate of a US company (e.g. Google, Apple, Amazon, Microsoft, Facebook, Instagram, Twitter, Yahoo and the like) or relies on storage or other type of processing in the US (many “average” EU businesses),” regardless of where the data itself is processed. Consequently, the application of Schrems II is extensive, and restricts access to a large number of activities, including processing using the infrastructure of major cloud providers.

The CJEU also determined that Standard Contractual Clauses (SCCs), which enable private parties to transfer data from EU data controllers to non-EU data controllers and processors, can continue to be used, but only if adequate “supplementary measures” are applied to the data to ensure protection consistent with EU data protection laws. This was decided due to concerns about potential warrantless searches under the US Foreign Intelligence Surveillance Act (FISA), as well as other similar US statutes.

Since the Schrems II decision, the European Data Protection Board (EDPB) has clarified that there is no grace period for complying with Schrems II, after the 16 July 2020 decision date, and that Schrems II requirements apply equally to SCCs and to Binding Corporate Rules (BCRs), which are used by organizations to enable intra-company data transfers.

Fine balance

As a result, businesses relying on the EU-US Privacy Shield for cloud-based processing by US-owned (directly or indirectly) companies must immediately stop, and identify appropriate safeguards that can be implemented, or else be at risk of being met with significant fines. One potential safeguard for this is for companies to use privacy-secured versions of data known as ‘Variant Twins’.

Variant Twins work by dynamically de-identifying data to prevent the re-identification of individuals associated with the data by national authorities without access to additional information that is retained and kept separately by the EU data controller. This would include cross-border data sharing as per the new requirements in Schrems II.

As Variant Twins create strong resistance to unauthorized re-identification, EU regulators can view the combination of Variant Twins and SCCs/BCRs as a level of protection essentially equivalent to that in the EU, satisfying the requirements of GDPR Articles 46 and 47 enabling ongoing transfer and processing.

Furthermore, Variant Twins make it practically impossible for anyone other than the EU data exporter to re-identify the data, because they provide protection of data while in use, and do so without any degradation in accuracy or value for secondary processing. Under EU and national laws, these data exporters also have an obligation to prioritize compliance with EU data protection regulations and resist foreign production requests, therefore maximizing the privacy of the data.

Variant Twins achieve the fine balance between the data utility and benefits of secondary data processing on the one hand, and protecting privacy on the other hand. Variant Twins accomplish this by combining the use of Functional Separation and Pseudonymisation of data.

Functional Separation is an approach frequently used by research institutions to separate the information value of data from the identity of the subject with respect to which the data relates to. Meanwhile, Pseudonymisation, as newly defined in the GDPR, separates the information value of data from the identity of data subjects in a way that only allows the re-identification of data subjects under strict controlled conditions.

Now is the time

In the context of Schrems II, the application of Functional Separation with GDPR-compliant Pseudonymisation, alongside appropriate technical and organizational controls to implement these techniques, enables Variant Twins to support ongoing lawful international, cross-border data flows with no loss of data utility and no threat to privacy.

Despite the fact that the CJEU has closed the door of the EU-US Privacy Shield, a new one has been opened with the ruling of the use of “appropriate safeguards” to further protect data when using SCCs or BCRs. The question that remains is what appropriate safeguards should be used in order to ensure that global data transfers can continue alongside increased protection for fundamental privacy rights.

So for UK and US businesses holding EU consumer data in their cloud servers, now is the time to make the right decision over implementing technologies that will enable them to maintain transatlantic data flows. Variant Twins can serve as this solution and a critical piece of the technology puzzle for lawful data transfer and secondary processing.

Variant Twin technology satisfies legal requirements for advanced secondary processing, including sophisticated analytics, AI, ML, data sharing and enrichment, where consent alone is not meaningful. It also enables compliance with security and privacy requirements under vertical industry laws and regulations including healthcare, life sciences research, banking, IoT and telecommunications, as well as with ever evolving data protection laws around the world including GDPR and the California Consumer Privacy Act (CCPA).

Gary LaFever, CEO and General Counsel at data privacy specialists, Anonos

Gary LaFever, CEO & General Counsel, Anonos.