I wrote a blog post about my thoughts on Schrems II and additional safeguards. Please do not read these as solutions; they are my guesses about which additional safeguards might be appropriate. I am trying to identify opportunities for improvement based on the complex information about Schrems II that is available right now. The key takeaway from this blog is to use Schrems II as an opportunity to start working risk-based and to improve the privacy by design and by default process.
As many already know, the European Court of Justice (the “Court”) invalidated the EU-US Privacy Shield in the case known as Schrems II which renders the US a non-adequate country without any special access to Europe’s personal data stream.
Several organizations are currently trying to stop personal data transfers that are based on Privacy Shield, or to find a new transfer mechanism that allows such transfers, such as the EU Standard Contractual Clauses (“SCC”). According to the Court, the possibility to transfer personal data to the US or any other third country with SCCs is severely limited. As a result of the Court's statement, there is currently some uncertainty as to what extent personal data can be transferred lawfully on the basis that the parties enter into the SCCs. The SCCs are still valid, but only if they can be complied with and are not restricted by US national law.
Additional safeguards may be required for the SCC to be valid, and the recipient of personal data outside the EU/EEA must inform the sender within the EU/EEA if the SCC is not complied with.
That said, the controller needs to ensure that the conditions of the SCC are followed, which means that the processor must be able to answer:
How can we maintain control so that we know when you (the processor/vendor) do not follow SCC?
How can you give us evidence that the controls are being carried out? (Continuous evidence is needed, not just an audit certificate.)
What additional controls do you apply to maintain SCC?
What technical measures are you taking to ensure that the personal data is not exposed to the US government under the Foreign Intelligence Surveillance Act (FISA) section 702 or Executive Order 12333? (Specifically for US transfers.)
The Court ruling carries an increased risk for companies that transfer personal data to third countries. This includes not just the US but also the UK (by next year, when Brexit becomes reality) and China. This means even greater demands to work risk-based and to be able to demonstrate that the organization is working risk-based. A risk-based approach is already a legal requirement stated in Art. 24, 25 and 32 GDPR. When, due to Schrems II, the organization assesses the risk of a certain processing of personal data as “higher”, and the reduction of that risk must take into account the current legal conditions, the solution will be either to end the contract with the vendor or to build better and stronger security and data protection controls than the existing ones.
Unfortunately, it is not clear which additional safeguards and controls are the most appropriate, as there is no formal guidance on this. There are broader discussions regarding potential solutions where American cloud service providers collaborate with European companies that would be responsible for the storage within the EU, which might untie the knot if the link to the US parent company can be severed.
Let us be pragmatic here – the only real solution regarding safeguards is if either the EU or the US, and the UK for that matter, changes their surveillance and monitoring laws which is probably not going to happen.
So, let us instead focus on “standard” data protection controls and what we have an opportunity to improve within the organization. Standard controls such as encryption, pseudonymization, and anonymization will become central to whether the organization can accept the risk of a US transfer based on SCC (obviously, there are more parameters regarding risk acceptance, such as which kind of personal data is being transferred and which organizations are in scope, etc.).
However, it is not as easy as thinking that these controls alone will solve the issue. The processing analysis needs to be done case by case and must consider the complexity of these kinds of controls, which are more or less mandatory under the GDPR. For example, a possible solution might be to encrypt the personal data at rest and in transit, and to manage the keys within the organization so that decryption can only be done “at home”. However, that is of little use if one wants to perform any use or processing operation on the data. Privacy requires that you also protect the data when it is being used.
Encryption, pseudonymization and anonymization are all things that many organizations need to get better at understanding and adopting. But we should not narrow it down to only one or a few solutions. Standard data protection controls must be integrated in the processing analysis by default. The business needs to improve its ability to design these controls based on the risk to the data subjects. It must be clear how the processing analysis led to adequate data protection controls. That is, the organization must be able to show which data protection controls were chosen and why, based on the preceding analysis.
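As an added illustration (not from the original post) of the point that the ability to re-identify can stay “at home” while the transferred data remains usable for processing: keyed pseudonymization with HMAC-SHA256, where the controller keeps the key and the lookup table in the EU and the processor works only on pseudonyms. The sample records, the key and all function names are constructed for this example.

```python
import hmac
import hashlib
from collections import defaultdict

# Constructed sample data: what the EU controller holds before any export.
RECORDS = [
    {"email": "anna@example.org", "country": "SE", "amount": 120},
    {"email": "bob@example.com", "country": "DE", "amount": 80},
    {"email": "anna@example.org", "country": "SE", "amount": 30},
]

# Hypothetical key, held by the controller in the EU; it is never shipped with the data.
CONTROLLER_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalized identifier.
    Without the key a recipient cannot rebuild the mapping by hashing a list of
    candidate e-mail addresses, which is what makes a plain (unkeyed) hash of an
    e-mail address a weak pseudonym."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, key):
    """Returns (export, lookup): the export carries pseudonyms instead of e-mails and
    goes to the processor; the lookup table stays with the controller."""
    export, lookup = [], {}
    for r in records:
        p = pseudonym(r["email"], key)
        lookup[p] = r["email"]
        export.append({"subject": p, "country": r["country"], "amount": r["amount"]})
    return export, lookup


def processor_totals(export):
    """Processing the vendor can still perform on pseudonymized data: per-subject totals."""
    totals = defaultdict(int)
    for row in export:
        totals[row["subject"]] += row["amount"]
    return dict(totals)


def reidentify(totals, lookup):
    """Only the controller, holding the lookup table, maps results back to people."""
    return {lookup[p]: amount for p, amount in totals.items()}


def export_leaks_identifiers(export, records):
    """Pre-transfer check: no original e-mail address may appear anywhere in the export."""
    emails = {r["email"] for r in records}
    return any(v in emails for row in export for v in row.values())
```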
The Court ruling is an excellent opportunity for organizations to:
Develop and improve risk-based data protection work. Too many organizations today lean on generic, pre-defined personal data classification models and IT security baselines rather than designing controls based on the risk to the data subjects. This often results in standard data protection controls such as pseudonymization and anonymization being omitted entirely in the implementation phase.
Develop and improve the privacy by design and by default (“PDD”) process according to Art. 25 GDPR. The organization needs to develop a design process that ensures personal data is de-identified as far as possible. Standard controls must be integrated in the processing analysis by default. The design process must also include methods for softer PDD controls such as transparency, lawfulness, and fairness. Verification of the process is of utmost importance.
The organization should use Schrems II internally as a selling point to start working more risk-based, improve the PDD process and increase quality, on the basis that Schrems II compliance can also be a competitive advantage.