A two-step, privacy-respectful ‘Data Protection by Design and by Default’ approach should be required for all data processing whenever possible, according to 94% of the more than 1,300 attendees of a dedicated webinar held last week to discuss the ramifications of the recent Schrems II decision by the Court of Justice of the European Union (CJEU).
The Schrems II ruling invalidated the EU-US Privacy Shield as a basis for international transfers of EU personal data. The ruling means that EU personal data can no longer be lawfully processed using US-operated (or any other non-EU operated) cloud, SaaS or outsourcing providers without “additional safeguards” that prevent the data from being exposed to surveillance by US (or other non-EU) authorities.
Panellists on the webinar included representatives of the European Data Protection Supervisor (EDPS) and None of Your Business – NOYB (Max Schrems’ privacy advocacy group), as well as industry experts from Promontory, Fieldfisher, Cooley and Anonos. They discussed the “additional safeguards” now required for lawful cloud processing, SaaS and outsourcing. The webinar drew over 1,300 attendees, made up primarily of privacy lawyers, chief privacy officers, data protection officers, and chief data officers from the EU (80%) and the US (20%).
Previously, some companies engaged in “regulatory arbitrage” by choosing not to comply with privacy laws and baking the cost of non-compliance into the cost of doing business. However, the CJEU ruled that such unlawful data transfers and processing must be stopped, not merely fined. This makes a “regulatory arbitrage” approach impracticable: losing access to the data halts business operations outright.
Anna Buchta, Head of Policy & Consultation at the EDPS, explained during the webinar: “From the point of view of the regulators, we at EDPS and others have said many times already given the fundamental constitutional importance of this ruling, there has to be a before and after Schrems II. There will have to be consequences and that, unfortunately, may mean that certain transfers will not be able to continue with the available legal instruments without “additional safeguards” to ensure equivalent protection as under the GDPR. We need to realise that Schrems II has to have an actual impact in practice and I’m sure that this is also in this direction that the forthcoming guidance from the European regulators will go.”
Romain Robert, Senior Lawyer at NOYB, noted that: “Security measures and encryption should already be there before any transfer, because it’s an obligation under the GDPR and Article 32, so it’s an obligation for security. Pseudonymisation as well is also mentioned a lot of times in the GDPR, but before any transfers. Pseudonymisation is not the solution to transfers. It should be done before any transfer in a specific situation, like if you want to justify, for example, the change of purpose, or if you want to evaluate the risk on the DPIAs.”
Mark Webber, Managing Partner at the Silicon Valley office of the law firm Fieldfisher, raised a concern that Schrems II could limit technological innovation. He said: “I, for one, am very serious about privacy, but I don’t want to see this lead to more localisation, less use of the internet, and less use of technologies which will change our worlds. The internet is a great game changer for all, and I think we’ve all got a role in making sure we can continue to use those technologies and work with those businesses for the good of everybody.”
With the COVID-19 pandemic, many companies are relying even more heavily on cloud and SaaS services for timely insights about partner and customer ecosystems. However, the Schrems II decision makes many cloud and SaaS services involving international data transfers unlawful unless additional technical safeguards are put in place.
For more information on the future of international data transfers, visit the Schrems II Lawful Transfer LinkedIn Group, which already has over 1,100 community members.
Anonos’ patented “Data Liquidity” technology simultaneously achieves Universal Data Protection and Unrivaled Data Utility by embedding controls that flow with the data to enforce Data Embassy principles. Anonos enables the maximum lawful liquidity value of data for sharing between parties to support AI, ML, BI and many other applications. With Anonos, companies can leverage their internal and external data while guaranteeing individual privacy rights as required under evolving data protection laws. Anonos has achieved what many thought was impossible: technology enabling data to be used and shared with the accuracy of clear text in a non-identifying and lawful manner. See https://www.DataEmbassy.com and https://www.anonos.com