Hopefully the last post on this topic, but in privacy-land the Schrems II ruling is still hot news: for legal professionals, for privacy and security leaders, and also for CIOs who are concerned about their international architecture and cloud migrations. So, what do we know so far, and how do we cope?
81 days ago: the Privacy Shield was declared invalid as a basis for transfers of personal data from the EU to the U.S. Technically, SCCs and BCRs remain valid. But. The original SCCs are older than companies like Facebook and YouTube themselves. Yes, they are soon to be revised, but revised versions won't solve the problem entirely, nor is a third version of the Shield likely to stand any ground. The resulting situation is a strange one: before transferring data, whether covered by SCCs or BCRs, the organization must conduct a legal assessment of the destination country. The required outcome is that the laws at the receiving end do NOT undermine the adequate level of protection that the organization can guarantee. If that cannot be guaranteed, the transfer is ill-advised. Should the organization nevertheless continue the transfer, it must report this to its supervisory authority. Though no one knows how.
So now everyone must be a legal professional specializing in 'the world'. After all, the ruling does not only affect the U.S. as a destination; it applies to every country for which SCCs would otherwise be needed. And for the smart people who want to refer to Article 49 GDPR: that is intended as an exception, not a new rule. As an example, some say that all of this implies that 'American' cookies (and I don't mean those criminally good chocolate chip ones) can no longer be used in general. For EU-based organizations that contract 'data processors', one distinction is crucial:
Subsidiaries of U.S. companies established in an EU member state, under the legal system of that member state, and processing the data (only) in that same member state, are generally considered not to be affected by this ruling.
U.S. legal entities (mainly communication service providers), on the other hand, may process data subject to the EU's GDPR while also being subject to American law. This includes the infamous CLOUD Act, under which they may be required to hand over data to U.S. law enforcement bodies. Such a conflict with the GDPR is a tough one, though the Act does contain a provision that lets the provider contest the request.
Some organizations find that last part reassuring enough, some don't. Others are looking ahead to initiatives such as the 'European' cloud project Gaia-X. Though promising, it won't be ready in the foreseeable future. Then there are those looking into adding new and upcoming protection methods like the ones we featured in the Hype Cycle for Privacy, 2020. Note, also, that things may change rapidly. New laws may continue to disrupt the level playing field or influence both the assessments and the viable technical alternatives. Examples include the EARN IT Act (pdf alert) and the LAED 2020 Act (also pdf alert).
Bottom line: from now on, any justification of whether or not a cross-border transfer is still believed to be lawful must come from the preceding data protection impact assessment (DPIA). Since paper-based controls are often less trustworthy than technology, modern protection technologies and techniques must increasingly be part of the considerations in these DPIAs.
I'm looking forward to the wave of innovation that may enable continued, secure international data processing. Meanwhile, I'm hoping we won't lazily end up relying on yet another paper-based agreement alone.