Transatlantic Data Transfers: How To Stay In Line With The Law

Where does your data live? It’s a simple question with an incredibly complex answer. In fact, it’s an answer that is increasingly testing new privacy laws on either side of the Atlantic and forcing device manufacturers and software creators to question what data, if any, they can use in their products.

This friction arises from last year’s court decision that Facebook’s transfer of personal data from the EU to its headquarters in the US breaches the General Data Protection Regulation (GDPR), leaving in limbo both multinationals and small-time players that leverage such data in their products.

The rise of cloud and the revision of data rules further confuse a complex issue. Let’s consider how companies and tech creators can stay in line with the law while making transatlantic data transfers.

The Schrems II decision

Where data lives, and the jurisdiction it falls under, is facing increased scrutiny thanks to a recent court decision. Last July, the European Court of Justice issued the ‘Schrems II’ judgement, with significant implications for the use of US cloud services.

The decision invalidated the European Commission’s adequacy decision for the EU-US Privacy Shield, a transatlantic framework on which more than 5,000 US companies relied to conduct data exchanges in compliance with EU data protection rules.

The court found the framework invalid for two main reasons. First, the court decided that US surveillance programs were not limited to what was strictly necessary and proportional as required by EU law. Second, the court determined that EU data subjects lacked actionable judicial redress and, therefore, did not have a right to an effective remedy in the US.

Importantly, however, the decision upheld the validity of standard contractual clauses (SCCs). These clauses ensure the lawful and secure transfer of personal data from within the European Economic Area to third countries.

The new data rules

Despite the validation of SCCs, lingering confusion and uncertainty have resulted in the adoption of new tools for safe exchanges of personal data. In June, the European Commission adopted two new sets of SCCs: one for use between controllers and processors, and one for the transfer of personal data to third countries. These tools are intended to offer more legal predictability to European businesses and to help small and mid-size enterprises in particular ensure compliance for safe data transfers, while allowing data to move freely across borders without legal barriers.

Moreover, the revised SCCs provide “more flexibility for complex processing chains” by using a modular approach, said the European Commission, and offer the possibility for more than two parties to join and use the clauses. The revised SCCs seek to strike a balance between emphasizing the legal framework of the GDPR and addressing the lingering uncertainty in the aftermath of Schrems II. Companies have fifteen months to transition from the previous clauses to the revised system.

Without many viable alternatives for transatlantic data transfers, the new rules are a welcome development. However, before diving straight into resubmitting the paperwork for legacy SCCs, organizations are best advised to focus on a holistic evaluation of existing data flows and the roles of those involved in personal data transfers.

What companies can do

The good news is that, despite the infinite complexities of cloud computing and data rights, companies can take precautionary steps to stay in line with the laws. Encryption, for example, offers one way to perform US transfers under EU rules. Strong encryption can provide an effective measure for data transfers so long as the keys are reliably managed and retained solely under the control of the data exporter; if the processor in the third country never holds the key, it holds only ciphertext. If state-of-the-art protocols are followed, encryption can provide adequate protection against data interception and manipulation by a third party. Likewise, multi-party computation protocols that split data into parts processed independently by separate parties can prevent the reconstitution of personal data by any one of them, thereby satisfying the EU regulation.
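As an added illustration of the second point (not code from the original article or from any product it mentions), the following uses additive secret sharing: the data exporter splits each personal record into shares, each of which is uniformly random on its own, hands one share per record to each processor, and only the exporter can recombine the processors' partial results. The field modulus and the two-processor setup are assumptions chosen for the example.

```python
import secrets

# Field modulus (constructed for the example; any large prime works).
P = (1 << 61) - 1


def split(value, n=2):
    """Split value into n additive shares mod P.

    The first n-1 shares are uniformly random, so any n-1 shares reveal
    nothing about value; only the full set sums back to it.
    """
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def reconstruct(shares):
    """Recombine shares; only the exporter, holding all of them, can do this."""
    return sum(shares) % P


def processor_sum(shares_held):
    """What a single processor computes on the shares it holds.

    It never sees a plaintext record, yet its output is a valid share
    of the aggregate because addition commutes with sharing.
    """
    return sum(shares_held) % P


def mpc_total(values, n=2):
    """Exporter splits each record, n processors each sum their own shares,
    and the exporter reconstructs the aggregate from the n partial sums."""
    per_processor = [[] for _ in range(n)]
    for v in values:
        for i, share in enumerate(split(v, n)):
            per_processor[i].append(share)
    partials = [processor_sum(held) for held in per_processor]
    return reconstruct(partials)


if __name__ == "__main__":
    # Constructed sample: ages of three data subjects.
    print(mpc_total([34, 52, 27]))  # 113, computed without any processor seeing an age
```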

Another way to comply with the data rulings is to steer clear of the cloud whenever possible. In the Internet of Things, for example, device vendors can tailor the connection type to ensure direct communication between the end-user and the device. This type of peer-to-peer connection bypasses the cloud to enable private communication between user and device, and avoids the risk that comes with storing personal consumer data.

Of course, for those that do need to use the cloud for transatlantic data transfers, the best practice is to stick to the rules. The new SCCs provide additional clarification on what is and is not acceptable and go a long way toward addressing the requirement to legitimize transfers of personal data out of the EU. But, at the same time, the revised clauses continue to put the onus on individual companies to meet IoT GDPR standards.

Therefore, companies looking to leverage the SCCs should identify the cross-border transfers under their responsibility and perform a nuanced analysis of the recipient country’s level of data protection compliance with the GDPR. Moreover, if any of the countries are part of the Five Eyes Alliance - Australia, Canada, New Zealand, the United Kingdom and the United States - then an in-depth analysis will likely be required.

Regardless of the transfer method, there is no question that companies on either side of the Atlantic must think long and hard about the way they handle personal data. The various jurisdictions and legislations result in a tricky situation for tech companies today. Going forward, their best bet is to encrypt all data, follow the letter of the law and steer clear of the cloud if possible. It is no mean feat, but it is necessary to avoid the inside of a courtroom.

Author

Carsten Rhod Gregersen is an IoT expert with more than two decades in software and innovation. Carsten is the founder of Nabto, the platform providing peer-to-peer communications for connected devices. His areas of expertise span critical domains such as security, cybersecurity, technology regulation, and the impact of IoT.
