Don’t Miss IAPP Webinar on Operating the U.S. Cloud Under Schrems

Don’t Miss this IAPP Webinar on 3rd November on Operating the U.S. Cloud Under Schrems

Learn how Statutory Pseudonymization can support technical controls that enable customers to improve the predictability of operations by enforcing the security of data when in use - under the shared responsibility model[1] - to help ensure that cloud use complies with requirements and applicable laws and regulations for:

- Lawfulness of Processing

  • Secondary Processing
  • Schrems II (without relying on solutions that may not survive judicial scrutiny and political questions about the adequacy of protection)
  • CLOUD Act

- Breach Resistant Processing

- Data Supply Chain Immunity

Benefit from hearing different perspectives from Cynthia O'Donoghue, Alex van der Wolk, Magali Feys and Gary LaFever on the following issues related to Operating the U.S. Cloud Under Schrems:

The demand for technical controls that help to protect EU personal data when in use and prevent misuse in U.S.-operated Cloud does not originate from any one group. Rather, the growing demand comes from at least four groups, and the confluence of the interests of these different groups makes the current situation irreversible. The common theme across the interests and perspectives of these groups is that technological controls are now critically important. These groups comprise the following:

  • EU and US Governments: As much as both EU and US governments would like to put a new treaty in place to ensure ongoing trans-Atlantic commerce, governments will not abandon surveillance activities they deem critical for national security. The complexity of the situation and the disparity of stakeholder interests means that the current situation is not reconcilable on a long-term basis by “words alone” – regardless of whether the words are contained in contracts, policies, procedures, or treaties – and requires effective technologically enforced controls.
  • Courts: These decisions cannot be ignored or (easily) reversed by the other stakeholder groups. For example, the Schrems II decision by the CJEU that EU personal data cannot be processed in cleartext in US-operated clouds without new technical controls is binding on all parties on both sides of the Atlantic. By contrast, recent decisions by the US Supreme Court (e.g., related to FBI surveillance and, more recently, the privacy rights of women in reproduction-related situations) highlight the fundamental differences in philosophy and law when it comes to privacy between Europe and the US. Technical controls can help to bridge these otherwise irreconcilable differences; words in a treaty are completely inadequate.
  • Enforcement Agencies: Recently, EU enforcement actions against companies of all sizes and nationalities have been increasing. Examples include enforcement actions related to the use of Google Analytics by entities of various sizes and the use of customer prospecting lists. Additionally, in the US, enforcement under new, more stringent state privacy laws has begun. These enforcement actions also highlight the increasing importance of technologically enforced controls.
  • Non-Governmental Organisations (NGOs): Max Schrems and his organisation NOYB successfully initiated the legal actions that invalidated the Privacy Shield trans-Atlantic treaty and its predecessor Safe Harbor treaty and more recently are behind the 101 complaints filed against use of Google Analytics. This is before the effectiveness of changes in 2023 that authorize class action lawsuits/collective redress across Europe. Other coordinated actions against global companies involving NGOs teaming up across the Atlantic are on the rise as well. Activities by these NGOs again highlight the increasing importance of technologically enforced controls.

CJEU Schrems II Decision

The processing of EU personal data in U.S. operated Clouds requires compliance with Schrems II requirements promulgated by the CJEU and the EDPB, including the use of technical controls as supplementary measures when organisational and contractual supplementary measures cannot prevent surveillance by third-country governments. These obligations extend to onward transfers and processing by sub-processors, with respect to which the EDPB specifically highlighted concerns since “a large variety of computing solutions may imply the transfer of personal data to a third country (e.g., for storage or maintenance purposes).”

US Cloud Act of 2018

In addition, a 26 July 2022 Dutch Ministry of Justice and Security (NCSC) legal memorandum stresses that the reach of government surveillance extends to data processed internationally by sub-contractors and cloud processors. Global enterprises that leverage non-EEA (e.g., U.S.) managed infrastructure (e.g., public cloud, multiparty data sharing and analytics) to process EU personal data will be subject to similar scrutiny.

GDPR Pseudonymisation: EDPB and EDPS Recognition

In addition to the EDPB recommending GDPR-compliant Pseudonymisation as a technical supplementary measure for international data transfers, the heightened EU GDPR requirements for pseudonymisation have been recognised by the EDPS as a means of enabling the lawful transfer of personal data to third countries not offering an equivalent level of protection. As noted by European Data Protection Supervisor Wojciech Wiewiórowski in an EDPS webinar titled Pseudonymous Data: Processing Personal Data While Mitigating Risks:

“Our legal data protection rules in the European Union and particularly GDPR itself considered pseudonymisation as a sort of model of all risk mitigating measures. This comes only after the first of all obligations, if you do not need the personal data do not process them. But if you need the personal data, then GDPR refers to pseudonymisation when it takes exemplifying the appropriate safeguards in many circumstances.”

Sign up for this IAPP Webinar on 3rd November on Operating the U.S. Cloud Under Schrems

[1] See https://cloudsecurityalliance.org/blog/2020/08/26/shared-responsibility-model-explained/
