Irish High Court Affirms Schrems II
The Irish High Court has now confirmed that the Irish Data Protection Commission (DPC) is required to implement the Court of Justice of the European Union (CJEU) decision in Schrems II, specifically with regard to the transfer of Facebook data from the EU to the US. The settlement between the DPC and Max Schrems (the lawyer who brought the Schrems II case), noted that “the DPC is now required to stop Facebook's EU-US data transfers”, a strong statement that the findings of the Schrems II case will be enforced.
FACEBOOK HAS LIMITED TIME TO STOP TRANSFERS
This sends a clear signal to organisations that they cannot delay any further in the implementation of the requirements of the Schrems II case and the GDPR: the implementation of technical measures to protect data. Without technical measures in place, transfers of EU data from the EU to the US cannot take place. This new High Court ruling confirms that without appropriate technical measures to prevent foreign government surveillance, data flows will in fact be halted.
LOCALISATION IS NOT THE ANSWER IF US-OWNED INFRASTRUCTURE IS USED
Max Schrems also noted that: “We now expect the DPC to issue a decision to stop Facebook's data transfers before summer. This would require Facebook to store most data from Europe locally, to ensure that Facebook USA does not have access to European data.” It is important to reiterate that data localization is not the only solution: rather, data can be transferred when appropriate technical controls are in place. In Facebook’s case, technical measures have not been implemented, as per the European Data Protection Board (EPDB) recommendations.
Section 702 of FISA and Executive Order 12333 still apply and allow the US government to collect data such as telecommunications information and personal data, for the purposes of national security: naturally, Facebook’s data flows are at risk of being stopped.
LAWFUL DATA USE, SHARING & COMBINING POSSIBLE WITH PSEUDONYMISATION
The EDPB recommends the use of GDPR-Pseudonymisation (visit: www.Pseudonymisation.com) as an appropriate technical measure to protect data when in use, such as for transfer, processing, and analysis of data that is connected to the US (either through US-provided cloud companies or US-associated companies located in the EU). By following EDPB recommendations organisations can continue to transfer and process data, without facing the same consequences as Facebook.
GDPR-Pseudonymisation enables functional separation of information value (the reason the processing desired) from identity so that the two can be controllably processed separately and combined only when/if required and lawfully permitted, with auditability of the process as well. See the Ten Truths of Pseudonymisation.
ANONOS WEBINAR COVERS EDPB GUIDELINES
The final guidance of the EDPB (which is expected to confirm their preliminary guidance) will be released shortly, and Anonos is offering a webinar to unpack this guidance and discuss the next steps. To pre-register for the webinar (the date and time of which will be announced as soon as final guidance comes out), click here: www.SchremsII.com/Webinar5
CONTACT ANONOS FOR TECHNICAL SUPPLEMENTARY MEASURES
To implement EDPB Guidelines such as GDPR-Pseudonymisation, contact Anonos to immediately set up the Quick Start software package for your organisation. The Quick Start package allows you to implement technology that delivers GDPR-compliant distributed trust controls. This package allows you to comply with Schrems II so that processing can continue. In addition, Anonos Variant Twin technology provides more than just protection, and allows expansion of your typical use cases to enable greater use, accuracy, sharing and combining of data along your entire data value use chain.