Quick Reaction to EDPB Schrems II Guidance
Quick reaction to yesterday's EDPB Schrems II guidelines on additional safeguards. Bottom line: it's hard to see a clear path for data transfers to the US (or other "non-adequate" countries) based on SCC or other transfer mechanisms.
The EDPB offers three types of supplementary measures to augment SCC (or any other transfer mechanism): technical, contractual and organizational. But it then goes on to say that contractual and organizational measures aren't enough on their own. Technical measures are obligatory. See here:
As far as technical measures go, supplementary measures are considered effective if the data are encrypted and the importer doesn't have the key; if the data are pseudonymized and the importer has no way of identifying the data subjects; plus a couple of less common scenarios (e.g., multi-party computation).
Importantly, technical measures are NOT recognized in the two scenarios accounting for the vast majority of real-world transfers: use cases 6 and 7, which cover transfers to the cloud in the clear and remote access or transfer in the clear for a business purpose. See here:
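To make the distinction between the accepted and the rejected use cases concrete, here is an added example (not from the post or the EDPB) of the "pseudonymized, importer cannot identify" measure: the exporter derives pseudonyms with a keyed hash and keeps both the key and the re-identification table in the EU, the importer processes only pseudonymized records, and the exporter re-identifies the results on return. The field names, the HMAC-based scheme and the sample HR records are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import secrets

# Fields the importer must never receive in the clear (assumed for this example).
DIRECT_IDENTIFIERS = ("employee_id", "name", "email")


class Exporter:
    """EU-side exporter. The key and the re-identification table never leave it."""

    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup = {}  # pseudonym -> employee_id, kept only by the exporter

    def pseudonymise(self, record):
        # Keyed hash: without self.key the importer cannot recompute pseudonyms
        # from guessable employee IDs, which an unkeyed hash would permit.
        ident = record["employee_id"].encode()
        pseudonym = hmac.new(self.key, ident, hashlib.sha256).hexdigest()[:16]
        self.lookup[pseudonym] = record["employee_id"]
        exported = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        exported["pseudonym"] = pseudonym
        return exported

    def reidentify(self, pseudonym):
        return self.lookup[pseudonym]


def importer_process(records):
    """Importer side (e.g. non-EU HQ): sees pseudonyms and business fields only."""
    # Example business purpose: list staff above a salary threshold for review.
    return [r["pseudonym"] for r in records if r["salary"] > 100000]


# Constructed sample records for the demonstration.
SAMPLE = [
    {"employee_id": "E1001", "name": "A. Example", "email": "a@example.test",
     "salary": 95000, "dept": "R&D"},
    {"employee_id": "E1002", "name": "B. Example", "email": "b@example.test",
     "salary": 120000, "dept": "Sales"},
]


def run_transfer(records=SAMPLE, key=None):
    """Full round trip; returns (re-identified results, what the importer saw)."""
    exporter = Exporter(key)
    exported = [exporter.pseudonymise(r) for r in records]
    flagged = importer_process(exported)          # happens on the importer's side
    return [exporter.reidentify(p) for p in flagged], exported
```

Sending `SAMPLE` itself to the importer, or sending the key alongside the records, would collapse this back into use case 6 (cloud in the clear), which is exactly the scenario the guidance does not accept.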
Moreover, in assessing if SCC are "effective in light of all circumstances of the transfer", the exporter must weigh "objective factors" BUT "not rely on subjective ones such as the likelihood of public authorities’ access to your data in a manner not in line with EU standards."
This is (unpleasantly) surprising since GDPR is a risk-based framework. Here the EDPB explicitly rules out risk analysis (e.g., I am a cosmetics maker sharing employee data with US HQ; what's the likelihood of NSA access?). I think it also contradicts the EDPB's list of factors in Section 49 of the document.
Was the EDPB compelled by the CJEU decision to reach this harsh interpretation? Perhaps. The path was narrow. But I still think some of the restrictions do not necessarily flow from the language of the court, which was very spare, nor - as suggested above - from GDPR.
At the end of the day, all will depend on the regulators' appetite for enforcing their guidelines. If they are serious about these restrictions, they have their work cut out for them because I bet a majority of businesses beyond a certain (small) size threshold are caught. If not, these guidelines will remain law on the book, not on the ground. Either way, we will know soon.
Senior Legal Counsel on data protection law at Deutsche Bank AG Frankfurt
4 years
That will impose significant burdens on companies with international data flows. The good news is that the EDPB will keep privacy pros very busy in the long run.
CEO Angles Technologies
4 years
It's about time regulators define technology as a vital tool for data protection, especially for private and sensitive data. Relying on contractual or organizational protection is a good addition to the must-have technical data protection and breach prevention mechanisms. In risk-based language: minimize risk instead of saying you're "managing" it...
Technology Policy Lawyer, Consumer Privacy Advocate, Ultra Premium Bourbon Startup Founder
4 years
Great analysis as always, Omer. Axiomatic and implicit in this guidance is that what is technically sufficient now (if there is such a technology available in the marketplace) will not always be so, as there's an assumption from the drafters that the capabilities of US intelligence and law enforcement would evolve over time to access data previously kept secured by this standard. In short, it seems that the guidance almost demands a continuous cat-and-mouse game by companies with the US law enforcement and intelligence community, which begs the question of whether technical "adequacy" could ever be achieved in the eyes of the EDPB. If so, who would judge that? How would they know? For how long would that judgement of technical adequacy hold? The "guidance", I'm afraid, either leads to a dead end or raises more questions than it answers.
FinTech / Web3 / Crypto lawyer
4 years
In other words: before, products needed to be built securely enough to defeat opportunistic bad actors. Now they need to be built securely enough to defeat the NSA. I'm looking forward to a fun conversation with my Product and UX teams.
CEO & Co-Founder at QPrivacy.com
4 years
A note: for the first time it seems the required solution is also genuinely technical and not "just procedural and legal"; I assumed it would happen more as privacy regulations evolve. There is a solution in place where "data are encrypted and importer doesn't have the key"; more than that, once the data are extracted back by the exporter, it can decode them and benefit from full data usability (pseudonymisation). This solution can meet the Schrems II case, and it can also meet some other PII scraping scenarios. www.qprivacy.com