On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its judgment in the Schrems II matter. While the CJEU upheld Standard Contractual Clauses (SCCs) as a valid basis for transferring EU personal data to non-EU countries, it mandated that, going forward, organizations must determine whether the destination country’s laws regarding government access to personal data provide privacy protections that are “essentially equivalent” to those provided under EU law. With respect to the US, the CJEU went even further and found that the privacy protections under US law relating to intelligence agencies’ access to data do not meet the EU threshold. Accordingly, the CJEU declared invalid the EU-US Privacy Shield, a safe harbor provision adopted in 2016 that enabled the legal personal data transfer outside the EU to the US.
As a result, Privacy Shield is no longer a valid mechanism to ensure compliance with EU data protection requirements when transferring personal data from the EU to the US. And while SCCs remain valid, absent “supplementary measures” and the adoption of “additional safeguards” by a US data importer, transfers of EU personal data to the US, including those relying previously on the EU-US Privacy Shield framework, are now illegal. Moreover, on September 8, 2020, the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland followed suit and issued its opinion invalidating the Swiss-US Privacy Shield Framework based upon similar principles.
The Schrems II decision and Privacy Shield invalidation have created chaos and uncertainty across a number of industries. Indeed, banks and other financial services organizations, healthcare providers and payers, the travel industry, and marketers of all sorts, use, process and/or store various types of “personal data,” and all are frantically searching for solutions to avoid business disruption and possible legal exposure while the EU and US authorities work to resolve their differences.
While the CJEU in its FAQs do not provide any specific details regarding appropriate supplementary measures—saying that adequacy determinations will be made on a case-by-case basis for now—the Swiss FDPIC did provide some “practical advice” and guidance regarding technical measures that organizations might employ. Specifically, the FDPIC offered the following guidance with respect to effectively preventing governmental authorities in the US from accessing the transferred personal data, particularly data stored at any of the major US-based cloud service providers (CSPs) such as AWS, Google, and Microsoft:
“If data is stored solely in the cloud by service providers in a non-listed country, for example, encryption would be conceivable, along the principles of BYOK (bring your own key) and BYOE (bring your own encryption), so that no individual personal data would be available in the destination country and if the service provider would have no possibility of decoding the data themselves. For services in the target country that go beyond mere data storage, however, the use of such technical measures is demanding.”(Section 4.1(c) – emphasis added)
Based on what has been written since the EU and Swiss rulings, and given the current political climate, it will likely be some time before US and EU officials come to agreement on how to proceed, and perhaps even longer before US companies get any clear direction. In the meantime, for those in the US whose business relies on using, analyzing, storing, or processing EU personal data—including any one of the 5,237 active companies on the Privacy Shield list—waiting on a resolution is not an option.
Ionic can help. Encrypting EU personal data with Machina and setting access policies that comply with applicable EU and Swiss regulations offers a workable solution for organizations looking to adopt “supplementary measures” and implement “additional safeguards” to satisfy the requirements imposed by the CJEU and Swiss FDPIC. To build a strong argument that their data transfers to the US adhere to the requirements of their SCCs and remain legal post-Schrems II, organizations can use MachinaTM to:
- Employ strong encryption of data at rest and in transit;
- Maintain separate control over the storage, use, and access of EU personal data; and
- Keep and hold encryption keys separate from its US-based CSP.
Among other alternatives, Machina integrations with Google Cloud, AWS, and Microsoft Azure provide practical solutions along with seamless integration and ease of implementation for EU personal data stored in one of the major cloud providers. For organizations looking to externalize key management for BigQuery and Compute Engine completely outside Google Cloud Platform, Ionic offers Machina for Google External Key Manager (EKM). And those are just examples of the solutions Ionic offers.
We would welcome the chance to speak with you. Contact us for a commitment-free discussion about how we might be able to help you navigate this uncertainty.
Robert Ball is chief revenue officer and chief privacy officer at Ionic Security: Ionic enables unified data security and access control, by providing policy-based authorization, security, and visibility, in any environment. Robert also serves as the company’s general counsel and the chair of the policy council of the National Technology Security Coalition. Robert has 20+ experience at the intersection of technology and law & policy.