The Impact of Schrems II on the Modern Multinational Information Security Practice Part 2: Minimizing the Impact on Organizations

As discussed in “What the Schrems II Ruling Means for Modern Multinational Information Security Practice, Part I,”1 on 16 July 2020, the Court of Justice of the European Union (CJEU) rendered what is likely to be its most disruptive decision to international commerce to date, Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”). The prospect of surveillance by US intelligence agencies of electronic data flowing into the US via transatlantic cables was seen by the CJEU as a threat large enough to merit invalidating the US-EU Privacy Shield program and substantially burdening the use of Standard Contractual Clauses (SCCs). Both of these mechanisms were previously used to legitimize personal data transfers from the European Union to the United States. As to the latter, the CJEU stated that continued use of SCCs must also include “supplementary measures,” apparently intended to frustrate surveillance by intelligence agencies when transfers of EU personal data from the European Union to the United States (and, potentially, other nations) take place. Given the decision’s immediate effect, data protection teams, including their legal counsel, must now determine how best to legally continue such transfers in support of the missions of their respective organizations. An analysis of the response from the European Data Protection Board (EDPB), the EU’s data protection law enforcement agency, can help data protection teams determine what measures they can take now to minimize the impact.

European Data Protection Board Falls Short

After the Schrems II decision was handed down, the need for authoritative guidance on navigating the mandates set forth became especially acute, and the logical (and perhaps only) candidate for issuing that guidance was the European Data Protection Board (EDPB). The EDPB is the overarching EU data protection authority, which, among other things, ensures compliance with EU data protection laws, cooperates with national supervisory authorities to enhance consistency in privacy laws and intervenes with the CJEU on data protection law. It came into existence in May 2018, along with (and as a creation of) the EU General Data Protection Regulation (GDPR). It represents a fusion of the Article 29 Working Party, an EU data protection think tank, and the European Data Protection Supervisor (EDPS), a regulatory agency that enforced data protection laws against EU institutions.

On 10 November 2020, the EDPB adopted Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (Recommendations).2 The document recommends measures that could satisfy the “supplementary measures” mandate of Schrems II. It consists of (roughly) three sections: a summary of Schrems II and a list of the steps necessary to legally export personal data from the European Union to third countries using SCCs, use case examples of supplementary measures that could meet the mandate of Schrems II if perfectly executed, and possible sources of information for assessing a non-EU destination country. Although meaningful guidance from the EDPB as to measures that would likely withstand scrutiny by authorities would be welcomed by professionals, this document only serves to exacerbate the problem. The seven scenarios, or use cases, that describe potentially effective (and, in contrast, ineffective) supplementary measures are poignant examples of this; in particular, Use Cases 1, 2 and 6 and their weaknesses are summarized as follows.

Use Case 1: Data Storage for Backup and Other Purposes Not Requiring Access to Data in the Clear
In this scenario, a data exporter uses a service provider in a third country to store personal data. The EDPB considers this to be effective if all of the following conditions are met:3

  1. The personal data are encrypted using “strong encryption” before transmission.
  2. The encryption algorithm conforms to the state-of-the-art of cryptography and can be considered “robust against cryptanalysis performed by public authorities in the recipient country.”
  3. The strength of the encryption takes into account the time period for storing the personal data in question.
  4. The “encryption algorithm is flawlessly implemented by properly maintained software the conformity of which to the specification of the algorithm chosen has been verified (e.g., by certification)[.]”
  5. The encryption keys are reliably managed.
  6. Those keys are retained solely under the control of the data exporter or other trusted entities.

The second and fourth conditions are likely fatal to the successful use of this scenario. In essence, they ask the organization (referred to by the GDPR as a “data controller” and also the likely importer in this case) to understand the cryptanalytic capabilities of a state’s intelligence community and law enforcement agencies. They also ask for a “flawless” implementation of the encryption algorithm. Given that no organization can know the cryptanalytic capability of a nation-state’s intelligence organizations, and that “flawless implementation” of encryption is both vague and unlikely to be met by most entities, this scenario sets a very high bar to clear.

Use Case 2: Transfer of Pseudonymized Data
Under this scenario, a data controller pseudonymizes (i.e., deidentifies) the data it holds and transfers them out of the EU to a third country.4 The EDPB considers this to be effective if all of the following conditions are met:5

  1. The data exporter has effectively employed pseudonymization technology to protect EU data subjects.
  2. The additional information necessary to reidentify those data subjects is held exclusively by the data exporter in a separate EU or third country.
  3. That additional information is itself protected by appropriate technical and organizational safeguards.
  4. The data controller has analyzed the personal data in light of “any information that the public authorities may possess” about the data subjects and that those data subjects cannot be reidentified, even with use of such information.

The fourth condition sets a standard that is almost impossible to achieve—how can a professional know what information the public authorities possess about the data subjects in their data set? Most information held by the US intelligence community and law enforcement agencies is exempt under the US Freedom of Information Act (FOIA), so there is no meaningful way to ascertain such information in an EU-to-US transfer. Although pseudonymization as a technical control may have merit in protecting personal data, this scenario as a whole is likely not feasible for the typical data controller.

One section of the recommendations describes “Scenarios in which no effective measures could be found.”6 One such scenario (Use Case 6) is a cloud service provider that needs access to unencrypted personal data to perform some function—something that is likely familiar to many organizations.

Use Case 6: Transfer of Data to CSPs or Other Processor to Process According to Instructions in a Third Country
Under this scenario, “the EDPB is, considering the current state of the art, incapable of envisioning an effective technical measure to prevent that access from infringing on data subject rights.”7 The Recommendations spell out the details of such an infeasible scenario thusly:

  1. A controller transfers data to a cloud service provider (CSP) or other processor.
  2. The CSP or other processor needs access to the data in the clear to execute the task assigned.
  3. The power granted to public authorities of the recipient country to access the transferred data goes beyond what is necessary and proportionate in a democratic society.

The Schrems II decision all but declared that the legal authority granted to the US intelligence community and law enforcement agencies to pursue intelligence gathering under the auspices of E.O. 12333, FISA 702 and PPD-28 exceeds what is a “necessary and proportionate measure in a democratic society.”8 Therefore, it appears that any personal data transfer made to a cloud or other service provider with unencrypted personal data is per se unlawful under EU law.

The CJEU burdened every organization to develop supplementary measures on a case-by-case basis to compensate for US intelligence-gathering activities into which they have no insight. The EDPB merely raised the anxiety level and provided use cases with unrealistic requirements. Personal data transfers that cannot be adequately protected with supplementary measures must be stopped. Many organizations are fearful that their data transfers to a cloud or other service provider may be deemed illegal, subjecting them to high fines and other penalties.

Schrems II is likely not going to be the CJEU’s last word on this subject, either. For example, the European consumer organization Bureau Européen des Unions de Consommateurs (BEUC) recently filed a complaint with the European Commission over the personal data handling practices of Chinese media company TikTok,9 meaning more litigation over the subject of SCCs will likely occur.

The Post-Schrems SCCs

In November 2020, the European Commission published a draft Commission Implementing Decision with respect to updated SCCs, and the text of the proposed SCCs (the “Annex” to the Decision).10 The draft updates include some welcome changes, including the ability to:

  • Address processor-to-processor and processor-to-controller data transfers
  • Have more than two parties be part of the same data processing agreement
  • Add more parties to the same data processing agreement over time

Changes that have been made to account for the Schrems II decision include mandates for

  • A mutual warranty by the parties “that they have no reason to believe that the laws in the third country of destination applicable to the processing of the personal data by the data importer...prevent the data importer from fulfilling its obligations under these clauses.”11
  • An assessment supporting the warranty by the parties that incorporates the specific circumstances of the transfer, the laws of the third country of destination and any safeguards employed in addition to those under these clauses12
  • Notification to the data exporter by the data importer if the latter received a legally binding request by the public authority of the destination country for personal data transferred pursuant to the clauses13
  • Review by the data importer of the legality of the request for disclosure by the public authority14

The impact of Schrems II on the updates to SCCs cannot be overstated: A theme of protecting personal data during transfers out of the European Union permeates the text, ranging from the employment of safeguards to the anticipation of government access requests to the demonstration of compliance via documentation and the use of audits.

What Data Protection Teams Can Do Now

The EDPB’s Recommendations document cites the need to reassess the totality of the circumstances surrounding the transfers of personal data out of the European Union. That is accurate, and the immediate need to conduct a de novo review of those transfers is especially acute. There are steps that data protection teams can take immediately, including:

  • Organizations’ Article 30 Records of processing activities (i.e., data inventory) should be updated—Often, when organizations conduct data inventories, for every two programs or applications they find that use personal data, they find a third that was previously unknown. These are often programs or projects that have been abandoned or repositories that are Internet-connected even though they are not supposed to be. In some cases, they are sandboxes or other test environments that use live personal data (often in violation of policy) rather than test data. The list of opportunities for personal data misuse is long, and updating the Article 30 inventory is a good place to start bringing order to an organization’s data.
  • Organizations should determine whether all of the personal data collected and stored are needed—US organizations have historically tended to over-collect personal information because there is no penalty for doing so. Organizations should review their practices and curb data collection where possible. Organizations should determine what personal data are truly needed for specific business functions and identify the data that can be removed. The GDPR requires them to minimize the amount of data collected15 and to employ data protection by design and by default,16 so controllers should review any previous work performed in this capacity. Also, enterprise information governance software offers reporting that can give data protection team members a good idea of what data are being routinely used. Almost certainly, a small percentage of the total data inventory is responsible for the majority of data used daily (i.e., the 80/20 rule17), and much of the available data can be moved offline.
  • Organizations should determine what personal data can be localized within the European Union—Not all personal data that an organization processes needs to be viewed outside of the European Union. Personal data related to human resources (HR) functions inside the European Union are a prime example. US-based HR leaders will likely rely on local HR staff for administering EU employee benefits and do not need access to employee personal data. HR data can be held on servers within EU territories, and access can be limited to those who have a need to know. All major enterprise HR software produces summary reports that US-based HR leaders can receive and review without revealing any personal data. Also, those leaders have the option of going on-site to audit compliance with enterprise policies.
  • Organizations should leverage EU jurisprudence for conducting data protection risk assessments—The proposed updated SCCs place a great deal of emphasis on the need to evaluate the risk associated with a data transfer. Arguably, that assessment for existing systems should have taken place even before Schrems II. One tool for such a risk assessment is the Article 29 Working Party’s white paper, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679.18 The Guidelines describe a threshold analysis for determining whether a complete data protection impact assessment (DPIA) is warranted, something normally done for personal data processing that poses a high risk to data subjects. Although they are not legally binding in EU courts, the Guidelines have substantial persuasive authority. Post-Schrems II, the Guidelines take on new relevance for identifying worst-case scenarios involving the transfer of personal data and mitigating them.
  • Organizations should leverage available documentation—The proposed SCCs also emphasize the ability to demonstrate compliance with these clauses. For example:

[T]he data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and allow for and contribute to reviews of data files and documentation, or of audits of the processing activities covered by these Clauses, in particular if there are indications of non-compliance.19

Documentation of data protection measures, including assessments and audits (e.g., SOC 2 Type II), employee training, and compliance with cybersecurity best practices (such as assessments or certifications granted by third parties, e.g., International Organization for Standardization [ISO]/International Electrotechnical Commission [IEC] ISO/IEC 27001) are already necessary for day-to-day compliance with a constellation of data protection laws. Schrems II has underscored the need to collect and review such documentation on a regular basis and have it ready if (and when) a data breach or other negative event takes place.

Conclusion

In Schrems II, the CJEU rendered what is likely to be its most disruptive decision to international commerce to date. Specifically, the decision invalidated the US-EU Privacy Shield program as a legal mechanism for transatlantic personal data transfers and added a substantial burden to the use of SCCs as an alternative. If Schrems II is to be taken at face value, multinational organizations (or data controllers) relying on SCCs to transfer EU personal data out of the EU must review those clauses (and accompanying data processing agreements) immediately and determine what supplementary measures may be required, particularly for EU-US transfers. Some questions raised by the Schrems II ruling but left unanswered by the EDPB’s Recommendations include:

  • How does a data controller evaluate the intelligence gathering and cryptanalytic capabilities of state intelligence and law enforcement agencies vis-à-vis their ability to frustrate them?
  • What has been the effect of the Schrems II ruling on existing SCC-based data transfers from the European Union to nations that lack “the rule of law [and] respect for human rights and fundamental freedoms”?20 Have the transfers simply stopped, or do they continue?
  • What does this mean for:
    • Nations lacking adequacy (i.e., data protection essentially equivalent to that of the European Union), such as the United States, that share intelligence with those that possess it, such as Canada and Israel
    • Transfers to the United Kingdom, which has just received provisional adequacy status21 but has similar bulk intelligence gathering programs that have been called into question22
    • EU member states whose intelligence agencies have upstream Internet connections that have not been publicly acknowledged in the same way that E.O. 12333 was acknowledged

These questions mean that more litigation is almost certainly on the way as authorities and multinational organizations test the limits of the ruling in court. The outcome of Schrems II is that data protection professionals of all types and those supporting legal counsel need to formulate a way forward to comply. That will require:

  • Questioning assumptions about centralizing personal data stores and processing within the US
  • Taking a skeptical view of the variety and amount of personal data collected to provide a service to data subjects
  • Taking a new look at the available inventory of proven technology and data protection frameworks23 for more robust data protection

Although the potential for the balkanization of global data processing operations is unpleasant, it is now a very real possibility. Given how unhelpful the EDPB’s Recommendations were, professionals are now left to their own devices to continue transferring personal data from the European Union to the United States. If (and how) Facebook resolves this, it will likely prove instructive for those supporting other US-based multinationals. Until then, they are largely on their own.

Resources

Gellman, B.; Dark Mirror: Edward Snowden and the American Surveillance State, Penguin Press, USA, 2020

Manpearl, E.; “Adapting U.S. Electronic Surveillance Laws, Policies, and Practices to Reflect Impending Technological Developments,” Catholic University Law Review, vol. 69, iss. 53, 2020, https://scholarship.law.edu/lawreview/vol69/iss1/8

Margulies, P.; I. Rubinstein; “EU Privacy Law and U.S. Surveillance: Solving the Problem of Transatlantic Data Transfers,” Lawfare, 10 March 2021, https://www.lawfareblog.com/eu-privacy-law-and-us-surveillance-solving-problem-transatlantic-data-transfers#

Endnotes

1 ISACA®, “The Impact of Schrems II on the Modern Multinational Information Security Practice, Part 1,” ISACA® Journal, vol. 6, 2001, https://www.isaca.org/archives
2 European Data Protection Board, Recommendations 01/2020 on Measures That Supplement Transfer Tools to Ensure Compliance With the EU Level of Protection of Personal Data, Belgium, 10 November 2020
3 Ibid.
4 European Union Agency for Cybersecurity (ENISA), Pseudonymisation Techniques and Best Practices: Recommendations on Shaping Technology According to Data Protection and Privacy Provisions, Greece, 3 December 2019, https://www.enisa.europa.eu/publications/pseudonymisation-techniques-and-best-practices
5 Ibid.
6 Op cit European Data Protection Board
7 Ibid.
8 Court of Justice, Data Protection Commissioner Facebook Ireland Ltd, Maximillian Schrems, Case C-311/18, 16 July 2020, https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=3705396
9 The European Consumer Organisation (BEUC), “BEUC Files Complaint Against TikTok for Multiple EU Consumer Law Breaches,” 16 January 2021, https://www.beuc.eu/publications/beuc-files-complaint-against-tiktok-multiple-eu-consumer-law-breaches/html
10 European Commission, Data Protection—Standard Contractual Clauses for Transferring Personal Data to Non-EU Countries (Implementing Act), 2020, https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12741-Data-protection-standard-contractual-clauses-for-transferring-personal-data-to-non-EU-countries-implementing-act-_en
11 Ibid., Clause 2(a)
12 Ibid., Clause 2(b)
13 Ibid., Clause 3.1(a)
14 Ibid., Clause 3.2
15 Ibid., Article 5(1)(c)
16 Ibid., Article 25
17 Church, T.; “What You Don’t Know About Pareto’s 80/20 Principle,” https://tomchurch.co.uk/what-you-dont-know-about-paretos-8020-principle/
18 European Commission, Guidelines on Data Protection Impact Assessment (DPIA), Belgium, 13 October 1017, https://ec.europa.eu/newsroom/article29/items/611236/en
19 Ibid.
20 Op cit Court of Justice
21 European Commission, “Data Protection: European Commission Launches Process on Personal Data Flows to UK,” Belgium, 19 February 2021, https://ec.europa.eu/commission/presscorner/detail/en/ip_21_661
22 European Court of Human Rights, Case of Big Brother Watch and Others v. the United Kingdom, France, 13 September 2018, https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-186048%22]}. Additionally, the UK and US routinely share intelligence data.
23 In 2019, both the NIST Privacy Framework and ISO/IEC 27701 Security Techniques—Extension to ISO/IEC 27001 and ISO/IEC 27002 for Privacy Information Management—Requirements and Guidelines were published, offering guidance on protecting personal information at the enterprise level, including protection in a multinational context.

Scott M. Giordano, JD, CISSP, IAPP FIP

Is an attorney with more than 20 years of legal, technology and risk management consulting experience. He is vice president, corporate privacy and general counsel at Spirion, where he serves as a subject-matter expert on multinational data protection and its intersection with technology, export compliance, internal investigations, information governance and risk management. Prior to joining Spirion, he served as director of data protection for Robert Half Legal and established the global privacy program for Esterline Technologies Corporation. During his career, Giordano has held senior positions at several legal technology firms and is co-inventor of Intelligent Searching of Electronically Stored Information. He taught the first law school course anywhere on electronic evidence and ediscovery.