Final guidance on Schrems II ruling: Data from EU could be held up if a third country lets authorities access it
We're looking at you, Uncle Sam
The European Data Protection Board (EDPB) has finalised its guidance to businesses on how they should proceed following the Schrems II ruling, which struck down the Privacy Shield data-sharing arrangement between the EU and the US.
In its final version of the recommendations [PDF] on supplementary measures to accommodate the ruling, the EDPB said the transfer of data could be impinged on if legislation in a third country allows authorities to access data transferred from the EU, even without the importer's intervention.
In the Schrems II ruling, named after Austrian privacy activist and lawyer Max Schrems, the EU Court of Justice said that Section 702 of the US Foreign Intelligence Surveillance Act together with a US presidential order and a policy directive on data collection by spies failed to meet EU data protection requirements.
Bringing the case, Schrems argued that once his data was in the US, no EU-style data privacy controls were legally enforceable by him or anyone else in that situation.
Other modifications in the guidance include an "emphasis on the importance of examining the practices of third-country public authorities in the exporters' legal assessment to determine whether the legislation and/or practices of the third country impinge – in practice – on the effectiveness of the Art. 46 GDPR transfer tool," which includes the condition that enforceable data subject rights and effective legal remedies for data subjects are available in the country data is sent to.
Retained in the document is guidance about the use of encryption for protecting data in third countries, as is common with cloud companies moving data between jurisdictions.
As raised by The Register last year, the guidance allows for data sharing with encryption only if the "keys are retained solely under the control of the data exporter, or by an entity trusted by the exporter in the European Economic Area or under a jurisdiction offering an essentially equivalent level of protection to that guaranteed within the EEA."
The problem arises with bring-your-own-key encryption as offered by cloud providers, since the providers themselves could be obliged by the authorities to hand over data. If the exporter uses such a cloud service and puts the encryption keys into the cloud, or makes them available to the cloud provider so it can decrypt and process data inside the cloud, then that data could be intercepted, copied, or manipulated.
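To make the key-custody point concrete, here is an added illustration (not code from the EDPB, The Register, or any cloud provider) that models the two cases above: the exporter encrypts client-side and keeps the key in the EEA, versus the exporter making the same key available to the third-country cloud. The cipher is a demonstration construction (HMAC-SHA256 keystream in counter mode with an HMAC tag, standard library only); the `ThirdCountryImporter` class and `transfer` helper are hypothetical, and an access demand is modelled as the importer returning whatever it can decrypt.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC-SHA256(key, nonce || i)
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under a fresh nonce; this blob is all the importer receives."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt(key: bytes, blob: dict) -> bytes:
    """Verify the tag, then strip the keystream; fails closed on a wrong key."""
    tag = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("authentication failed")
    ks = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(c ^ k for c, k in zip(blob["ct"], ks))


class ThirdCountryImporter:
    """Hypothetical cloud service outside the EEA: it holds only what the exporter hands over."""
    def __init__(self) -> None:
        self.blobs: list = []
        self.key = None  # bytes only if the exporter puts the key into the cloud

    def compelled_disclosure(self) -> list:
        """What an access demand on the importer can yield: plaintext only if it holds the key."""
        if self.key is None:
            return [None] * len(self.blobs)
        return [decrypt(self.key, b) for b in self.blobs]


def transfer(record: bytes, key_into_cloud: bool) -> list:
    """Exporter keeps the key in the EEA (False) or makes it available to the cloud (True)."""
    key = secrets.token_bytes(32)  # generated and retained by the exporter
    importer = ThirdCountryImporter()
    importer.blobs.append(encrypt(key, record))
    if key_into_cloud:
        importer.key = key  # the BYOK-into-cloud case the guidance warns about
    return importer.compelled_disclosure()
```

With the key retained by the exporter, the importer can surrender only ciphertext; once the key is placed in the cloud, the same request yields the personal data in clear.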
The Schrems II ruling already meant international data flows were subject to much closer scrutiny from the supervisory authorities, according to EDPB Chair Andrea Jelinek.
"The goal of the EDPB Recommendations is to guide exporters in lawfully transferring personal data to third countries while guaranteeing that the data transferred is afforded a level of protection essentially equivalent to that guaranteed within the European Economic Area," she said.
"We want to make it easier for data exporters to know how to assess their transfers to third countries and to identify and implement effective supplementary measures where they are needed. The EDPB will continue considering the effects of the Schrems II ruling and the comments received from stakeholders in its future guidance." ®