Privacy Impact Assessments, GDPR, and the Fall of the Privacy Shield
By Bill Tolson | September 15, 2020
With the invalidation of the EU-US Privacy Shield, many US companies are wondering if they will ever be able to take possession of EU personal information. To satisfy EU data privacy concerns, companies will now need to adopt security/privacy technologies and processes that give them more direct control of their data when using cloud solutions. One of those tools could be proactively putting in place a Privacy Impact Assessment to show the EU GDPR authorities that the company has taken additional steps to protect EU personal information (PI).
The Schrems II decision
On July 16, 2020, the Court of Justice of the European Union (CJEU) ruling on the Schrems II court case struck down the EU-U.S. Privacy Shield as an accepted mechanism for transferring PI from the European Economic Area (EEA) to the United States. This case has been referred to as Schrems II. Additionally, the Standard Contractual Clauses (SCCs) for data transfers remain valid – and I discuss those in detail in this article. Note that they are subject to increased due diligence on the part of data exporters to ensure that the privacy laws of the importing country are adequate.
In its ruling, the Court focused on US Government surveillance practices, which the CJEU viewed as unjustly prioritizing US national security over the rights and freedoms of European data subjects. A related issue for the EU is that the US Government can issue secrecy (or gag) warrants to cloud services providers that demand the EU PI while blocking the cloud provider from alerting the US data processor to the data transfer.
Are Standard Contractual Clauses still valid?
EU companies are now forced to fall back on Standard Contractual Clauses (SCC), first created in February 2010 and approved by European Commission Decision 2010/87/EU. SCCs have been used as a fallback legal instrument for cross-border data transfers over the last decade.
Back in December 2019, the CJEU Advocate General (AG) issued a statement that in his opinion, the EU SCCs were still valid but that new obligations would need to be incorporated. In essence, the AG stated that the EU would need to examine the national security laws of the country of the data importer to determine whether they can in fact comply with the current terms of the standard SCCs.
Today, less than one year later, the Schrems II ruling has led the Irish Data Protection Commission to question the legality of SCCs, so their continued validity is in doubt as well.
With the invalidation of the Privacy Shield and uncertainty around Standard Contractual Clauses, how can EU-based companies legally transfer EU PI to a US company?
The Privacy Shield and the GDPR
The recently voided Privacy Shield was originally designed with the GDPR in mind, addressing both technological and procedural elements of privacy, and quickly became a permitted safeguard under the GDPR. GDPR Article 45 describes PI transfers based on an adequacy decision - "a transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection."
GDPR Article 35 states: “Where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
It’s important to remember that the Privacy Shield was invalidated in 2020 due, in large part, to eDiscovery and intelligence laws in the US. The various data protection authorities in the EU were concerned that US intelligence agencies and the US Courts’ eDiscovery process could ignore the Privacy Shield agreement (and SCCs) and demand access to the PI no matter where it is currently stored.
Many EU-based companies have expressed concern over the US Government's use of secrecy warrants – court orders that restrict third-party data repositories (cloud storage providers) from informing data owners when their data is accessed and copied by government agencies.
The underlying US law that other countries have issues with is the 2018 Clarifying Lawful Overseas Use of Data Act, otherwise known as the CLOUD Act. It includes two key provisions:
- the ability to legally demand access to foreign stored data
- the ability to create executive agreements for foreign access to US stored data.
The CLOUD Act amended existing US law to authorize US law enforcement and the courts to unilaterally demand access to data stored outside the US in US-based company repositories.
Under the CLOUD Act, there is no direct (end-user) process for individuals to challenge a legal order to turn over PI – only the cloud services provider can object. However, if the law enforcement tool used is a secrecy warrant, then the US data owner will never know their data was disclosed and copied. Additionally, a US court can require the production of that data despite the objection, even where the laws of another nation would be violated.
GDPR Article 35 – Data Protection Impact Assessments
The 2018 GDPR included the requirement (Article 35) to create a Data Protection Impact Assessment (DPIA) when PI processing is likely to result in a high risk to EU data subjects, for example when an EU-based organization transfers PI to a company outside the EU for processing and use.
A GDPR DPIA is a process to help organizations identify and minimize the possible data protection risks when collecting and transferring EU-based PI. Per the GDPR, a DPIA must:
- Describe the nature, scope, context, and purposes of the data transfer/processing
- Assess necessity, proportionality, and compliance measures of the process
- Identify and assess risks to individual data-subjects – i.e., access to PI from the US courts
- Identify any additional measures to mitigate those risks – the addition of technologies/processes that would reduce those risks
However, with the invalidation of the Privacy Shield, the open question about the continued validity of SCCs, and the passing of the CLOUD Act, the issue many EU-based organizations are now dealing with is: can a US-based company ever again qualify to receive EU PI?
Third-Party Privacy Impact Assessments (PIA)
A Privacy Impact Assessment is a process conducted by an organization, usually a third-party, to determine how a company’s existing technology/processes could compromise the privacy of the individuals whose data it holds, collects, or processes. A PIA is usually requested by an organization wishing to transfer sensitive data to another organization to help identify where data risk is present and what should be done to reduce it.
A PIA is typically designed to accomplish three main goals:
- Ensure conformance with applicable legal, regulatory, and policy requirements for privacy
- Identify and evaluate the risks of privacy breaches or other incidents and effects
- Identify appropriate privacy controls to mitigate unacceptable risks
The GDPR Data Protection Impact Assessment serves the same overall purpose as a third-party PIA but is triggered by the data collector to qualify the potential data transferee before PI can be moved to a US organization.
Could a third-party PIA pave the way for GDPR acceptance?
So how can EU data be legally transferred to US organizations now that the Privacy Shield is void? This is the number one question EU/US companies are trying to work out. The simple answer is that organizations will need to rely on standard contractual clauses until those too are invalidated by the CJEU, which could happen in the near future, because SCCs do not address the main issue the CJEU had with the Privacy Shield: the possibility that US courts or government agencies could legally, and secretly, gain access to EU PI. Without an answer to this problem, creating a preemptive Privacy Impact Assessment would not serve its intended purpose.
One obvious solution for EU/US organizations that utilize third-party cloud providers is to encrypt all data locally before moving it to the third-party cloud. This strategy ensures that third-party cloud providers cannot decrypt client data, forcing the courts and government agencies to go directly to the US data owner for the encryption keys. That gives the data owner the opportunity to fight the (secrecy) warrant and is an acceptable way to identify appropriate privacy controls to mitigate unacceptable risks.
If US data transferees' processes/procedures included local data encryption and local encryption key storage as a standard part of their data handling practices, then the GDPR DPIA/PIA and Privacy Shield issue could be partially alleviated, possibly paving the way for easier data transfers to US organizations.
To speed PI data transfers to the US, organizations should proactively:
- Include storage/information management technology which provides encryption of all data before movement to a third-party cloud
- Design processes that allow for local (onsite) encryption key storage and protection
- Work with an external service to proactively conduct and document a PIA that addresses GDPR DPIA requirements
- Provide that annually updated PIA to your EU data partners
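As an added illustration of the "encrypt locally, keep the keys onsite" pattern in the list above (example code written for this post, not Archive360's or the Security Gateway's own implementation), the hypothetical LocalKeyStore below holds an AES-256-GCM key that never leaves the data owner's site; the cloud receives only a nonce and ciphertext, so a request for the plaintext has to come to the key holder.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

// LocalKeyStore stands in for the on-premises key store (hypothetical type, not a
// product API): the key is generated here and never leaves the data owner's site.
type LocalKeyStore struct{ key []byte }

func NewLocalKeyStore() (*LocalKeyStore, error) {
	k := make([]byte, 32) // AES-256 key
	if _, err := io.ReadFull(rand.Reader, k); err != nil { return nil, err }
	return &LocalKeyStore{key: k}, nil
}

// CloudObject is everything the third-party cloud ever receives: a nonce and
// ciphertext. A warrant served on the provider can yield nothing more than this.
type CloudObject struct{ Nonce, Ciphertext []byte }

func (ks *LocalKeyStore) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks.key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts a record on-premises before it is moved to the cloud. The object
// name is bound as associated data so a stored ciphertext cannot be re-labelled.
func (ks *LocalKeyStore) Seal(name string, plaintext []byte) (CloudObject, error) {
	g, err := ks.aead()
	if err != nil { return CloudObject{}, err }
	nonce := make([]byte, g.NonceSize()) // fresh random nonce per object
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return CloudObject{}, err }
	return CloudObject{Nonce: nonce, Ciphertext: g.Seal(nil, nonce, plaintext, []byte(name))}, nil
}

// Open is the only route back to plaintext: a party holding a different key (the cloud
// provider, or anyone who obtained the object from it) gets an authentication error.
func (ks *LocalKeyStore) Open(name string, obj CloudObject) ([]byte, error) {
	g, err := ks.aead()
	if err != nil { return nil, err }
	return g.Open(nil, obj.Nonce, obj.Ciphertext, []byte(name))
}
```

Losing the on-premises key means losing the data, so the local key store needs its own backup and access-control procedures; those are outside this snippet.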
To reiterate, a DPIA/PIA includes not only a review of technology but also policies and procedures to document the company's commitment to safeguarding personal information, no matter from where it originates. However, the main roadblock for EU and US companies is the issue of secrecy warrants served on third-party cloud providers to turn over client data without notice to the data owner.
To restate a main point of this blog, encrypting data before movement to the third-party cloud removes the threat of secrecy warrants/subpoenas and forces the government or courts to come directly to the US data owners – providing them a chance to fight the subpoena for their data privacy legally.
By locally encrypting data before storage in a third-party cloud, one of the main issues the EU had with the Privacy Shield is removed. This is not to say that a company's challenge to a subpoena would be won every time. However, it does address the secrecy factor and ensures a company knows if its data is being accessed by a third party.
The Archive2Azure archive and Security Gateway
Unlike SaaS-based cloud solutions where the SaaS provider uses its own encryption keys to encrypt your data, the Archive2Azure Security Gateway enables encryption of your data on-premises before it's moved into your Azure cloud tenancy – utilizing your company's encryption keys – which remain secure onsite, at all times. Additionally, your encryption keys can never be accessed or used by Archive360 – or any other third-party entity.
This on-premises encryption process has the added benefit of significantly reducing the risk of a data breach triggering privacy regulatory notification requirements – a very costly process. In fact, the California Consumer Privacy Act (CCPA) stipulates that the breach notification requirement is not triggered if the breached data was encrypted AND the encryption keys were kept separately. Even though it is not explicitly stated, it is believed the GDPR authorities would rule the same way if presented with the same situation.
Archive2Azure with the Security Gateway provides the best of information management and archiving security/privacy in the cloud over that of SaaS platforms.
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.