By: Bill Tolson | October 19, 2020
With the invalidation of the EU-US Privacy Shield, companies will need to adopt processes and technologies that put more control of the data in their hands when storing and utilizing cloud solutions. In this podcast, we explore the issues that caused the Court of Justice of the European Union to invalidate the Privacy Shield, and additionally, what challenges US companies face in order to get the data flowing again. Listen to this podcast to learn more.
Privacy Impact Assessments, GDPR, and the Fall of the Privacy Shield
How can organizations use Privacy Impact Assessments to show the GDPR authorities that additional steps were taken to protect EU personal information?
Speakers
James McCarthy, Esq.
General and Litigation Defense Counsel
James has served as general and litigation defense counsel for 25 years in private practice, providing guidance on legal compliance obligations and structuring contractual relationships with partners and customers. This includes local, county, and state government bodies. James is also an adjunct lecturer at Felician College on business law.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript:
Bill Tolson:
Welcome to the Archive360 podcast titled, Privacy Impact Assessments, the GDPR, and the Fall of the Privacy Shield. With me again today for this podcast is Jim McCarthy, Chief Compliance Officer and General Counsel for Archive360. My name is Bill Tolson and I am the VP of Compliance and eDiscovery at Archive360.
Bill Tolson:
With the invalidation of the EU-US Privacy Shield in July, many US companies are wondering if they will ever be able to take possession of EU personal information again. Now, with the current regulatory environment around EU data privacy concerns, companies will need to adopt processes and technologies that put more direct control of the data in their hands when storing and utilizing data in cloud solutions. In this podcast, Jim and I will explore the issues that caused the Court of Justice of the European Union to invalidate the Privacy Shield, and additionally, what US companies can do to address the issues to get the data flowing again.
Bill Tolson:
There are two potential tools to address this PI data transfer roadblock, and they are, number one, using local on-premise encryption and key storage to ensure cloud service providers cannot independently decrypt and access your company's data, including for government subpoenas, and number two, proactively putting in place a third party privacy impact assessment to demonstrate to the EU GDPR authorities that the US-based company has taken the needed additional security steps to better protect the EU PI. So with that in mind, the invalidation of the privacy shield came here recently from what's known as the Schrems II decision. So Jim, can you explain the main issues that the CJEU had around the privacy shield and why [inaudible 00:02:15] EU and US companies scrambling to figure out if the issues can be addressed?
Jim McCarthy:
Sure. And it's good to be with you today, Bill. Let's put this into context. What are we talking about? We'll speak to data transfers to the United States. What is that? What does it apply to? And I like to think about it like this. Very simply stated, it's any data about an EU citizen that's maintained in any EU company's computers that's shared with a US company. It's simply that broad. Put some examples to get a clearer idea. An insurance broker in England reduces claim notes to its computer CRM system, and then shares that information with its own US parent. This is what we call a restricted transfer that's subject to this new law. A German bank shares its own customer's data, its accounts, with its US affiliate; a restricted transfer. And there's also not only these overt things Bill, but we're also talking about benign applications.
Jim McCarthy:
Let's say that there's a localized business in the EU that doesn't need to share its data to operate its business, so let's say a hotel. But let's say that same hotel uses a cloud IT service for bookings, like one of the popular sites, TripAdvisor, Kayak, et cetera. And they store or process the hotel's data outside the EU; another restricted transfer. So when we start to look at all the different applications, we'd start to get an idea how big and how much ground this covers.
Jim McCarthy:
And I think it's best stated by our own US secretary of commerce, Wilbur Ross. As soon as the Schrems II decision came out, he identified that this was really about a $7 trillion transatlantic economic relationship that affects more than 5,300 companies. So that's what we're talking about, Bill. That's what's on the line. And it's good to have that context when we're talking about the issue. And the issue in the Schrems II was about what we now refer to as the US privacy shield, and these are simply a structure that's built to assure these EU regulators that the protections that United States has over personal data is not compromised. And in that, compromised by even the United States law enforcement and investigation of those people's records. So that's the background, that's the issue that we're talking about in this decision.
Bill Tolson:
Yeah. The Schrems II was really interesting, in that it, number one, invalidated the privacy shield and put everybody questioning, "Well, how are we going to transfer data?" Because there is a lot of data transfer from the EU to the US for all kinds of economic reasons as well as many others. But interestingly, I think right before... Within a half a year of this case being decided, the US passed the Cloud Act, which basically gave the US government as well as, I think, the US courts the ability to ask for data held by US companies, no matter where that data was held; to ask for it to be presented to them for intelligence reasons, or eDiscovery, or whatever it happened to be.
Bill Tolson:
And because of the Cloud Act being put into law, the EU saw that as, on their side, massive government overreach, in that EU personal information was no longer protectable under the privacy shield. Because the privacy shield had nothing to do with the legal capabilities of the government agencies as well as the court system. So reading the decision and the notes around it, the fact that the US government or court system can demand information, even PI from EU custodians if it's held by US companies, really, I think was one of the underlying decisions for why the court invalidated the privacy shield. Is that correct?
Jim McCarthy:
It is. And I think it's important to step back for a moment. The privacy shield litigation that we call a Schrems II, some background on that may be important, is that Schrems II, as the name may imply, originated from the predecessor case that we call Schrems I, which was the initial litigation that invalidated what was known as the Safe Harbor Provision of US law. And the privacy shield that we're talking about and Schrems II is simply the successor mechanism that was created hastily once the Schrems I decision was made in 2015. So it's five years later, but we're still really just finding out what the scope of these decisions mean for transatlantic commerce.
Bill Tolson:
Yeah. And that's really the main discussion point for this podcast is, now that privacy shield has been invalidated, looking at GDPR for example, GDPR has an article in it that stipulates what they call data protection impact assessments, which is basically a privacy impact assessment. How can the data collector, the EU company passing data to a US processor, how can they ensure that that PI is not going to be basically pulled into an intelligence agency net or into an eDiscovery, without the owner of the data having some say about it? With the privacy shield gone away in that specific Schrems II case, they referred back to something that's called standard contractual clauses-
Jim McCarthy:
I'm sorry Bill, go ahead.
Bill Tolson:
... as the fallback tool. But that same decision also called into question the viability of relying on SCCs, standard contractual clauses, in the future, because they don't do exactly what the privacy shield didn't do as well, and that's protect EU PI from government's access. So that decision that the court basically put into play, the possibility that standard contractual clauses will be invalidated shortly, because again, they don't address the main issue. In fact, I've seen in some of the articles that Schrems is already positioning for a third lawsuit going directly after SCCs.
Jim McCarthy:
It stands to reason, right, Bill? I mean, the first mechanism that we set up was under fire in Schrems I, that was the Safe Harbor. The second is the privacy shield, stands to reason that the next artificial construct that they build, which doesn't address the central issue like you say, is going to be next as far as litigation. And you could say that the result of the second Schrems was arguably worse than that in the first. Not only the invalidation of the transatlantic transfer program was challenged successfully, but it de-stabilized the main alternative transfer message. So I think now you have a situation where the CJEU, that's the judicial branch of the EU, is now establishing its own primacy on the subject matter, rather than looking at the individual states that are impacted.
Jim McCarthy:
So I think you are right. I think we will set the stage shortly for Schrems III. And if anyone's interested in where we're getting this name from, who is Schrems? We've addressed it in prior podcasts Bill, but I always thought it was interesting to note that Max Schrems was an Austrian law student that initially complained to the Irish Data Protection Commissioner that his Facebook account was... Facebook was headquartered in... European headquarters in Ireland, could actually be obtained by US authorities. And after the Edward Snowden disclosures in 2013, he became a privacy activist. And so it's Max Schrems we have to thank for the name here, Bill, but it certainly moved beyond Facebook.
Bill Tolson:
Yeah. Yeah. And speaking about Facebook, it's really interesting. A month ago almost exactly, an EU privacy regulator sent Facebook a preliminary order to suspend data transfers to the US, in reality to itself in the US, about its EU users. Basically it's an operational and legal challenge for Facebook and other tech giants. And the order to stop doing data transfers is really based off of number one, the privacy shield going down, and then this question around SCCs. But the EU privacy regulator, in this case I think was Ireland, saying to suspend the data transfer, suggests that it has also found standard contractual clauses aren't sufficient under the Schrems II ruling.
Bill Tolson:
If that logic stands, then SCCs probably will be ruled invalid for other large technology and telecommunications companies that fall under the purview of the US surveillance laws discussed in the EU court ruling, including under the Foreign Intelligence Surveillance Act, section 702. But very quickly, back on Max Schrems, I mean, the guy has really made a name for himself, and he is now a practicing attorney. I would suggest that his billable rate is probably pretty high.
Jim McCarthy:
It certainly has had some notoriety on it. Bill, one other part of the ruling that the CJEU had in July was that they found that the ombudsmen that act as the safety valve for examining whether or not personal data is transferred to the US in violation of the rule, now they found fault with that ombudsman. And that should be concerning to people who still rely on standard contractual clauses, because arguably that's what we put into place now, is that sort of evaluation as to whether or not the particular transfers in question are problematic. So I think that it would be difficult to rely on the standard contractual clauses as a long-term plan.
Bill Tolson:
Yeah. I agree, and I think lots of people agree on that. In the face of Facebook being told to not send data to the US based on the current tools, I think two weeks ago Facebook put a comment out on a press release saying, "If this ruling holds," meaning Facebook stops sending stuff and stops sending data to itself in the US, then Facebook stated that, "We cannot do business in the EU anymore if that's the case." So, I mean, this is obviously... Going up the ladder of priority for both the governments over there as well as the big tech companies here, and depending on how these things are decided, what could big technology, Facebook, and the rest of them do in sending information back and forth?
Bill Tolson:
I mean, it really puts a question mark there, and Facebook really set the stage to say, "We can't do business this way, so there's a real possibility that we're going to have to turn off Facebook in the EU." Now do I think that's going to happen? Probably not, but that really brings up the issue or the question of, if the biggest issue the EU has with US laws is the ability for the courts or government agencies to legally get access to all data held by US companies, obviously with the proper court rulings, is there anything that US companies can do to put in place that would help them conform with, or address the issues that the EU court had, but allow them to continue to move data across?
Bill Tolson:
And again, in my mind... And we haven't mentioned this yet in this podcast, but one of the biggest issues that I think that the EU has is, number one, the government demanding access to the data, legally, obviously, but also nowadays with all of the data or most companies storing their data in the cloud, the ability for US agencies or the courts to go to a cloud provider and demand that that cloud provider number one, decrypt their client's data and hand it over to them. And, "Oh, by the way, it's a secrecy warrant so you cannot tell the data owner that we actually did this." When I talk to customers and potential clients and stuff, that's one of the biggest problems they have, is that this data which positions them as potentially being out of regulatory compliance with the GDPR, and we all know the size of the fines there can be huge, but then the data being copied without them ever knowing it, really sets CSOs on edge, that's for sure.
Jim McCarthy:
Sure. And let's look at it from the other side. The purpose behind these things, these gag orders if you will, that restrict the ISP from disclosing that to their customer is clear. I mean, law enforcement does not want to tip off the subjects whom they're investigating that they're being investigated.
Bill Tolson:
Sure. And it's hard to argue with that.
Jim McCarthy:
Yeah. We want robust law enforcement techniques, and we have this struggle now, how do we deal with businesses in a relatively flat and smaller world in which geographical boundaries don't make sense anymore? That's what we're up against, and so let's circle back to your question, what options do companies have? Because this is the current situation or a complex of laws that these companies that have transatlantic relationships, commercial relationships, simply cannot satisfy both ends. What do they do?
Bill Tolson:
Yeah. I mean, I don't think that the issue is completely addressable, but I think parts of it are. And we've talked about this and the idea that number one, a data processor in the United States, somebody taking possession of EU PI, now with these rulings and with worries from before, they're somewhat hesitant to put this data in the cloud, because they don't want a court or a government agency going to their cloud provider and getting the data without them knowing about it. And the issue is, can that be stopped or slowed down, but mostly stopped, because it's in the cloud and there's a third party actually controlling it? The only obvious way to stop it is to store everything on prem. Don't put it up in the cloud, therefore if a government agency wants the data, they have to get the legal authority to do it, and then come directly to you, the data owner, and then you can choose to fight it in court and all kinds of neat stuff.
Bill Tolson:
But if it's in a third party cloud, you may never know that data has ever been accessed. So the question is, are there policies, procedures, and technologies that could at least address some of those? And one of the obvious ones is, if you're going to put it in the cloud, encrypt it. And don't rely on the cloud provider to encrypt the data, encrypt it yourself on prem before you store it in the cloud. Then an entity can come to the cloud provider and say, "Give me the data and decrypt it," and what's going to happen? The cloud provider's going to say, "Sure, I'll make a copy of it for you, but it's fully encrypted. I don't have the encryption keys." Therefore, at least one issue is addressed. So this idea of encrypting, especially this type of data, but any kind of data that you're going to move into a third-party cloud repository, encrypt it on prem and then move it up to the cloud, and keep your encryption keys on premise. Therefore you control who actually has access to it, not the third party cloud provider.
Jim McCarthy:
Yeah. Well, I want to stop you there, Bill, because candidly, of all the options that are out there, that's the one I'd like to focus on, because... And let's circle back to encrypting it before it leaves the house. What other options could be available? I mean, one could be data localization where businesses simply retain all of their data within their own jurisdiction. It's hard to imagine how many companies that work from country to country could carry out their business if data that originates within the EU can't come out of it. So these are the practical difficulties of this decision.
Jim McCarthy:
The other option, which is not at all comforting either, is do nothing different and just wait. Wait to see if the regulators are really going to crack down. And the risk of that, as you know, is the really heavy weight of the GDPR fines. You mentioned that they were high, but how high? I mean, it could be as much as 4% of your worldwide revenue, right? Or tens of millions of dollars. So doing nothing and hoping for the best, not a great option, either.
Jim McCarthy:
Another option is, you could examine whether or not this type of information that your company has is likely to be the focus of some sort of subpoena. But that's not all that comforting either. So I like the thing you just hit on, and I'd like to circle back to that. How would this work? Talk to me if you would about encrypting data before it goes to the cloud, because that would seem to me a way to minimize the risk of PI getting revealed if it happens to have to go to other countries because of the manner in which they do business?
Bill Tolson:
Well that's a good point. I mean, to be extra safe I would suggest number one, as the EU company transferring the data, where obviously they're going to do it all electronically... So number one, the data should probably be encrypted in transit, but also once it reaches the data processor or the company in the US who's taking the data, obviously in the vast majority of the time, due to digital transformation and all kinds of neat buzzwords, it's probably going to be stored in the cloud. The idea that before you move it into a third-party cloud, and we're not disparaging third party clouds; they're making the world work, so it's great. But you need to understand what the security is and what the governments or the courts can do to demand access to it.
Bill Tolson:
And so what you want to do is take the possibility of the third-party cloud provider, take them out of the equation so that yeah, your data exists up there, but if it's totally encrypted and unreadable, fine. Maybe they give the encrypted copy to the government, and the government warns you, "You cannot tell these guys that we took this stuff." Unusable and cannot be used, cannot be accessed and so forth. So my thought was this: Would the combination of strict data encryption procedures and technologies, that at least put the decision on responding to a government order in decrypting the data into the owner's hands versus a third party? The combination of that technology, as well as maybe looking at the idea of companies who are regularly taking possession of EU personal information.
Bill Tolson:
If they are maybe contracting with a large third party consulting company or law firm to proactively put in place privacy impact assessments that the company could hold up to the EU regulatory officers and say, "Listen, we've gone beyond this point. Number one, we have created or we have purchased technology that gives us more management and control of the EU PI above and beyond the Cloud Act, but also we've had a third-party organization come in and look at number one, the technology, but also our policies and procedures, and have given us a grade on a privacy impact assessment." Would having those two things in place maybe take the place of the invalidated privacy shield, or the probably soon to be invalidated standard contractual clauses? Would it take the speed bumps away?
Jim McCarthy:
Bill, this is an interesting idea because as part of the privacy impact assessment, they could identify the use of this encryption strategy front and center to show that the data cannot be accessed traditionally, if they are subject to some type of investigation that gives the European regulators some sort of pause. I like this idea.
Bill Tolson:
Yeah. I think that's the basis of their, to put it bluntly, their heartburn over this whole thing. What we're trying to do is to say, "Okay, privacy shield has gone away, SCCs are probably going to go away." And if that's the case, because of the data protection impact assessment requirements in the GDPR, it seems to me that data transfers, like it was referenced in the Facebook case, are going to have to stop. I mean, even not doing anything, I think, on the EU's side, they're going to be telling those companies that are collecting PI, "You cannot transfer anything to the United States period, because nothing addresses our concerns." And the idea is, besides SCCs that really don't address the actual issue, putting these technologies and impact assessments in place proactively, would that show potentially enough ownership to the EU that the data is being protected at a much higher level?
Jim McCarthy:
I think the EU would be hard pressed to find that there's a genuine risk to that data if it's encrypted before it gets to the ISP. What is interesting to me is how US law enforcement may react to something that is so unreachable, even by way of a subpoena. And I'm thinking about encryption strategies that go over the 256, you know? It's just interesting. It's interesting, but the option that you've laid out with this encryption in advance is a very interesting work around.
Bill Tolson:
Yeah, it would at least show the companies in the EU who are going to transfer the data, as well as the EU data protection authorities, that there is a much higher level of protection, potentially, with these solutions. And it all comes down to, will the US company fight, or at least question, a government or court request for data, versus a third-party cloud provider just saying, "Sure, here it is. And no, we won't tell them."
Bill Tolson:
That's probably partly the heartburn we saw from the Schrems II decision, that the data owners in the EU will never know if that data was accessed by the United States Government or the courts. So I think it's an interesting subject, and I think the idea of having privacy impact assessments preemptively, that also takes into account the additional security technology, I think it would be interesting to present that to the EU GDPR folks, say, "Does this rise to the level of reducing your hesitancy?"
Jim McCarthy:
Yeah. It's almost a loaded question. How could it not, short of keeping all of the data within its own jurisdiction, the individual jurisdictions of the EU?
Bill Tolson:
Exactly. I mean, potentially-
Jim McCarthy:
Yeah. And that's not a practical solution given the national commerce.
Bill Tolson:
No, it's not. Yeah. I mean, obviously data has value otherwise we wouldn't be talking about this. And the European Union is to be commended for going above and beyond the rest of the world in protecting the data from misuse and all kinds of other stuff. I think we understand what the US government was doing, because we've had so many examples of data, the Apple iPhone case and so forth, of potential terrorist data not being accessible. And that was one of the main drivers for the Cloud Act, but it was so far reaching that it put into question this idea of just standard industrial data transfers. And we really need to address that.
Bill Tolson:
And by the way, I don't want to end the podcast before we mention, number one, Archive360 does provide a cloud-based information management and archiving system. The difference is it's not in a third party cloud, it's in the client's own Azure tenancy, so they have complete control of it. But we also provide the ability to do on-premise encryption before transfer to the cloud, where those encryption keys used are kept on premise locally under the protection of your company itself. So, I mean-
Jim McCarthy:
Yeah. Let me ask you something about that, Bill. When you say the encryption keys are onsite, so in effect the internet service provider does not have the encryption keys. Is that right?
Bill Tolson:
Exactly. They hold the data, but they hold it in an unusable format that they cannot open or view.
Jim McCarthy:
So if the internet service provider had a wayward employee, and I'm thinking a Paige Thompson-like employee that was responsible for the Capital One breach-
Bill Tolson:
Yeah, at Amazon, yeah.
Jim McCarthy:
This would protect against that scenario happening because the ISP doesn't have any access to the encrypted data.
Bill Tolson:
Exactly. And that's exactly right on the AWS Capital One case, as well as... One of the issues that the chief information security officers have had with the cloud in general, is, "Boy, I'm going to move it up to a SaaS cloud, and within the third-party SaaS cloud, they're going to encrypt it for me, and therefore it's safe." Well those encryption keys are stored in the cloud, controlled by the SaaS provider. So the potential worry is, "Well gee, one of the employees in the third-party cloud is going to grab the keys and look at my data."
Bill Tolson:
You can argue whether it's even worth enough to do that. I would suggest, especially law firms storing data in the SaaS cloud, that those data sets are extremely valuable, and those would become a major target. But even more so, like on the Capital One AWS case, that was, I believe a privilege escalation case, where the person at AWS started a phishing campaign, I think within Capital One. And I may be wrong on this, but I don't think I am, they basically transitioned from a phishing campaign into basically getting people to give her more and more privilege within the system, privilege escalation.
Jim McCarthy:
Right. [crosstalk 00:34:21]. I didn't want it to sound earlier that I meant that she simply had the encryption keys and then went to town disclosing that information. I think this was more sophisticated than that, where she recognized certain vulnerabilities in the Capital One system. And then-
Bill Tolson:
And the data was not encrypted.
Jim McCarthy:
Correct. But if the data was encrypted, then that would have presented a sizeable challenge for her and any other would-be hacker to reveal it.
Bill Tolson:
Yeah. It would have been a major roadblock. She probably could not have viewed the data. The idea is that if the data is encrypted locally and the keys stored locally, you put it up in the cloud, it doesn't matter if people run ransomware against you or phishing, or privilege escalation. If the keys themselves are protected locally, then you're protecting yourselves from all of those kinds of activities. So it really is kind of a straightforward, drop dead easy way to stop these kinds of risks. And based on the topic we're talking about, I think really addresses 70, 80% of the GDPR issues with privacy shield and SCCs.
Jim McCarthy:
Yeah. And like we've seen with many of these standards that some people believe are unworkable in total, efforts made to achieve what's called substantial compliance go a long way.
Bill Tolson:
That's a great point, and we've run across this in the US courts as well. If you don't do anything, and you should have known that you should have done something, that sends one message to a judge. If you did a lot, and really documented what you were trying to do to meet a certain obligation, that also means a lot to the judge. You're not just sitting there saying, "Well, we'll see if we get sued," versus doing all the right stuff, and gee, on occasion yeah, you still might lose out on data leakage or something like that. But doing industry best practices for example, goes a long way in sending a message to a data protection authority or to the courts that you were trying to be compliant.
Jim McCarthy:
I like the idea, Bill, where you couple the impact assessment with encryption of your data locally first, before migration to the cloud. I think that has a great one-two punch. And I think it does show that substantial compliance. And I think if any companies were reticent to go forward with their cloud initiative, this should be the type of strategy that they employ to get rid of those feelings of uneasiness that a CSO may have.
Bill Tolson:
And that's a great point. What I just talked about in reference to the local encryption and encryption key storage, I mean, that goes for all companies, not just companies dealing in EU personal information. With ransomware exploding and databases being encrypted and then let loose on the internet to basically release the private information, having local encryption, local key management, addresses a lot of the ransomware issues as well.
Bill Tolson:
Well Jim, I think that was a great discussion, I think that wraps up this topic and this podcast. If anyone has questions on what we talked about today, please send an email mentioning this podcast to info@archive360.com, and we'll get back to you just as soon as possible. You can also check out some of the blogs where we talk about this topic up on the Archive360.com/blogsite. And check back with us on a regular basis because we will be posting blogs on new topics regularly. So thank you all, and thank you Jim.
Jim McCarthy:
Bill, it was good joining you today and I look forward to speaking with you again.