The Misconception of the Schrems
February 17, 2021
We have undeniably had a turbulent time in various discussion forums and support chats. Even in many negotiations, the dialogue has been tuned up a few octaves since the Schrems II ruling came into force on 16 July 2020. The ruling meant, among other things, that the Privacy Shield agreement with the United States was annulled. The meaning and interpretation of this verdict have been summed up by many as "Now everything is over": all American systems must be replaced and the old, honest on-premises systems must be dusted off.
Schrems lies like a wet blanket over future development opportunities, with a few loud voices taking command over sense and balance. We see a big snowball effect whose original instigator, the Austrian Max Schrems, started it through his report to the European Court in 2015.
We believe that we must stop being intimidated by Schrems, because its effects are grossly misinterpreted and overly dramatized. Let's not forget that we have several useful technical solutions. Have we then created "much ado about nothing"? Well, Schrems certainly comes with implications, but not as far-reaching as some try to indicate.
But we still want to exclaim a "DON’T ROCK THE BOAT!"
Briefly about the background
The GDPR (General Data Protection Regulation) is the legislation on data security regarding personal data that applies within the EU and governs how we must handle data linked to natural persons. Data may not be handled outside of the EU... BUT the GDPR does, however, name a number of countries outside the EU where handling data is accepted. This is because the legislation in these countries is considered to give individuals the same opportunity for legal certainty as within the EU. This includes countries such as Argentina, New Zealand, Israel, Uruguay, and many others.
Previously, the United States was also covered, through the special agreement known as the Privacy Shield, and thus had the same legal status as countries within the EU. The agreement enabled international organizations to manage and move data between the EU and the US with greater ease and simplicity. However, this ended with Schrems II, which ruled that the Privacy Shield did not provide sufficiently comprehensive protection (i.e. the adequate level required by the GDPR) and was therefore not applicable. This means that there is no longer a valid general agreement to rely on when transferring personal data between the EU and the US. Therefore, there is no legal transfer of data between the two unless it is supported by some other basis in the Data Protection Regulation (GDPR).
Is it really so simple, then, that the result means we need to back out of using lots of tech solutions?
Note the key sentence in the paragraph above: "if the transfer cannot be supported on any other basis in the Data Protection Regulation (GDPR)". This is where the solution for companies lies. The GDPR provides an opportunity to agree, through contract supplements, that data will be transferred to so-called third countries outside the EU if security can be ensured in other ways, both technically and legally.
How this can be done can be read in the agreement structure, Article 46 of the GDPR, and its reference to Annex 1 of the standard clauses. It may sound like a play on words, but it is not particularly complicated. The recommendation is that you raise the issue with a legal advisor to clarify whether it is relevant for you to handle data outside the EU as a Personal Data Owner or a Personal Data Assistant. The clause enables a normal procedure in the handling of data.
Of course, it requires high-level technical protection, but I believe that this is a basic requirement regardless.
Intimidation with Schrems, part 2
Some claim that Schrems makes storage impossible with American suppliers such as Microsoft (Azure), Amazon, and Google. Mainly because the Privacy Shield no longer applies, it would supposedly not be possible to store any data on these servers even if they are located within the EU, because the suppliers are American companies. Here the cards are being thoroughly mixed up, and it becomes a scare tactic that gives people a bad conscience for merely using Outlook, Office365, storage services, or mobile device management (are there any EU suppliers at all when it comes to mobile?).
What is actually being referred to is another piece of legislation that was implemented in the US on March 23rd, 2018, the Clarifying Lawful Overseas Use of Data Act (the US CLOUD Act), intended to remove previous obstacles in US legislation so that American IT companies can hand over personal data when required by US authorities, regardless of the geographical and physical location of that data. The purpose was law enforcement and, conversely, it also gave other countries the means to request data for the same purpose from US companies.
The US Cloud Act is of course problematic, because US authorities could require that, for example, Microsoft, Amazon, or Google disclose data that you store there simply by applying for it in a US court. With a ruling, the US cloud service providers might have to disclose data. But some dispute that they would actually do so.
The EU Commission has taken a closer look at the Cloud Act and believes that Personal Data Owners and Personal Data Assistants may not disclose data to the US authorities even if a warrant is presented, since that would be a violation of the GDPR. This means that there is a conflict between the American and the European legislation, as the cloud companies usually have a European company with which they make the storage agreement. As a European company, you are subject to European law. From that perspective, the EDPB sees "very limited opportunities for a data controller in the EU to comply with a direct request from a US authority". It follows that agreements with Microsoft, Google, and Amazon should not be a problem at all, as it is a European entity you enter into agreements with.
Here you should also ask yourself three things:
- How likely is it (i.e. given what type of data is handled) that this particular data would be requested?
- If data were to be requested, what potential damage could it cause to the individuals/ customers in question?
- How can you protect data so that it becomes useless for someone who requests it without your consent?
I often think that the first two points are significantly exaggerated, i.e. the data is not of much interest to a US authority. But of course, it is a matter that everyone must decide through a risk assessment. However, the last point, the one regarding security, can significantly reduce the willingness to collect data, because the cost of decrypting it is too great to match any gain.
Here it is worth noting that for a "warrant" to be issued by a court in the USA, there must be a strong suspicion that a specific crime has been committed. This means that US authorities cannot use the Cloud Act to embark on "fishing expeditions" and trawl for evidence of criminal activity in general.
In that case, is everything about Schrems and Privacy Shield nonsense?
Absolutely not. Of course, you must ensure that you have the right storage location and that technical protection is at a high level. You should also ensure that you have agreements with your suppliers that capture these aspects, and consult with a legal adviser.
Why are there so many "schrems" right now?
I see mainly three reasons why there is so much concern about the issue right now:
- Europe lags significantly behind the major American IT providers. There is simply no European alternative that can compete. Therefore, the issue is being pushed hard by Swedish and European data providers to find an edge (other than technology) with which to challenge them. "Follow the money" is probably the main reason why some parties are pursuing the issue, and their options are costly.
- Data security in relation to privacy is a hot and current issue in many contexts, through popular services such as Facebook, Twitter, LinkedIn, and more. Many share their opinions on the subject without much backing from facts.
- US conspiracy theories have always been a popular topic. At the same time, it must be noted that even if the purpose of the American legislation was good, it overlooked the sanctity of privacy, which is better captured in the GDPR.
How did we solve it in Heartpace?
We store all of the information within the EU, and only within the EU, and we have also ensured that if data for any reason were to leave the EU (at the request of someone other than our customers), it would be useless in light of the required decryption effort. Therefore, we offer standard encryption and pseudonymization in several layers, but also the possibility to manage the decryption keys yourself via AWS CloudHSM. With today's available computing power, it would take billions of years to decrypt the kind of information we handle. Thus, it is logically possible to decrypt but not practical, a distinction most people miss in the discussion about security. Of course, Heartpace also works under the GDPR and will not disclose information to third parties.
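Layered protection along the lines described above, as an added example rather than Heartpace's own code: identifiers are pseudonymized with a keyed HMAC, sensitive fields are encrypted under a fresh per-record data key, and that data key is wrapped by a customer-held key (the role AWS CloudHSM plays in the text). It uses only the Python standard library, so HMAC-SHA256 in counter mode stands in for AES-GCM; all function and key names are assumptions.

```python
import hashlib, hmac, json, secrets

def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate keystream and tag keys from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for AES-CTR.
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC; output layout is nonce(16) || ciphertext || tag(32).
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

def pseudonymize(pseudo_key: bytes, identifier: str) -> str:
    # Keyed, deterministic pseudonym: same input gives the same token, but the
    # identifier cannot be recovered or guessed by hashing without pseudo_key.
    return hmac.new(pseudo_key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def store_record(kek: bytes, pseudo_key: bytes, employee_id: str, sensitive: dict) -> dict:
    # Layer 1: identifier replaced by a pseudonym. Layer 2: sensitive fields encrypted
    # under a per-record DEK. Layer 3: DEK wrapped by the customer-held KEK (the HSM key).
    dek = secrets.token_bytes(32)
    return {
        "pseudonym": pseudonymize(pseudo_key, employee_id),
        "ciphertext": encrypt(dek, json.dumps(sensitive).encode()).hex(),
        "wrapped_dek": encrypt(kek, dek).hex(),
    }

def read_record(kek: bytes, stored: dict) -> dict:
    # Without the customer's KEK the DEK cannot be unwrapped, so an exported copy is useless.
    dek = decrypt(kek, bytes.fromhex(stored["wrapped_dek"]))
    return json.loads(decrypt(dek, bytes.fromhex(stored["ciphertext"])))
```

An exported table of pseudonym, ciphertext and wrapped_dek rows reveals neither identities nor contents; only the holder of both keys can run the hypothetical read_record.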
We also offer additions to our third-country handling agreements if the customer needs to handle data both within and outside of the EU.
Do this at once
Keep in mind that it is usually the simple security basics that fail: password management, widely distributed access rights, and carelessness with physical assets such as computers and phones. Maturity is still low, and if you want to increase security, you must raise the lowest common denominator.
Source material / references:
- The Data Protection Regulation's articles, including Article 46
- Delphi - Collision between the Data Protection Regulation (GDPR) and the US Cloud Act
https://www.delphi.se/sv/tech-blog/kollision-mellan-dataskyddsforordningen-och-usas-cloud-act/
- Pod - Svensson Mattisson
https://svenssonmattisson.podbean.com/e/panik-over-schrems-ii-domen-%E2%80%93-och-flera-fel-i-the-social-dilemma/
- SKR - New EU ruling on transfer and handling of personal data has a major impact
- Safespring whitepaper - How to handle it
https://www.safespring.com/marketing/whitepapers/Safespring_White-Paper_Att-tanka-pa-i-och-med-inforandet-av-GDPR-och-CLOUD-act.pdf
- IT Advokaterna - Guidance on Schrems II from EDPB
- EDPB - GDPR: guidelines, recommendations, best practices
https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
- EDPB and EDPS analyze disclosures under the US Cloud Act
https://www.imy.se/nyheter/2019/edpb-och-edps-analyserar-utlamnanden-under-us-cloud-act/
- AWS CloudHSM - The importance of encryption