Privacy Shield provided a simple legal basis for transferring personal data from the European Union to the USA. The news of its invalidation by the verdict of the European Court of Justice (ECJ) has now settled. It is a matter of law, and the judgment contains rather complex reasoning. Understanding the impact on technology is fascinating, although the implications may be a bit controversial.
I read the whole judgment, whose operative part declares that “Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield is invalid”, in search of interesting tidbits, so you don’t have to.
What matters in practice is the technology impact. In this post, I try to provide a preliminary assessment with a potential way forward. But first, let’s make one thing clear. This verdict is not limited to transfers of data to the USA. The Court’s reasoning concerns the processing of EU personal data by any third country (e.g. India, the United Kingdom, South Korea, China, etc.), because the same assessment of the destination country’s legal system has to be made wherever standard contractual clauses are relied upon.
This is the crucial statement of the verdict:
105 Therefore, the answer to the second, third and sixth questions is that Article 46(1) and Article 46(2)(c) of the GDPR must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter. To that end, the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.
Privacy Shield did not guarantee such a level of protection: access to the transferred data by US public authorities under US federal surveillance law is beyond the reach of anything the companies that process the data can contractually promise, and the Court found that EU data subjects had no effective remedy against such access.
This, in turn, introduces two possibilities:
- Either the third country offers the same level of data protection as the EU (meaning: ordinary “civilian” regulations, as well as those governing access by police or national security authorities), or
- The data cannot be “simply” transferred to such a third country unless that level of protection can be guaranteed in some other way
This guarantee can be reached with measures of law, and possibly also with organizational or technical measures (as the European Data Protection Board has already noted, it is “analyzing the Court’s judgment to determine the kind of supplementary measures that could be provided in addition to SCCs or BCRs, whether legal, technical or organizational measures”). The legal part we put aside. What about “technology” and “organization” (i.e. the design of processes or procedures)?
First, remember that such an assessment must be made on a case-by-case basis. But perhaps in certain situations the tandem of technical + organizational measures can help. Following the verdict of the ECJ there seem to be essentially two possibilities, both with major implications for “cyber sovereignty” thinking, but also for modern cryptography.
The “cyber sovereignist” view. The “easiest” part is to treat the verdict like a ban (and data protection authorities may soon need to interpret it as a ban in some situations). So the “simplest” (and to some, extreme) solution is not to transfer any data outside the European Union at all and to treat the verdict as the equivalent of a “data localization law” (a law that forbids the transfer of data outside the territory; to some degree such acts exist, for example, in Russia, China, India, etc.). Just store the data in the European Union and case closed? Not so fast.
Store the data in the EU - data localization
In practice, such an interpretation of the ECJ verdict’s impact may favor the position of large cloud storage/computing platforms with data centers in Europe (such as Amazon, Google, or Microsoft?). All the data processor needs to do is design the processing so that EU data never leaves the EU: process it locally, restrict deployments to the appropriate regions/zones, and make sure that backups, logs, replication and support tooling do not silently copy it elsewhere. This would certainly require some systems to be rearchitected, but for applications where it can be done, it can be done with relatively little pain. So the technological/organizational solution: cloud, with appropriate zones in use. Residency alone does not settle the question, though. One must also consider the reach of US jurisdiction, for instance the CLOUD Act (“to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil”): a US-headquartered provider operating an EU region can still be compelled to hand over data stored there. Some cloud companies with data centers in certain countries (think China) potentially had to solve such challenges long ago.
Use technology such as modern cryptography
Another way to respect the ECJ verdict is to use more technology. Specifically, modern cryptography, and don’t think of this as merely encryption. Systems can be designed so that only encrypted data is transferred to a third country, and even so that the data is processed in encrypted form (e.g. with homomorphic encryption). All one needs to guarantee is that the decryption keys never leave the EU, so that, as a matter of process, they are never within the reach of third-country authorities. Even better if the technology itself guarantees this, for example when it is supported natively in the systems or databases used. Keep in mind that the usual data-in-transit and data-at-rest encryption does not achieve this: TLS terminates at the recipient, and at-rest encryption managed by the third-country provider leaves the keys within that provider’s (and its authorities’) reach. What matters is that the data is encrypted before it leaves the EU and that the key material stays there.
This requires substantial technological changes, as well as organizational ones (e.g. the European headquarters/branch must protect some data “from” the third-country headquarters/branch). In some applications this may of course not be so easily possible (e.g. to be useful, the data must be in clear-text form), but let’s not rule out that it may be doable in other cases, especially as secure two-party computation becomes practical and given the progress in domains such as non-interactive zero-knowledge proofs (zk-SNARKs, etc.). There are a lot of bricks one can use to build something.
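To make the “keys never leave the EU, data processed in encrypted form” idea concrete, here is an added example in Python (my own illustration, not code from the original post or from any product): a toy Paillier cryptosystem, which is additively homomorphic. The EU side generates the key pair and encrypts its records; the third-country processor receives only the public key and ciphertexts, adds them up (and multiplies the total by a public constant) without ever being able to decrypt; the EU side decrypts the result. The primes, function names and sample salary figures are assumptions made for this example, and the primes are far too small to be secure. Paillier is not fully homomorphic (it supports addition, not arbitrary computation), but it shows the architectural point, including how the guarantee can be built into the system rather than written on paper: the processor’s function never takes the private key as an input.

```python
# Added example (not from the original post): a toy Paillier setup where an EU
# party keeps the private key and a third-country processor works only on
# ciphertexts. Paillier is additively homomorphic: the processor can add
# encrypted values (and multiply them by plaintext constants) without the key.
import math
import secrets


def _lcm(a: int, b: int) -> int:
    return a * b // math.gcd(a, b)


def keygen(p: int, q: int):
    """Paillier keys from two primes. Returns (public, private)."""
    n = p * q
    n2 = n * n
    g = n + 1                       # standard simplification g = n + 1
    lam = _lcm(p - 1, q - 1)
    # L(x) = (x - 1) // n ; mu = L(g^lam mod n^2)^-1 mod n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m: int) -> int:
    """c = g^m * r^n mod n^2 with a fresh random r, so equal plaintexts
    give different ciphertexts (the processor cannot spot repeated values)."""
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c: int) -> int:
    """m = L(c^lam mod n^2) * mu mod n. Only the EU side holds priv."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n) * mu % n


def add_encrypted(pub, c1: int, c2: int) -> int:
    """Enc(m1) * Enc(m2) mod n^2 == Enc(m1 + m2)."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def mul_plain(pub, c: int, k: int) -> int:
    """Enc(m)^k mod n^2 == Enc(k * m)."""
    n, _ = pub
    return pow(c, k, n * n)


def third_country_sum(pub, ciphertexts) -> int:
    """What the processor outside the EU runs. Note the signature: it receives
    the public key and ciphertexts only; the private key is never an input,
    which is the guarantee built into the system rather than on paper."""
    acc = encrypt(pub, 0)           # fresh encryption of zero as accumulator
    for c in ciphertexts:
        acc = add_encrypted(pub, acc, c)
    return acc


def demo():
    # Toy primes (two Mersenne primes) so the example runs instantly.
    # NOT secure: real deployments use random primes of >= 1024 bits each.
    pub, priv = keygen(2**31 - 1, 2**61 - 1)

    # Constructed sample data, e.g. per-employee salaries held in the EU.
    salaries = [3100, 4250, 2980, 5120]
    ciphertexts = [encrypt(pub, s) for s in salaries]     # EU side encrypts

    enc_total = third_country_sum(pub, ciphertexts)        # processed abroad
    enc_doubled = mul_plain(pub, enc_total, 2)             # also abroad

    # Only the EU side, holding priv, learns the results.
    return decrypt(pub, priv, enc_total), decrypt(pub, priv, enc_doubled)


if __name__ == "__main__":
    total, doubled = demo()
    print(f"sum of salaries: {total}, doubled: {doubled}")
```

In a real deployment the key pair would be generated and held in an EU-controlled key management system or HSM, the `third_country_sum` step would run in the third country, and the organizational rule that nobody outside the EU can obtain `priv` is what has to be documented and enforced; the code structure makes the separation auditable.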
So the technological impact of the verdict is that it can very likely be respected with a combination of technology and organizational setup, at least in some cases. In some cases this can be done with cloud computing (which would be a Pyrrhic victory for “cyber sovereigntists”, as it would make large cloud storage/computing providers even more popular, with the winners being those that already have an established presence, entrenching the current market even more?). In other cases, it may be done with a special cryptographic design. In any case, a company may want to be able to prove what its systems guarantee. Proofs may be on paper or systemic (i.e. built into the systems themselves). The second option is probably better.
As a side note, it's interesting to wonder to what extent this verdict might introduce some challenges for some distributed platforms, including blockchain-based. That’s another story, but in the meantime perhaps it is better to refrain from placing personal data directly on the blockchain, choosing other designs instead.
The verdict is mainly a matter of legal interpretation. It brings implications for technology nonetheless. Assuming that no new agreement can be reached quickly, some of these new needs may require re-architecting systems.
We are talking about technological changes, as well as organizational design and procedures. Compliance with the verdict may be costly and will need the right people and skills, but we are in an era of regulating technology anyway.
Did you like the assessment and analysis? Any questions, comments, complaints or offers for me? Feel free to reach out: firstname.lastname@example.org