Where does your data live? It’s a simple question with an incredibly complex answer. In fact, it’s an answer that is increasingly testing new privacy laws on either side of the Atlantic and forcing device manufacturers and software creators to question what data, if any, they can use in their products.
This friction arises from last year’s court decision that Facebook’s transfer of personal data from the EU to its headquarters in the US breaches the General Data Protection Regulation (GDPR), leaving in limbo both multinationals and small-time players that leverage such data in their products.
The rise of cloud and the emergence of competing jurisdictions — be they regional (California Consumer Privacy Act) or continental (GDPR) — further confuse a complex issue. Let’s consider how companies and tech creators can approach this new era of data rights and solve the increasing complexity of transatlantic data transfers.
Schrems II: The Complexity of the Cloud
Where data lives and the jurisdiction it falls under is facing increased scrutiny thanks to a recent court decision. In July, The European Court of Justice issued the “Schrems II” judgment with significant implications for the use of US cloud services.
The decision invalidated the European Commission’s adequacy decision for the EU-US Privacy Shield, a transatlantic framework on which more than 5,000 U.S. companies relied to conduct data exchanges in compliance with EU data protection rules.
The court found the framework invalid for two main reasons. First, the court decided that US surveillance programs were not limited to what was strictly necessary and proportional as required by EU law. Second, the court determined that EU data subjects lacked actionable judicial redress and, therefore, did not have a right to an effective remedy in the US.
Importantly, however, the decision upheld the validity of standard contractual clauses (SCCs). These clauses ensure the lawful and secure transfer of personal data from within the European Economic Area to third countries. Despite the validation of SCCs, lingering uncertainty has resulted in the adoption of updated clauses for safe exchanges of personal data. This month, the European Commission adopted two new sets of SCCs, one for use between controllers and processors and one for the transfer of personal data to third countries, to offer more legal predictability to European businesses and help, in particular, SMEs ensure compliance with requirements for safe data transfers.
Regional and Continental Rules
Meanwhile, differing regional and continental data rights present additional legal curveballs. While the EU receives blanket protection from its GDPR, the U.S. is a patchwork of state laws. The most prominent IoT security bill to date is the California Consumer Privacy Act, which clarifies that people can opt out of both the sale and sharing of their personal information to third parties.
Therefore, not only do US cloud companies need to consider the data rights of European customers, but they also need to ensure that California customers can have some form of data control. Interestingly, the same consideration does not yet apply to Texans or Floridians. As with many decisions in the US, data rights are largely left up to state legislatures. The absence of a singular ruling means that companies must stay up to date as further states pass data privacy mandates that are soon to come into effect, like New York, Maryland and Hawaii.
This ongoing discrepancy between blanket continental regulations and regional rulings requires further vigilance.
What Companies Can Do
The good news is that, despite the infinite complexities of cloud computing and data rights, companies can take precautionary steps to stay in line with the laws. For example, encryption offers a simultaneous solution to perform US transfers under EU rules. Strong encryption can provide an effective measure for data transfers so long as the keys are reliably managed and retained solely under the control of the data exporter. If state-of-the-art protocols are followed, encryption can provide adequate protection against any data interception and manipulation by a third party. Likewise, multiparty computing protocols that split data into parts to process independently can prevent the reconstitution of personal data, thereby following the EU regulation.
Another way to comply with the data rulings is to stay clear of the cloud whenever possible. In the Internet of Things, for example, device vendors can tailor the connection type to ensure direct communication between the end-user and device. This type of peer-to-peer connection bypasses the cloud to enable private communication between user and device, and bypasses the risk of storing personal consumer data.
Of course, for those that do need to use the cloud for transatlantic data transfers, the best practice is to stick to the rules. The new SCCs provide additional clarification on what is and is not acceptable and go a long way toward addressing the requirement to legitimize transfers of personal data out of the EU. But, at the same time, the revised clauses continue to put the onus on individual companies to meet IoT GDPR standards.
Therefore, companies looking to leverage the SCCs should identify the cross-border transfers under their responsibility and perform a nuanced analysis of the recipient country’s level of data protection compliance with the GDPR. Moreover, if any of the countries are part of the Five Eyes Alliance — Australia, Canada, New Zealand, the United Kingdom and the United States — then an in-depth analysis will likely be required.
Regardless of the transfer method, there is no question that companies on either side of the Atlantic must think long and hard about the way they handle personal data. The various jurisdictions and legislations result in a tricky situation for tech companies today. Going forward, their best bet is to encrypt all data, follow the letter of the law and steer clear of the cloud if possible. It is no mean feat, but it is necessary to avoid the inside of a courtroom.