Sunny Seon Kang, Senior Privacy Counsel and Head of Policy at Inpher discusses supplementary measures for enhancing data privacy in light of the Schrems II decision
When the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield in Schrems II, over 5300 American businesses—including Google, Amazon, Facebook, and Microsoft—lost their primary mechanism for international data transfers with the European Economic Area (EEA).
Since the July 2020 decision, the U.S. Department of Commerce and the European Commission have commenced negotiations for a new data transfer framework that will enhance protections for individual privacy. Moreover, the U.S. Senate Committee on Commerce, Science, and Transportation held a hearing on December 9, 2020 to discuss the impact of Schrems II on trans-Atlantic data flows.
Even with these discussions ongoing, companies currently face a difficult transitional period in a time where the free flow of information is critical.
With the Privacy Shield repudiated for its lack of adequate protections for privacy, the United States no longer has authorization under Article 45 of the EU General Data Protection Regulation (GDPR) to receive data flows from the EEA on the basis of legal equivalency.
Until clear rules are adopted to replace the Privacy Shield, U.S. companies must adopt these alternative safeguards to facilitate cross-border data transfers from the EEA: Standard Contractual Clauses (SCCs) established by the European Commission, and Binding Corporate Rules (BCRs) adopted by the organization and approved by the relevant EU supervisory authority for the purposes of intra-company transfers.
But relying on these contractual tools alone may not be sufficient. Both the CJEU and the European Data Protection Board (EDPB) emphasize that the validity of SCCs and BCRs will depend on the use of supplementary measures—such as privacy-enhancing technologies—as an additional safeguard against unauthorized data access.
This article examines privacy and security risks that cannot be resolved by standalone SCCs and BCRs—and thus require the adoption of privacy-enhancing technologies as a supplementary measure.
In particular, this analysis will examine the EDPB’s recommendation of “split or multi-party processing” from its November 2020 guidance on ‘measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.’
Understanding how decentralized analytics powered by “secure multi-party computation” can preserve privacy and facilitate EU-U.S. data flows in the post-Schrems II era will be a key bulwark against a fractured and localized digital economy.
Standard Contractual Clauses and Binding Corporate Rules: Necessary but Not Sufficient
The CJEU’s main rationale in overturning the Privacy Shield was the program’s practical limitations as a safeguard against overbroad foreign surveillance programs. The guiding principle of the Schrems II ruling was to strengthen data transfer mechanisms such that EEA individuals are protected from government access to their data under U.S. law.
Therefore, filling the void of the Privacy Shield is not as simple as replacing the self-certification program with SCCs and BCRs. These alternative transfer tools must do their part in curbing government overreach for EU data.
SCCs and BCRs constitute a commitment by the parties of the transfer to handle personal data according to the pre-approved terms set by the European Commission and other EU supervisory authorities. However, as contractual tools they have limited efficacy as an ex ante, preventative safeguard against unauthorized data access, use, or leakage.
First, just as companies often fail to honor their privacy policies, contractual safeguards for data transfers are fallible. Privacy protections stipulated in SCCs and BCRs sit on paper, and thus cannot actively mitigate the impact of a security breach or unauthorized access to plaintext data. As discussed in more detail below, organizations are recommended to adopt technical safeguards in the form of privacy-enhancing technologies to supplement and enforce their SCCs and BCRs.
Second, SCCs and BCRs are private agreements that cannot bind U.S. public authorities. The EDPB explains:
Due to their contractual nature, standard data protection clauses cannot bind the public authorities of third countries, since they are not party to the contract. Consequently, data exporters may need to supplement the guarantees contained in those standard data protection clauses with supplementary measures to ensure compliance with the level of protection required under EU law in a particular third country.
The CJEU affirms that SCCs and BCRs must be supplemented with technical measures that can ensure a “level of protection essentially equivalent” to that guaranteed in Europe. Simply put, commitments made in SCCs and BCRs must be made actionable.
European Data Protection Board Guidance on Supplementary Measures
As such, the EDPB—the European body which oversees the application of the GDPR across the EU—recommends data exporters to:
- Identify their cross-border transfer needs;
- Choose a valid transfer mechanism under Article 46 of the GDPR (SCCs, BCRs, Derogations, etc);
- Assess the law and practice of the recipient country on public authority access to data;
- Identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence;
- Take any formal procedural steps required for the adoption of your supplementary measures; and
- Conduct iterative assessments to monitor the safeguards in practice.
Considering Privacy-Enhancing Technologies: Secure Multi-Party Computation
The EDPB ‘Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’ (Supplementary Measures Guidance) was adopted on November 10, 2020 and closed its public consultation period on December 21, 2020.
In this guidance, consideration of privacy-enhancing technologies—such as secure multi-party computation (MPC)—forms the fourth step of a data exporter’s due diligence plan outlined above, as a supplementary measure that may be required to “bring the level of protection of the data transferred up to the EU standard of essential equivalence.”
Other recommendations and use cases include pseudonymization, encryption in-transit, and a protected hosting service provider and recipient, but this article examines ‘Use Case 5: Split or Multi-Party Processing’ and the compliance benefits of decentralized analytics.
The EDPB Supplementary Measures Guidance describes “split or multi-party processing” as a measure intended to protect EEA data against government access:
The data exporter wishes personal data to be processed jointly by two or more independent processors located in different jurisdictions without disclosing the content of the data to them. Prior to transmission, it splits the data in such a way that no part an individual processor receives suffices to reconstruct the personal data in whole or in part. The data exporter receives the result of the processing from each of the processors independently, and merges the pieces received to arrive at the final result which may constitute personal or aggregated data.
This process describes MPC, a cryptographic privacy-enhancing technology that can prevent the transfer of plaintext personal information to a jurisdiction with potentially inadequate protections for privacy and fundamental rights.
In non-technical terms, MPC enables multiple parties to securely compute on a shared dataset without seeing any underlying personal information held by the other participants. It does so by transforming personal data into random auxiliary numbers that can be put together to securely run functions across multiple data sources, but reveal nothing in isolation.
No personal data is exposed or transferred across parties, as the parties only see the output of the function and not the private inputs. And after each computation, the random auxiliary numbers are deleted; rendering them virtually impossible to intercept or re-identify.
This technique curbs the unnecessary collection, sharing, and retention of personal data, and overcomes the vulnerabilities of mainstream anonymization techniques, which can subject individuals to the unforeseen risks of third-party data access.
Benefits of Decentralized Analytics in a Post-Schrems II Era
Collaborative information-sharing on advanced privacy-preserving technologies such as MPC is critical for systemic accountability and data protection, because they:
- Prevent the multiplication of data security and privacy risks inherent in third-party data transfers;
- Self-execute fair information principles such as data minimization, purpose limitation, storage limitation, and privacy-by-design; and
- Keep data resident in the premises of each data source whilst enabling collaborative computation—thereby advancing compliant knowledge-sharing in cross-border environments.
By facilitating cross-border analytics without impacting data residency, MPC helps companies navigate the extraterritorial impact of the GDPR and allows collaboration with firms operating in jurisdictions with pending adequacy decisions from the European Commission.
Decentralized analytics are integral to unlocking information flows that can support innovation and widen global economic activity on data.
This capacity is key to addressing the threat of data localization, which could (1) restrict data flows that are necessary for international trade and cooperation, and (2) burden companies with the cost and the increased security vulnerabilities of duplicating their data infrastructure in multiple jurisdictions.
The CJEU and the EDPB assert that the validity of SCCs and BCRs will depend on whether a supplementary measure is instituted to bring up the level of data protection of the transfer to EU legal standards.
The EDPB Supplementary Guidance suggests that MPC can be an effective technical safeguard in cross-border transfers involving multiple parties to ensure a level of privacy required in the post-Schrems II era.
In line with the EDPB’s recommendations, institutions should implement privacy-enhancing technologies as a data firewall in case there is any ambiguity or political uncertainty in the recipient jurisdiction’s policies on government access to data. Alongside SCCs and BCRs, privacy-enhancing technologies should be systemically built into the processing mechanisms to protect data from unnecessary exposure.
Sunny Seon Kang is Senior Privacy Counsel and Head of Policy at Inpher. She advises on U.S. and international data privacy laws, FinTech regulations, and AI policy. Prior to joining Inpher, Sunny was International Consumer Counsel at the Electronic Privacy Information Center (EPIC) and a Fellow at Stanford Law School. She has testified before the U.S. Consumer Product Safety Commission on IoT data security, filed FTC complaints against Facebook’s data practices, and advised regulatory agencies on GDPR implementation, algorithmic accountability, and privacy by design. Sunny has also worked on emerging technology and privacy matters under the former California Attorney General Kamala D. Harris. She holds degrees from University College London, UC Berkeley School of Law (LL.M. in Technology and IP), and Stanford Law School (J.S.M. in Juridical Science). She is a member of the New York bar. Sunny’s works have been published in Just Security, Morning Consult, and the Association for Computing Machinery.
Suggested citation: Sunny Seon Kang, Post-Schrems II, Privacy-Ehancing Technologies for Cross-Border Data Transfers, JURIST – Professional Commentary, January 25, 2021, https://www.jurist.org/commentary/2021/01/Sunny-Seon-Kang-Post-Schrems-II-Data-Transfers.
This article was prepared for publication by Anne Bloomberg, a JURIST staff editor. Please direct any questions or comments to her at email@example.com
Opinions expressed in JURIST Commentary are the sole responsibility of the author and do not necessarily reflect the views of JURIST's editors, staff, donors or the University of Pittsburgh.