On July 16, 2020 the Court of Justice of the European Union issued the Schrems II decision in the case Data Protection Commission v. Facebook Ireland. That decision invalidates the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules.
The decision also impacts other personal data transfers from Europe to the U.S. The decision requires companies and regulators to conduct case-by-case analyses to determine whether foreign protections concerning government access to data transferred meet EU standards.
In the aftermath of the Schrems II decision, Neira Jones asked me to join Enza Iannopollo, senior analyst at Forrester, for the sixth episode of the Thales Security Sessions podcast to discuss data transfers in the post-Schrems II and post-Brexit era. The objective of the podcast was to examine how the current rules and regulations for securing information and maintaining privacy will impact our future. In addition, we tried to investigate whether the work and lifestyle changes brought about by COVID-19 will have a regulatory impact that organizations need to plan for.
The truth is that the Schrems II decision will have a great impact not only in the U.S. but also across the world. Terminating data transfers from the EU to other countries could mean a partial or complete shutdown of the affected line of business, or even of the whole company. However, the level of the impact depends on the geography and the vertical of each organization and on the strategic privacy planning it has done to sustain compliance with GDPR.
On the other hand, the work-from-home initiatives prompted by the pandemic have increased businesses’ appetite for public cloud infrastructures. This increased reliance, coupled with the EU–UK post-Brexit agreement and the EDPS guidance for businesses to perform a risk assessment before transferring data, creates a new environment. Businesses may have to supplement contractual clauses and legal remedies with technical controls to ensure that data transfers are transparent, safe and lawful. These safeguards should cover both direct data transfers and transfers performed by third parties.
It is therefore important to use solutions that identify and classify all data owned by an organization, as not all data are created equal and some categories warrant heightened protection. Data classification will help reduce the level of complexity for protecting data either at rest or in transit. Data protection is a market differentiator, because consumers care about their data and how it is being handled by companies... and they are taking action to protect it.
In addition, data protection, security-by-design, transparency, accountability, and responsible development policies and practices should be at the heart of deploying emerging technologies, to reduce their contribution to the marginalization of, and discrimination against, social groups.
If you would like to delve into how recent developments affect data beyond borders, you can listen to our Security Session podcast, Episode 6: Data Beyond Borders: The Schrems II Aftermath.