Writing about legal topics is always a challenge. I am not a lawyer, but as an analyst and advisor I almost inevitably encounter the implications of laws and current case law. This text therefore describes only a personal assessment; it is not intended to be, and should not be used as, legal advice (and in any case KuppingerCole Analysts do not provide legal advice). At the end of the day, any action should be clarified with colleagues properly qualified to do so, including the legal team.
The ruling of the European Court of Justice (ECJ), which has gained some notoriety under the name "Schrems II", has caused great uncertainty among many organizations. The finding that the data protection standard as currently practiced in the United States of America is to be considered non-compliant with the requirements of the European Union and the General Data Protection Regulation has had a direct and significant impact on the assessment of processing personal data abroad, especially, of course, in the USA. The mechanism previously known as "Privacy Shield" was rendered void overnight. This particularly impacts the use of cloud services, which had grown significantly over the past year and a half, not least due to the pandemic-induced migration to digital services.
The resulting state of limbo and lack of legal certainty required a comprehensive solution. This is now available in the form of the final version of the "standard contractual clauses for the transfer of personal data to third countries" (published on June 4, 2021). This document, which was published by the European Commission, and the measures it describes are intended to make it possible to continue transferring personal data to countries outside of the EU and to process it there.
More than just paper – tangible supplementary measures are needed.
However, merely amending the contractual basis is not enough: tangible technical and organizational measures that ensure the minimization, pseudonymization (as defined by the GDPR) and encryption of transferred data must be developed and implemented precisely as described. This not only puts the onus on the providers of such Internet services (and their supply chain, end-to-end) to support these measures, but also forces the users of cloud services, for example, to practice data hygiene and reduce the volume of data, which can only be beneficial in terms of improved data protection. The SCCs (Standard Contractual Clauses) will only be considered effective provided these measures are in place.
Call for action
Considering this development as a layman in legal matters, I see this document and the updated SCCs as an important first step, even if the actual problem (the root cause), namely the possibility of American authorities viewing personal data on the systems of American providers, is not solved. Consideration must now be given to each individual case where personal data is transferred outside of the EU, in order to select and fully implement the correct tools for encryption, pseudonymization and minimization of data at rest, in transit and during processing. While this will involve considerable effort, it is certainly preferable to the previous legal uncertainty.
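To make the two measures named above (minimization and pseudonymization as the GDPR defines it) concrete, here is an added example that is not part of the original post and not a KuppingerCole tool: it prepares a single CRM record for transfer to a processor outside the EU. Fields the processor does not need are dropped, direct identifiers are replaced by keyed HMAC-SHA256 tokens, and the re-identification table, the "additional information" that the GDPR requires to be kept separately, stays under EU control together with the key. The record, the field lists, the key and all function names are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
from typing import Any, Dict, Iterable, Tuple

# Constructed sample record from an imaginary EU-hosted CRM; not real data.
SAMPLE_RECORD: Dict[str, Any] = {
    "customer_id": "C-10042",
    "email": "alice@example.org",
    "name": "Alice Example",
    "country": "DE",
    "plan": "premium",
    "last_login": "2021-06-10",
    "notes": "called support about invoice 4711",
}

# Minimization: only the fields the non-EU processor needs for its task.
ALLOWED_FIELDS = frozenset({"customer_id", "email", "country", "plan", "last_login"})
# Pseudonymization: direct identifiers among the allowed fields become tokens.
IDENTIFIER_FIELDS = frozenset({"customer_id", "email"})

# Hypothetical pseudonymization key. In practice it lives in an EU-controlled
# key store and is never shipped to the third-country processor.
EU_PSEUDONYM_KEY = b"constructed-demo-key-replace-with-kms-secret"


def pseudonym(field: str, value: str, key: bytes) -> str:
    """Deterministic keyed token: HMAC-SHA256 over "field:value".

    Including the field name gives domain separation, so the same string in
    two different fields yields two different tokens. Determinism lets the
    processor join records on the token without ever learning the value.
    """
    digest = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return "pseud_" + digest.hexdigest()[:32]


def prepare_for_transfer(
    record: Dict[str, Any],
    allowed: Iterable[str] = ALLOWED_FIELDS,
    identifiers: Iterable[str] = IDENTIFIER_FIELDS,
    key: bytes = EU_PSEUDONYM_KEY,
) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Return (record safe to send abroad, re-identification map kept in the EU).

    The map is the GDPR's "additional information": store it separately and
    under EU control, otherwise the pseudonymization is ineffective.
    """
    allowed = set(allowed)
    identifiers = set(identifiers)
    outbound: Dict[str, Any] = {}
    reid_map: Dict[str, str] = {}
    for field, value in record.items():
        if field not in allowed:
            continue  # minimization: anything not needed is never transferred
        if field in identifiers:
            token = pseudonym(field, str(value), key)
            outbound[field] = token
            reid_map[token] = str(value)  # stays in the EU
        else:
            outbound[field] = value
    return outbound, reid_map


def reidentify(outbound: Dict[str, Any], reid_map: Dict[str, str]) -> Dict[str, Any]:
    """EU side only: restore identifiers in results the processor sends back."""
    return {
        k: reid_map.get(v, v) if isinstance(v, str) else v
        for k, v in outbound.items()
    }


if __name__ == "__main__":
    safe, eu_map = prepare_for_transfer(SAMPLE_RECORD)
    print("sent abroad:", safe)
    print("kept in EU :", eu_map)
    print("restored   :", reidentify(safe, eu_map))
```

Encryption of the outbound payload in transit and at rest is the third measure the post names; it is deliberately left to the transport and storage layers here, since the point of this block is what must be decided per field before any transfer happens. Note that a deterministic token is a design choice: it supports joins across batches, but also lets the processor see that two records belong to the same person, which may or may not be acceptable for a given transfer.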
This is where we as analysts and advisors come into play. Concepts, technologies, and products that can help implement appropriate technical and organizational measures are evolving quickly. Information Protection and Secure Information Sharing will become increasingly important. Examples include Azure Information Protection and advanced tools that enable the transparent encryption and use of critical information, including personal data. Sensitive data discovery, data cataloging and encryption concepts will play a significant role in light of this development, for structured and unstructured data alike. Data governance will become a key area for exercising appropriate control over data of varying sensitivity. Data catalogs and data management will facilitate transparency regarding the nature, location and flow of data.
Finally, the requirement for organizational and technical measures to protect transferred data will also have a significant impact on the spread and use of more sophisticated, emerging technologies for encrypting data during use. For example, providers of technologies for homomorphic encryption can make a substantial contribution to the definition and implementation of appropriate measures.
KuppingerCole Analysts research, including our Market Compasses and Leadership Compasses, builds the foundation for an in-depth view of those markets and technologies. Our advisors will support you in defining and architecting real-life concepts and technologies to underpin the standard contractual clauses (SCC) with tangible controls.