Analyst Chat #118: A first look at the new Trans-Atlantic Data Privacy Framework

On March 25th, 2022 the European Commission and the US government announced a new agreement governing the transfer of data between the EU and the US. Mike Small and Annie Bailey join Matthias to have a first look as analysts (not lawyers) at this potential milestone for data privacy between the European and the US regions.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm Lead Advisor and Senior Analyst with KuppingerCole. My guests today, I have two guests today, are two colleagues of mine. First of all, we have Anne Bailey. She is a Senior Analyst and she's working out of Austria. Hi Annie, good to see you.

Hi, Matthias. Thanks for having me back.

And we have Mike Small. He is an Analyst and he is really focusing strategically on cybersecurity and governance. And he is working out of the U.K. Hi, Mike. Good to see you.

Hi. Hi, guys. And thank you for inviting us to this discussion.

Today, we want to talk about a topic that is a very fresh topic, that happened just a few days ago, when it was announced, and made the press, that the EU and the US have signed a data transfer deal to ease privacy concerns around the transfer of personal data between the EU and the US. And that made quite some noise and quite some headlines. So, first of all, why is that? What is the fuss about?

So what all the fuss is about is that President Biden came to Europe because there is a war going on in Europe. And one of the things that was announced was that there is a potential agreement between the US and the EU in the area of privacy. So to me, it's really interesting that, given the enormity of the circumstances that brought President Biden to the EU, it was important enough to discuss the area of privacy of personal data at the same time.

Yeah, well, I think that leads to, or that brings, a lot of questions as to what brought us to this point right now. So what was the lead-in to this discussion and this agreement, which we don't have details on yet, but we know exists?

Okay. So the background to this is that a law student called Maximilian Schrems, based out of Vienna, objected to the fact that when he put his personal data into Facebook, where Facebook said it was being held in Ireland, he discovered that it was being transferred to the US. And so he took Facebook to the European Court. And the first of these litigations that he started ended up with the invalidation of what was called Safe Harbor. And that led to the Privacy Shield, which was the guarantees that were given by the US over the treatment of personal data. Now, Dr. Schrems disagreed with the provisions that were made by the Privacy Shield. And so he took Facebook and others to the European Court of Justice a second time. And the result of that was that in July 2020, there was this judgment, which was called Schrems II, which had the overall effect of invalidating the Privacy Shield. Now, in terms of more detail, perhaps we can go back to that. But ultimately this means the steps that were taken by the US to protect the privacy of European residents' data that was held in cloud services or in any other way in the US were deemed not to be fully compliant with GDPR. And this led to obviously a lot of inconvenience and a lot of problems for organizations.

But what actually does that mean for organizations that want to transfer data from the EU to the US? What was the result of this Schrems II judgment?

Well, that's really an interesting point, because this judgment took place in July 2020 and everybody wondered what that really meant. And so the European Data Protection Board spent six months or thereabouts looking at what that really meant. And in November 2020, they produced a draft document which was their recommendations. And in a way, this document was absolute dynamite. It was almost totally ignored, but it was really dynamite, because what that document, what those recommendations said, was that legal safeguards are insufficient. And the reason for that is that you can have a contract between your organization and a cloud service provider, but that contract is lower in the hierarchy of things than government legislation. So in specific terms, within the US, the Patriot Act overrides any of the contracts that you might have with any of the US-based cloud service providers. So that means that you could find that the US government or the Chinese government or some other government could actually legally demand of the cloud service provider that they hand over your data, and the cloud service provider would have to do it. So as a consequence of this, the EDPB said that organizations were responsible for checking that the cloud service provider provided safeguards equal to those there are in the EU. And if they didn't, the organizations themselves had to take what were called supplementary technical measures. And these are fairly onerous in terms of what you had to do.

Yeah. Perhaps I can jump in and just draw attention to what you just said: if contracts are not sufficient to protect organizations, then it's really up to organizations themselves to take on that responsibility to check and then implement additional safeguards. That's perhaps, in a nutshell, what Schrems II is all about.

Yes, in a nutshell, that's what it is all about. And those supplementary technical measures are not insignificant, and they depend upon, you know, exactly what the data is doing. So, for example, if all you are doing is storing the data passively, then you can satisfy those requirements by encrypting the data using state-of-the-art encryption and keeping hold of the encryption keys in the EU. Now, that's kind of good for really one situation, which is data backup. But most people are using cloud services to do real processing, and that actually introduces further complexities. So again, if you look at Schrems II, that sort of identifies that data sovereignty is not in fact sufficient. It's necessary, but it's not sufficient. You have to consider the other ways in which the data could be obtained. Now, you may say this is actually, shall we say, a little bit excessive, because most organizations are not Facebook, and most organizations are not actually collecting your data. They're simply trying to do that processing, which may include your data. So there's a difference between an organization that's actually actively trying to gather the data of people and, shall we say, another organization which is simply saying, well, we need your name and address to be able to share the stuff you bought. And that is perhaps the problem, that the Schrems II judgment hasn't differentiated between these things, and the EDPB examples are really quite extreme. So again, to give you another example of the EDPB recommendations, which goes through business process as a service. So you may say, well, in fact, it's clearly the case with this technology if you're storing data in a database in the US, but let's imagine that you have your data held in a database in Dusseldorf. But you have a human resources consultant in Pittsburgh, Pennsylvania, and they need access to that database. Well, actually, as the judgment goes, that access is in fact letting that data go out of the EU. And so that's pretty restrictive.

So do you have any ideas how to move forward? We know that there was an announcement about an agreement, but do we know anything about that yet?

I think the simple answer is no. We don't know the details, but the European Data Protection Board did publish a document in January of this year, which is a draft. And what appears to be what is being discussed and negotiated is to find a way that organizations in Europe can confirm the first thing that we said, which is that if they move their data into a cloud service provider in the US, then they have a way of establishing that that data will be treated with the same governmental-level controls that it would have had had it been held in the EU, so that you can move back to contractual and legal controls rather than having to depend upon more complex technical things like pseudonymization, and even not allowing business processes as a service to take place outside of the EU. So that seems to be the idea. Now, when you look at what the press announcements have said, well, having gone through Brexit from the UK, it took a long time, and nearly all of that time there were press announcements where it said there are intensive negotiations going on. And that was almost exactly what the words were in the press announcement from Brussels following the announcement by President Biden: that there are intensive negotiations going on.

As we are analysts and not lawyers, we can only look at the results coming from such a ruling, from such laws, from such data transfer. When we talk to our customers, to the people that read our research documents, what would be, as of now, the expectation and the recommendations that we would give towards people who are actually in this situation, not necessarily Facebook, but more the traditional type of organizations that use cloud services, Mike?

Yeah. Okay. So the recommendations that we would give are really based around what the European Data Protection Board recommendations are, which is that it depends upon what is happening to your data in the cloud. And in particular, we're not really talking about advice on business processing as a service, but what most of the organizations are interested in is: can we use the cloud service? So if you look at the capabilities that are required to comply with absolutely the letter of the law, if you are holding or processing personal data under the EU definition of personal data, then the minimum is that you need to encrypt it. But if you're going to process it, you should theoretically have it encrypted whilst it is being processed. And so one of the major vendors offers you a solution, which is that they have what they call double key encryption, which basically means that they never see it. But you're processing it on your desktop or laptop in the EU. Another approach is what is called enclaves or protected enclaves, that there are processor chips which have built into them guaranteed and, shall we say, verified capabilities, which mean that when the data is being processed, it is only decrypted into a secured enclave which is inaccessible and guaranteed to be inaccessible by hackers. And that's because, well, there are loads of Open-Source tools that you can find that can scrape the contents of a room. You clearly need to encrypt the data when it is in transit. Now, the other approach which is taking off is the approach of using pseudonymization, and pseudonymization is a kind of encryption technology where you can still process the data. And the good thing about pseudonymized data is that it can be used by artificial intelligence, machine learning, to do training and then subsequently to do analysis. But it doesn't really sort of work terribly well where you've got an old-fashioned hand-coded piece of application. But the UK's ICO says if you're going to share data, then the safest way to do it is to pseudonymize it. Now, beyond that, there are technologies that are really in the nature of emerging technologies. One is something called multiparty computing, where there are a series of mathematically provable protocols where you can share data between people without actually divulging all of the data. And the classic example of that is there is a way for people to say, well, let's say we're all going to get a pay rise. And typically this is the problem of the financial services traders, that every year they get a bonus, but they're not allowed to tell their bonus to their colleagues. So whoever's got the biggest bonus should buy the drinks. Well, there is actually a protocol which allows you to figure out who got the biggest bonus without defining what that bonus was. So that is currently used in some systems for auctions, but it's not generally available, and pseudonymization is a kind of subset of that. And the third one is homomorphic encryption, which is a way of encrypting data that allows it to be processed. But that is still highly computationally intensive. So it's something like 40 times more intensive than ordinary encryption. So the trouble is that most of those answers are fairly difficult. And at the same time, the way that the law is being interpreted is pretty draconian. So for example, in April 2021, the Portuguese Data Protection Authority actually gave the Portuguese Census Office 12 hours' notice to cease and desist from using a US-based cloud service. So if you are in one of those kinds of organizations, then you're going to find it pretty, pretty difficult and challenging to comply with the law as it's interpreted at the moment. So what I guess everyone is hoping is that there will be some kind of agreement reached whereby, shall we say, we have a Safe Harbor 3 or another iteration of some kind of guarantees that is underwritten by the US government, that enables the people in Europe and the European information commissioners to believe that that data is being treated in a similar way if it is living in the US towards us, because that deals with the data protection.

Right. We do not know much about what has already been done as of now, but nevertheless there has been a press release by the White House. Annie, what is the content? What do we know as of now?

Yeah. So we get a brief glimpse which, of course, does line up with what you've been explaining, Mike. And it's really looking at implementing a new mechanism so that EU residents or citizens are able to seek redress if they feel that they are unlawfully targeted by, for example, intelligence activities, if their data has been transferred to the US. And so really bringing in a practical and a legal step forward, rather than needing to only rely on the technical measures which Mike was explaining. It does also look to address those intelligence activities and acts, the Patriot Act, for example, and strengthen the civil liberties and the privacy protections considering those relevant acts that made the US-EU Privacy Shield non-compliant to begin with. So those are some of the main focuses that we have an idea of now, and again, this is at a theoretical level. We don't have the details yet. For the most part, it's been referred to as a transatlantic data privacy framework. But it would be hopeful if we did think about this as a Privacy Shield 2, or a Safe Harbor 2 or 3, whichever iteration we're on. And this would be the optimistic look here, that these agreements are being strengthened to better include data privacy and better respect this in all jurisdictions. The less optimistic way to look at this would be to think of it as a Schrems III agreement, where this doesn't go past the political sway that one country could have over the contracts between enterprises. And so if it does end up that this agreement ends up back in the courts, we could think of this as a Schrems III, as an extension of the breakdown of data privacy rather than the strengthening of it.

Mike, what's your opinion? Do you agree with Annie's analysis?

Oh, yes. I think that what everyone is hoping, what everyone wants, is to have an agreement which will not be challenged in court because it will actually be substantive and meaningful. The worst outcome is a politically driven fudge which ends up being challenged in court and which will then leave many more years of uncertainty over things.

Right. This is not a very typical episode of this podcast, because we are really dealing with the actual news that has just happened. I want to highlight that Max Schrems will be a speaker at the EIC in Berlin in May, and maybe we will know more by then of what has happened in the meantime between today and the EIC, and of course we will cover this topic in the future as well, so that you can find more accurate, more substantial information on what's going on in that area as of now. As an outlook, what should we expect with regards to that topic going on? Annie and Mike, maybe starting with you, Annie. What are your expectations in that area in general?

Yeah, well, a big hope, and I'm not sure if I can put it as an expectation yet, but something that I would really look for is a differentiation between social media platforms and enterprise business data transactions. I think we do need more conversation around this, and hopefully more detailed information in the agreement which has come out. So I'm very curious to see where it stands on that differentiation.

Right, I think this differentiation is very important. And I hand over to you, Mike, I think this is also an important point from your point of view, right?

Oh, yes. I think that differentiation is important. And there is, in fact, one further thing, and as all good tales come to an end, you always say, well, but that is another story. And we've talked about data sovereignty, but there is also the problem of technological sovereignty. And with this interconnected world, we have seen the challenges that come when one part of the world falls out with another part of the world. And at the moment, we are all heavily dependent upon services that are delivered from outside of the EU, depending upon technology which is coming from outside of the EU. And it would be quite disastrous if there were some situation where we fell out with the providers of that technology, which meant that we could no longer do the processing that we expect. So there is a lot more under this iceberg than just the talk. Come to EIC and find out more about it.

Absolutely. And we just really dipped our toe into the water of where this iceberg is. So we just started this conversation. Thank you very much, Annie and Mike, for being my guests today and for discussing these really current developments that are going on. And I hope that there will be more substance around these publications available very soon. Thanks again, Mike and Annie, and at the latest, see you at EIC in Berlin.

Thanks for having us.
