What is Schrems II and Why Does it Matter?

By Marcus Grazette, Europe Policy Lead at Privitar

The Schrems II judgment significantly changed the rules for data transfers from the EU or the UK to the US. The European Data Protection Board (EDPB) has published new, draft guidelines. Organizations can use Privitar’s Data Privacy Platform to de-identify data in line with the EDBP requirements for international transfers. However, this is not a general solution – it will only be appropriate for some use cases and some types of data. This blog explains what has changed and when de-identification can help.

What is Schrems II?

The GDPR restricts international data transfers. International transfers are only GDPR-compliant if the organization seeking to transfer data to a third country uses one of the specified legal mechanisms. In practice, most organizations rely on either an adequacy decision or on one of the legal tools in Article 46 of the GDPR, which include standard contractual clauses and binding corporate rules.

Prior to the Schrems II judgment, US businesses could benefit from a special type of adequacy decision called Privacy Shield. EU businesses were able to transfer data to any US business certified under the Privacy Shield program. Thousands of EU businesses relied on Privacy Shield to underpin their data transfers to the US.

In July 2020, the European Court of Justice invalidated Privacy Shield. The Court found that the level of protection for individuals under US law was not “essentially equivalent to the safeguards required under EU law.” The Court’s decision aims to protect individuals’ fundamental rights. It noted that US law allows US public authorities (including surveillance agencies) to access data relating to EU citizens without a right of redress.

However, the Court also recognized that EU – US data transfers are hugely important to businesses. It therefore allowed transfers to continue so long as the transferring organization could (1) rely on an alternative Article 46 transfer mechanism and (2) implement “supplementary technical measures to make access to the data transferred impossible or ineffective.

The significance of Schrems II

The decision in Schrems II is hugely significant for day-to-day business operations. It affects any business using common US based software-as-a-service (SaaS) platforms. For example, the Bavarian data protection authority concluded that a German business using Mailchimp for newsletters was unlawful. Similar concerns would apply to a European organization using applications hosted with any of the major US cloud providers.

The EDPB draft guidance – what is required?

The EDPB published draft guidance on supplementary measures shortly after the Court’s decision. The consultation closed in December 2020, after collecting more than a hundred responses. These highlighted some of the practical challenges in implementing the guidance, and the impact of a strict approach to data transfers (for example, for organizations relying on SaaS products).

The draft guidance sets out a six-step roadmap to international data transfers. Perhaps the most challenging are:

assessing whether the transfer mechanism is effective in light of “all circumstances of the transfer” and
if possible, adopting supplementary measures.

For many organizations, the US is their most significant destination for international data transfers. The Schrems II ruling requires supplementary measures for transfers to the US, as the Court already considers that the circumstances of transfers to the US mean that other transfer mechanisms will not be effective on their own.

Organizations will need to assess whether supplementary measures exist which, when combined with safeguards already contained in the Article 46 transfer mechanism, can “ensure that the transferred data is afforded in the third country a level of protection essentially equivalent to that guaranteed within the EU.” This includes considering the purpose of the transfer and the nature of the data.

The EDPB explicitly states that in some scenarios no effective supplementary measures exist. For example, a transfer to a service provider requiring access to data in the clear or where the service provider manages encryption keys. This is common for SaaS applications.

How can organizations comply?

The EDPB allows pseudonymous data to be transferred, provided that four conditions are met:

Direct identifiers are removed, meaning that the data is pseudonymous in line with the definition in Article 4(5) GDPR. In other words, the data can no longer be attributed to a specific data subject without the use of additional information.
The additional information necessary to re-identify a data subject is stored in the EU, or a jurisdiction deemed adequate under Article 45.
The additional information is protected by technical and organizational measures.
Any quasi identifiers remaining in the data to be transferred have been managed appropriately to ensure that the data subjects cannot be re-identified by linkage.

How can Privitar help?

Privitar’s Data Privacy Platform can produce data meeting the above outlined criteria. Used alongside an organization’s robust approach for handing quasi-identifiers and for selecting use cases for which de-identified data is appropriate, Privitar enables compliance. Organizations will need to:

Decide whether a value is a quasi-identifier. This includes considering whether the value is unique in combination with other values in the data. For example, many individuals share a date of birth, gender or city, but very few will have the same date of birth, gender and city.
Consider linkage risk. If the data contains quasi-identifiers, the organization will need to consider whether those quasi-identifiers might be available to a third party. For example, date of birth, gender and city may be available in public records, on social media or in other datasets. A third party with access to those other sources of data could re-identify an individual by linkage.
Select an appropriate control to protect against linkage attacks (for example, generalizing data to achieve k-anonymity) and calibrating the control correctly (for example, choosing an appropriate value for k).
Consider sensitive attribute disclosure, applying more advanced controls to l-diversity and t-closeness if necessary.

Although pseudonymization offers an option for transferring data to the US, it is not a general solution and will only be appropriate in some use cases (for example, analytics or research). Some utility loss is unavoidable, and generalization is not suitable for some types of data such as location traces, transaction histories and other datasets recording multiple events over time relating to the same individual.

Finally, organizations should be prepared for the EDPB guidance to evolve. The public consultation highlighted significant concerns, and policy makers are acutely aware of the challenges.