Technical measures for Schrems II
How to use encryption to create appropriate safeguards for EU personal data
The complexity of holding EU personal data
Under the GDPR, personal data of people in the EU may only flow to countries that provide adequate privacy protections. The U.S. does not guarantee privacy rights to non-U.S. persons, which conflicts with the privacy guarantees of EU fundamental-rights law and the GDPR.
As a consequence, data-transfer agreements between the U.S. and EU have repeatedly been struck down. Most recently, the EU-U.S. Privacy Shield Framework was invalidated in a case known as Schrems II.
In 2020, when the Court of Justice of the European Union (CJEU) ruled that the framework was invalid, it cited U.S. intelligence overreach and the lack of redress options for EU citizens. That once again left U.S. companies without a legal basis for holding EU personal data.
The rollercoaster ride of data protection agreements and policies has led to uncertainty, lost business, and numerous lawsuits seeking to halt U.S. software companies from doing business in Europe.
All eyes on Meta
Not long after the EU-U.S. Privacy Shield was struck down in 2020, the Irish Data Protection Commission (DPC) sent Facebook, now Meta, a preliminary order telling it to suspend transfers of EU data to the U.S.
Two years later, Meta's lawyers are still dragging the process out to avoid a ruling that could force the company to halt its operations in the EU.
Meta's best hope has been for a new framework to appear that would create a legal basis for operating in Europe and make the case against it moot.
The recent Trans-Atlantic Data Privacy Framework announcement
On March 25, 2022, the U.S. and EU agreed “in principle” on a new legal framework for GDPR-compliant data transfers, with extra emphasis on “in principle.” Very little is known at this time about what this framework might entail or how it would work. All we have are bullet points:
A new executive order will instruct U.S. intelligence agencies to only access the data on EU citizens if that access is “necessary and proportionate to protect national security.”
Under the order, U.S. agencies will adopt new unspecified procedures to ensure effective oversight of privacy.
The order will also create a redress system by which Europeans can make privacy complaints that will be investigated and resolved by a new undefined “Data Protection Review Court” that will be staffed by people who are not a part of the U.S. government.
This has yet to be solidified, and it will certainly be challenged.
Experts remain skeptical of new framework
It’s no surprise that, after all the many ups and downs over the years, the software industry and legal experts are skeptical of the Trans-Atlantic Data Privacy Framework getting approval and surviving a challenge.
Max Schrems, lead litigant in the “Schrems I” and “Schrems II” cases before the CJEU, released his initial reaction to the Trans-Atlantic Data Privacy Framework announcement and had this to say:
"We already had a purely political deal in 2015 that had no legal basis. From what you hear we could play the same game a third time now. The deal was apparently a symbol that von der Leyen wanted, but does not have support among experts in Brussels, as the U.S. did not move. It is especially appalling that the U.S. has allegedly used the war on Ukraine to push the EU on this economic matter."
“It is regrettable that the EU and U.S. have not used this situation to come to a ‘no spy’ agreement, with baseline guarantees among like-minded democracies. Customers and businesses face more years of legal uncertainty.”
Avoid gray areas with technical solutions
If you're like us, you might be frustrated with the uncertainty that politics and court cases have inflicted on everyday business. So let's get to the core of the issue. What can U.S. software companies do to comply with EU expectations of privacy and data protection? Standard contractual clauses are certainly recommended, but on their own they do not address the core issue: U.S. software companies need to protect the data itself from U.S. government overreach.
Encryption cannot change U.S. law, but used appropriately it ensures that the only path to plaintext runs through a party that is subject to EU due process. If the keys to EU personal data are held by the user or by the customer in the EU, a U.S. agency cannot simply compel the software company to hand over readable data; it has to work through EU legal channels with its EU counterparts to get access.
There are two encryption patterns that accomplish these goals.
Schrems II encryption patterns
End-to-end encryption (E2EE)
Data is encrypted and decrypted on user devices, and the software company holding the data never has the keys needed to decrypt it. Its servers see nothing but meaningless bytes.
A government agency wanting access to the data will either need to compel it from the user who holds the key, gain access to an authorized device that holds the key, or otherwise break or undermine the system.
Bring your own key (BYOK)
The customer supplies and controls the key, typically through a key management service (KMS) the customer operates. Data is encrypted with that key before being written to the database or disk, and the software company does not hold a persistent copy of the key needed to decrypt sensitive customer data.
For this to be effective, the key must only be usable through the customer's KMS, so that a U.S. agency cannot seize it from the software company's systems. The agency would instead have to compel the software company to write code that undermines its own access controls and security measures, for example by copying out a data key while it is in use, to get at the unencrypted data. That is a far higher bar, and the customer can revoke the provider's access to the key at any time, which stops any further decryption.
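The two patterns side by side, as an added example that is not code from the original post. It uses Go's standard-library AES-256-GCM and assumes a hypothetical in-memory Provider store and a stand-in CustomerKMS type; real deployments would replace both with a database and a customer-operated key service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// gcmFor builds an AES-256-GCM AEAD; a wrong key length is a programming error.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal encrypts plaintext under key and prefixes a random nonce; aad binds the
// ciphertext to its record id so stored records cannot be swapped around.
func seal(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; it fails if key, nonce, tag or aad do not match.
func open(key, box, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(box) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, box[:gcm.NonceSize()], box[gcm.NonceSize():], aad)
}

// NewKey returns a fresh random 256-bit key.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// stored is a record as the provider holds it: ciphertext and, for BYOK, the
// per-record data key (DEK) wrapped under the customer's key. No usable key.
type stored struct{ ct, wrappedDEK []byte }

// Provider models the U.S. software company's database (hypothetical).
type Provider map[string]stored

// Raw is all that the provider, or anyone compelling it, can read directly.
func (p Provider) Raw(id string) []byte { return p[id].ct }

// Pattern 1, end-to-end: userKey never leaves the user's device, so the
// provider only ever stores and returns opaque bytes.
func ClientUpload(p Provider, userKey []byte, id string, plaintext []byte) {
	p[id] = stored{ct: seal(userKey, plaintext, []byte(id))}
}

func ClientDownload(p Provider, userKey []byte, id string) ([]byte, error) {
	return open(userKey, p[id].ct, []byte(id))
}

// Pattern 2, BYOK via envelope encryption. CustomerKMS stands in for a key
// service the customer operates (hypothetical, e.g. in the EU). The provider
// never sees kek; it can only ask the KMS to wrap or unwrap per-record DEKs.
type CustomerKMS struct {
	kek     []byte
	revoked bool // the customer can cut the provider off at any time
}

func (k *CustomerKMS) Wrap(dek []byte, id string) []byte { return seal(k.kek, dek, []byte("dek:"+id)) }
func (k *CustomerKMS) Unwrap(wrapped []byte, id string) ([]byte, error) {
	if k.revoked {
		return nil, errors.New("kms: provider access revoked")
	}
	return open(k.kek, wrapped, []byte("dek:"+id))
}

// StoreBYOK encrypts under a fresh DEK, has the customer's KMS wrap it, and keeps
// only ciphertext plus wrapped DEK; the plaintext DEK is gone once this returns.
func (p Provider) StoreBYOK(kms *CustomerKMS, id string, plaintext []byte) {
	dek := NewKey() // only a compelled code change here could copy dek out
	p[id] = stored{ct: seal(dek, plaintext, []byte(id)), wrappedDEK: kms.Wrap(dek, id)}
}

// ReadBYOK works only while the customer's KMS still unwraps for the provider.
func (p Provider) ReadBYOK(kms *CustomerKMS, id string) ([]byte, error) {
	dek, err := kms.Unwrap(p[id].wrappedDEK, id)
	if err != nil {
		return nil, err
	}
	return open(dek, p[id].ct, []byte(id))
}
```

Two details carry the Schrems II argument. In the E2EE path, Provider.Raw returns only nonce plus ciphertext plus tag, and the record id is bound as associated data, so a compelled operator cannot decrypt or quietly move a record under another user's id. In the BYOK path the provider does briefly hold a plaintext DEK inside StoreBYOK and ReadBYOK; that in-memory window is exactly the code an agency would have to compel the company to change, and flipping CustomerKMS.revoked shows that the customer, not the provider, decides whether any further decryption happens.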