
Schrems 2, Brexit and the US Cloud Act: their impact on data transfers and the solution to maintain data liquidity
In the “Schrems II” ruling passed in July 2020, the EU Court of Justice invalidated the “Privacy Shield” self-certification mechanism that allowed the transfer of data from the European Union to the United States.
The cancellation of the Privacy Shield will, therefore, impact all companies that transfer personal data from EU countries to the US. That includes thousands of companies that have their headquarters or subsidiaries in the US, as well as the GAFAM and all major US cloud providers.
However, the transfer may still take place if the personal data exporter can prove that the company has the appropriate safeguards in place. These protections are usually documented using Standard Contractual Data Protection clauses and other organizational measures. Nevertheless, if the law of the third country allows the local government access to the data that EU regulatory authorities deem disproportionate, those authorities can still suspend or forbid the data transfer.
Regarding Brexit, the Commission launched the process towards the adoption of adequacy decisions for transfers of EU personal data to the United Kingdom, meaning that the UK will not be obliged to take specific measures to allow the transfer.
The US Cloud Act of 2018 grants US courts the right to issue a warrant demanding that companies subject to US law hand over data they store for customers, even when that data is stored in the EU. As a result, it is increasingly difficult, and increasingly expensive, for companies to operate and comply with US data regulations while keeping a high level of data liquidity (data usability combined with data protection).
Furthermore, all data transfers outside the EU can be banned unless the destination country is considered to have a sufficient data protection adequacy level. Keeping in mind that simple access to a database is considered a data transfer, it is complex to work with third-party application developers located in countries like India, China, etc.
A solution to the above-mentioned problems is for companies to protect the data before ever transferring it to the US or any non-compliant country.
With RegData Protection Suite (RPS) software, companies can apply over 100 REGDATA (Swiss-European) proprietary protection techniques of Anonymization, Tokenization, Encryption or Pseudonymization. The appropriate protection techniques can be chosen according to the business context to maintain performance and data usability in line with the data controller’s role matrix while safely and lawfully transferring data.
RPS is a highly configurable tool that allows companies to:
- Protect each data transfer according to a specifically defined context in the RPS configuration console.
- Protect both the operational environment and the data transfer by configuring the right protection sequences in the operational environments and for the data transfer. For example, from an encrypted state in the operational database to an anonymized form for the transfer.
- Define the protection of the data transfer according to the processing purpose of the user. When a specific user must access the data in the clear (or anonymized/pseudonymized…) to operate, a specific configuration can be set and logged to provide evidence of processing purpose to regulators.