About the author
Scott M. Giordano is an attorney with more than 20 years of legal, technology, and risk management consulting experience. An IAPP Fellow of Information Privacy and a Certified Information Security Systems Professional (CISSP), Scott serves as Spirion’s subject matter expert on multinational data protection and its intersection with technology, export compliance, internal investigations, information governance, and risk management.
On July 16, 2020, the Court of Justice of the EU (CJEU) rendered what is now considered a landmark decision with respect to the transfer of personal data across national borders. In case C-311/18 Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (“Schrems II”), the CJEU invalidated the US-EU Privacy Shield Program, a data transfer protocol that had been negotiated over the course of two and a half years by the US Department of Commerce and the European Commission (EC). The creation of the Privacy Shield Program itself was the result of an earlier CJEU decision, Schrems I, which held that Privacy Shield’s predecessor, the Safe Harbor Program, was inadequate to protect EU personal data being transferred from the EU to the U.S. Both decisions were the result of the June, 2013 revelations of former NSA contractor Edward Snowden that the NSA was searching all internet traffic coming into the U.S. By invalidating Privacy Shield, the Court threw into doubt the legality of transatlantic personal data transfers for thousands of organizations, while offering a murky path forward. Geo-fencing, a technology that enables the vast majority of data to travel in multinational comer while respecting data protection regimes, holds great promise as a solution to the mandates of the Court.
Moving Personal Data Out of the European Union
The EU promulgated its first comprehensive data protection regime, the Data Protection Directive 95/46/EC, in October of 1995. Under the Directive, personal data could be transferred to organizations outside of the EU if the destination country possesses data protection laws that were considered by the European Commission to be “adequate,” i.e., to be more or less as rigorous as that of the Directive. If personal data was to be transferred to a country lacking adequacy (such as the U.S.), then the transferrer (called the “exporter”) had to sign a separate agreement (called “Standard Contract Clauses” or “SCCs”) with the recipient (called the “importer”) that cited all of the data protection measures the importer was going to take. In the case of transfers to the U.S., exporters had the option to use the Safe Harbor Program, which was essentially a simplified set of SCCs that was agreed to in advance by U.S.-based importers by registering with the U.S. Department of Commerce. The Safe Harbor program was popular with U.S.-based importers because it was relatively simple to use.
The Snowden Revelations and Schrems I
However, in June of 2013, former NSA contractor Edward Snowden revealed that the NSA was searching all data coming into the U.S. through undersea “trunk” lines that carry just about all electronic data from the rest of the world. On the basis of this, Austrian attorney Maximilian Schrems filed a complaint against Facebook’s use of Safe Harbor to transfer EU personal data to the U.S. with Ireland’s data protection agency (Facebook’s EU headquarters is in Ireland). The matter worked its way up to the CJEU, which ruled October 6, 2015, that the program was invalid. The Court did so because (1) at the time it was (and still is) legal for U.S. authorities to access and search, on a generalized basis, electronic communications coming into the U.S. and (2) EU data subjects had no remedy in U.S. courts. That should have ended the matter. However, Ireland’s data protection commissioner informed Schrems that Facebook relied on SCCs, not Safe Harbor, to transfer the data. Schrems then started the entire process over with an amended complaint.
The Road to Schrems II
Soon after the invalidation of the Safe Harbor program, negotiators at the U.S. Department of Commerce and the EC accelerated discussions of a replacement for Safe Harbor. Within 10 months, that replacement, the EU-U.S. Privacy Shield Framework, was deemed adequate by the EC, and U.S.-based enterprises began self-certifying under the new program’s mandates. Meanwhile, Schrems’ amended complaint wound its way through Ireland’s court system and the matter wound up back at the CJEU. On July 16, 2020, the CJEU handed down what would become known as Schrems II. The decision both invalidated Privacy Shield and called into question data transfers using SCCs. The Court used the same reasoning as before: U.S. authorities’ unfettered interception of incoming electronic communications was both legal under U.S. law and did not offer legal recourse to EU data subjects. Moreover, there was no grace period for data exporters to make changes—they would have to resolve any legitimacy questions about data transfers immediately. Since Schrems I, the EU’s General Data Protection Regulation (GDPR) came into force, replacing the Directive. Now, those organizations relying on Privacy Shield to transfer EU personal data to the U.S. had to scramble to either find an exception to the GDPR’s data transfer rules (something difficult to do) or use SCCs, which now possessed significant problems.
The New “Additional Safeguards” Rule for Standard Contract Clauses
In its holding invalidating Privacy Shield, the Court mandated that those exporters and importers relying on SCCs determine, on a case-by-case basis, whether the laws of the nation of the importer (called a “third country”) are adequate to protect the personal data of EU data subjects. The Court stated that
[i]t is therefore, above all, … to verify, on a case-by-case basis and, where appropriate … whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses. [my emphasis]
What are those “additional safeguards”? The Court did not say. On November 10, 2020, the European Data Protection Board (EDPB), an EU-based data protection authority and privacy think tank, published a “recommendations” document that cited some scenarios that might meet the “additional safeguards” standard. However, the scenarios were not particularly helpful; in some instances, they bordered on the absurd. Also in November, the EC published updated SCCs, specifically in response to the Court’s decision. However, they rely on the same premise as the EDPB’s document: the additional safeguards must somehow frustrate or even defeat the efforts of the intelligence agencies of a state actor, a very high bar to clear – perhaps impossibly so.
Geo-Fencing as an Additional Safeguard
Geo-fencing is the use of global positioning system (GPS) coordinates, IP addresses, or other telemetry to place a virtual border around a physical area. Prime examples of geo-fencing use cases include:
- Advertisement: targeted Ads based upon a user’s location
- Security: restricting access to information based upon a user’s location
Geo-fencing represents an effective way to granularly protect personal data in multinational commerce. Taking, as an example, the scenarios described in both Schrems cases: a data exporter (Facebook Ireland) wishes to transfer data to an importer located in a nation not deemed adequate by the EC (Facebook U.S.). Much of that data will not qualify as “personal” and even less will qualify as “sensitive personal” under the GDPR or a similar data protection regime. By classifying data according to its sensitivity and then applying geo-fencing, documents, files, or communications can be transferred to (or accessed from) a given nation, with certain ones “screened out” based on whether the destination country is considered adequate. For that matter, the criteria for what data can be transferred to a given nation could be anything, offering a data export located in the EU tremendous flexibility in what data can be transferred. Most importantly, it prevents an “all or nothing” approach that would otherwise be necessary, given the necessity for making a go/no-go decision for every transfer.
Squaring the Schrems Circle With Geo-Fencing
The Schrems II decision is responsible for calling into question the legality of the transfers of personal data from the EU to the U.S. and other nations. It did so by invalidating one data transfer protocol, the Privacy Shield Program, and belaboring another, Standard Contract Clauses (SCCs), with the necessity of “additional measures” to currently employed cybersecurity controls. The CJEU sees the prospect of electronic surveillance by U.S. intelligence agencies of trans-Atlantic data transfers as posing such a threat to the rights of EU persons that measures apparently designed to frustrate such surveillance are merited. Data protection professionals are now tasked with the job of having to determine what controls qualify as meeting this new mandate and to do so largely by themselves, owing to the CJEU’s lack of guidance. Geo-fencing offers a powerful way of limiting access to narrowly-defined types of data housed in one geography (such as the EU) from another (such as the U.S., China, or Russia). In doing so, it allows the transfer of the vast majority of the data need to engage in multinational commerce while still respecting the varied needs of evolving data protection regimes around the world.
The “Power of 2” – Addressing Schrems II
Technologies continue to evolve as well as align in a complementary fashion to address Schrems II, as well as many other use cases.
Spirion and Seclore have combined forces to create a “Best of Breed” offering which discovers, identifies, classifies, and protects your information, in a completely automated manner. Protection which includes: “who” can access information, “what” can they do with the information (view, edit, print, copy/paste, etc.), “when” can they access the information (time-bombing), and from “where” can they access the information (geo-fencing).