About the author
Scott M. Giordano is an attorney with more than 20 years of legal, technology, and risk management consulting experience. An IAPP Fellow of Information Privacy and a Certified Information Systems Security Professional (CISSP), Scott serves as Spirion’s subject matter expert on multinational data protection and its intersection with technology, export compliance, internal investigations, information governance, and risk management.
IDC estimates that by next year 65% of global GDP will be digitalized. Yet, the World Economic Forum contends that “only 45% of people trust that technology will improve their lives,” leaving “every sector beginning to face deep questions about what the implications of this transformation will be.”
But it’s not just industry sectors that are questioning the full impact of digital transformation. States, countries, and entire geographical regions are struggling to balance citizen privacy, human rights, consumer protection, and cybersecurity in a world of increasing global digital data flows.
In particular, last summer, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield program, a transatlantic data transfer mechanism developed in parallel with the EU General Data Protection Regulation (GDPR). With the invalidation of this framework, businesses may be unable to transfer personal data across the Atlantic if they cannot ensure it is protected from public authorities, increasing risk for organizations that rely on cross-border transfers of personal data.
In today’s post, we’ll review the seven technical and organizational mandates of GDPR and summarize what the recent Schrems II decision means for your transatlantic data flows. We’ll also share technical guidance to help you stay compliant with rapidly evolving cybersecurity and privacy mandates through the winning combination of persistent data classification and modern Digital Rights Management (DRM) to precisely define the “who,” “what,” “when,” and “where” of sensitive data access.
The Transatlantic Digital Data Economic Engine
The aforementioned IDC report forecasts that digitalization initiatives will “drive over $6.8 trillion of direct DX investments from 2020 to 2023,” a six-fold increase from the $1.2 trillion spent in 2018. IDC also suggests that by 2025, “75% of business leaders will leverage digital platforms and ecosystem capabilities to adapt their value chains to new markets, industries, and ecosystems.”
There are no more significant consumers or creators of digital data than the United States and the European Union. Together, the two territories account for three-fourths of the world’s digital content produced. The U.S. is the largest market for EU digital services and the EU’s largest supplier of digitally enabled services, including social networks, cloud computing, financial management, entertainment, manufacturing, and engineering.
At the heart of the EU-U.S. $5.5 trillion economic relationship are transatlantic data flows and transfers. A McKinsey study found that as early as 2015, the value of cross-border data flows had exceeded the value of cross-border physical merchandise trade; furthermore, the data flows between the U.S. and EU “were by far the most intense in the world.” Today it is estimated that approximately “half of all data flows in both the U.S. and EU are transatlantic transfers.”
According to the Organization for Economic Cooperation and Development (OECD), “cross-border transfers of data underpin virtually all business relations in international trade, international investment, and global supply chains. Data transfers are also fundamental in enabling business operations of multinational companies.” The World Bank emphasizes that personal data is “expected to represent a significant share of the total volume of data being transferred cross-border.”
The Fundamental Right of Personal Data Protection
In our digitally transforming universe, consumers’ data privacy is under increasing assault; cyber breaches now occur every 39 seconds. A study by Ponemon Institute and IBM indicates that consumer personally identifiable information (PII) is the most frequently compromised type of record with 80% of breached organizations stating that customer PII was compromised during the breach, far more than any other type of record.
Recognizing the emerging tension between the economic value of big data and personal data privacy, the United Nations’ seminal 2013 resolution, “Right to Privacy in the Digital Age,” declared data privacy a fundamental human right. The resolution stressed that “the same rights people have offline must also be protected online” and called on countries to “respect and protect the right to privacy, including in the context of digital communication.”
Even before the United Nations’ declaration, the European Union was advocating for both personal data privacy and data protection. The Charter of Fundamental Rights of the European Union, which entered into force in 2009, stipulates that “everyone has the right to the protection of personal data concerning him or her” and that data “must be processed fairly for specified purposes and based on the consent of the person concerned or some other legitimate basis laid down by law.”
The 7 Mandates of GDPR
In 2016, the EU went a step further and introduced the most progressive data protection legislation globally, the General Data Protection Regulation (EU) 2016/679 (GDPR). The GDPR went into effect in May of 2018 and has since become the de facto standard in comprehensive data privacy protection regulation.
The GDPR requires “technical and organizational” security controls regulating the “who,” “what,” and “when” of personal data processing and handling by both data controllers and processors that (1) reside in the EU; (2) offer goods and services into the EU; or (3) monitor consumer behavior in the region. It also seeks to extend all the associated rights and obligations to any country receiving EU personal data to protect the confidentiality, integrity, access, and resilience of such data.
The seven technical and organizational mandates of GDPR require that personal data be:
- Processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).
- Adequate, relevant, and limited to what is necessary in relation to the purposes for which the data is processed (‘data minimization’).
- Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which it is processed, is erased, or rectified without delay (‘accuracy’).
- Kept in a form which permits identification of data subjects for no longer than is necessary (‘storage limitation’).
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
- Handled by a controller who is responsible for, and must be able to demonstrate, compliance with the principles above (‘accountability’).
Enactment of the Privacy Shield to Facilitate Cross-Border Data Transfers
The U.S. and EU developed the Privacy Shield framework to facilitate the cross-border transfer of personal data for commercial purposes in accordance with EU law. Approved in 2017, the Privacy Shield provided organizations with a list of principles governing their compliance with data protection requirements when transferring personal data from the EU (and Switzerland) to the U.S., including the need to:
- Have a legal basis to process the personal data in the first place (e.g., through consent or a contract).
- Utilize a data transfer mechanism, which may include:
  - Privacy Shield (for data transfers to the U.S.)
  - Standard Contractual Clauses (for data transfers to anywhere), which are approved by the EU and bind organizations to baseline data protection standards.
  - Binding Corporate Rules (for data transfers to anywhere), which comply with GDPR standards.
As of last summer, more than 5,300 organizations relied on the Privacy Shield program for transatlantic data flows and data transfers.
The Schrems II Ruling Introduces a Transatlantic Digital Divide
Last summer’s decision in Data Protection Commission v. Facebook, more commonly known as Schrems II, put the spotlight on data transfers between the U.S. and EU. The Court of Justice of the European Union (CJEU) invalidated the U.S.-EU Privacy Shield framework on the basis of the “adequacy” of protection offered by the United States. The CJEU handed down the ruling primarily because of the common electronic surveillance practices of U.S. intelligence agencies: U.S. foreign intelligence surveillance law does not provide adequate protection, under EU law, for personal data transferred from the EU to the U.S. Specifically, the Court found that the U.S. violated the principle of proportionality, with intelligence agencies commonly collecting more information than necessary. In addition, the Privacy Shield lacked individual redress for EU data subjects in case of personal data privacy infringements by U.S. authorities.
The Brookings Institute suggests that the “CJEU decision makes clear that all the key GDPR mechanisms for transferring personal data from the EU to third countries are unstable, namely adequacy decisions, Standard Contractual Clauses (SCCs) and binding corporate rules (BCRs). In this respect, the CJEU decision will have ramifications beyond its immediate impact on data flows between the EU and the U.S.”
While Schrems II invalidated the Privacy Shield, it still allows for data transfers based on Standard Contractual Clauses. However, the CJEU explicitly mandates that controllers adopt “supplementary measures” to ensure compliance. Organizations conducting transatlantic data transfers must “ensure adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards.”
All personal data transfers from the EU to non-adequate nations must be reviewed immediately to determine if “additional safeguards” or “supplementary measures” are necessary. Transfers to the U.S. almost certainly will have to stop until those measures are in place. Unfortunately, there is no grace period for these actions.
What should organizations do to stay compliant?
Leveraging Data Classification and Digital Rights Management to Ensure Legal Compliance
In the wake of Schrems II, the “where” of data access has become especially relevant for complying with the GDPR. Today, once data leaves the perimeter, security, visibility, and compliance are lost in cross-border data flows. Regaining control of that journey requires the data itself to inform the infrastructure as to what destinations are acceptable. By doing so, the fulfillment of CJEU mandates (or that of some other tribunal) as they develop can be accomplished by re-calibrating the data’s go/no go instructions.
The combination of data classification and digital rights management advances compliance with multiple policies and contractual obligations throughout the information lifecycle, effectively building an Information Governance “electric fence.” Data is secured, visible, and compliant, providing a forensic audit trail of how data is being used―including the destination or “last mile” where unauthorized attempts to breach security and privacy are fully auditable.
Here’s how the powerful combination works:
Data classification applies a level of confidentiality and defined handling instructions to each piece of information under one’s domain―such as who can access it, how it should be protected, how long it should be retained, how it should be disposed of, etc.
When data is classified, organizations can more easily develop frameworks that simplify security procedures and deliver compliance with corporate policies. Businesses define data classification schemes to determine the levels of confidentiality required for each piece of information maintained by the organization, thereby creating consistency in how controls are applied to protect information.
Classification, in and of itself, provides very little in the way of true protection. The process truly shines when classification is combined with allied technologies. One increasingly popular example is the employment of Digital Rights Management. DRM applies additional, persistent controls for identity, cryptography, and access, driven by the classification of documents (such as those identified by Spirion), to protect and track sensitive data both within the enterprise and in the cloud.
Digital Rights Management
In situations where organizations don’t want to delete, quarantine, or encrypt data with broad strokes, digital rights management, as delivered by companies like Seclore, can provide the granular, file-level security required without stripping the valuable business utility out of files containing sensitive data.
Digital rights management goes well beyond basic encryption to restrict data access to only the specific individuals that require it. DRM’s strong suits include:
- Flexibility: Levels of rights can be applied to restrict recipients from editing the data, printing it, or copying anything from it to an insecure location.
- Auditing: It is possible to track who is accessing it, what they are doing with it, when they are doing it, and so on.
- Access Expiry: DRM can either distribute with a predefined expiry date or expire the access remotely from a central console.
- Adjustability: It is possible to revoke or adjust access for certain users even after sharing the file.
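The following is an added illustration (not Spirion’s or Seclore’s code) of how a classification label can carry the “who,” “what,” “when,” and “where” handling instructions described above and how a DRM-style check enforces them per access request, including expiry, post-sharing revocation, and the geo-fence on destination jurisdictions. The user names, the rights vocabulary, the audit-line format, and the adequacy set are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Added illustration: a classification label carries handling instructions (who / what / when / where)
# and a DRM-style check enforces them. The adequacy set is a constructed placeholder, not a legal determination.
ADEQUATE_DESTINATIONS = {"EU", "CH", "UK", "JP", "CA"}

@dataclass
class Label:
    level: str                                  # classification applied at discovery time
    rights: dict                                # who -> what: user -> {"view", "edit", ...}
    expires: datetime                           # when: hard expiry fixed at distribution
    geo_fenced: bool = True                     # where: confine access to adequate jurisdictions
    revoked: set = field(default_factory=set)   # users whose access was withdrawn after sharing

@dataclass
class Request:
    user: str
    action: str      # "view", "edit", "print" or "copy"
    country: str     # jurisdiction from which the access is attempted
    at: datetime

def evaluate(label: Label, req: Request) -> tuple:
    """Return (allowed, reason); any failed check denies the request."""
    if req.at >= label.expires:
        return False, "access expired"
    if req.user in label.revoked:
        return False, "access revoked"
    if req.action not in label.rights.get(req.user, set()):
        return False, f"{req.user} has no '{req.action}' right"
    if label.geo_fenced and req.country not in ADEQUATE_DESTINATIONS:
        return False, f"destination {req.country} is outside the geo-fence"
    return True, "allowed"

def revoke(label: Label, user: str) -> None:
    label.revoked.add(user)   # central-console revocation after the file has left

def audit_line(label: Label, req: Request) -> str:
    """One forensic audit-trail record per decision (constructed format)."""
    ok, reason = evaluate(label, req)
    return f"{req.at.isoformat()} {'ALLOW' if ok else 'DENY'} {req.user} {req.action} {req.country} [{label.level}] {reason}"
# Constructed sample label and access requests.
T = datetime(2021, 6, 1, tzinfo=timezone.utc)
SAMPLE_LABEL = Label(level="confidential-personal-data",
                     rights={"alice@example.eu": {"view", "edit"}, "bob@example.com": {"view"}},
                     expires=datetime(2021, 12, 31, tzinfo=timezone.utc))
REQ_VIEW_EU = Request("alice@example.eu", "view", "EU", T)
REQ_PRINT_EU = Request("alice@example.eu", "print", "EU", T)
REQ_VIEW_US = Request("bob@example.com", "view", "US", T)
REQ_LATE = Request("alice@example.eu", "view", "EU", datetime(2022, 1, 1, tzinfo=timezone.utc))
```

Each call to `audit_line` yields one record of the “last mile” trail, so denied attempts from non-adequate destinations are logged as well as allowed ones.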
Follow the Data and Stay GDPR Compliant
The Schrems II decision has had a profound impact on personal data transfers out of the European Union. To keep sensitive digital data flowing across the Atlantic, organizations must now adopt additional safeguards to comply with EU law.
Data classification and DRM can provide a robust and automated way to discover, classify and protect safe data flow. Together they can be used to form an impermeable electronic fence around the last data mile to prevent entities in “inadequate” nations from viewing personal data. Such geo-fencing substantially meets the CJEU’s mandate of supplemental measures. The result is that data is protected against exfiltration with controls that maintain the business value by facilitating the safe flow of data within and outside the enterprise, including