Today Privacy1 released software that solves the technology challenges brought by the Schrems II ruling. The solution brings capabilities to suspend and halt data sharing in total or selectively by category, service or data subject with processors and puts this control right in the hands of the privacy team to enforce contractual clauses with immediate effect.
The Schrems II ruling by the Court of Justice of the European Union essentially invalidated the Privacy Shield agreement that was widely used to lawfully transfer personal data to US entities. This brings difficult challenges for all EU data controllers using Privacy Shield for lawful US data transfer.
There has been a lot of talking about business impacts and how international law must change. Some privacy vendors propose that their documentation solutions can help, but there has been very little in the way of an operational solution that actually helps you stop, suspend and delete data on demand. Privacy1, however, is different and has been focusing on a practical technology solution that solves the day to day privacy operational issues that allow you to actually control data and enforce agreements in real time.
Data controllers must ensure they have given clear instructions to US data processors how to process personal data in accordance with EU data protection law and have solid assurances from any US data importers that they provide sufficient protections and have/will report any conflicts as it’s the responsibility of the data controller to warrant these protections.
Controllers must also have appropriate contracts (SCC’s or BCR’s) in place, and in addition provide mechanisms to mitigate any non-compliance by a US data processor. Examples of these are :
Transatlantic data must remain safe and have appropriate data security to guard against breach, sabotage and backdoor surveillance.
Must have the ability to suspend or terminate the transfer of personal data by the Data exporter in the event that it is impossible to honour the SCC or terminate the SCC.
How do you then apply protections to all personal data that is controllable by the privacy team to protect against unlawful surveillance, breaches or even internal misuse?, how do you trigger a stop action for the data transfer? If your business is notified by a data processor when there is surveillance registered activity, can you afford to stop the whole transfer if the activity violates your users’ privacy rights? If not, can your business stop the data transfer for only the requested user and still keep the data flow for non-violated users and how do you put this control in the hands of the data protection team and data subjects?
Privacy1’s technology provides at its core a strong pseudonymisation engine to protect all personal data from internal misuse, breach or electronic surveillance. On top of this core is a control layer that uses selective encryption to control access to personal data at the data subject, data controller and data service level. It can also grant time limited access. The easy to use interface allows the non technical compliance team to have full and immediate control to be able to :
Secure, protect and pseudonymise all personal data internally and externally
Selectively Grant/ Reject requested access to any personal data and enforce legal judgements and associated time limits
Stop or suspend the data processing activity completely, for a given service, processor or data subject
Allow a data subject to exercise all actionable rights such as data restriction/objection/deletion
These capabilities and business level controls make it much easier to operationalise the mechanisms that must be in place to enforce your SCC and operate your new privacy processes. They allow you to implement risk mitigation measures immediately should you suspect any kind of issue, rather than having to mobilise a technical team. As it’s selective, your business can stop the processing of personal data on a very granular level i.e a certain type of data that belongs to a specific data subject.
This means you would not have to terminate the whole SCC if a single user’s data is violated, instead you can choose to suspend the data processing activities for that specific user to remedy the data violation.
Obviously, data controllers must take the assurance, legal and contractual steps in addition to implementing technologies like Privacy1 to solve the Schrems II challenges. However, privacy aware technology like this allows organisations to operate with speed and control, rather than relying only on legal and contractual protections. This is particularly important when dealing with hard to warrant processors or untrusted countries.
The ability to exert control granularly and selectively will also give you more influence over agreements with your processors and allow you to negotiate better terms. The fact that you can even allow the data subjects to take action themselves builds trust with your consumers, and gives you a demonstrable way to prove you are ensuring data subject rights.
Privacy1 believes a business can meet the legal situation after Schrems II by using a combination of SCCs, technologies and procedures and that a business’s personal data can survive without having to be forced to migrate out of US based services.
See details of our Schrems II technology that avoids have to repatriate you data back to the EU here or to see more blog posts like this its here. If you would like more information on Privacy1 technology or need help with the legal or contractual issues above please contact us at www.privacyone.co, or see more blog posts here
Privacy1 is a software company in Stockholm and London that develops technologies for practical management of personal data. With a vision to empower the consumers and citizens to manage their own personal data, and provide tech to help companies and governments encrypt, secure and automate to ensure they fulfil their privacy promises and meet all level of data regulatory requirements, Privacy1 is about building trust to reset the data privacy balance to the advantage of all.