The webinar, hosted by Brian Runciman MBCS, Head of Content and Insight at BCS introduced a panel of experts to explore what the ruling means, who it affects and why it’s an issue for all of us.
- Dr W Kuan Hon: Director in the Privacy, Security and Information Law team of leading technology law firm Fieldfisher and author of Data localization laws and policy - the EU data protection international transfers restriction through a cloud computing lens. She is also an English solicitor and a New York attorney.
- Adam Leon Smith FBCS: Chief Technology Officer and Data Protection Officer at Dragonfly, a UK/European consultancy, as well as being chair of BCS SIGIST.
- Chiara Rustici is an independent academic and data regulation analyst. Formerly a research fellow with Italy's CNR, teaching fellow in Jurisprudence at the University of Genoa, and research scholar at the Universities of Milan and Edinburgh. She chairs the BCS Law Specialist Group and is part of the BCS governance team with the PPP committee.
Part One: The Schrems II ruling
Dr W Kuan Hon took us through a presentation of the legal implications about what the Schrems II ruling actually means.
Dr Hon said: ‘The GDPR (general data protection regulation) of course regulates the processing of personal data by controllers and processors who are used by controllers to help them process personal data, controlling how personal data of people in the EU is processed, which applies to both controllers and processes.
‘Processing is much wider than people think. It includes merely storing transmitting or accessing or viewing data, not just doing something with it. And the definition of the concept of personal data is, again, much broader than most people think it is. Almost everything is going to be personal data under the GDPR. Transfer, the key concept we're talking about here, is not defined in the GDPR but it does include pull as well as push transfer.
‘If you're sending personal data outside the EEA that's a transfer. You're sending it - so that it's hosted outside the EEA, that's a transfer. But also, if you allow somebody who's outside the EEA remote access to view not just take a copy of, but just view personal data that is stored physically in the EEA - that is a transfer.
‘Under the GDPR, transfers outside the European economic area, to so-called third countries are banned and similarly transfers to International organisations are banned, unless one of three main conditions applies. The first is that the recipient country has been declared to have adequate protection under a Commission decision - and examples include Israel and Japan - and of course, the now-defunct Privacy Shield for transfers to the US.
‘Now onto the Schrems II decision itself. Max Schrems was responsible for putting an end to the EU/US Safe Harbour a few years ago, which is the predecessor to the Privacy Shield. And now of course recently, the Court of Justice of the EU has ruled that the Privacy Shield which replaced Safe Harbour is also no longer valid.
‘[What this really] means is a kind of risk assessment, what I would like to call APA or adequate protection assessment, because you're looking at the adequate protection of personal data in the country in question. Of course with SMEs, how on Earth are SMEs going to look at the laws of every single country to which they might want to transfer personal data? It's a pretty much impossible task. So, in practice it is becoming not uncommon to just forget about looking at the laws and think instead, about what additional safeguards can be provided if the laws might not be good enough.’
Dr Kuan explained the implications of different transfers across different nations states, how the ruling affects what we are doing now, the legalities of continuing to do what we do now and how the future might look.
Part Two: The panel discussion
Following on from Dr Hon’s talk, Adam Leon Smith FBCS and Chiara Rustici elaborated on the implications of Schrems II to the UK business community. Here are six headline thoughts from the discussion.
1. Companies are routinely breaching data rules…
Adam Leon Smith said: ‘Every business in the UK that deals with computing is probably using some form of US control cloud service and ninety percent of small businesses won't be aware of this issue. They won't be aware that a decision has been made - with no grace period - and they are already in breach essentially of this decision, without having all these safeguarding steps (that we can't quite identify). So, businesses and most people that work in small businesses and have responsibility for things like this, just aren't aware of it.
‘I think BCS has a large place to play here in making sure its membership is aware of these issues.’
2. Politicising the issue is hiding the reality…
Chiara Rustici said: ‘There is almost a perception that this is a niche legal issue, and this is very damaging. This should be front page on the business press, in the FT and The Economist. And it’s not there. We’re not there yet. You cannot have trade unless you have data flowing so you mess up data flows, you mess up trade flows. It's a simple as that. But there is almost a decision not to discuss anything that is tainted by politics.’
3. Overcoming the data location fixation…
Dr Hon said: ‘The example I always use in terms of location is, “what would you rather have? Would you like to have your personal data in the EU, on an open server? Or would you rather have it in the US encrypted?” You know, location is not everything, it's security and access that matters, not physical location. The law is very 20th century in this regard.’
4. What about data sharing, Schrems and NATO…
Chiara Rustici said: ‘The court is pushing to the fore the national security issue. We should all know more about what national security agencies are accessing, including European countries. And I think the court has form in that: to the extent that they can, they're creating a higher threshold, they’re creating barriers to what the security agencies can access. But also bringing to the fore how very paradoxical the situation is.
Chiara Rustici said: ‘Part of European member countries are NATO members and so is the US. So as NATO members US and its allies have to share personal data and have to cooperate in foiling terrorist attacks and in foiling threats to National Security. NATO has the power to trigger article five: a cyberattack on one member is a cyberattack on the alliance. So the Allies have to step in and help. There is a NATO understanding that member states are asked to offer their cyber weapons or cyber attack capabilities. So, can we get real, please? Can we please have a conversation between the European Union Member States on EU defence competencies and let’s include our NATO allies in the conversation.’
5. This isn’t just a legal issue, it’s a business issue
Chiara Rustici said: ‘You should always look at the guidance of the destination country. So, if you send boxes of tea to Berlin you should always look at the data protection authorities of Berlin. So look beyond the ICO to the extent that your trade requires you to do so, that your data flow requires you to do so.‘
‘First of all mapping your business. Where do you get most of your business? How much data underpins that trade with that country? BCS referred to the CNIL map in its little advisory note for BCS and prominent in that was using the map that the French data protection authorities have produced. It's a brilliant interactive map. You know, instantly, visually which countries are considered third countries. So which countries have restricted data transfers. Map your business flows against that map of data flows and restrictions. If you don't do that, you don't know where you stand.
‘Then make a business call, if the money that you have to pay to people like Kuan to prepare your Standard Contractual Clauses, is worth the money you get from that country… You have to escalate this to the business and the board because it's not just a technical decision or a legal issue.’
6. Brexit is coming, so let’s just host everything here…
Dr Hon said: ‘Should we just bring everything back? Of course, the problem is that even if you keep data in the EU, there might have to be remote access from outside for support or for other reasons.
‘If you are a service provider, you can tell your customers. “Yeah, everything's hosted just in the EU and yeah, there might be some remote access for support, but you know, it's minimal and we're gonna make sure that that's as little as possible. But hey, it's physically hosted here.”
‘Now that comforts people, [but] it doesn't mean that it's necessarily the right approach legally or technically. I just don't think that that is the ultimate answer.’