PETs to the Rescue in the Wake of the Privacy Shield Verdict
Due to contemporary surveillance laws in the United States, on July 16th the European Union’s Court of Justice ruled that E.U. data was not adequately protected under the existing Privacy Shield agreement with the U.S.[i] As a result, Privacy Shield was struck down and businesses relying on the agreement for cross-border data transfers are now left in limbo. E.U. representatives have indicated that they will work with the U.S. to create a new agreement[ii]; however, while negotiations are underway, which could potentially require reformation of U.S. surveillance law, businesses relying on transfers of data between the E.U. and U.S. must find other mechanisms to ensure compliance with the E.U.’s General Data Protection Regulation (GDPR). In a recent Forbes article, Jason Crabtree identifies a greater need for Privacy Enhancing Technologies (PETs), such as data synthesis, to help companies meet their data protection obligations in the wake of this verdict.[iii]
PETs can ensure compliance with GDPR by, for example, rendering data non-personal in nature and therefore exempt from the regulations’ requirements. Technologies like data synthesis render data non-personal by removing the link between the data and the data subjects. Modern data synthesis methods, such as those developed by Replica Analytics, can create completely synthetic data sets that replicate the patterns and structure of real data while removing any one-to-one correlation between the data and data subjects. The synthetic data generated is not data about real individuals, but is structurally similar enough to produce comparable results when analyzed.
The July 16th decision has been coined “Schrems II” as it follows an earlier case initiated by Max Schrems, an E.U. citizen, in 2013.[iv] The original Schrems case ended in 2015 with the previous Safe Harbor agreement between the E.U. and U.S. being struck down due to intrusive American surveillance laws which the court felt put E.U. citizens’ data at risk. The more recent case was also prompted by a complaint by Schrems in regards to Facebook’s use of standard contractual clauses (SCCs). Ireland’s DPC chose to take the matter to court raising broader concerns about the legality of EU-US data transfer agreements. Although the court upheld the legality of SCCs, the decision against the Privacy Shield agreement means the U.S. is now considered a “third country” with no adequacy mechanism to enable transfer of E.U. citizens’ data.[v] It has also left companies that can no longer use Privacy Shield as a basis for data transfer open to complaints and possible legal action. In fact, an E.U. privacy advocacy group started by Schrems, noyb, has now filed complaints against 101 websites for continuing to use Google Analytics and/or Facebook Connect after Privacy Shield was struck down.[vi] The complaint states that as of July 16th neither Facebook nor Google have had a legal basis for continued data transfers, with both companies subject to problematic U.S. surveillance laws.[vii]
On the other hand, with more and more companies ascribing to a data-driven business model, Jason Crabtree believes that the verdict will not “weaken the embrace of data-driven business transformation or the growth of increasingly important data marketplaces.”[viii] Why? Because data and data marketplaces have become central to the success of modern business.
The COVID-19 pandemic has made clear just how critical data is to obtaining an accurate and timely picture of things – in this case, the spread of a life-threatening virus. Unprecedented situations such as this damper the effectiveness of models based on historical data. Up-to-the-minute data is needed to get a clear picture of where things stand and to be able to more accurately project potential future trends and outcomes. And the same principles hold for modern, data-driven business.
So what is the alternative for businesses transferring data of E.U. citizens to the U.S.? Without a current agreement, and with the hope of a replacement still months or years ahead of us, businesses must ensure they have strong data protections in place. Crabtree points to data synthesis as one of the privacy enhancing technologies that can help companies meet GDPR obligations. He recommends “deeper investments in technologies — like robust data provenance and lineage management systems, synthetic data techniques, and homomorphic encryption — that offer better control strategies for managing critical data”[ix]. As one of these technologies, data synthesis can be used to facilitate cross-border data transfers because synthetic data is not personal information. However, it is structurally similar enough to real data as to produce comparable results when analyzed. Therefore, synthetic data could stand in as a proxy for real data about E.U. citizens, allowing timely access to this kind of data without violating data protection regulations.
For more information about how data synthesis could help your business comply with evolving data protection requirements, please contact firstname.lastname@example.org.
[viii] Crabtree (n 3).