How to Use Cloud Technologies to Stay Compliant Post-Schrems II
The European Union has recently released a new set of Standard Contractual Clauses (SCCs) for international transfers of personal data from entities in the European Economic Area (the UK and Switzerland apply parallel rules under their own data protection laws) to the rest of the world.
The role of these revised clauses is limited to ensuring appropriate safeguards for international data transfers; they are a transfer tool, not a replacement for the rest of the GDPR. They include several requirements that both the data exporter and the data importer must implement.
In this blog post, we’re going to analyse the technical side of the new requirements, primarily for data exporters, and see how some cloud-based technical solutions can help satisfy them quickly.
The Schrems II Timeline: Important Dates
In July 2020, the Court of Justice of the European Union (CJEU), in judgment C-311/18 ("Schrems II"), declared the EU-U.S. Privacy Shield invalid. Privacy Shield was the framework companies relied upon to transfer personal data from the European Union (and, under their parallel regimes, the UK and Switzerland) to the United States in support of transatlantic commerce.
On the other hand, the Court upheld the validity of the existing Standard Contractual Clauses (SCCs), while reiterating that the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever it goes. Transfers to third countries cannot be a means of undermining the level of protection afforded in the EEA.
This led to Commission Implementing Decisions (EU) 2021/914 and 2021/915 in June 2021. Decision 2021/914 contains the revised transfer SCCs that have become mandatory between data exporters and importers; 2021/915 contains the separate controller-to-processor clauses under Article 28 GDPR. The new transfer SCCs became mandatory for new contracts in September 2021, with a 15-month grace period to migrate existing contracts.
At Contino, we’re engineering and digital transformation specialists; for this blog, we’re going to steer away from the legal components of these agreements. They have been very well covered elsewhere, and we’re going to focus this blog on the technical, cloud-based implementations necessary to satisfy the standard.
What Does it Mean for Me?
The revised SCCs, mandatory for new contracts since September 2021, change some of the requirements for international data transfers from the EU (and, under their own rules, the UK and Switzerland) to the rest of the world.
As Heads of Compliance or Enterprise Architecture, you are called to action. Your departments should review these changes and adapt your existing controls and technical processes before the end of the 15-month grace period.
In this post, we suggest some technical best practices for satisfying the new provisions.
6-Step Compliance Process
Ensuring compliance with new regulations is typically a significant operational burden. To simplify this process, Contino agrees with the EDPB's recommendation (Recommendations 01/2020 on supplementary measures) of a six-step approach that helps exporters with the complex task of assessing the legal regime of the third country and identifying appropriate supplementary measures where needed.
The six steps are as follows:
- Know your transfers: Map all transfers of personal data to third countries and check that each transfer is adequate, relevant and limited to what is necessary for its purpose.
- Verify the tool your transfer relies on: Identify which transfer instrument regulates the transfer, and whether the EU has declared the destination country "adequate", which simplifies the rest of the process.
- Assess the law or practice of the third country: Check whether anything there may undermine the effectiveness of the transfer tool or of the additional safeguards you have agreed with the data importer.
- Identify and adopt supplementary measures: Bring the level of protection up to the EU standard of essential equivalence.
- Take any formal procedural steps: The supplementary measures you adopt may require them, depending on the transfer tool in use.
- Re-evaluate at appropriate intervals: Reassess the level of protection afforded to the data transfer as laws, practices and your own processing change.
As some of you may have noticed, these steps follow the usual process for GDPR compliance (Regulation (EU) 2016/679, which replaced Directive 95/46/EC).
The revised SCCs, the most common transfer instrument, map so closely to the General Data Protection Regulation that ensuring and documenting compliance with these clauses can be significantly simplified by repurposing work already done for the Data Protection Impact Assessment (DPIA).
Top 5 Technical Requirements
In this section, we review some of the technical and organisational measures that specifically apply to the Standard Contractual Clauses (SCCs), arguably the most common contractual instrument for securing international data transfers. As mentioned, the revised set of SCCs became mandatory for new contracts in September 2021. Note that the sub-clause numbering of Clause 8 differs between the four modules of the SCCs (controller-to-controller, controller-to-processor, and so on), so check the numbering against the module that applies to your transfer.
In the Schrems II judgment, the Court emphasises the responsibility of exporters and importers to ensure that the processing of personal data is, and will continue to be, carried out at the level of protection required by EU data protection law.
In other words, GDPR's principle of accountability still applies: the controller or processor acting as exporter must ensure that importers collaborate with the exporter on these activities.
1. Accuracy and Data Minimisation
SCC clause 8.3, ensuring the accuracy of the dataset and data minimisation, can be implemented in many ways, but it is not a new problem.
At Contino, we have used a variety of tools to achieve this. In particular, we see the Data Catalog as key: an index of your data's location, schema and runtime metrics. You cannot minimise, or keep accurate, personal data you do not know you hold, so the catalogue is the prerequisite for both. With a Data Catalog, any user in the organisation can discover and explore data sources. Each cloud provider offers a managed catalogue: AWS Glue Data Catalog (which is Hive Metastore compatible), Azure Data Catalog and GCP Data Catalog. In this area AWS distinguishes itself through the completeness of the offering and its integration with Lake Formation.
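A catalogue only supports minimisation if it records which columns hold personal data. The following is an added example, not code from Contino or from any cloud provider's catalogue: it takes the kind of output a catalogue crawler produces (table names, column names, a few sample rows; all names and rows here are constructed and hypothetical) and tags columns as direct identifiers using two independent signals, the column name and the shape of the sampled values. The result is the table-to-PII-column map that feeds the "know your transfers" step.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what a catalogue crawler returns: table name, column
# names and a few sample rows. Table and column names are hypothetical.
SAMPLE_TABLES = {
    "crm.customers": {
        "columns": ["customer_id", "full_name", "email", "signup_ts"],
        "rows": [
            ["c-1001", "Alice Example", "alice@example.com", "2021-09-01T10:00:00Z"],
            ["c-1002", "Bob Example", "bob@example.org", "2021-09-02T11:30:00Z"],
        ],
    },
    "analytics.page_views": {
        "columns": ["customer_id", "page", "duration_ms", "client_ip"],
        "rows": [
            ["c-1001", "/pricing", "4200", "203.0.113.7"],
            ["c-1002", "/docs", "900", "198.51.100.23"],
        ],
    },
    "ops.build_metrics": {
        "columns": ["build_id", "duration_s", "status"],
        "rows": [["b-1", "312", "ok"], ["b-2", "287", "failed"]],
    },
}

# Two independent signals: what the column is called, and what its values look like.
NAME_HINTS = {
    "email": {"email", "email_address", "mail"},
    "name": {"name", "full_name", "first_name", "last_name", "surname"},
    "ip_address": {"ip", "client_ip", "source_ip", "remote_addr"},
    "phone": {"phone", "mobile", "msisdn"},
}
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ip_address": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),
    "phone": re.compile(r"^\+?\d[\d\s-]{7,}\d$"),
}


def classify_column(name: str, values: List[str]) -> Tuple[Optional[str], str]:
    """Return (pii_category, evidence); category None means no personal data detected."""
    lname = name.lower()
    for category, hints in NAME_HINTS.items():
        if lname in hints:
            return category, "column name"
    for category, pattern in VALUE_PATTERNS.items():
        # Only flag on values if every sampled value matches, to limit false positives.
        if values and all(pattern.match(v) for v in values):
            return category, "sample values"
    return None, ""


def build_catalog(tables: Dict[str, dict]) -> List[dict]:
    """One catalogue entry per column: where it lives and whether it holds personal data."""
    entries = []
    for table, spec in tables.items():
        for idx, column in enumerate(spec["columns"]):
            values = [row[idx] for row in spec["rows"]]
            category, evidence = classify_column(column, values)
            entries.append({"table": table, "column": column,
                            "pii_category": category, "evidence": evidence})
    return entries


def tables_with_pii(entries: List[dict]) -> Dict[str, List[str]]:
    """Tables that hold direct identifiers, mapped to those columns: the input
    to the transfer map and to the minimisation review."""
    result: Dict[str, List[str]] = {}
    for entry in entries:
        if entry["pii_category"]:
            result.setdefault(entry["table"], []).append(entry["column"])
    return result


if __name__ == "__main__":
    for table, cols in tables_with_pii(build_catalog(SAMPLE_TABLES)).items():
        print(f"{table}: {', '.join(cols)}")
```

The value-based check deliberately requires every sampled value to match before a column is flagged, which trades recall for precision; a real crawler would sample more rows and add the quasi-identifiers (date of birth, postcode) that matter for re-identification.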
2. Storage Limitation
SCC clause 8.4 aims to ensure that the data importer retains personal data for no longer than necessary. It is relatively easy to address with automatic expiration policies for data objects, such as an AWS S3 bucket lifecycle policy, or with more involved "deletion pipelines". These pipelines can carry out simple or complex deletion activities: they can remove every instance of a customer's data across multiple databases, or perform a simple deletion that erases a single row in a single database.
The latter case is used to remove the mapping between a customer_id and the PII of a specific user, in effect anonymising the remaining datasets (in the sense of Recital 26 of Regulation (EU) 2016/679). Note that this only holds if the data left behind cannot identify the person by other means; if events still carry email addresses, IP addresses or free text, deleting the mapping row merely pseudonymises them. These pipelines can run on most ETL job schedulers, such as Apache Airflow (offered as Cloud Composer on GCP).
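To make the difference between the two deletion modes concrete, here is an added example (not Contino's pipeline code) using an in-memory SQLite database as a stand-in for the production stores. The table layout, customer ids and rows are constructed for the example. unlink_customer performs the single-row deletion of the customer_id-to-person mapping, purge_customer removes the customer from every store, and residual_identifiers is the verification step from the caveat above: after an unlink it checks that nothing left behind still ties the id to a person. Both deletions write to an erasure log so the action can be evidenced later.

```python
import re
import sqlite3
from datetime import datetime, timezone

# Email address or dotted-quad IP anywhere in a field.
IDENTIFIER_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+|(\d{1,3}\.){3}\d{1,3}")


def now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for two stores: the PII table that maps an
    opaque customer_id to a person, and an events table keyed only by customer_id."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer_pii (customer_id TEXT PRIMARY KEY, full_name TEXT, email TEXT);
        CREATE TABLE events (event_id INTEGER PRIMARY KEY, customer_id TEXT, action TEXT, ts TEXT);
        CREATE TABLE erasure_log (customer_id TEXT, mode TEXT, rows_removed INTEGER, ts TEXT);
        INSERT INTO customer_pii VALUES ('c-1001', 'Alice Example', 'alice@example.com');
        INSERT INTO customer_pii VALUES ('c-1002', 'Bob Example', 'bob@example.org');
        INSERT INTO events (customer_id, action, ts) VALUES ('c-1001', 'login', '2021-09-01T10:00:00Z');
        INSERT INTO events (customer_id, action, ts) VALUES ('c-1001', 'purchase', '2021-09-01T10:05:00Z');
        INSERT INTO events (customer_id, action, ts) VALUES ('c-1002', 'login', '2021-09-02T11:30:00Z');
    """)
    return conn


def unlink_customer(conn: sqlite3.Connection, customer_id: str) -> int:
    """Simple deletion: remove only the customer_id -> person mapping. The
    events stay, keyed by an id that no longer resolves to anyone."""
    with conn:  # one transaction: the mapping and the audit record go together
        removed = conn.execute("DELETE FROM customer_pii WHERE customer_id = ?",
                               (customer_id,)).rowcount
        conn.execute("INSERT INTO erasure_log VALUES (?, 'unlink', ?, ?)",
                     (customer_id, removed, now()))
    return removed


def purge_customer(conn: sqlite3.Connection, customer_id: str) -> int:
    """Full deletion: remove every row about the customer in every store."""
    removed = 0
    with conn:
        for table in ("customer_pii", "events"):  # fixed list, never user input
            removed += conn.execute(f"DELETE FROM {table} WHERE customer_id = ?",
                                    (customer_id,)).rowcount
        conn.execute("INSERT INTO erasure_log VALUES (?, 'purge', ?, ?)",
                     (customer_id, removed, now()))
    return removed


def residual_identifiers(conn: sqlite3.Connection, customer_id: str) -> int:
    """Verification after an unlink: count anything left that still ties the id
    to a person, either a surviving mapping row or an event field that itself
    contains an email or IP address. Zero means the events are now anonymous."""
    count = conn.execute("SELECT COUNT(*) FROM customer_pii WHERE customer_id = ?",
                         (customer_id,)).fetchone()[0]
    for (action,) in conn.execute("SELECT action FROM events WHERE customer_id = ?",
                                  (customer_id,)):
        if IDENTIFIER_RE.search(action or ""):
            count += 1
    return count


def event_count(conn: sqlite3.Connection, customer_id: str) -> int:
    return conn.execute("SELECT COUNT(*) FROM events WHERE customer_id = ?",
                        (customer_id,)).fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    print("unlinked rows:", unlink_customer(db, "c-1001"),
          "residual identifiers:", residual_identifiers(db, "c-1001"))
    print("purged rows:", purge_customer(db, "c-1002"))
```

In an Airflow DAG each function would become a task, with the verification task gating a final "record erasure" task so that an unlink that leaves identifiers behind fails loudly instead of being logged as complete.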
3. Security of Processing
An effective security strategy that can satisfy the SCC clause 8.5 begins with stringent access control and continuous work to define the least privilege necessary for persons or systems accessing data.
Under the shared responsibility model, all cloud providers leave the access control policies on your data to you, while also offering defence-in-depth components (network controls, guardrail policies, anomaly detection) that can mitigate weaknesses in your primary access control mechanism.
Encryption is a key component of these activities. All cloud providers support encryption at rest and in transit, with keys managed either by the cloud provider or by you as the customer. Key custody matters as much as the algorithm here: the EDPB's supplementary-measures recommendations treat encryption as an effective safeguard only where the importer, and the authorities in its country, cannot obtain the keys, which points towards customer-managed keys whose policy, rotation and revocation you control. Refer to your CSP's documentation for the details, for example the AWS KMS documentation.
4. Documentation and Compliance
Compliance with SCC clause 8.9 can be achieved in multiple ways. Infrastructure as code and compliance as code are key to this. Compliance as code means defining your compliance requirements in a human- and machine-readable form; configurations can then be deployed, tested, monitored and reported on automatically across your entire IT estate. You no longer need to keep complex Word documents up to date by hand and can offload that burden to the automation.
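The least-privilege and encryption controls from the "Security of Processing" section are exactly the kind of requirement that compliance as code turns into a check that runs on every change. The following added example (written for this post, not Contino's framework and not a substitute for IAM Access Analyzer, AWS Config rules or a policy engine such as OPA) lints an S3 bucket policy: it flags Allow statements with wildcard actions or resources, and it requires a Deny on plaintext transport (the aws:SecureTransport condition key) and a Deny on uploads that do not request server-side encryption (the s3:x-amz-server-side-encryption key). The two policies are constructed for the example, with a weak version beside the hardened version; the account id, role and bucket name are hypothetical.

```python
import json
from typing import List

# Constructed bucket policy pair (hypothetical account, role and bucket). The weak
# one grants wildcard rights and says nothing about encryption.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:*",
     "Resource": "*"}
  ]
}""")

# The hardened one restricts actions and objects, and denies both plaintext
# transport and uploads that do not ask for KMS server-side encryption.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-pii-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-pii-bucket", "arn:aws:s3:::example-pii-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-pii-bucket/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}
  ]
}""")


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_policy(policy: dict) -> List[str]:
    """Return human-readable findings; an empty list means the policy passes."""
    findings: List[str] = []
    has_tls_deny = has_sse_deny = False
    for statement in policy.get("Statement", []):
        sid = statement.get("Sid", "<no Sid>")
        actions = _as_list(statement.get("Action", []))
        resources = _as_list(statement.get("Resource", []))
        condition = statement.get("Condition", {})
        if statement.get("Effect") == "Allow":
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"{sid}: Allow with wildcard action {actions}")
            if "*" in resources:
                findings.append(f"{sid}: Allow on Resource '*'")
        elif statement.get("Effect") == "Deny":
            if condition.get("Bool", {}).get("aws:SecureTransport") == "false":
                has_tls_deny = True
            sse = condition.get("StringNotEquals", {}).get("s3:x-amz-server-side-encryption")
            if sse in ("aws:kms", "AES256") and "s3:PutObject" in actions:
                has_sse_deny = True
    if not has_tls_deny:
        findings.append("no Deny for aws:SecureTransport=false (plaintext HTTP allowed)")
    if not has_sse_deny:
        findings.append("no Deny for unencrypted PutObject (server-side encryption not enforced)")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, check_policy(policy) or ["pass"])
```

Wired into a pipeline, a non-empty findings list fails the deployment, and the findings themselves are the evidence that clause 8.9 asks for: the control, the check and the result all live in version control.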
To document how datasets evolve through processing, "data lineage" is typically captured either with homegrown solutions or with open-source tools such as Apache Atlas.
Documentation of the processing activities actually carried out can also be derived from cloud audit logs. On Azure, the Activity Log records control-plane operations on resources, while resource (diagnostic) logs capture data-plane requests such as individual storage reads and writes; AWS CloudTrail offers the equivalent split between management events and S3 data events, and the other CSPs have similar services. Object-level logging is usually not on by default, so check that it is enabled for the stores that hold personal data.
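Raw audit logs are evidence, but not yet documentation of processing. The following added example (written for this post, not a Contino or AWS tool) folds object-level events in the shape of CloudTrail S3 data events into one record per principal: which operations they performed on which objects in buckets that hold personal data, over what time window, and whether that principal was expected to touch the data at all. The events, bucket name, account id and principals are constructed and hypothetical.

```python
import json
from typing import Dict, List

# Hypothetical bucket holding personal data, and the one principal expected to use it.
PII_BUCKETS = {"example-pii-bucket"}
EXPECTED_PRINCIPALS = {"arn:aws:sts::123456789012:assumed-role/app/i-0abc1234"}

# Constructed events in the shape of CloudTrail S3 data events, trimmed to the
# fields used here. Account id, principals, IPs and object keys are invented.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"eventTime": "2021-09-01T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc1234"},
     "requestParameters": {"bucketName": "example-pii-bucket", "key": "customers/2021/09/01.parquet"}},
    {"eventTime": "2021-09-01T10:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc1234"},
     "requestParameters": {"bucketName": "example-pii-bucket", "key": "customers/2021/09/02.parquet"}},
    {"eventTime": "2021-09-01T18:42:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"},
     "requestParameters": {"bucketName": "example-pii-bucket", "key": "customers/2021/09/01.parquet"}},
    {"eventTime": "2021-09-01T19:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/app/i-0abc1234"},
     "requestParameters": {"bucketName": "example-logs-bucket", "key": "alb/2021/09/01.gz"}},
]]


def summarise_processing(lines: List[str]) -> Dict[str, dict]:
    """Fold object-level events on PII buckets into one record per principal:
    what they did, to which objects, over what window, and whether we expected them."""
    records: Dict[str, dict] = {}
    for line in lines:
        event = json.loads(line)
        params = event.get("requestParameters") or {}
        if event.get("eventSource") != "s3.amazonaws.com" or params.get("bucketName") not in PII_BUCKETS:
            continue  # not an S3 event, or not a bucket that holds personal data
        principal = event["userIdentity"]["arn"]
        record = records.setdefault(principal, {
            "operations": set(), "objects": set(), "source_ips": set(),
            "first": event["eventTime"], "last": event["eventTime"],
            "expected": principal in EXPECTED_PRINCIPALS,
        })
        record["operations"].add(event["eventName"])
        record["objects"].add(f'{params["bucketName"]}/{params.get("key", "")}')
        record["source_ips"].add(event.get("sourceIPAddress", ""))
        record["first"] = min(record["first"], event["eventTime"])  # ISO-8601 UTC sorts lexically
        record["last"] = max(record["last"], event["eventTime"])
    return records


def unexpected_principals(records: Dict[str, dict]) -> List[str]:
    """Principals that touched personal data without being on the expected list."""
    return sorted(p for p, r in records.items() if not r["expected"])


if __name__ == "__main__":
    summary = summarise_processing(SAMPLE_EVENTS)
    for principal, record in summary.items():
        print(principal, sorted(record["operations"]), record["first"], record["last"])
    print("unexpected:", unexpected_principals(summary))
```

The per-principal summary is the kind of record you can attach to the documentation the importer must be able to produce, and the unexpected-principal list is the detection that turns the same logs into an alert.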
5. Onward Transfers
Clause 8.8 of the SCCs can be organisationally challenging to satisfy. It covers the data supply chain, or onward transfers, in which the importer discloses the data to a third party, and it requires that third party to be bound by the same level of protection, typically by acceding to the same SCCs. CSPs are mature in this area: they publish the list of suppliers (sub-processors) they use, usually directly on their website, which gives you the starting point for mapping your own onward transfers.
What About the UK and Brexit?
Through its adequacy decisions, the European Union recognises a list of countries whose protection of personal data is essentially equivalent to the EU's. After Brexit, the UK was added to this list in June 2021, so transfers from EU-based to UK-based entities follow the same rules as transfers inside the EEA and do not require the full six-step process. Transfers out of the UK are governed by the UK GDPR and the UK's own transfer instruments rather than by the EU decisions described here.
What Next? Detailed Technical Measures
Finally, the SCCs require you to describe in specific terms, in Annex II, the technical and organisational measures used to ensure the security of the data.
The full list of measures is too long for a short blog post. It includes pseudonymisation and encryption of personal data, measures for ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and others.
At Contino, we’ve worked with clients on these topics, creating accelerators and compliance frameworks. Feel free to reach out to us directly if you want to know more.