Thread on possible implications of #SchremsII for end-to-end crypto approaches to protecting personal data. Background: last week the (CJEU) issued its judgment in Case C-311/18, “Schrems II”. Amongst other things, it invalidates Privacy Shield, one of the mechanisms
enabling transfers from EU-US. This was in part because US law lacks sufficient limitations on law enforcement access to data, so the protection of data in US not 'essentially equivalent' to that in the EU. Similar arguments could apply elsewhere (e.g. UK).
The main alternative mechanism enabling transfers outside the EEA is the use of 'standard contractual clauses' (SCCs) under Article 46(2)(c) GDPR. But the Court affirmed that SCCs also need to ensure 'essentially equivalent' protection.
Just as the lack of sufficient protection from surveillance invalidated Privacy Shield, so may it invalidate SCCs. Lawful requests for access by law enforcement will trump any contractual terms forbidding it. How else could controllers ensure equivalent protection?
The Court hints (somewhat cryptically :-P) they could apply 'supplementary measures' (p133). Presumably these couldn't be contractual: as Chris Kuner argues (europeanlawblog.eu/2020/07/17/the…), if contractual clauses cannot provide protection, then more contractual clauses won't help.
What if those 'supplementary measures' were technical ones preventing law enforcement access? E.g. if EU data is end-to-end encrypted prior to transfer to US (or other third country), recipient controllers would be unable to decrypt it if compelled to share with law enforcement.
Would this be enough to ensure equivalent protection? That may end up a question for EU data protection authorities; the Court affirmed that they will be required to assess whether protection can be ensured in particular cases and suspend / prohibit transfers accordingly (p106).
The bigger question is the practicality of technically limiting law enforcement access in this way beyond simple services like e2e encrypted cloud storage. Computing on encrypted data is possible with homomorphic encryption but still very limited. There would still be metadata.
It's difficult to imagine many services which could operate outside the EU without leaving at least some user data technically open to requests from national governments (unless we radically rethink incumbent data and computational approaches (yes please))
Another headache for this approach is that you'd still have to figure out how to facilitate data subject's other rights in order to ensure equivalent protection - which may be made much harder after you've encrypted everything (for more, see academic.oup.com/idpl/article/8…)
TLDR; supplementary technical measures could perhaps prop up SCCs for limited services. This might lead to some new weird legal/technical architectures, which could be good/ok/ terrible. But most third country controllers won't be able to numberwang their way to compliance. /end
