Thread on possible implications of #SchremsII for end-to-end crypto approaches to protecting personal data. Background: last week the Court of Justice of the European Union (CJEU) issued its judgment in Case C-311/18, “Schrems II”. Amongst other things, it invalidates Privacy Shield, one of the mechanisms enabling transfers from the EU to the US. This was in part because US law lacks sufficient limitations on law enforcement access to data, so the protection of data in the US is not 'essentially equivalent' to that in the EU. Similar arguments could apply elsewhere (e.g. UK).
The main alternative mechanism enabling transfers outside the EEA is the use of 'standard contractual clauses' (SCCs) under Article 46(2)(c) GDPR. But the Court affirmed that SCCs also need to ensure 'essentially equivalent' protection.
Just as the lack of sufficient protection from surveillance invalidated Privacy Shield, so may it invalidate SCCs. Lawful requests for access by law enforcement will trump any contractual terms forbidding it. How else could controllers ensure equivalent protection?
The Court hints (somewhat cryptically :-P) they could apply 'supplementary measures' (p133). Presumably these couldn't be contractual: as Chris Kuner argues (europeanlawblog.eu/2020/07/17/the…), if contractual clauses cannot provide protection, then more contractual clauses won't help.
What if those 'supplementary measures' were technical ones preventing law enforcement access? E.g. if EU data is end-to-end encrypted prior to transfer to US (or other third country), recipient controllers would be unable to decrypt it if compelled to share with law enforcement.
Would this be enough to ensure equivalent protection? That may end up a question for EU data protection authorities; the Court affirmed that they will be required to assess whether protection can be ensured in particular cases and suspend / prohibit transfers accordingly (p106).
The bigger question is the practicality of technically limiting law enforcement access in this way beyond simple services like e2e encrypted cloud storage. Computing on encrypted data is possible with homomorphic encryption but still very limited. There would still be metadata.
It's difficult to imagine many services which could operate outside the EU without leaving at least some user data technically open to requests from national governments (unless we radically rethink incumbent data and computational approaches (yes please))
Another headache for this approach is that you'd still have to figure out how to facilitate data subjects' other rights in order to ensure equivalent protection - which may be made much harder after you've encrypted everything (for more, see academic.oup.com/idpl/article/8…)
TL;DR: supplementary technical measures could perhaps prop up SCCs for limited services. This might lead to some new weird legal/technical architectures, which could be good/ok/terrible. But most third country controllers won't be able to numberwang their way to compliance. /end
Keep Current with Reuben Binns