Understanding the European Data Protection Board's Recommendations

When it comes to handling private data, there are many things that organizations need to keep in mind, and one very important consideration is the European Union’s General Data Protection Regulation (GDPR)

The Schrems II court decision triggered a major rethink for many companies looking to adhere to the GDPR, particularly when it comes to cross-border privacy compliance. Subsequently, comprehensive guidance on GDPR was issued by the European Commission, the European Data Protection Supervisor (EDPS), and the European Data Protection Board (EDPB).

EDPB guidance on data portability was fairly comprehensive on how companies should move forward with international data transfers outside the European Union, including data in the cloud and interbusiness transfers. In advice laid out by the EDPB, data sharing compliance was illustrated through several different use cases. Notably, multi-party computation — involving private data being divided and then processed in multiple jurisdictions — is permissible if organizations in each jurisdiction have controls in place that prevent the re-identification of individuals based on the shared data.

Guidance Issued Following the Schrems II Case

To understand the most recent guidance, you need to know about Schrems II.

In the case, activist Maximilian Schrems argued that Facebook’s transfer of personal data from Ireland to the United States was in violation of the GDPR. Facebook had been transferring information to its U.S. operations legitimately, the company argued, through the use of Standard Contractual Clauses — data transfer contracts approved by the European Commission.

One of the decisions to come out of the case determined that companies must make sure the recipient entity can provide privacy protection that meets GDPR guidelines. Companies can no longer take the “sign and done” approach with SCCs, which had been very prevalent before Schrems II.

The court case also laid out new terms related to enforcement and compliance. Rather than issue fines and penalties to non-compliant entities, the court shifted the focus to issuing injunctions designed to stop the flow of private data. This shift means companies can no longer see non-compliance fines as a cost of doing business. Instead, they must do all they can to remain compliant or else risk a devastating stop of data flow.

Furthermore, the European court found policy and contractual measures are no longer enough to keep companies from running afoul of GDPR. These measures must be backed up with technical measures designed to protect privacy along the entire data cycle, including during storage, processing, and sharing.

The regulatory need for robust data protection measures comes as analytics and artificial intelligence systems need more data than ever. Multiparty computation and other tools designed for private data sharing are becoming more essential to support these advanced Big Data systems. Organizations driven by large volumes of data need to understand the sea change unleashed by Schrems II, or else struggle to remain compliant, keep data flowing, and remain competitive with their compliant competition.

Additionally, privacy-related collective legal action is becoming frequent across Europe. Considering the potential problems related to class action and compliance, data-heavy companies need to take deliberate steps and a proactive posture.

Compliance in the Post-Schrems II Era

Organizations looking to be proactive should be aware of two major emerging trends established by Schrems II.

Companies are increasingly taking technical steps to protect private data. According to the EDPB, data-sharing agreements now have little value concerning compliance. Also, according to the EDPB, international data transfers should have protective measures at both ends of the arrangement.

With enforcement shifting towards injunctions and away from fines, companies that use large amounts of sensitive data must prioritize complaints to sustain operations. According to the EDPB, data processing at work and data at rest should both be actively protected by robust privacy technology. Also, according to the EDPB, processor-controller organizations can be devastated by a stoppage of data flow if they are found to be non-compliant.

Using TripleBlind’s EDPB-Endorsed Approach to Compliant Data Sharing

By preserving privacy and ensuring compliance with GDPR, the TripleBlind Solution unlocks the intellectual property value of sensitive data. Our software-only solution solves a broad range of use cases, particularly those in the healthcare and financial services industries.

Specifically, our technology is based on multi-party compute, which is an approach endorsed by the EDPB. Companies that use our solution not only take a proactive approach to compliance, but also positioned themselves for the future by adding true scalability, with support for all data and algorithm types.

If you would like to learn more about how our technology can help your company get the most from its sensitive data while remaining compliant with GDPR and other regulations, contact us today.