Where does your data live? It’s a simple question with an incredibly complex answer. In fact, it’s an answer that is increasingly testing new privacy laws on either side of the Atlantic and forcing device manufacturers and software creators to question what data, if any, they can use in their products.

Last year, the Court of Justice of the European Union (CJEU) issued a verdict for a court case known as ‘Schrems II’ that cut off key mechanisms for transferring personal data from the European Union to the United States. International data transfers are necessary for furthering innovation, strengthening trade relationships, and widening consumer access to digital products and services.

This ruling directly impacted companies that engage in this type of data transfer, including big tech giants such as Facebook and other SMEs. But the decision also had knock-on consequences for the trade and development of tech industries such as cloud computing, AI, and IoT. Let’s consider how companies and tech creators can approach this new era of data rights.

What is Schrems II?

Named after activist, lawyer, and author Maximilian Schrems, Schrems II is a legal case. After finding out Facebook was transferring personal data from Europe to its U.S. headquarters, Schrems realized the data could be used by U.S. intelligence agencies and therefore violate GDPR, which prohibits data transfers from the EU to the U.S.

In 2013, Schrems called for the Irish Data Protection Commissioner to invalidate the European Commission’s Standard Contractual Clauses (SCCs) for data transfers between EU and non-EU countries. Despite being rejected by the Irish Data Protection Commissioner at the time, the later-labeled Schrems II case eventually escalated to the judicial branch of the European Union, known as the CJEU, seven years later.

In July 2020, the CJEU issued its final verdict, ruling the EU-U.S. Privacy Shield is an invalid mechanism to comply with EU data protection requirements. Despite upholding the validity of SCCs, the court ruled that SCCs must be verified on a case-by-case basis to assess whether the law in the recipient country provides adequate data protection.  

This prompted the EU to issue modernized SCCs to ensure safer exchanges of personal data.

What Does This Mean for Cross Border Data Transfers?

The Schrems II decision did not only affect Facebook. It has also caused problems for other tech companies whose services involve sending data internationally.

Following the ruling, companies that transfer data from the EU to the U.S. must consider:

Data in General: It may sound simple, but the most important action companies can take following the verdict is to be aware of as much information as possible about their data transfers. Know what type of data is being processed and where it’s going. For EU companies, alarm bells should start ringing as soon as data moves out of EU territory.

Reasons for Data Transfer A seemingly simple task, but companies that move data internationally should also be aware of the grounds upon which the data is being transferred in the first place.  

Data Protection: Another element to be aware of is exactly what measures your IoT company has in place to adequately protect personal data. As suggested by the EU, technical measures to protect data include appropriate actions to address online security, risk of data loss, and data alteration or unauthorized access. Organizational measures, on the other hand, include restricting access to personal data only to authorised persons. 

Third Countries: Finally, it’s important to have a good understanding of the laws and regulations in the third countries that data passes through and the level of protection they provide. This also involves implementing additional controls where necessary.  

Regional and Continental Rules

Meanwhile, it’s worth mentioning that differing regional and continental data rights present further legal curveballs. While the EU receives blanket protection from its GDPR, the U.S. is a patchwork of state laws. The most prominent IoT security bill to date is the California Consumer Privacy Act, which clarifies that people can opt-out of both the sale and sharing of their personal information to third parties.

Therefore, U.S. cloud companies need to consider the data rights of European customers and those of Californians. Interestingly, the same consideration does not yet apply to Texans or Floridians. As with many decisions in the U.S., state legislatures decide data rights. Patchwork rulings mean that companies must stay up to date as further states pass data privacy mandates. For example,  New York, Maryland and Hawaii have upcoming, varied rules on the horizon.

This ongoing discrepancy between blanket continental regulations and regional rulings requires further vigilance.

What Does This Mean for IoT Companies?

The good news is that companies can stay in line with the laws. For example, encryption offers a simultaneous solution to perform U.S. transfers under EU rules. Strong encryption can provide an effective measure for data transfers so long as the keys are reliably managed. If state-of-the-art protocols are followed, encryption can provide adequate protection against any data interception and manipulation by a third party. Likewise, multiparty computing protocols that split data into parts to process independently can prevent the reconstitution of personal data.

Another way to comply with the data rulings is to stay clear of the cloud whenever possible. In IoT, for example, device vendors can tailor the connection type to ensure direct communication between the end-user and device. This type of connection bypasses the cloud to enable private communication, and thereby bypasses the risk of storing personal data.

Of course, the best practice is to stick to the rules. The new SCCs provide clarification on what is and is not acceptable. But, at the same time, the revised clauses continue to put the onus on individual companies to meet IoT GDPR standards.

Right Now, The Onus Is On Companies

Companies looking to leverage the SCCs should identify the cross-border transfers under their responsibility. This includes performing perform a nuanced analysis of the recipient country’s level of data protection compliance with the GDPR. Moreover, if any of the countries are part of the Five Eyes Alliance, then an in-depth analysis will be required. The alliance countries include Australia, Canada, New Zealand, the United Kingdom and the United States.

Regardless of the method, companies on either side of the Atlantic must think deeply about the way they handle data. The various jurisdictions and legislations result in a tricky situation for tech companies today. Going forward, my advice is to encrypt all data and follow the letter of the law as best as possible. It is no mean feat, but it is necessary to avoid the inside of a courtroom.

Closing Thoughts 

In addition to the verdict, the impact of the pandemic has made data security and cybersecurity prime concerns. In order to ensure your IoT solutions remain compliant, it’s simply a matter of prioritizing security and privacy.

However, as the Information Technology and Innovation Foundation points out, this challenge is not one for the private sector to assume alone. International governments must also reconcile their data surveillance systems through cooperation and work to implement new data transfer mechanisms.

Carsten Rhod Gregersen

Carsten Rhod Gregersen is the CEO and founder of Nabto, a peer-to-peer (P2P) based platform to IoT devices. Carsten counts almost two decades of experience leading software and innovation companies with an aim to create technology that continuously improves and makes the world a better place - one line of code at a time.