101 Problems and Schrems Ain’t One

By Steven Roosa and Daniel Rosenzweig, September 25, 2020

Eureka! After burning the midnight oil, we’ve built an automated scanner to identify and sort the Schrems II risk of data flows for further legal handling. The scanner uses more than 20 different data points derived from network metadata to scan and classify data flows based on mass surveillance risk under the NSA’s so-called “Upstream” and “Downstream” data collection programs. This is important to do because not all endpoints are created equal in this regard.

The main questions facing companies at this point are:

  • Do my websites and mobile apps, when used in the EU, transmit data to the US, or other “unsafe” jurisdictions?
  • Is there reason to believe that the transmitted data is caught by the NSA’s “Upstream” or “Downstream” surveillance programs?
  • How should I handle the data transmission for purposes of Schrems II?

What does the scanner do?

  • Identifies high-risk data endpoints (in the US and elsewhere)
  • Geolocates the server receiving the data
  • Classifies data endpoints as within (or outside) the reach of FISA 702 (Downstream/PRISM) collection
  • Determines whether the data is encrypted in transit, so that it is protected against NSA “Upstream” capture
  • Ranks sensitivity using further jurisdictional information about the remote host
  • Assigns a risk rating to each data endpoint
  • Sorts the data endpoints for further action relative to the available legal protections
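To make concrete what such a triage looks like at the network layer, here is an added Python example. It is an illustration written for this page, not NT Analyzer’s code, and it does not reproduce the scanner’s 20-plus data points. It reads a HAR capture (constructed inline), takes each request’s host and scheme, looks the host up in a small table that stands in for DNS resolution plus a GeoIP database (the hostnames, addresses and countries are invented), flags plaintext transport as “Upstream” exposure and US-hosted endpoints as FISA 702 (“Downstream”) exposure, and sorts the endpoints by a risk tier whose weighting is an assumption chosen for the illustration.

```python
"""Third-party endpoint triage from a HAR capture (added illustration, not NT Analyzer code)."""
import json
from urllib.parse import urlsplit

# ASSUMPTION: stand-in for resolving each host from an EU vantage point and looking the
# address up in a GeoIP database. Hostnames, addresses and countries are constructed.
ASSUMED_GEO = {
    "www.example-shop.eu": ("203.0.113.10", "DE"),
    "analytics.example-us.com": ("198.51.100.20", "US"),
    "connect.example-social.com": ("198.51.100.30", "US"),
    "cdn.example-static.net": ("192.0.2.40", "NL"),
}
# ASSUMPTION: jurisdictions treated here as reachable by FISA 702 compelled disclosure.
FISA_702_JURISDICTIONS = {"US"}
# ASSUMPTION: query parameters treated as user identifiers for this illustration.
IDENTIFIER_KEYS = {"uid", "cid", "fbp", "email", "user_id"}

# Constructed HAR fragment: one first-party request, two US trackers, a CDN, an unknown host.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"method": "GET", "url": "https://www.example-shop.eu/checkout",
                 "cookies": [{"name": "session", "value": "abc"}], "queryString": []}},
    {"request": {"method": "GET", "url": "https://analytics.example-us.com/collect?cid=555.123&t=pageview",
                 "cookies": [], "queryString": [{"name": "cid", "value": "555.123"},
                                                 {"name": "t", "value": "pageview"}]}},
    {"request": {"method": "GET", "url": "http://connect.example-social.com/tr?id=1&uid=u42",
                 "cookies": [{"name": "fr", "value": "xyz"}],
                 "queryString": [{"name": "id", "value": "1"}, {"name": "uid", "value": "u42"}]}},
    {"request": {"method": "GET", "url": "https://cdn.example-static.net/app.js",
                 "cookies": [], "queryString": []}},
    {"request": {"method": "GET", "url": "https://unknown.example.org/ping",
                 "cookies": [], "queryString": []}},
]}})

# Sort order for the tiers; "review" means the host could not be placed in a jurisdiction.
TIER_ORDER = {"high": 0, "medium": 1, "review": 2, "low": 3}


def classify_entry(entry, geo=ASSUMED_GEO):
    """Classify one HAR request entry by jurisdiction, transport encryption and identifiers."""
    req = entry["request"]
    parts = urlsplit(req["url"])
    host = parts.hostname or ""
    ip, country = geo.get(host, (None, "UNKNOWN"))
    encrypted = parts.scheme == "https"
    query_names = {q["name"] for q in req.get("queryString", [])}
    # Cookies or identifier-like query parameters mean the request carries something
    # that can single out a user; without them the endpoint is of little interest.
    identifiers = bool(req.get("cookies")) or bool(query_names & IDENTIFIER_KEYS)
    downstream = country in FISA_702_JURISDICTIONS  # compelled disclosure at the provider; TLS does not help
    upstream = not encrypted                        # plaintext on the wire is collectable in transit
    # ASSUMPTION: tier weighting chosen for the illustration, not the scanner's own rating.
    if country == "UNKNOWN":
        tier = "review"
    elif not identifiers:
        tier = "low"
    elif downstream and upstream:
        tier = "high"
    elif downstream or upstream:
        tier = "medium"
    else:
        tier = "low"
    return {"host": host, "ip": ip, "country": country, "encrypted": encrypted,
            "identifiers": identifiers, "downstream_risk": downstream,
            "upstream_risk": upstream, "tier": tier}


def triage_har(har_text, geo=ASSUMED_GEO):
    """Return one verdict per host, worst case kept, sorted from highest to lowest risk."""
    entries = json.loads(har_text)["log"]["entries"]
    per_host = {}
    for entry in entries:
        verdict = classify_entry(entry, geo)
        prev = per_host.get(verdict["host"])
        # Identifiers may appear on only one of a host's requests, so keep the worst tier seen.
        if prev is None or TIER_ORDER[verdict["tier"]] < TIER_ORDER[prev["tier"]]:
            per_host[verdict["host"]] = verdict
    return sorted(per_host.values(), key=lambda v: (TIER_ORDER[v["tier"]], v["host"]))


if __name__ == "__main__":
    for v in triage_har(SAMPLE_HAR):
        print(f'{v["tier"]:7} {v["country"]:8} {"tls" if v["encrypted"] else "PLAIN":5} '
              f'{"ids" if v["identifiers"] else "-":4} {v["host"]}')
```

On real input, export a HAR from the browser’s developer tools while using the site from an EU network, replace `ASSUMED_GEO` with actual DNS resolution from that vantage point plus a GeoIP lookup, and extend `IDENTIFIER_KEYS` to the parameters your trackers actually send. Note that a US endpoint is tiered as exposed even when the request is encrypted: TLS defeats collection in transit but says nothing about compelled disclosure at the receiving provider, which is the point of the FISA 702 classification.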

The scanner was developed using technical insights from both US and European members of Norton Rose Fulbright’s Data Protection, Privacy, and Cybersecurity group. It is an additional feature added to the NT Analyzer tool suite.

Not only has the European Court of Justice invalidated the EU-US Privacy Shield as a result of Max Schrems’s efforts, but Herr Schrems has now lodged “101 Complaints” against various EU-based website publishers based on their use of common website technologies like Google Analytics and Facebook Connect. The foundation of these complaints is that the network connections to Google Analytics and Facebook Connect resolve to US-based IP addresses and that these network transmissions allegedly constitute unlawful transfers of personal data from the EU. One could easily see the scope of such complaints expanding, both in terms of company targets and in terms of targeted technology providers.

Our new scanner covers that waterfront, and aims to be the first and best option for identifying, at a technical level, the type of risk that is the subject of Schrems’s complaints, which is fitting, since almost every one of those complaints rests on network traffic analysis.

It is time to head him off at the pass.

Author Steven Roosa

Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security. Steve serves as partner in Norton Rose Fulbright's New York office and oversees the firm's privacy compliance tool suite, NT Analyzer.


Author Daniel Rosenzweig

Daniel B. Rosenzweig is a lawyer in Norton Rose Fulbright's Data Protection, Privacy and Cybersecurity practice group in the New York office. Daniel is part of the core team that oversees NT Analyzer to help clients navigate the complex data protection and privacy landscape.
