After more than a year of negotiations, on March 25, 2022, the European Commission and the United States announced an agreement for a new Trans-Atlantic Data Privacy Framework. The new Framework will replace the EU-U.S. Privacy Shield, which was invalidated by the Schrems II decision of the Court of Justice of the European Union (“CJEU”) in July 2020. Since the Schrems II decision, businesses have generally relied on Standard Contractual Clauses (“SCCs”) for trans-Atlantic data transfers.
Under the new Framework, participating companies are expected to be able to have data flow both “freely and safely” between them. See “Nascent EU/US Trans-Atlantic Data Privacy Framework: some points to note” for additional details on the implications.
How NT Analyzer Can Help Now
While there is still uncertainty on the horizon for the yet-to-be-released Framework, we have developed an add-on feature for the NT Analyzer tool suite that enables businesses to assess the risks associated with cross-border data transfers. The main questions facing companies at this point are:
- Do my websites and mobile apps, when used in the EU, transmit data to the US, or other “unsafe” jurisdictions?
- Is there reason to believe that the transmitted data is caught by the NSA’s “Upstream” or “Downstream” surveillance programs?
- How should I handle the data transmission for purposes of Schrems II?
Our automated Data Transfer Scanner identifies data flows and sorts them by Schrems II risk for further legal handling, including flows arising from the use of Google Analytics and similar vendors.
What does the scanner do?
- Identifies high-risk data endpoints (in the US and elsewhere)
- Geolocates the server collecting the data
- Classifies data endpoints as likely caught (or not) by FISA 702 (Downstream/PRISM)
- Identifies whether data is suitably encrypted to reasonably protect against NSA “Upstream” capture
- Ranks sensitivity based on further jurisdictional information about the remote host
- Risk-rates the data endpoint
- Sorts the data endpoints for further action relative to legal protections
Our scanner covers, at a technical level, the type of risk that is the subject of Schrems’s complaints, which is appropriate, since almost every complaint by Schrems is based on network traffic analysis. We anticipate refining this scanner as details of the EU/US Trans-Atlantic Data Privacy Framework come to light.
Stop by the NT Analyzer booth at IAPP Global Privacy Summit 2022 and learn how NT Analyzer can help with your data privacy needs at a technical level.
Special thanks to law clerk Nicole Sakin for her assistance in the preparation of this content.