Eureka! After burning the midnight oil, we’ve built an automated scanner to identify and sort the Schrems II risk of data flows for further legal handling. The scanner uses more than 20 different data points derived from network metadata to scan and classify data flows based on mass surveillance risk under the NSA’s so-called “Upstream” and “Downstream” data collection programs. This is important to do because not all endpoints are created equal in this regard.
The main questions facing companies at this point are:
- Do my websites and mobile apps, when used in the EU, transmit data to the US, or other “unsafe” jurisdictions?
- Is there reason to believe that the transmitted data is caught by the NSA’s “Upstream” or “Downstream” surveillance programs?
- How should I handle the data transmission for purposes of Schrems II?
What does the scanner do?
- Identifies high risk data endpoints (in the US and elsewhere)
- Geolocates the server collecting the data
- Classifies data endpoints as caught (or not) by FISA 702 (Downstream/PRISM)
- Identifies whether data is suitably encrypted to protect against NSA “Upstream” capture
- Ranks sensitivity based on further jurisdictional information about the remote host
- Risk rates the data endpoint
- Sorts the data endpoints for further action relative to legal protections
The scanner was developed using technical insights from both US and European members of Norton Rose Fulbright’s Data Protection, Privacy, and Cybersecurity group. It is an additional feature added to the NT Analyzer tool suite.
Not only has the European Court of Justice invalidated the US-EU Privacy Shield as a result of his efforts, but Herr Schrems has now lodged “101 Complaints” against various EU-based website publishers based on their use of common website technologies like Google Analytics and Facebook Connect. The foundation of these complaints is that the network connections to Google Analytics and Facebook Connect resolve to US-based IP addresses and that these network transmissions allegedly constitute unlawful transfers of personal data from the EU. One could easily see the scope of such complaints expanding both in terms of company targets as well as targeted technology providers.
Our new scanner covers off that waterfront, and aims to be the first and best option for identifying, at a technical level, the type of risk subject to Schrems’s complaints—which is appropriate, since almost every complaint by Schrems is based on network traffic analysis.
It is time to head him off at the pass.