Workshop Replay
Schrems II: Implementation Roadmap & Legal Benefits

[00:00] Thank you very much for joining us for this briefing - Schrems II: Implementation Roadmap & Legal Benefits. I want to first let you know that within five business days, we had 2000 registrants for this session, mainly from the General Counsel's office from 1700 - yes, 1700 different organisations and governmental organisations, not just commercial - from more than 50 countries. So, this is obviously something of very timely and topical interest and we appreciate the opportunity to have this conversation with you. My name is Gary LaFever, and I'm the CEO and General Counsel of Anonos. And I'm here with my colleague Magali Feys. Maggie, if you’d like to introduce yourself.

[00:51] Hello everybody. I’m Magali “Maggie” Feys and I’m the Chief Strategist - Ethical Data Use at Anonos. Next to that, I also have my own firm and I specialise in data protection at AContrario.

[01:08] A little more background on myself, I have both a technology background. I was with Accenture where I used my computer science background before going into law, and I practiced for a decade with Hogan Lovells. This session today is about practical means of complying with Schrems II. And yes, it is possible. In fact, that's one of the most important things we want you to take away is that it is possible because there are a lot of misconceptions about this, and we hope that we can walk you through that.

[01:40] So, here are some of the things that we want to be able to take you through. Again, the common concern is 98% of you have the same primary concerns, and it relates to Schrems II impact on public cloud and business transfers. We are going to go into the EDPB recommendation for GDPR Pseudonymisation and spend quite a bit of time on Pseudonymisation because it has a new heightened meaning and requirements under the GDPR. That is why the EDPB recommends it. We are then going to talk about the concept of Lawful Borderless Data. And what Lawful Borderless Data means are the two things - that you can have international data transfers without risk, which makes the lawyers happy, but data utility without compromise to make the business people happy. And then lastly, we are going to touch upon the Anonos Quick Start Program. And so, this is important. The EDPB has actually provided a means to continue processing. We'll go into detail on this. But it's their Use Case 2 Pseudonymisation of data. And so, that's what we will be spending quite a bit of time on.

[02:55] Okay. This is the results of the questions that you guys answered when registering - 98% of you are primarily concerned about the two use cases that the EDPB had said are unlawful. One, cloud-based processing of EU data in cleartext or in the clear. And two, the sharing of EU data for business purposes. Or both of those. And so, this is obviously top of mind for very many people and that's what we will be addressing.

[03:28] I want to tell you about a number of different resources that we have available for you, and we recommend and invite you to take advantage of these. The first is there is a LinkedIn Group. You can see it there - www.SchremsII.com/LinkedInGroup. Or you can go to LinkedIn and simply search for Schrems II. We invite you to join the group. And if you do and you haven’t been there before, please scroll down. There are a lot of Q&As and interactions between the audience as well as FAQs from some of our earlier webinars. So, that’s the first opportunity for you to get exposed to this community. And this community is a community that is interested in how you implement supplementary measures to make SCCs and BCRs lawful. It’s a curated LinkedIn Group. We do not post discussions about whether or not there is going to be a Schrems II or shouldn’t there be more political intervention. Those are all incredibly worthwhile topics, but you can find them covered very well elsewhere. So, again, the focus of this LinkedIn Group is very much on SCCs, BCRs, and supplementary measures because it’s a topic that we find not covered anywhere else and that’s why we have this focus. And for the most part, I mean I don’t want to say it’s limited to that but the LinkedIn Group is almost more of an introductory session and you’ll see the graphic here. The person has a bandaged head. Painful, right? But you have to evaluate which of your data processing activities may in fact be unlawful now under Schrems and whether or not Schrems II is applicable to your organisation. So, it's very important ground-level information.

[05:07] The second is we have a portal. And both of these are available without charge. The portal, as you can see, is available at www.SchremsII.com/Briefing. And I really encourage you to go there. It has video highlights of a number of different webinars that we’ve done in the past as well as information provided by some of our colleagues and other outside experts. But I want to bring your attention to four videos in particular that are available on the Briefing Portal. The first one is a video of Anna Buchta. Anna Buchta is the Head of Policy at the European Data Protection Supervisor (EDPS) and she provides a very compelling story. It was prescient because it was after Schrems II but before the official announcement of the EDPB Guidelines. And as many of you know, the EDPS serves as the Secretariat of the EDPB and is also a member of the EDPB. So, Anna was well aware of the activities and discussions that were ongoing at the EDPB but could not be too specific about since they had not yet been announced. But in her video, what she focused on is do not expect to be able to do everything you did before Schrems II the same way you did it. You must do it differently after Schrems II and after the EDBP Guidelines. Why? Because there are constitutional rights - fundamental rights of data subjects. And so, you can’t just keep processing the way you did. New safeguards or new supplementary measures would be required. But she also highlighted it doesn’t mean and will not mean that you cannot achieve your business goals and objectives. You just have to do it a little differently. So, that video from Anna Buchta from EDPS is highly recommended.

[06:52] The second video that I recommend from the portal is one by Romain Robert. Romain is with the NOYB - Max Schrems’ organisation, and his focus was actually quite fascinating. That it’s not data transfers that cause the issue. What causes the issue as a primary point is that most data controllers are not complying with their existing obligations for Data Protection by Design and by Default for both primary and secondary processing whether in the EU or outside of the EU. And he highlights that you are supposed to be doing encryption. If you are changing the purpose, you should be doing Pseudonymisation because consent and contract likely don’t support your further processing. So, again, a fascinating video from Romain Robert from Max Schrems’ organisation, NOYB, in which he highlights before you even get to international data transfer analysis, you have to make sure that what you are doing is legal.

[07:49] The third video of four that I’m going to highlight is one in which Mark Webber from Fieldfisher, Patrick Van Eecke from Cooley, and Gabriela Zanfir-Fortuna from the Future of Privacy Forum highlight that Schrems II is a Board-level issue. This is not something that you can talk about among mid-level executives. Why? Because the ruling under Schrems II is that the remedy is termination of processing. Not a penalty. A penalty could in fact be fought in the courts for years and financed. But if your company has no access to its data and its processing and its capabilities on an international basis, that could actually literally shut you down. And so, it is a Board-level issue. And there's discussion about the fact that in Europe, Board Members can even be held personally liable. And there's also discussion regarding certain obligations of auditors - the specific obligations of auditors to look for and confirm compliance with data protection obligations and if they're not there to advise the Board and even regulators. So, again, the fact of the matter is and the reason I think we have so many people on this webinar - by the way, most of you are in the General Counsel's office - is because this is a Board-level issue.

[09:04] And the fourth and last video that I want to highlight is one from a PrivSec session in December where the fact that the primary enforcement mechanism under Schrems is termination of access to data actually could be argued to be equivalent to a 100% penalty. So, again, over 60 videos. You can view them at your own pace. So, the Briefing is very, very helpful. And we think that caters to more of an intermediate understanding where people start to realise that SCCs and BCRs by themselves no matter who you have helping you write them, they are not enough. You must have technical controls that ensure compliance. And by that, what we really mean is to ensure that a foreign government cannot surveil the identity of EU data subjects. But the focus of today is this webinar, and I have a URL there. But you already know how to get here because you are here, and thank you for being here. And here, we're talking about taking action, right? Where you now know and you've advised your C-Suite and your Board that something must be done, and you realise you have fiduciary duties. And so, how do you in fact go about making this happen? And that's what we're here about today.

[10:21] So, with that, we'll start with to me one of the three most important slides of this webinar, and I'll try to remember to do my best to highlight when we get to each of those. On the left hand side, you have a tug of war that's been going on for decades. Tug of war between business - those wanting to achieve innovation with data - and data protection, those that are tasked with limiting the liability of the company and trying to ensure compliance with a variety of laws. And we are not going to be focusing on the GDPR because this is a Schrems II webinar. But obviously, these issues transcend jurisdictional boundaries. And the reason for that tug of war has been because of the limited tool sets that have been available. For the most part, people have relied on anonymisation and encryption. Here's the nasty truth. Anonymisation does not work for global big data, and we'll get into more details on this. And yet anonymisation is typically the first advice that you get from outside counsel.

[11:27] Why does anonymisation not work? It's not that anonymisation is impossible. It is possible. But if you talk to the business people who are trying to drive innovation and value from the data, it is impossible to do so with properly anonymised data. But it is impossible to extract value out of anonymised data for the vast majority of business applications. And the other tool of encryption is great to protect data, but you can't even use it. And so, this tug of war had been going on for years, really because of a lack of tool sets that were available. And both parties, the business team and the legal team, are doing their best to achieve their goals but it's been a tug of war. That tug of war has just stopped under Schrems II. And I'm going to pass it over to Maggie to help explain how and why things are different now.

[12:25] Well, thank you, Gary. But as you all know, it's a European Court decision so there is no reason or means to appeal it any more. And also, there was no grace period. As we will all remember the date of 25th May of 2018, I think also we will remember the date of 16 July of 2020 when the Schrems II decision became there. But if you count now, it has been there for six months. And so, action should have been taken. And as Gary already pointed out, as a General Counsel, you have that obligation - that fiduciary obligation to inform your C-Suite and to inform the Board. And so, it is really imminent to take action and to do something.

[13:18] Now, if we go back first to just the principles of the decision. So, the Court of Justice of the European Union ruled that first of all when it goes into international transfer of data that the Privacy Shield treaty has become invalid. So, a number of EU-US data flows were actually under the Privacy Shield, but you will see that that’s no longer possible and thus invalid. Now, on the other hand, the Court ruled that there needs to be effective technology controls in place to prevent US or other non-EU governments, which don’t have an adequacy finding from surveilling the identities of EU data subjects. And this is also when using the public cloud that we have AWS, Azure, and Google. And also, that’s very important and we will come back to that but regardless of where those services are located. Because as the EDPB or the European Data Protection Board explained in their recommendation that the mere access of data by a US company to, for example, a server located in the EU is also to be seen as transfer. You can thus imagine that even if your servers are located in the EU but for example Microsoft employees have access to that server location that there is international transfer and thus that would fall under the Schrems II decision.

[15:03] So, first all, you have to prevent US or non-EU governments to surveil on the identify of EU subjects but also that was taken into consideration and definitely with regard to the US because that was the case at hand because there was also no judicial redress and that therefore supplementary measures and supplementary safeguards next to the judicial obligations and legal obligations we have like the standard contractual clauses or the binding corporate rules that supplementary technological measures or safeguards need to be taken in order to prevent such surveillance when there is no adequate level of protection as guaranteed under the GDPR. And very important to note, there was no grace period. So, sometimes or at least we have seen in other decisions, a grace period is allowed. Here, it was as of the 16th of July that actually those kinds of international transfers under the Privacy Shield or where no supplementary measures were taken had to be stopped so leading to immediate termination of processing. And also up until this ruling, the majority of data protection was managed by contracts, policies, and consent and we have always seen that in practice. If you talk to people and ask what the GDPR exercise consists of, well it was of implementing the ethical rules, but moreover the legal requirements under the GDPR. But we never or very limited saw the translation of those legal requirements in effective technical or appropriate technical and organisational measures in order to protect also the data in use. So, that is the three key points to take away from the Schrems II decision.

[17:07] Meaning that if you see the data controllers processing personal data from any of the EU and EEA countries are now prohibited from using cloud, SaaS, or other data in the clear even if those servers are in EU countries or located in the EU countries. If there is a transfer of data, for example, the fact that there could be mere access from, for example, Microsoft or AWS. So, very important to know that actually and if you come to think of it that it’s because a lot of companies also say we don’t have international transfer of data. Well, first of all, do not underestimate the use of cookies and marketing tools you have in place in order to have user experience and we can all salute that, but a lot of them will be US-located marketing tools and therefore you will have international transfer. Secondly, when we look to the server and the use of Microsoft or AWS, well a lot of them or the majority actually will fall under international transfer of data.

[18:32] And so, what we saw are the effects of Schrems II and that was especially underlined by the European Data Protection Board that cloud based processing of cleartext data is no longer allowed, and that the sharing of EU data for business purposes has also become unlawful. And maybe, Gary, it would be useful if you could give some business examples on this?

[18:57] Absolutely. Thank you, Maggie. So, I first want to be clear. The companies and the product offerings that are in quotes we have no relationship with them, we're not endorsing them, they're not endorsing us, but it helps to give real-world examples. So, this slide shows six different industries, right? Banks, healthcare, media, pharmaceutical, global advisory firms, and insurance firms. And highlights the things that are taken for granted that are relied upon to deliver value are now unlawful without a change. Again, I want to echo Anna Buchta’s words from one of our earlier webinars. It doesn't mean you can't achieve your business goals and objectives. It means you may have to change how they're done, but that change is possible and is happening today. So, again, whether you're in one of these six vertical industries, whether you're using these particular vendors and these offerings, or whether you're just getting 24/7 support, the idea of “follow the sun” by definition, the sun is setting and rising around the globe. And so, part of the assessment as to whether or not Schrems II impacts you is very, very important. But again, we are going to focus now on the incredibly important but narrow topic of: “How do I do this?”

[20:15] And so, within the EDPB Guidance, they identify these two use cases - the same ones from the prior slide, but I'm going to be using Use Case 6 and Use Case 7 to refer to them. Use Case 6 - you're processing EU data in the clear. Now, we've already had a couple of questions from the audience. What about homomorphic encryption? Anyone who's interested, please send me an email at gary.lafever@anonos.com. Homomorphic encryption is making incredible strides, but I will share with you the math that will show for a process that takes one second using cleartext or pseudonymised data, a sophisticated process such as you will find in analytics, AI, and machine learning, it would take 3000 years. So, find me a business person who's happy with results of homomorphic encryption because I've never found one. There's a reason homomorphic encryption is not identified by the EDPB as a means of processing data. However, encryption is not only identified, but recommended for multiple use cases when you're storing data or transferring data. So, if you're looking for an effective practical solution for your organisation or for your client’s organisations, encryption works great for data at rest and data in transit. And someday in the far distant future, homomorphic encryption may well work for data when actively processed. But the reality is today, the only use case that's identified by the EDPB for data in use is Use Case 2 - Transfer of pseudonymised data.

[22:05] And this brings us to a chasm. This is the reason you could almost take one of the first slides when I said it was one of the most important slides of the tug of war, and you could put the business person on one of these canyons and the lawyer on the other, and they're tugging back and forth because attorneys are not aware for the most part of the limitations of technologies nor are they aware of the fact that technologies actually exist that can satisfy Schrems II. But the main reason over 2000 of you signed up within five days is because technology does exist and it is specifically recommended by the EDPB. It's called Pseudonymisation. The other reason this chasm exists is because technologists aren't aware of the Schrems II requirements. “We encrypt data, why can't we just keep using encryption? Or we could use synthetic data.” Synthetic data is a great solution unless you want to re-link to identity. And most of the processing we're talking about is all about processing to get certain results and then later re-linking. So, we will have a chart later and I will walk through why different technologies are different. But this slide is important because in our interactions and work with companies, 90% now are aware they have to have a solution. As Maggie said, they should have had a solution six months ago. And this is a Board-level issue. This is a C-Suite level. What's in your file to show what you've done to cross this chasm? That's the reason for this webinar.

[23:36] So, the approach that we're here to talk about we call Lawful Borderless Data, and it has two components to it. And you'll see these two components reconcile the two different sides of the tug of war. International data transfer without risk to make the data protection lawyers happy. But just as important, data utility without compromise because without that the business people aren't getting the value that they need. So, it's this combination of international data transfer without risk and data utility without compromise that we call Lawful Borderless Data.

[24:12] So, let's start with international data transfer without risk. What does that entail? So, this is the second most important graphic. The first one was a tug of war with the General Counsel on the one saying: “Halt! No more tug of war. I must have a solution.”

[24:32] The second one is this. And I think this timeline helps to explain why there is so much confusion in the industry. Most people when they think of Pseudonymisation and anonymisation are actually thinking with a 2014 brain because there was a pivotal opinion that came out from the Article 29 Working Party - Opinion 05/2014 on that anonymisation techniques and they in essence said anonymisation is difficult but possible and they deride Pseudonymisation. They identify it as a means of security protection that isn't that effective and certainly does not give you anonymisation. What people don't realise is they do realise that 2014 is now seven years ago. But what they don't realise is what changed with technology and the law in the intervening time. And what I think is really prescient was a report that came out in 2015 from the EDPS where they said functional separation - and by the way, the Article 29 Working Party also oftentimes cites functional separation - as an aspiration. If you could separate information value of processing from identity in a way that technologically the two cannot be reconnected without access to information that's controllably limited, that could be the solution going forward. And I actually contend that's what Schrems II requires. But again, 2015 functional separation is identified both by the EDPS and the Article 29 Working Party as perhaps an answer. Now, let's then fast forward after the adoption of the GDPR in 2019, a joint guidance from the Spanish DPA and the EDPS and it's talking about using the hash function as a main means of Pseudonymisation. But the focus that I'm going to have is the statement they make in that, that anonymised data must mean that no one, not even the data controller can re-link to identity. This is why when you want a practical solution to use your data inclusive of international data transfers, it will not be anonymisation and it will not be encryption except for at rest and in transit. And so with that, Maggie, if you could please pick up obviously why we're here, the Schrems II decision.

[27:04] And then, there was the Schrems II decision as already explained that to use the standard contractual clauses and in addition to the standard contractual clauses, you must have technical controls and additional safeguards in place in order to prevent that surveillance because of the fact that there was no judicial redress along with that. And then, the remedy is actually the termination of the processing as it is not as such a penalty that was ordered but it’s just that, well, the processing would then become invalid or unlawful. And once again, it is very important to note that there was no grace period allowed so it is actually a very imminent decision.

[27:54] So, we're going to take a step back, and we're going to talk about functional separation. Maggie, if you could please start this.

[28:01] Well, functional separation meaning separating as Gary already explained the data value of the information value from the identity if you see that it's actually translated or defined in the GDPR as Pseudonymisation and we we'll come back to what Pseudonymisation now really means because it is really a heightened standard under the GDPR.

[28:27] And for companies that do business on a global scale and all of you do or you wouldn't be signed up for this webinar, this concept actually provides a means for you to comply with all the various laws. And when I say that, I don't just mean data protection laws. I also mean vertical industry laws, data sovereignty, and data localisation laws. And this concept of functional separation, while you don't see it used by name that often, it is there. So, for example, de-identification is the term that is used in Californian law and Indian law. Anonymisation is used in the Brazilian law. Now, we have to be careful and I think this is one of the reasons this is so confusing. Each of these words can mean very different things in each of the different laws, which is why I like to refer to functional separation as the process of separating information value from identity, so that both can do what they're supposed to do in accordance with the law without limiting the other and then restricting the ability and when and where and why the two are brought back together. I'd also like to identify and complement some work currently underway by the Information Accountability Foundation. You may have read it in the IAPP Bulletin of last week. Marty Abrams, the Head of the IAF, is working with Canada because Canada is almost there with functional separation as a new proposed law, but he's proposing yet a different term of dynamic data obscurity as a means to accomplish functional separation. So, the bottom line is for companies doing business on a global scale, what we're talking about not only enables you to satisfy obligations under the GDPR, but under different statutes, again, even vertical industry statutes, data localisation, and data sovereignty laws to enable you to do business. So, with that, we are going to go back and embrace the GDPR’s concept of functional separation, and Maggie is going to help explain to us what it requires.

[33:56] Now, there are a lot of misconceptions around Pseudonymisation because, first of all, people think that you have anonymisation and then that's like the highest step and if you cannot reach anonymisation well tough luck, then we call it Pseudonymisation. Well, we already established that just by masking direct identifiers or masking or replacing them by a certain token could in some cases work and could be pseudonymised data. But in the majority given a lot of data that we have, it could actually come back to the fact that it is not pseudonymised data. Secondly, because we cannot always imagine what is pseudonymised data then we have here an example, and pseudonymised data doesn't mean that there is only from your master index only one way to pseudonymise the data and then that is the data you have to work with because then you will come back and say: “Well, our business we have, for example, a use case and we pseudonymise the data in a certain way and we cannot use the data.” Well, going back and really looking at it, you can have use-case specific Pseudonymisation by using dynamic pseudonyms in order then to - for example with Pseudonym A you can use it in a very specific use case where you can create certain rules specific things for this person where for example, in order to train an algorithm and you need much more data, much more specialised data, then Pseudonym B will be much more appropriate because it will have all the relevant data, but it is used by dynamic de-identifiers. And although it does not say a lot to us if we would see that data, but for a computer for an algorithm to train it whether it has John Jeffries written or it has the sort of de-identifier or pseudonym for a computer who puts it down in bits and pieces is the same. And there, you can really reuse the utility of the data.

[36:14] And the first one to start with, because everyone asks once they have the epiphany of Pseudonymisation under the GDPR. And so, we always try to talk about GDPR Pseudonymisation or GDPR-compliant Pseudonymisation because it is so different from what was in the report in 05/2014 as to what Pseudonymisation was. And by the way, if you talk with people who were in the Article 4(5) drafting committee of the GDPR and/or the EDPB technical subgroup, they're the first to tell you. And by the way, I believe they are intending to have a new guidance on Pseudonymisation later this year, particularly given its significance and critical importance for international data transfer that this is in fact the case. The good news is there's guidance out there. The European Cybersecurity Agency (ENISA) came out with two fantastic reports. First in November 2018 and second in November 2019. You can access both of them at www.ENISAguidelines.com. And they have incredibly specific suggestions and evaluation of different ways to accomplish GDPR Pseudonymisation. And that's really what we're talking about here.

[37:26] So, again, I think it's very important to understand that what we're talking about here is not a theoretical solution. What we're talking about here is not something that just works when data is at rest or in transit, or that can work for relatively simple computations. We are talking about solutions that can handle all of your AI, analytics, and machine learning needs as fast as cleartext if you take a slightly different approach, and that approach is actually called Data Protection by Design and by Default, which is an affirmative obligation as Romain Robert from NOYB pointed out in one of our webinars whether you're transferring data or not. So, this chart shows how the different approaches differ, and this is where I think the tension and the tug of war between legal and business started because lawyers tend to focus on the top one. Does it defeat re-identification? And the reality is I'm the first to say every single one of these approaches does that. But now, you have to ask your business team, are you getting the value that you want and need from your data? Because protection without utilisation is nothing.

[38:41] So, now, let's start working down this, which of these enable functional separation as we've identified, separating information value from identity, allowing both to be processed separately, getting maximum value and only reconnected under controlled conditions? Well, GDPR Pseudonymisation definitely does. And we call our product, the output of which is pseudonymised data, Anonos Variant Twins. So, you will see that when GDPR Pseudonymisation does something, so do we. Now, which of these are actually identified by the EDPB as an authorised lawful means of processing data? Pseudonymisation. The other thing - and by the way, I should have mentioned this earlier, all registrants for this webinar we will provide a very in-depth Legal Guidebook that touches upon the underpinnings of everything we've said here that is for you to confirm either internally or with your outside counsel so the fundamentals that we're touching upon here are going to be addressed in great detail in that Guidebook that you will receive.

[39:42] And this is a very important one. There are 15 places where Pseudonymisation is specifically enumerated in the GDPR from which you get expressed statutory benefits. We're not talking about workarounds. We're not talking about loopholes. We're talking expressed statutory benefits. Fifteen times it's noted. Compare that to anonymisation, which is noted twice in Recital 26. We've already mentioned that for global big data, it's impossible to accomplish in a means that satisfies the business requirements. And encryption is mentioned three times. So, just do a weighing there, right? Pseudonymisation is 15. Encryption is three. Anonymisation is two. So, take a look at the Legal Guidebook and see all the benefits that you get - statutory benefits of greater use and flexibility if you have Pseudonymisation. The next one is embedded controls that flow with the data that can support multiple use cases. Again, Pseudonymisation. And this is where the business people start to get excited, the third from the bottom. “Can I re-link back to identity for authorised processing?” Because that's really the Holy Grail, and that's the whole thing about Pseudonymisation. Yes, you can re-link under controlled conditions, only for authorised processing and that's the benefit. And then, there are two additional ones that because of our additional approach to Pseudonymisation, we do with Variant Twins that generally are not the case. But the most important thing here is that you can, in fact, deliver data so that you can have international data transfer without risk.

[41:23] So, now let's look at the other side. Hopefully, we can make the lawyers happy. I know we can. But you have to read the legal book and confirm for yourself. “Can you make the business people happy?” Because that's the big part. Protected data without use is nothing. So, we're going to look at the data utility without compromise.

[41:42] This is the first example. How many companies on this webinar are making use of the public cloud, and at the time of processing that data is processed in the clear? That's unlawful. That was unlawful six months ago. What's in your file for the actions you've taken? The good news is the EDPB gave you the answer - transfer pseudonymised data. If the data that you send to the cloud and processed in the cloud is pseudonymised - again, according to the GDPR requirements, it's lawful.

[42:21] So, let's look at what that use case would look like. Here, you have a data controller that's in the EU. They pseudonymised the data and they send the pseudonymised data into the cloud. As Maggie said, pseudonymised data can support context-specific use cases, it can provide gradated levels of identification, it can be use case controlled. You can get a pseudonymised version of the data set to do any of those processes that are on the right in the cloud and more. And the important thing, the results that you get back will be 100% accurate and comparable to if you use cleartext. So, let me say that again. The data controller at point one can pseudonymise data in the EU and separate information value from identity, send the pseudonymised data, which embeds and reflects the information value for that use case to two, in a public cloud. The system there, as Maggie said, it doesn't know how to read English anyways. So, the fact that it's in a different format as long as it's accurate and could be re-linked under only controlled conditions, you get 100% accuracy when it comes back to three. And then, the data controller and only the data controller is in a position to re-link to identity.

[43:42] So, what happens if a foreign government seizes the data at two and surveills it? They will see the information value. They cannot re-identify. This is the power of functional separation as reflected within the GDPR and Pseudonymisation. So, again, you can have the same value stream here. What's different? You don't just send cleartext to the cloud. What you send to the cloud is pseudonymised and the results you get back are not in cleartext, but they're very easily and only for permitted purposes re-linked to identity. So, that is how Use Case 6, which is unlawful under the EDPB Guidelines becomes a lawful Use Case 2.

[44:29] So, now let's look at the other one - Remote Access. Here you have data in the EU, but someone from outside of the EU can access the data, and I also use this Use Case 7 to refer to situations that aren't cloud based where I'm sending data to someone outside of the EEA or equivalency country to make use of it. If that data is processed in the clear, that is now unlawful. How do you correct the situation? You do it by transferring pseudonymised data. Again, Use Case 2. So, let's go through a more detailed example of this.

[45:06] This is what happened before Schrems II. Now, I know I have the US here, but it could be India, it could be Jakarta, or it could be anywhere that's a non-EEA or equivalency country. And what you're doing before Schrems II is you're looking to get expertise and capabilities that you don't have within the EU from one of these. Now, it could be an affiliate of yours. This doesn't have to mean it's a separate company. So, whether it's an affiliate or a separate company, you're sending data outside of the EU to get benefits that you can't derive yourself by yourself.

[45:39] And so, that's what occurred and was very popular and prevalent before Schrems II. The problem is with Schrems II? Stop. And the real problem is most of you haven't stopped, right? Most of you are still doing this. And if a Data Protection Authority comes knocking on your door? Or if a Non-Governmental Organisation like NOYB or Privacy International comes knocking on your door? Or what if a stockholder representative comes knocking on your door and says: “But the law changed. What have you done?”

[46:14] Here's what you can do. Within the EU, you can apply supplemental measures that actually protect the data that make it unlikable to identity without access to the additional information that you've kept in the EU in the green firewall, right?

[46:34] So, now that data can be provided anywhere - anywhere regardless of equivalency status, because those supplementary measures enable the processing. So, Maggie, if you could please further elaborate on what this could mean for companies?

[46:53] Yes. Let's talk now really with some examples. Because if you do that, and for example, you would only use anonymised data, then you will say: “But yeah, we need that for some of the HR functions or we need it for customer data and our marketing strategy.” So, this strategy really allows that data could be used, let's say, for talent analytics. Now, data of EU employees could then be sent to the US. And we are now talking about the US, but it could also be a non-EEA country that doesn't have an adequacy finding. And that data could then be sent to that third country for really talent analytics, for example, to figure out who are the kind of people that deserve a promotion or who are the kind of people who could, for example, be relocated within the EU or somewhere else or are eligible for a career switch. And you do it not based on individual specific data but by small group specific data. And then, when you have those results from the talent analytics, you go and communicate them back to the EU, and there they can really then be re-identified to know. “Okay. So apparently, it is John and Peter who deserve the promotion and Jeff needs to be or can be relocated. And so, what you see is, I’d like to call it lookalike groups, but I don't like too much the term lookalike groups but microsegments. You create really segments that are small enough to really have the interest or the characteristics of certain people or the utility of your data, but that are big enough not to really have the identity of the person within the group because that stays within the EU. And you can really make this content specific because there's no such thing as only one pseudonymised data set from your master index.

[49:03] Another example for example is the fact that you could use customer data to figure out what is the next best action you want to take. For example, with who should you share a certain offer, and with some customers you preferably have another sort of offer. And once again, you could do this based on the small lookalike group, but I call them microsegments that are small enough to really have the interest and the characteristics of the individuals within that microsegment or within that lookalike group but that are not individual specific. And so, that data you create within the EU. You transfer it to, for example, the US. You have it reviewed. You can even then train an algorithm as we said. It doesn't read English, and it actually has and I think that is for me one of the great things about it is additional benefits because not only did you seek the external expertise, for example, with a marketing tool or from an algorithm to train that algorithm, but the same controls that you put there in order to comply with your Schrems II decision and to transfer, therefore, lawfully the data outside EU can also provide you the supplementary measures or additional safeguards to satisfy the balancing interest test of legitimate interest processing. Because let's be honest, a lot of those secondary purposing and a lot of those processing that we are talking about now, for example, in only those two examples are not or most of the time not based on consent or on a contractual obligation but on legitimate interest. And so, you can really have the benefits of lawful international data transfer, and also have that same thing in order to comply with your balancing of interests tests.

[51:09] Absolutely, Maggie, and what's key and what we've proven with our clients and with outside experts is without any degradation or loss of accuracy or value. So, what happens is the results are brought back to the EU and only within the EU is it re-linked.

[51:27] We've had such an outpouring of questions. We are actually going to end this session at 05:30 CET, so that we have more time to answer some of the questions we've had. So, I'm just making all of you aware of that.

[51:39] So, what's key here is the fact that Anonos didn't just stumble across the approach that we've taken. Anonos has been working for eight years, literally as in multiple tens of thousands of hours in both legal and R&D technology on how you balance and how you stop the tug of war between business and utility. And Maggie, if you could just provide some color perhaps on some of the research and publications and the types of things that we've done.

[52:13] Yeah, thank you, Gary. Yeah, the thing is, for me, I'm doing a PhD on the secondary use of medical data and we all know that that is quite difficult because of what you do with the data and how can we then use it for secondary purposes. And actually, working with Anonos and by working with the tech guys because as a lawyer you partner up with the company and your clients you work for, and we really see and really working together, I saw the technology and really seeing that you can translate those ethical and legal requirements into technical safeguards, that actually can then be used as what I call communicating vessels in order to achieve GDPR-compliant processing.

[53:05] And it is possible. We’re going to have to start moving because I can tell we are losing people here. But the bottom line is it is possible to reconcile them. Anonos is very transparent. If you go to www.anonos.com/patents, you will see what we have been doing since 2012 and you will see what we aspired to do and the reason we focus on the patents is because we ensure our clients and our partners that there will be no interruption to their access to this critical technology.

[53:32] So. data utility without compromise. These are some of the projections and forecasts of Gartner in order to be successful - cloud first, sharing of data, enriching of data - you cannot do that without being able to process protected data with Pseudonymisation. And we all want to avoid what they are predicting for 2024 and 2025, which is increasing personal liability and expenses from insurance related to cyber security.

[54:00] So, we had the challenge of what do we bring to the table to help our clientele? How do we have an offering that's for the most part riskless? So, what we have come up with is something that we call the Quick Start Program where you can make use of our software in the cloud using synthetic data to show what it can do.

[54:21] And I will just very quickly show you that the three modules involved the first one, you'll see how it enables you to enforce Data Protection by Design and by Default, which is an obligation of both primary and secondary processing both inside and outside of the EU. And then lawful processing using safeguards to control and balance the interests of the data controller and the data subject so that you can have lawful processing legitimate interest. You then find that that same technology helps you to comply with Schrems.

[54:48] You work through this over a two-month period. And no matter what happens you win because either you decide Anonos is not for you, but now you have something in your file as to actions you've taken to ensure compliance or you decided it does work for you. And our clients have found that it helps them significantly achieve their business goals.

[55:08] So I, again, refer you to the three different resources we have - the LinkedIn Group, the Briefing, as well as this Webinar.

[55:16] And as I mentioned, we'll be providing you with a roadmap - this Legal Guidebook that goes into significant detail as to how it can help you.

[55:24] But this is what our clients say. It's not about Schrems II. It's about innovation. It's about insights. That's what Anonos is driven by.

[55:33] So with that, we will be sending you all the Guidebook, but we have a couple of survey questions to ask and then we'll go into the questions that have been submitted by the audience. So, if you look at your screen, we'd love to know if you want and need access to the portal. We can also send you a special invite, so you can share it with your colleagues and facilitate group awareness and knowledge very quickly. And then, if you scroll down to the second question here - and I want to repeat and emphasise the portal has videos, very telling videos from the EDPS and NOYB. And then if you scroll down, the question two is: “Are you interested in a 30-minute personal briefing? Or maybe a 60-minute personal briefing where we can go into detail on the types of things that are covered in the Guidebook and help you understand the legal principles that undergird what we're talking about?” Again, this is a Board-level issue. What have you looked at? We would welcome the opportunity to expose you to the benefits of GDPR-compliant Pseudonymisation. You will get the Guidebook because you've already registered for the event. And whether you want to call us after you've read the Guidebook or before, if you're interested please vote and let us know because that enables us to figure out the best ways to meet the needs of our audience. Also, the Guidebook has a checklist. It has a checklist that you should use in evaluating any vendor that is talking about providing Pseudonymisation.

[57:15] Let's take a step back. Pseudonymisation embodies, reflects, and enforces functional separation. You need to ensure that the approach that's taken allows the separation of identity from information value enabling information value to be processed lawfully and then rejoined or re-linked under controlled conditions, so that in fact, the business people get what they want and yet the lawyers get what they need. And what they need is a defensible position as to why the actions they've taken show a good faith compliance effort to their obligations. Maggie pointed out Schrems II is a ruling by the Supreme Court of the Land - the Court of Justice of the European Union - six months ago, unappealable, no grace period. We help you to have a defensible position.

[58:15] So, with that, we will move on to some of the questions that we got from the audience. So, let's look at the first one. And this one is for you, Maggie. Someone asked you to provide more detail on Pseudonymisation versus anonymisation, and they've heard about your famous toothbrush analogy, if you could please share that. So, again, the question is: “Can you please go back and describe the benefits of Pseudonymisation over anonymisation with a quick rendition of your toothbrush analogy?”

[58:48] Yeah. So, what happened actually in the past is if you put the analogy, we were brushing our teeth and we let the water run. Well, the problem was that we had no controls on how much water, where the water was going, and what to do with it. Now, if we would apply on that analogy anonymisation, that means that therefore you must be not able to anymore re-link the information value with the identity, and you really have to throw it away meaning that you would open up the tap. So, first of all, you would close the tap while brushing your teeth, and then open it up. But anonymisation on a lot of data sets would mean that you only get three drops of water. Now the problem is, as you all already stated in some of the questions in certain use cases, what if you use a bad toothpaste and you need at least a glass of water to get the taste out of your mouth? Or you're there with four people and you need four glasses of water? Anonymisation will really restrict you in the data utility and in the utility to use your data. What is the benefits of Pseudonymisation is that same as anonymisation, you turn off the water whilst brushing your teeth. But when you need the water, you have the controls in place to actually say: “Well, let's open the tap and anonymisation would only give you the tree drops.” But with Pseudonymisation, you could say: “Well, in this use case specific, I really need one glass of water.” And it's controlled but this is contained in that glass and you use it because you used the bad toothpaste. In some cases, it's a good toothpaste and the three drops would get you where you need. But sometimes you even need the four glasses. So, that is really the benefit of use case specific Pseudonymisation is that you still can have the data utility, but you do it in a controlled way. And if you think of it, that is exactly the spirit of Article 25 within the GDPR.

[01:00:57] Thank you very much, Maggie. It's nice that your toothbrush analogy has become famous. But I do think it's a great way of identifying the difference in value. The second question here and I'm going to have to go back in slides. I had a request to go back to slide 19. So, just a minute, I'm not sure what that one is. Let me bring it up. Okay. Happy to do so. So, someone asked if I could go back to slide 19 and spend a little more time on this. So, I will. Give me one second, please. Okay. All right. So, this is slide 19. And I know I went over this very quickly. That's not slide 19. One moment, please. User error. Okay. Slide 19. So, the thing I would like to really point out here is we're not denigrating the capabilities of synthetic data, homomorphic encryption, differential privacy, or encryption. They were all designed to do certain things, and they do them well. It's when you get both the business people and the lawyers to the table at the same time that you realise that oftentimes they were created at a simpler time.

[01:02:26] Differential privacy, let's just take that as an example. Differential privacy is premised on the existence of a privacy budget. And people can ask questions, but as they start to use up that privacy budget, as they start to get closer and closer to identifying data, they're either not allowed to ask those questions or there is noise or perturbation or other things done to the data so that the results are less accurate. Differential privacy works very well for certain use cases. But it has to be remaining within a perimeter, you must know all the data uses, you must know the data users, you must have control over the data because those three elements must be known and fixed in order for the privacy budget to apply. You will see differential privacy vendors talk about how they watermark the data, and they say it's great because when they watermark the data, you'll know who took it outside of the perimeter. Well, that's fine, except it's like the proverbial cattle out of the barn or the horses out of the barn. It's too late. And so, differential privacy and most anonymisation techniques are built to be constrained within a perimeter and they work within that perimeter. But when you go to share and combine data and when you go to transfer it internationally, it's no longer within a perimeter.

[01:03:49] And one of the real significant holdings of Schrems II was the fact that contracts, treaties, and I like to say words alone are simply not enough anymore. And the reason they're not enough is because foreign governments aren't parties to those contracts. And so, a foreign government, let's say the US government goes to a public cloud provider. And it says: “Under FISA, I demand that you give me the data that you have access to. And I know that when the data is being processed by you, it's in the clear. I want that data.” The government is not in violation of a contract. They're not party to a contract. And the public cloud provider will be in violation of its obligations under that national statute if they don't provide the data. That's why Schrems II says any jurisdiction, which does not have an equivalent protection, you must have technologically enforced controls that ensure that when and if that foreign government says: “Give me that data,” that cloud provider can comply with their obligation to give them the data. But the data, when provided, doesn't reveal identity. And this is the power of functional separation, if I can separate the information value from identity, allow the information value to be processed, in the event that that information value was surveilled, there's no violation of the rights of the individuals because the data necessary to re-link and re-identify is back in the EU. And if you followed the ENISA suggestions for Pseudonymisation, it will not be subject to re-identification by the foreign government.

[01:05:37] So, I really want to highlight, you have to ensure that pseudonymised data is GDPR-pseudonymised data. So, again, the fact that these different technologies may in fact defeat unauthorised re-identification is not the end of the analysis because you need to satisfy your business teams requirements. And so, as you go through these, and I very much do encourage you when you get the Legal Guidebook to take a look at some of the statutory benefits of GDPR-compliant Pseudonymisation. Maggie touched upon some of those. And Maggie, now that we've allocated ourselves a little more time, could you touch upon the statutory benefits that exist under the GDPR? The one you just touched upon before I so rudely rushed you was the one about secondary processing and further processing. Could you touch a little bit more upon that?

[01:06:30] Well, yeah, because as we’ve seen, in order, for example, we have seen that in hospitals and also with research institutions and I saw one of the questions also. One of the things if you want to publish a scientific article and you use data, you also must then save your data in a data repository in order to re-link the data and in order too for other scientists to verify whether your conclusions are indeed accurate and just. And so, we see that really by secondary use of data that it comes to legitimate interest. And then with medical data, you have, of course, also another grounds under Article 9. But by really using the technology, by implementing those technical safeguards, by using Pseudonymisation and having those controls that, for example, can then easily be exercised by a data access committee, we actually saw within the research that we were able to actually have more potential and more opportunities to use the data for the secondary use. So, although, there were and there are other aspects, I'm not saying, and I think neither is Gary that only applying Pseudonymisation is the Holy Grail and solves all of the problems. Indeed, there is still transparency to be looked at and other stuff. There are the other cornerstones of the GDPR, and we're not saying just toss them away. And if you have Pseudonymisation, then everything is done. But you will see that really implementing that and by really thinking about it from a Data Protection by Design factor that it really opens the fact to the opportunities to use the data and I'm really for innovation and I honestly think that we shouldn't make a binary choice between innovation and privacy, that actually both can be hand in hand together. It's not an equal balance all the time. I'm not saying that. But I think by applying and by really using the cornerstones, the ethical principles, the legal principles, and the technical safeguards as communicating vessels, that is the way forward. And actually, we see that coming back in the EDPB's Guidelines where they say that is exactly the sort of risk analysis you have to make. And a good example, if you don't believe me on that, but a good example is data minimisation. If you ask people of data minimisation, they will say: “Oh, it is only about the quantity of data.” Well, no, the GDPR specifically states that you can actually have a lot of quantity of data. But another way to achieve data minimisation is by actually implementing access rights. So, you see, a technical safeguards being used to actually comply with that legal requirement and you still have all your data, and that is exactly what Pseudonymisation is also doing for you.

[01:09:47] I really want to underscore something that Maggie just said. Pseudonymisation is not a silver bullet. Pseudonymisation is not a golden shield. Pseudonymisation is not a magic wand. But what it is, is a technical and operational measure that is specifically enumerated and rewarded under the GDPR if it's complying with the types of requirements and suggestions made by experts such as ENISA. And the Legal Guidebook that everyone who registered will get and a lot of the questions are: “Can we get copies of the slides?” Everyone who registered will get a link to a video replay, a summary, as well as the Legal Guidebook. And again, even if you didn't respond to the question, I would welcome the opportunity to have a one-on-one briefing. Maggie and I learn as much from these briefings as you do. So, do not think that you're imposing on us. We learn from hearing different perspectives from clients and prospects and that enables us to do a better job of what we do. So, I encourage you, if you're interested, reach out to me at gary.lafever@anonos.com because we would welcome the opportunity to talk to you about these things.

[01:10:59] So, the next one is a question I get asked quite often: “Do you think there will be a Schrems III?” And so, I'll answer this first, and then I look forward to Maggie's. I do not think they will be a Schrems III. And here's why, in my view, there won't be. It goes unnoticed by a lot of people. But just several months after Schrems II, the Court of Justice of the European Union came out with a number of rulings that impacted the UK and this was before Brexit, Brussels, or Belgium and France and they basically said: “You cannot be collecting data in mass forms under telco for potential use in the future.” So, the CJEU has made it very clear that the ruling of Schrems is not just restricted to the US. It applies to any country that does not have an equivalency ruling. And even within the EU, the principles could apply. So, I do not believe there will be a Schrems III because I believe any attempt to solve this tension and this tug of war that was on the one slide - and by the way, I wanted to point to this slide because this is the third most important slide. I told you I would tell you. The first most important slide from my perspective is the one that actually was the tug of war with the General Counsel saying no more. The second most important slide was the timeline that showed that from 2014 when there was Opinion 05/2014 on anonymisation up through Schrems, there was a huge shift and that Pseudonymisation is now a very powerful tool and not something to be derided as it was in 2014. And also that anonymisation, as made clear by the joint Spanish DPA and EDPS ruling is something that has such a high standard that not even the data controller can speak to it.

[01:12:49] So, from all of this, if I was to summarise why I don't think there's going to be a Schrems III is because what Schrems II says. Again, this is my view. You must have a defensible technologically enforced position. You cannot rely on words alone, whether those words exist in terms of use, in a contract, or a treaty, the rights of our data subjects - and this is fundamental rights and these are constitutional rights - cannot be abrogated away or negotiated away in contracts to which they're not parties. So, I do not believe that there will be a Schrems III. I do not believe that there will be a Privacy Shield 2. I do believe and hope that the US and EU government can come up with a trade deal, perhaps similar to what they've done with the UK that will acknowledge the need and importance for information. But don't forget, the UK-EU trade deal does not have an equivalency ruling. So, Maggie, if you would please share your perspective on whether or not you think there will be a Schrems III.

[01:13:59] Well, I always say that depends on Max Schrems’ appetite for judicial procedures and knowing that there is WhatsApp I think he could go another round. Now, all kidding aside, I agree that we won’t probably see a Schrems III given the fact that if there would be a new proposition hopefully under the Biden administration for the EU-US transfers and an adequacy finding that with everything in mind the EU and the Commission will look at it with that perspective. And I agree that it probably will then not be as easy as having a Privacy Shield 2.0. So, I am inclined to agree with you, Gary, that probably there's not a Schrems III on the horizon.

[01:14:56] So, in the time that we have left, I’m going to hit some of these questions that we’ve had asked. First off, when we say that Pseudonymisation is not a magic wand, a silver bullet, and a golden shield, I want to call back in Anna Buchta’s comments. And again, this video is on the portal. Anna Buchta made it very clear that when the EDPB Guidance came out, it would still be possible to achieve the goals but they may have to be done differently. And what I mean by that is we are oftentimes asked: “Can Pseudonymisation fix Office 365? How do you do certain things?”

[01:15:37] The reality is change in business practices will be required. You will have to identify which practices have to occur within the EU and in which business practices can actually be transferred outside of the EU. And so, could Pseudonymisation “fix” Office 365? That would have to be a conversation with Microsoft. But the reality is what we're talking about - the kinds of processing we're talking about are where you're looking to capture the expertise from third parties. And that's why the two use cases that are identified as being unlawful - processing data in the public cloud in the clear and also transfer of data - are the two that we focused on because that actually is repurposing of data and further processing.

[01:16:24] And as Maggie mentioned, the capabilities and technical and organisational measures can actually help you to support winning as it were showing that the balancing of interest test actually does come out so that the rights of the data subjects are adequately protected, so that the data controller can move forward. And so, we do not purport that Pseudonymisation fixes everything, and I'm sure each of you have either internal advisors or external advisors that you work with. The reality is, you have to figure out what minimal changes will be necessary to your business practices and what can be outsourced as it were or transferred outside of the EU, or EEA, or equivalency countries. But changes will have to be made. And I believe this is where Romain Robert would say: “But those changes should have already occurred regardless of international data transfer when you look at your obligations under Article 25 - Data Protection by Design and by Default.” And this goes to another point that Maggie made. Data Protection by Design and by Default specifically cites data minimisation and specifically cites Pseudonymisation. And when they use data minimisation, they're not talking about restricting and limiting the amount of data that you have. They're talking about providing just the minimal level of identifying data necessary to accomplish a desired business result. That use case specific, context specific application of technology, that's Data Protection by Design and by Default. That's data minimisation, not in volume, but in use case and Pseudonymisation is a means to address that.

[01:18:08] So, whether you're working with internal groups or external groups - and by the way, we work with a number of external groups. We, Anonos, are a software vendor. But if you need access to groups who can help you understand part of the broader issues that we're talking about, happy to work with your existing groups, internal or external, or can refer you to those that we work with external. Our focus is on our subject matter expertise, which is the ability to deliver software that separates identity from information value, so you get the benefit of both.

[01:18:37] The next question I'd like to touch upon is Brexit. And I'd love to get Maggie's perspective on this as well. The reality is to me, Brexit is very telling and why I say that is because the trade arrangement between the EU and the UK, many people - I have to tell you. I saw a lot of discussions in social media. “Oh, thank God, we got adequacy. Oh, we don't have to worry about this.” The reality is the trade deal identified the legitimate needs of both jurisdictions, the United Kingdom and the EU. And it provided for a period of time, during which transfers will not be held to be international data transfers. But if you notice, the UK Data Protection Authority issued an announcement and a recommendation that UK companies facilitate and cooperate with their EU customers to put alternative transfer mechanisms in place. I personally believe there will not be an adequacy decision between the EU and the UK, and the reason I say that is because I believe the days of adequacy decisions, while they will still exist, are less important than the days of having to have defensible technologically enforced measures that can protect the rights of EU data subjects while achieving the business goals. And those same capabilities will serve you well with cross border transfers outside of the EU and trying to achieve your business goals and objectives. Maggie, do you have any particular perspective on Brexit?

[01:20:15] Well, yes, just that the treaty now signs, actually, from a legal point of view, and I don't want to bore you too much with that, but there were quite some academics working on that that actually the documents or the sort of legal texts as it is, is not adequate indeed to actually state or govern the aspect of international data transfer and data protection. So, just thinking that that solves the problem and that we are out of the woods now, I think is actually quite dangerous. Because from a legal perspective in the hierarchy of legal norms, it’s definitely not the right document and I tend to believe that. And secondly, will there be an adequacy finding? I could not say that as such but we can all agree because it was also indicated that the UK also has the surveillance laws. So, actually, the same problem would occur there. And once again, I think with Schrems II, we know now that we have to have the standard contractual clauses or the binding corporate rules. And next to that, the supplementary measures. And as Gary pointed out and Romain Robert did it but I also tend to agree with that. What I said in the beginning, there is not so much new under the sun with Schrems II. It’s the fact that actually, the mere fact that Data Protection by Design by having the supplementary measures as a process as a procedure within your company should already be there is something that follows from the GDPR, and I think it’s very understandable and we all have been there. We have implemented GDPR and definitely within the big companies there is a lot of work and you focus of course on that data register and on all the legal requirements, and I think the translation was not always made to really work as a sort of process procedure. But if it would have been done that, which brings significant difference in the way not in what you could do as a business but sometimes in the way how you have to do your business. But if that would have been done from the start or more taken into consideration, I think Schrems II would not have been the hassle or the earthquake it now was.

[01:23:02] So, time for one last question. It’s a very specific question. A registrant asks: “I use GCP - Google Cloud Platform. I send it to them. It's encrypted. They save it. It's encrypted. But when they process it, they decrypt it. How can I continue to avail myself of the many benefits of Google Cloud?” And I really want to emphasise that cloud is not about storage. Google Cloud, Azure, AWS - they have amazing capabilities, either that they offer themselves or through their partners through their cloud platform. And that is why people like to use the cloud because they get the benefit of those capabilities. So, this question is really identifying why it mentions GCP, you can fill in the blank, you know, and add IBM cloud to the mix. These are US-owned public clouds that provide real value and an EU data controller wants the benefit of that value. But at the time of processing, the data is in the clear, which means it's now unlawful.

[01:24:05] How do I fix that situation? And again, what you can do is you can pseudonymise the data in the EU so what you’re submitting up to the cloud is pseudonymised and protected. We can show you. I will guarantee it. That's what the slide that's here. We guarantee that our software delivers 100% of the same accuracy as cleartext data for AI, analytics, machine learning, secondary processing, etc. And if it doesn't or a Data Protection Authority or a Court holds that our software does not comply, we give you the money back for our Quick Start Program. We really struggled to figure out how can we come up with something that says riskless as possible because this is a tough time and companies have to act. Six months have passed. What’s in your file to show the actions you've taken? What's your briefing been to the C-Suite and to the Board of Directors? And the bottomline is the answer to this person's question is if you pseudonymise the data and you send pseudonymised data to GCP, you will still get the same results back that you got before. And in fact, you may find that you have more opportunities. So, the reality is the opportunity to share and combine data lawfully to do cross border transfer, to use external capabilities like cloud processing, are actually enhanced and increased using Pseudonymisation.

[01:25:31] So, our time is up now. But I would like to encourage anyone that's interested to please contact me directly at gary.lafever (at) anonos.com and I'd be happy to do so. We have had several 100 people ask. We will schedule. And if you're really lucky, you'll get to talk to Maggie and not me. Seriously, though, it has been a pleasure for the two of us to speak with you and interact with you today. We hope this was worthwhile. You will all receive a copy of the Legal Solutions Guidebook, and we encourage you to reach out to us. This is something that must be addressed in a way that achieves the objectives of data use while honoring, respecting, and enforcing the fundamental rights of data subjects. Thank you very much. We hope you all have a good evening or day.

[01:26:22] And one thing I think, Gary, you can say we saw a lot of Q&As coming in, so we also will see how we tackle them.

[01:26:29] Yes. Thank you very much, everybody. We appreciate the interaction. Thank you. Have a great day.

[01:26:36] Thank you.