
Schrems II broke US data transfers, July 2020

Schrems II (CJEU C-311/18) makes US-hosted EDR telemetry on EU endpoints a restricted transfer. Why data residency now degrades detection fidelity.


No US Supreme Court ruling governs EU-US data flows. Precision first, because in this work the facts have to hold. The instrument is a Court of Justice of the European Union judgment - C-311/18, Data Protection Commissioner v Facebook Ireland and Schrems, handed down 16 July 2020. Schrems II. It invalidated the EU-US Privacy Shield, Commission Decision 2016/1250, with immediate effect and no transition period. Standard Contractual Clauses under Decision 2010/87/EU survived - conditionally. Every SCC-based transfer now carries a Transfer Impact Assessment obligation. That TIA is where US-based security tooling fails, and it fails at the mechanism level, not the compliance-checkbox level.

The controlling concept is essential equivalence. GDPR Article 44 bars transfer of personal data to a third country unless that country affords protection essentially equivalent to EU law. The Court examined US signals-intelligence authority directly. FISA Section 702 compels US electronic communication service providers to surrender data on non-US persons on the basis of a downstream directive. Executive Order 12333 authorizes bulk collection of data in transit, outside any warrant regime a data subject can contest. Neither grants an EU data subject an actionable judicial remedy against a US intelligence agency. That absence of remedy is the defect the Court named. It is not a form that was filled out wrong. It is a structural property of US statute that no bilateral contract clause between two private companies can neutralize. An SCC is a promise between a data exporter and an importer. FISA 702 operates above that promise. The importer can be compelled and gagged. The contract is silent at exactly the point it would need to speak.

This has no CVE. It is a legal primitive, not a memory-corruption primitive. The exploit surface is the transfer itself. And the transfer is happening constantly inside every US-headquartered detection stack pointed at an EU endpoint.

EDR telemetry is personal data. That is the sentence most detection teams skip, and skipping it is the whole failure. A Sysmon Event ID 1 record carries the full process command line, the account name, the integrity level, and the hostname. Event ID 3 carries source and destination IP and the initiating user. Event ID 11 carries file-create paths that routinely embed employee names and mailbox identifiers. Event ID 10 carries the LSASS access pattern used to catch credential theft - and the accessing user context with it. Under Breyer, C-582/14, a dynamic IP address is personal data whenever the holder has lawful means to identify the subject. Usernames, UPNs, sender addresses in phishing telemetry, Kerberos principals - all personal data under GDPR Article 4(1). An EDR agent on an EU-resident endpoint streaming this to a US-region SaaS tenant is executing a restricted transfer. Not once. Thousands of times per host per day, per event channel.

Access equals transfer. This is the part region-pinning does not solve. EDPB guidance is explicit that remote access from a third country to data physically held in the EU is itself a transfer under Chapter V. A SOC analyst in Austin running a threat hunt against telemetry stored in Frankfurt has triggered the same restriction as replicating that telemetry to Virginia. So has the vendor’s US-based support engineer who opens a session on the EU tenant to debug an agent. So has the US cloud provider’s own privileged operator with standing access to the control plane. Storing the data in an eu-central region is necessary and nowhere near sufficient. If the console, the analyst, the on-call responder, and the vendor’s tier-3 engineering all sit under US jurisdiction, the FISA 702 reachability the Court objected to is reconstituted at the access layer.

This is not theoretical enforcement. In May 2023 the Irish Data Protection Commission fined Meta €1.2 billion for continuing to transfer European user data to the US on SCCs that failed the Schrems II test. That is the largest GDPR penalty issued to date and it was issued for the exact pattern described here - a US company moving EU personal data across the boundary under contractual clauses that could not survive FISA 702. The EU-US Data Privacy Framework adequacy decision followed in July 2023 and is what most US vendors now self-certify under. Treat it as provisional. It is under direct challenge in Latombe v Commission before the General Court, and it rests on the same US surveillance statutes the CJEU has already struck down twice - Safe Harbor in Schrems I, Privacy Shield in Schrems II. The Redress Mechanism the DPF introduced is an executive-branch construct, not an Article III court. A third invalidation is a live scenario, not a tail risk, and any residency architecture that assumes the DPF is permanent is building on a patch that may be recalled.

The operational damage lands on detection fidelity, and this is where compliance and security stop being separable. GDPR Article 5(1)(c) demands data minimization. Effective detection demands the opposite. The command line is the field. MITRE T1059 - command and scripting interpreter abuse - is caught by the arguments in that string: the encoded PowerShell, the LOLBin invocation, the suspicious parent-child chain. Strip or redact the command line to satisfy minimization and the rule that fires on it goes dark. Pseudonymize the username at the agent and cross-host correlation collapses, because T1078 valid-account abuse and T1021 lateral movement are detected precisely by identity reuse across machines. Tokenize the IP and network-based pivoting between the endpoint and firewall telemetry breaks at the join key. The fields that are personal data are the fields detection engineering depends on. There is no clean redaction that preserves both. Every control that satisfies the transfer restriction subtracts from what the SIEM correlation logic can see.

The telemetry reality is a forced split. Keeping the pipeline whole and US-hosted keeps detection intact and puts the transfer in legal jeopardy. Splitting out a separate EU pipeline that pseudonymizes at the agent, holds keys under EU control, and restricts analyst access to EU-based staff satisfies Chapter V and degrades detection - cross-boundary incident response, global threat correlation, and unified hunting all lose signal. A breach that pivots from a US host to an EU host now spans two telemetry stores that cannot be freely joined by a single analyst without generating a transfer at the moment of the join. The correlation that would reconstruct the attack chain is the same act the ruling restricts. That is the tension in plain terms, and it does not resolve with a vendor feature toggle.
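The trade-off described in the last three paragraphs can be made concrete on a handful of records. The block below is an added example written for this post; it is not code from the original article or from any EDR vendor. It builds three constructed Sysmon-style events (Event ID 1 process creates and an Event ID 3 network connection, with invented hostnames, users and addresses), lists which fields are personal data under the Article 4(1) reading above, runs a T1059-style rule that depends entirely on the command line, and runs a T1078-style identity-reuse check across hosts. It then applies two minimization passes: a keyed, deterministic pseudonym for the user (the key is a constructed stand-in for one held in an EU-controlled KMS) and a command-line redaction. The counts show what each control costs: redacting the command line silences the T1059 rule outright, while a deterministic keyed pseudonym keeps the cross-host join alive only for as long as the pipeline that holds the key is the one doing the correlation, which is exactly the EU-only split the paragraph above describes. The field names, the `usr_` token prefix and the rule thresholds are assumptions for the example.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed Sysmon-style records (invented values, not real telemetry).
# Field names follow Sysmon's event schema; "Computer" is the logging host.
EVENTS = [
    {"EventID": 1, "Computer": "eu-ws01.corp.example", "User": "CORP\\a.mueller",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA...",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE"},
    {"EventID": 1, "Computer": "eu-ws02.corp.example", "User": "CORP\\a.mueller",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 3, "Computer": "eu-ws02.corp.example", "User": "CORP\\a.mueller",
     "SourceIp": "10.20.30.40", "DestinationIp": "10.20.30.41", "DestinationPort": 445},
]

# Constructed key standing in for one held in an EU-controlled KMS.
EU_HELD_KEY = b"constructed-example-key-keep-under-eu-control"

# Sysmon fields that carry personal data under GDPR Art. 4(1) as read above
# (user identity, IP addresses per Breyer, hostnames, and command lines or
# file paths that routinely embed names and mailbox identifiers).
PERSONAL_FIELDS = {"User", "CommandLine", "SourceIp", "DestinationIp",
                   "Computer", "TargetFilename"}


def personal_data_fields(event):
    """Return the fields of one event that are personal data."""
    return sorted(f for f in event if f in PERSONAL_FIELDS)


# PowerShell's encoded-command switch and its abbreviations (-e, -ec, -enc, ...).
ENCODED_PS = re.compile(r"-e(c|nc|ncoded|ncodedcommand)?\b", re.IGNORECASE)


def detect_t1059_encoded_powershell(event):
    """T1059-style rule: PowerShell launched with an encoded command.
    It has nothing to fire on except the CommandLine field."""
    if event.get("EventID") != 1:
        return False
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine") or ""
    return image.endswith("powershell.exe") and bool(ENCODED_PS.search(cmdline))


def pseudonymize_user(user, key):
    """Deterministic keyed pseudonym (HMAC-SHA256): the same principal maps to
    the same token on every host, so joins still work inside the pipeline that
    holds the key, while reversal requires the key itself."""
    digest = hmac.new(key, user.lower().encode(), hashlib.sha256).hexdigest()
    return "usr_" + digest[:16]


def minimize(event, key, redact_cmdline=False, drop_user=False):
    """Apply Art. 5(1)(c)-style minimization to a copy of the event."""
    out = dict(event)
    if "User" in out:
        if drop_user:
            del out["User"]
        else:
            out["User"] = pseudonymize_user(out["User"], key)
    if redact_cmdline and "CommandLine" in out:
        out["CommandLine"] = "[REDACTED]"
    return out


def identity_reuse(events):
    """T1078-style view: principals seen on more than one host."""
    hosts = defaultdict(set)
    for e in events:
        if "User" in e:
            hosts[e["User"]].add(e["Computer"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) > 1}


def fidelity_report(events, key, redact_cmdline=False, drop_user=False):
    """Count what the two detections still see after a given minimization."""
    reduced = [minimize(e, key, redact_cmdline, drop_user) for e in events]
    return {
        "t1059_alerts": sum(detect_t1059_encoded_powershell(e) for e in reduced),
        "principals_reused_across_hosts": len(identity_reuse(reduced)),
    }


if __name__ == "__main__":
    print("personal fields in event 3:", personal_data_fields(EVENTS[2]))
    print("raw:", fidelity_report(EVENTS, EU_HELD_KEY))
    print("pseudonym + redacted cmdline:",
          fidelity_report(EVENTS, EU_HELD_KEY, redact_cmdline=True))
    print("identity dropped:", fidelity_report(EVENTS, EU_HELD_KEY, drop_user=True))
```

Run as-is, the raw pipeline reports one T1059 alert and one principal reused across hosts; redacting the command line drops the alert count to zero while the keyed pseudonym leaves the identity-reuse count at one; dropping the user field takes the reuse count to zero as well. The design point is that the join key survives pseudonymization only because both records were tokenized under the same key, so an analyst or store outside the key's jurisdiction cannot recover that correlation without the transfer the ruling restricts.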

Australian entities do not get to watch this from the outside. The Privacy Act 1988 APP 8 imposes its own cross-border accountability, and the Security of Critical Infrastructure Act carries data-holding, control, and incident-reporting obligations for responsible entities. An Australian operator running US-headquartered EDR over EU subsidiaries inherits the Schrems II problem and a SOCI reporting duty at the same time. APRA-regulated entities carry CPS 234 information-security obligations on top. The stack is one vendor. The regulatory exposure is three jurisdictions.

The patch boundary here is not a version number. Even if the DPF survives Latombe, FISA Section 702 is unchanged. Executive Order 12333 is unchanged. The structural defect the CJEU identified - no judicial remedy for an EU data subject against US bulk collection - persists under the current framework. Adequacy is a political finding layered over a legal defect that has not been fixed. The residual exposure after any residency project is the access layer, the vendor’s privileged operators, and the standing possibility that a self-certification under the DPF is worth exactly as much as a self-certification under Privacy Shield was on 15 July 2020.

This is a legal and architectural decision with security consequences, and it belongs in front of privacy counsel, the DPO, and the security architecture owner together - not with the detection team alone, and not resolved by an agent configuration change made quietly to keep a dashboard green. Map where EU personal data enters every telemetry pipeline. Identify every point of US-jurisdiction access, including the vendor’s. Then decide, with legal, what detection fidelity is being traded for what transfer posture. The mechanism is known. The trade is real. The comfortable position - full US-hosted telemetry, unrestricted global analyst access, and a DPF certificate treated as durable - is the one the CJEU has already dismantled once and is positioned to dismantle again.
