Since the Schrems II case ruling, there has been a concerning lack of understanding across the board among C-level executives who have misconceptions about the penalties of non-compliance, and what is required of their organisation to move forward without breaching data protection regulations.
As a result, many businesses are now facing a challenge on two fronts; typically they do not have technologists on their board that are aware of the Schrems II requirements, and they are also likely to have legal advisors who are unaware that the technology to comply with Schrems II actually exists.
So, who does Schrems II apply to?
- Organisations that are a non-EEA or equivalency country advisory firm that processes EU personal data on behalf of clients;
- Organisations that use the “public cloud” to benefit from third-party analytics, AI or ML processing capabilities; and
- Organisations that provide remote access to EU personal data for “follow the sun” support or analytics
Why is Schrems II so significant?
The Schrems II ruling by the Court of Justice of the European Union (CJEU) was catapulted into the mainstream in 2020 for its role in creating major challenges for large companies that commission cross-border data transfers, most notably Facebook and Microsoft.
The CJEU’s decision to invalidate the EU-US Privacy Shield agreement was largely based around a failure in guaranteeing the level of protection and privacy required under the GDPR regulations for sharing EU citizen’s data outside the union. Many large companies have already been caught unaware because the obligation to comply with Schrems II, contrary to what many believe, was immediate upon the ruling on 16 July 2020.
Due to the significant publicity regarding the potential negative effects of Schrems II, lack of corporate change may constitute “wilful blindness to a course of action.” This opens board members and senior executives to potential personal and criminal liability. What’s more, auditors have an obligation to report data protection violations to authorities under the International Ethics Standards Board for Accountants (IESBA) and Non-compliance with Laws and Regulations (NOCLAR).
To avoid these critical personal and criminal liability risks, and avoid potential termination of access to data, companies must implement technical controls that protect data when in use. Here are answers to some of the most commonly asked questions about Schrems II to help businesses understand what they need to do in order to achieve compliance:
Will Updating Standard Contractual Clauses (SCCs) be enough to comply?
No. SCCs “are not capable of binding the authorities of that third country, since they are not party to the contract. Schrems II requires the implementation of technically-enforced Supplementary Measures for transfers to non-EEA / equivalent countries in order to be lawful.
Must I stop all processing involving EU personal data that fails to comply with Schrems II?
Yes. Unless you implement Supplementary Measures that ensure an essentially equivalent level of protection, “you must avoid, suspend or terminate” all international data transfers based on SCCs.
What is the penalty for failing to comply with Schrems II?
Under the CJEU ruling, Supervisory Authorities have an affirmative obligation to stop transfers that do not comply with Schrems II requirements. In addition to business operation disruptions from termination of data flows, companies face penalties of up to €20m or 4% of their global turnover, whichever is greater.
Can I use Encryption or Anonymisation as Supplementary Measures to protect data when in use to comply with Schrems II?
No. Encryption only protects data in transit and in storage. Anonymisation is not recognised as a suitable Schrems II Supplementary Measure by the European Data Protection Board (EDPB). Schrems II requires organisations to protect data when in use by using technically-enforced Supplementary Measures that protect data from unauthorised access.
These technical controls must ensure that EU personal data does not reveal the identities of data subjects when processed outside of EEA / equivalent countries. Processing of personal data in the clear outside of the EEA / equivalent countries is unlawful under Schrems II.
Which processing can I no longer do?
The EDPB highlights two use cases of data transfers that are unlawful under Schrems II: Transfer to Cloud Services Providers or Other Processors Which Require Access to Data in the Clear (EDPB Unlawful Use Case 6); and Remote Access to Data for Business Purposes (EDPB Unlawful Use Case 7).
What are my options to comply?
The EDPB has highlighted the transfer of GDPR Pseudonymised data (EDPB Lawful Use Case 2) as lawful. This means that Cloud Processing and Remote Access for Business Purposes (EDPB Unlawful Use Cases 6 and 7) can be made lawful by using GDPR Pseudonymised data (Lawful Use Case 2).
The appetite for information and guidance about Schrems II is growing, and the time for doing something different is now. It is critical that organisations get into a defensible position to comply with Schrems II.
By Gary LaFever, CEO & General Counsel at Anonos