The general cineaste might get excited when hearing the name Schrems II. Is this a movie about another big green ogre? Or a sequel about a new super-hero? Well, I think Schrems II might have a chance of outnumbering Rocky before we are done here, but in a totally different area. This is something much more exciting – data privacy, and it will most likely impact you and your company.
As individuals have grown more concerned about their privacy, and governments have paid more attention to threats to personal integrity, a number of laws and regulations have been put in place. GDPR is probably the most widely known; it has applied since 2018.
The latest on the list, but probably not the last, is Schrems II. On 16 July 2020, the Court of Justice of the European Union (ECJ) delivered its judgment in case C-311/18, which invalidated the EU-US Privacy Shield and cast doubt over the legitimacy of the EU Standard Contractual Clauses (SCC) for the transfer of personal data to the US and globally outside the EU/EEA.
What makes Schrems II so important for organizations mainly boils down to the growing use of cloud services. Before Schrems II, numerous companies relied on the EU-US Privacy Shield to transfer data in compliance with GDPR in order to use public cloud services. Now, Schrems II requires European companies to conduct individual assessments for each data transfer to a non-EU country.
Does this mean it is no longer possible to use American cloud services and still comply? Yes and no. If you are able to implement adequate safeguards, you can still use American cloud services; if not, you have to find a similar EU-based service. Additionally, despite the recent data protection regulations' aim of harmonizing legislation across the EU, national data protection authorities can rule and fine based on local legal principles.
As an example, French authorities recently ruled that a platform used to book COVID-19 vaccinations, hosted by Amazon Web Services, had put sufficient legal and technical protection of the personal data in place, while other solutions and providers have not been as lucky.
It is also worth pointing out that the services affected by Schrems II are not only the obvious public cloud companies. The online marketing tool for newsletters, Mailchimp, is just one example that many organizations do not think of in terms of data protection. The Bavarian Data Protection Authority in Germany recently ruled that a German company's use of Mailchimp was illegal because the company had not previously assessed whether adequate additional measures had been taken to ensure that personal data was protected from access by U.S. regulatory agencies.
Do not get alarmed. My purpose in highlighting Schrems II is not to make you panic or take drastic measures, but merely to inform you about this highly important ruling, which you have to take into consideration.
In my next post I will give you some guidance on how to address the Schrems II implications for your company.