Many organisations that handle large or sensitive volumes of data keep running into a problem created by a court ruling known as Schrems II. Data transfer requirements have never been less clear, and businesses are struggling to keep up with the constantly shifting goalposts of data protection.
What Actually is Schrems II?
After the introduction of GDPR in 2018, international transfers of personal data were restricted. To keep an international transfer GDPR-compliant, any organisation looking to send data to a non-EU country had to rely on one of the legal mechanisms the regulation specifies.
Prior to the Schrems II ruling, organisations were able to use the EU-US Privacy Shield as a primary data transfer mechanism that was GDPR-compliant, allowing the secure and free flow of data between EU and US organisations. However, the Schrems II ruling declared this method invalid.
The ruling was made on the basis that the European Court of Justice found the EU-US Privacy Shield framework failed to adequately enforce the protections the EU's GDPR gives to personal data when it is transferred between the EU and the US.
The Court did however recognise that data transfers between the EU and US were extremely important to the everyday running of businesses. As a result, transfers can continue, providing that they:
- Utilise an alternative transfer mechanism under Article 46 of the GDPR.
- Implement supplementary technical measures that ensure access to the transferred data is either impossible or ineffective.
The Schrems II ruling also requires individual, case-by-case assessments of each data transfer to a non-EU country in order to remain compliant. Should the data importer be assessed as subject to intrusive US surveillance laws, the organisation must put in place additional data protection measures that prevent surveillance agencies from gaining access to the personal data.
What are the Consequences of Schrems II?
For many modern-day businesses, international data transfer is a core process. As a result, the Schrems II ruling cast doubt on many day-to-day operations. Whilst Schrems II affects businesses from all walks of life, those that deal in particularly sensitive data, such as the legal and financial sectors, must make meeting the regulations a top priority. Failure to do so could see organisations unintentionally breaching GDPR, which could result in a hefty fine and prove damaging to corporate reputation.
Any business using US-based Software-as-a-Service (SaaS) platforms is affected by the ruling. With individual countries now assessing data transfers, some organisations have already fallen foul of the Schrems II ruling.
The Bavarian Data Protection Authority, BayLDA, has already made one such decision. In March 2021, it ruled that the use of the US-based email marketing platform MailChimp by a German publishing company was unlawful. Using MailChimp requires subscriber information to be transferred to the US, which the Bavarian DPA found to violate GDPR. Whilst the German organisation avoided a fine, it did agree to stop using MailChimp altogether.
No grace period was granted following the Schrems II ruling, meaning that businesses were required to move any affected data transfers onto valid mechanisms immediately.
The European Data Protection Board (EDPB) has recently provided recommendations for supplementary measures in response to Schrems II. These recommendations are intended to allow organisations to build a trusted privacy framework that enables and enhances data flow between the EU and the US.
Whilst failing to follow the Schrems II ruling can land organisations in hot water, the prevalence of cloud computing makes it difficult to avoid. Businesses that use public cloud platforms every day should already have made security and data protection a top priority. However, Schrems II adds another layer of complexity to that task.
How Can We Help?
Mobliciti can work with your organisation to maintain GDPR compliance whilst still allowing international data transfers. We can help you understand the complex processes required to meet the Schrems II ruling, such as implementing strict Cloud Key Management for US-based SaaS providers and adopting a trusted privacy framework that protects your transatlantic data flows. With the majority of businesses relying heavily on US-based SaaS, ensuring that your data remains compliant throughout is essential to avoid hefty fines.
Understanding Schrems II can be a complex task. However, Mobliciti's managed services make adapting to the Schrems II ruling simple and trouble-free to run and manage. Get in touch to find out more.