Contact us: +45 32 67 26 26
English

How To Adapt To The Schrems II Ruling In 2021

Joanna Kwong
By: Joanna Kwong GDPR | 30 November

Recommendations from the European Data Protection Board

Last year in July 2020, The European Court of Justice invalidated the EU-US Privacy Shield framework and issued the Schrems II judgement. This has made it quite troublesome to use services, that are based outside of the EU and remain GDPR compliant at the same time. In this blogpost I will try to guide you through how to check, if you can use your services and stay GDPR compliant at the same time.

The Schrems II judgment

The EU-US Privacy Shield was a framework for regulating exchanges of personal data between the European Union and the United States. However, Austrian privacy activist Maximillian Schrems believed that US companies could not guarantee compliance with the GDPR. Among other things, a central issue was laws that enabled the US state to gain insight into personal data if they, for example, suspected terrorism. After advocating for changes, the European Court of Justice ruled in Schrems favour in 2020.

What happened after

This ruling lead to much uncertainty about how organisations in the EU can process personal data, since so many of the cloud services we use nowadays (think Microsoft, Google, Amazon) are based outside of the EEA (European Economic Area). The worst-case scenario of the Schrems II ruling is that organisations in the EU would no longer be able to use software and cloud services from outside the EU, which would include many essential services we use. Now, The European Data Protection Board (EDPB) has issued some recommendations on data protection for GDPR compliance while using third-country services. In this blog post, we will give a summary of these recommendations and discuss how your organisation can adopt these new changes.

Schrems II in a nutshell

The Schrems II judgment emphasizes the responsibilities of data exporters and importers – to ensure that the processing of personal data will continue to be carried out in compliance to the GDPR. As data exporters, we are to suspend the transfer or terminate the contract where the importer of the data is not complying with the level of data protection set by EU law. That sounds daunting, but luckily, the EDPB emphasizes that this is more of a process, and they have laid out 6 steps to adapt to.

Recommendations for Adapting to the Schrems II Ruling

1. Know your transfers

The first step is to ensure that you are fully aware of where the personal data your organisation is handling may possibly go, because of the services you use. This includes cloud services where the server is physically located – e.g., in the USA. Your organisation may possibly also have remote access to a third country for support. By practicing data minimisation – verifying that the data you transfer is adequate, relevant, and limited to what is necessary, you lower the risk of having a data breach in a third country.


If you already have IT asset management in your organisation, you will already have a list of services used in your organisation, and this is a good starting point to knowing your transfers.

2. Identify the transfer tools you are relying on

In Chapter V of the GDPR, there is a list of approved services. If The European Commission has already declared the country, region or sector to which you are transferring the data as adequate, through one of its adequacy decisions under Article 45 GDPR, or under the previous Directive 95/46, as long as the decision is still in force, you will not need to take any further steps, other than monitoring that the adequacy decision remains valid.

The European Commission has only recognised Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection so far. As most of the services we use are based in the USA, then it is likely that there is no adequacy decision, and you will need to rely on one of the transfer tools listed under Articles 46 of the GDPR. Transfer tools include binding corporate rules, codes of conduct, certification mechanisms, and ad hoc contractual clauses.

Luckily, some big service providers are committed to being GDPR compliant and you won’t be suspending use to some essential services. For example Microsoft’s products can still be used, and bigger companies will have specific data protection agreements with them. However, we still recommend talking to a GDPR expert to understand exactly what your organisation can or cannot use.

3. Assess the third country

The third step is to assess if there is anything in the law and/or practices in place of the third country that may infringe the effectiveness of the safeguards of the transfer tools you are relying on, in the context of the transfer. For example, if a third country’s laws dictate that they have full ownership of personal data that enters their country’s servers, if they suspect terrorism, then this service is not an appropriate one – this was the example used to support the Schrems II case. 

4. Identify and adopt supplementary measures

This step is only necessary if your assessment of the third step reveals that the third country infringes on the effectiveness of your safeguards – unfortunately, you will most likely have to if you use US-based services. We recommend looking at Annex 2 (page 28 of the EDPB’s recommendations ) for examples of possible scenarios, and how they can be handled. The needs of your organisation may require that you combine supplementary measures. 

5. Take any formal procedural steps

The fifth step is to take any formal procedural steps to adopt your supplementary tools, based on your findings from the previous steps.

6. Re-evaluate

The sixth step is to regularly evaluate if there have been any changes (e.g., in the third country’s laws or safeguards) that may affect the protection of personal data. This task obviously becomes hard if you have chosen to use services from several different third-party countries as you would have to stay updated on their laws. This could be a reason try to only use EU-services or the ones approved by the EU. According to these guidelines, supervisory authorities will be monitoring the application and enforcement of the GDPR. Based on the Schrems II judgement, the authorities will suspend or prohibit data transfers where they do not see an adequate level of protection being met. 

Conclusion

The Schrems II judgement makes it very clear that even though personal data may be transferred out of the EU, transfers must adhere to the required level of data protection under the GDPR. Their recommendations outline how we can ensure the protection of personal data, even if we use services from outside the EU. If we apply supplementary measures to ensure data protection, but the correct level of protection is still not achieved, then we must terminate or suspend the use of third-country services.

Risk

CyberPilot’s Recommendations

Just like how organisations have adapted to the GDPR, all organisations have different uses of personal data and required levels of protection. Below, we provide three concrete recommendations that all organisations can follow to go towards adopting the Schrems II Judgement. 

Data minimisation

One measure that can only benefit your organisation is to use data minimisation, verifying that the data you transfer is adequate, relevant, and limited to what is necessary. By practicing data minimisation, you lower the risk of having a data breach in a third country.

Apply the Plan-Do-Check-Act Cycle

In a previous blog post, we discussed how the Plan-Do-Check-Act (PDCA) cycle can help maintain your organisation’s information security. Based on the Step 6 of the recommendations, we must regularly re-evaluate our supplementary measures to ensure data protection, and this aligns well with the Check part of the PDCA cycle. The frequency of your re-evaluations and checks will depend on the needs or your organisation

Due diligence

One common theme found in the recommendations from the EDPB is that organisations should document their findings and the measures they take to ensure data protection. Since organisations may face changes in what personal data they need to operate, how they process the personal data, and the rules they must follow, having due diligence will only benefit your organisation for compliance or in the case of getting certified or audited.

We hope that this blog has helped you better understand what the Schrems II ruling can mean for how you maintain the GDPR compliance in your organisation. If you would like to get informational blog posts mailed directly to your inbox, subscribe to our newsletter below!