You’ve put GDPR to bed, then you wake up with Schrems II...

October 7, 2020

Picture this: the CJEU (Court of Justice of the European Union) has invalidated the EU-US Privacy Shield with immediate effect, meaning companies can no longer transfer personal data to the US on the basis of Privacy Shield. Not only that, American-owned companies operating on European soil and hosting data in Europe are also considered non-compliant under the GDPR. From one day to the next, it may no longer be legally possible to use cloud services or hosting facilities that are affiliated with American companies if you store personal data covered by the GDPR. If you are operating in the European market and handling personal data on behalf of your customers, you may be in the wrong here.


It’s a pretty powerful opening of a film and the beginning of a story that will change the world we live in. It has all the parts that constitute a real blockbuster.


The name of the film? Schrems II - it’s the sequel you never heard of. Let’s circle back to that later...


So what are you watching? It’s the new reality for companies operating within the EU and it all started with one person, Maximilian Schrems, an Austrian lawyer and arguably the number one disruptor when it comes to the interpretation and protection of how personal data is handled. 


In what can only be described as the David and Goliath of modern times, Schrems campaigned against Facebook for privacy violations and the alleged transfer of personal data to the US National Security Agency as part of the NSA PRISM program. And won.


The ruling basically obliterated Privacy Shield, which had allowed for the dovetailing of European and American legislation, and now leaves a black hole in its place, with a lot of questions that remain unanswered. The EDPB (European Data Protection Board) and DPC (Data Protection Commission) have stated that they intend to provide further clarification for stakeholders and practical guidance on the mechanisms of transfer of personal data, according to the judgment. But it may take some time.


In the meantime, we lean on the fundamental principles of GDPR and its purpose to protect and serve the individuals within the EU. Two years down the line with GDPR, it is sinking in as something benign, and it has brought focus to one hot topic: what do companies do with our personal data? And more importantly, what shouldn’t they do?


With Schrems II hot off the press, it is abundantly clear that transferring personal data to a third party, which in this case can’t guarantee the safety of said data, is in direct violation of the GDPR.


There are currently over a hundred complaints filed against companies based in the EU because they continue to use Google Analytics and Facebook Connect on their websites - and in doing so, are transferring data to Google and Facebook in the US. According to the ruling from July, such transfers are illegal as both Facebook and Google are subject to US surveillance laws and thereby must disclose data of European users to US intelligence services. The price may turn out to be quite costly: the data protection authorities can impose fines of up to €20 million or 4% of annual turnover for a violation of the GDPR rules on data transfer. And that’s in addition to possible claims for damages by affected users.


So, will you be affected by this? Well, that question has principally been answered by the CJEU which essentially struck down the very premise of the Privacy Shield, arguing that the US still does not limit surveillance of EU citizens to that which is “strictly necessary”. The ruling is so binary in nature that it’s hard to answer the question with anything but a roaring “yes”.


Will you remain GDPR compliant if you continue to store personal data on a cloud service or platform owned by an American company, albeit hosted within the EU? The answer, in light of this ruling, is no. 


"So far, large US data companies are repeating like a mantra that they are evaluating the situation and ensuring that user data is protected on the basis of SCCs. These empty phrases do not change the fact that US surveillance laws give authorities such as the NSA the right to access vast amounts of data that are transferred to the US. So far, there is nothing but silence on this conflict between contracts with EU customers and US laws." – Marco Blocher, Data Protection Lawyer at noyb


Doubling back to the beginning and Schrems. If you haven’t seen the first film, Schrems I (spoiler alert; the ruling invalidated Safe Harbour), don’t fret - you have now moved on to the sequel - Schrems II, where the ruling invalidated the Privacy Shield mechanism (that replaced Safe Harbour). The live coverage is quite a cliffhanger. Who knows, a threequel may follow...


Credit roll. The end.



At Symplify, we value the integrity of personal data, and have, based on the ruling from the CJEU, made changes to how we store our customers' personal data, keeping it safe and out of reach from unauthorized third parties. If you want to know more about how we keep your personal data safe, feel free to reach out.

