What is Schrems II and how you can be prepared for it
Data is King for the Modern Marketer
June 15, 2021
Covid-19 and its impact on cyberfraud
July 1, 2021
What is Schrems II?
The Schrems II Decision is a landmark ruling by the Court of Justice of the European Union (CJEU). In July 2020, the CJEU invalidated the Privacy Shield (framework) which essentially served as an approved “adequacy” mechanism to protect cross-border transfers of personal data from the European Union to the United States, prior to the CJEU’s ruling in this case. (curia.europa.eu)
Requirements as per GDPR
In order to be compliant with GDPR, when transferring personal data from an EU country to a country that does not have a confirmed adequacy status for their level of personal data protection (known as a third country), organisations must set in place a transfer mechanism that demonstrates protection to the equivalent. This is what makes the data transfer legal. (gdpr-info.eu)
Effects of Schrems II on services offered by Phonovation
All of our services are operated and managed by a team of experts from our head office and data centre located in Dublin, Ireland. Phonovation does not transfer any personal data outside of the EU which is why this judgement does not have an impact on our services. Where applicable, Phonovation continues to ensure that there are adequate contracts in place with vendors and third parties as well as having effective security controls in place to safeguard data.
How companies can be prepared post Schrems II ruling:
Evaluating data processing requirements
The Schrems II judgement doesn’t necessarily mean you will have to reduce your data transfer practices, but the process will now be more complicated. This means that you will need to be particularly wary of when transfers are deemed necessary. Any data transfers for which you’d previously used the Privacy Shield must now be done using SCCs (standard contractual clauses). This is the mechanism used for data transfers between the EU and the rest of the world, so you may already be familiar with the process.
There are legal contracts that outline the terms and conditions for data transfers and are designed for organisations that participate in two-way data sharing and in straightforward internal personal data transfers. SCCs only apply to the data processing activities set out in the agreement, so whenever the processing activities change, you will need to draft a new contract.
Restricted applicability
For an SCC to be lawful, organisations and regulators must conduct a case-by-case analysis of them to determine whether protections concerning government access to personal data meet EU standards. This again causes problems for EU-based organisations that intend to transfer personal data to and from the US.
Organisations in the US that use SCCs to receive personal data from the EU must inform the data exporter of any inability to ensure equivalent levels of protection. In those cases, the exporter will be required to suspend or terminate the data transfer under the SCCs. These issues mean that, although SCCs can work as a stopgap, organisations shouldn’t view them as a long-term solution. (itgovernance.eu)
Map and asssess all flows of personal data to third countries.
Where personal data is transferred under SCCs: (i) determine the destination countries; and (ii) assess the nature of the transferring personal data, in particular:
- Identify what personal data is being transferred.
- The sensitivity of this personal data.
- Whether some or all of this personal data is already in the public domain.
Determine if the destination country provides a satisfactory level of protection.
Organisations may consider creating a risk questionnaire for completion by data importers to help assess the third country’s surveillance laws. They may also choose to:
- Consider additional measures and safeguards to address any risks identified.
- Document findings and decisions made. (Arthur Cox)
To find out more, contact us through sales@phonovation.com or call us on +353 (1) 284 30 11.
