Recently, Companies have been talking a lot about how the use of Google Analytics (GA) was deemed unlawful. The problem was that GA violates the GDPR due to website visitors' data being sent to the US without the proper security in place. However, the issue does not only relate to Google, as every US vendor that your company uses needs to be assessed.
If you are interested in privacy, you may have heard the name "Schrems" before. Schrems II refers to a European Court of Justice case. The case was brought to the Court based on a complaint from Maximillian Schrems.
Schrem's complaint concerned the transfer of his data from Facebook Ireland to the company's parent company Facebook Inc. Schrems argued that Facebook Inc. did not sufficiently protect his data. He also argued that the transfer was in breach of his European Fundamental rights as the law enforcement authorities in the US could gain access to Facebook users' data.
The EU Court of Justice declared that companies must ensure sufficient protection when transferring personal data outside the EU. For EU companies overall, this means to know who you are sharing data with abroad and take the necessary security steps to ensure that data is well protected.
The Schrems II verdict is therefore essential to all EU companies.
The reason why it's called “Schrems II” is because it's the second time Max Schrems files a law court - so there is both a Schrems I and a Schrems II decision.
The Schrems II decision means that you need to assess if your company is:
The assessment you need to make in regards to these items is called a transfer impact assessment or a "TIA".
Doing a TIA is complicated. It can take time and resources, as you need to do an individual assessment of each vendor you are using. Below, we have made a step-by-step guide to help you on this journey.
If you want to do a TIA, knowing where your data is going and where your vendors are located is essential. It's always a good idea to map the personal data that your company is handling and sharing. You do this by getting an overview of all the services you use (e.g., Slack, Hubspot, Zendesk) and what data you share with those services (e.g., usernames, email addresses, payment information).
Note that data transfers are not only about physically sending or storing data in the US. It could be that you are using a service that access data from the US, e.g., tech support located in Miami accessing your data stored on a European cloud. Read this article if you want to learn more about what makes a data transfer.
If you find that your services are processing data in Europe, you can rest for now, as there is no need to go further with the transfer impact assessment. However, suppose you are using services in Europe that an American company operates. In that case, you need to make sure that you have written confirmation that your data will stay in Europe.
You've done step 1, and you have discovered that your company uses several services that are processing or are located within the US. The next step is to check that there is a legal basis for the transfer between you and the vendors you are using.
The most used legal basis for transfers is the Standard Contract Clauses (SCCs). SCCs are standard contractual terms from the EU that you and your vendor must accept. The SCCs contain obligations on you and your vendor and say that you must both comply with the GDPR. SCCs can be a stand-alone legal contract or incorporated into the existing Data Processing Agreement that you need to have in place when you share personal data.
If you use large vendors like Microsoft or AWS, many of them will most likely have incorporated SCCs into their standard agreements. However, it is always important to know what legal basis you rely on and you need to be able to document that you have the agreement on file.
Here comes the tricky part. Art. 44 of the GDPR states that a transfer of personal data outside the EU can only take place only if the same level of protection is provided. That's why you need a legal basis, like the SCCs, to be sure that your vendor located in the US will handle your data in compliance with the GDPR. Your vendors are obligated under the SCCs to notify you if they receive a request for access to personal data from a government authority. However, the SCCs won't offer effective protection if the US vendor is obligated by law to answer requests from government authorities.
Our best tip is to make your vendor confirm that they are not subject to any national legislation that conflicts with the protection of the transferred personal data.
However, as the Danish Data Protection Agency underlined in their guidance, it is difficult to document that the personal data you transfer to the US will not be subject to any American surveillance programs. That's why you will need to proceed to step 4.
The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring protection for personal data in the US: FISA Section 702 ("FISA 702") and the Executive Order 12333 ("EO 12333").
Great! You've mapped your data, know where you are transferring data, and identified the basis for your transfer.
The point of doing the transfer impact assessment is to assess the security of your data and ensure that the protection of your data is the same as if your data were kept in the EU. This is done by implementing additional technical measures like encryption or pseudonymization before proceeding with the transfer. These additional measures are often referred to as "supplementary measures."
It is not relevant if you or your vendor implements supplementary measures. However, it is your responsibility to ensure that the measures implemented are effective.
The important thing to understand here is that it is not enough to have standard security processes when sending data to the US. You need to assess whether you can implement extra security to protect the data.
The type of extra security that needs to be implemented depends on the data you are transferring, but end-to-end encryption will, in many cases, be the go-to method. We know from the guidance of the Danish Data Protection Agency that there is currently no extra security that can be implemented to ensure the level of protection if your US vendor needs to have access to the transferred data in cleartext.
It is important to review periodically and, if necessary, reconsider the risks involved and the measures implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.
To help with your transfer impact assessments, we have created this decision tree for the Openli Privacy Hub. At Openli, we are aware that doing TIAs is complicated. We are therefore asking your vendors to provide the necessary documentation for their efforts regarding TIAs.
The Privacy Hub has the information you need to do the TIAs, such as SCCs, information on relevant national legislation, and the TIAs that your vendors have done themselves.