+44 (0)203 88 020 88

Menu

Search

Cyber Security News & Articles

 

Cyber Security
News & Articles

Trusted Cyber Security Experts
25+ Years Industry Experience
Ethical, Professional & Pragmatic

What is Schrems II and how does it affect UK Data Privacy

In July 2020 the Court of Justice of the European Union passed a judgement that is still sending shockwaves through the privacy and data protection industry in the UK, EU and USA.  In case you have never heard of Max Schrems and the Schrems II judgement, this is what you need to know and how it will impact your business.

 

The Schrems Complaint – GDPR, SCC and the EU-US Privacy Shield

Max Schrems is a privacy advocate from Austria. In 2013 he filed a complaint with the Irish Data Protection Commissioner that Facebook Ireland (Facebook’s Europe-based legal entity) was breaching the then active EU-US Safe Harbour rules because: “Mr Schrems’ personal data should not be sent from Facebook Ireland Ltd (serving Facebook users outside of the US and Canada) to Facebook Inc. (the US parent company), given that Facebook has to grant the US National Security Agency access to such data” due to the US Foreign Intelligence Surveillance Act (FISA) law which provides for wholesale access by US security agencies to data on non-USA citizens held by US organisations.  In October 2015 Europe’s highest court, the CJEU, ruled in favour of Schrems and the EU-US Safe Harbour was declared invalid.

In November 2015 Facebook changed the basis of their defence saying the Safe Harbour ruling is immaterial as in fact they relied on EU Standard Contract Clauses to provide the legal basis and safeguards for data transferred out of the EU.

Standard Contract Clauses are a range of legal document which have been certified by the European Commission as fit for purpose to provide the necessary protections for personal data. In other words, if you need to transfer personal data out of the EU and your contract with the data controller / data processor outside of the EU includes the relevant Standard Contract Clauses – and of course everyone obeys them – then you are compliant. The SCC provide a best practice framework for organisations to follow and prevent everyone from having to re-invent the wheel when drafting contracts relating to data processing.

The legal case before the Irish DPC continued on the basis of the SCC defence, and the DPC took the view that the SCC do not provide a legal mechanism for Facebook Ireland to transfer the data to Facebook USA. This was because Facebook USA would not be able to comply with the EU approved SCC due to the FISA law in the USA requiring them to provide data to third parties in violation of the contractual terms in the SCC.

Facebook did not agree and then invoked the EU-USA Privacy Shield agreement which had since been created between the EU and USA to replace the defunct Safe Harbour rules.

In a new ruling by the CJEU in July 2020 the Privacy Shield was invalidated – it does not exist anymore. The implication is that any business in the EU (and in the pre-Brexit UK) that is transferring personal information to the USA solely on the basis of the Privacy Shield terms is now acting illegally (from website metrics up to customer records being held or processed in cloud CRM systems or databases in the USA).

You might think that a remedy would be to fall back on the SCC and simply amend your contract with the American data processor to include the EU approved contractual terms. However, this is not possible either as the Schrems II CJEU ruling also declared that SCC on their own were not adequate protection for data transferred to the USA as the national laws in the USA (FISA) overrode the protections offered by the Standard Contract Clauses.  The ruling stated that data exporters must confirm that there is an ‘adequate level of protection’ provided by the domestic laws and the SCC in the destination country – and take additional steps to protect the data if this is not the case.

 

What do we do now?

So as of September 2020 the generally accepted answer to the question: ‘how do we legally export data to the USA for processing ‘ is: “um, can I come back to you on that?”  Or as an advisory paper from the BCS (September 2020) puts it: “Our understanding of the implications of the Schrems 2 judgement is still evolving.”  The European Data Protection Board which consolidates the input of the various member states has issued guidance to help on this.

There is no period of grace allowed in the EU ruling which means organisations have to act now – even though there is little clarity on what is the best approach.  In theory, organisations that fail to act are exposed to the full might of the GDPR with fines of up to 4% of global turnover possible.  However a statement from the ICO implies a pragmatic approach from the UK regulator.

What is clear is that organisations that had previously relied on the Privacy Shield or SCC terms alone to safeguard exported personal data to nations not on the Adequacy List will have to take additional steps and conduct further due diligence in order to be able demonstrate compliance with the GDPR – or cease contracts where compliance is not achievable.

The BCS paper provides a list of steps UK firms should take now to prepare their organisation including:

  • Search contracts and agreements with non-EU processors for reliance on ‘Privacy Shield’ or ‘SCC’ terms and prioritise these for review and put in place additional protections if there are domestic laws hostile to data protection in those countries.
  • Consider alternate processing arrangements to avoid moving personal data outside of the EU or to countries not on the Adequacy list (see below)
  • Consider system changes to implement encryption or tokenisation of exported personal data so that it is protected or anonymised

 

What is Data Protection Adequacy?

The European Commission maintains a list of countries whose domestic privacy and data protection laws provide similar protections to GDPR and as a result no additional measures are needed when exporting data to these countries. These are known as countries with ‘adequate levels of data protection’ or the Adequacy List.

The European Commission has so far recognised AndorraArgentinaCanada (commercial organisations), Faroe IslandsGuernseyIsraelIsle of ManJapanJerseyNew ZealandSwitzerland and Uruguay as providing adequate protection.

Notice that the United Kingdom is not on the list nor is the United States of America.  If the Post-Brexit UK is not added to the list by 31st December 2020 then EU firms dealing with UK organisations will have to implement the SCC into their contracts and possibly other measures in order to meet their legal obligation to provide an adequate level of data protection which is equivalent to that provided by GDPR.

 

 

Subscribe to our monthly newsletter today

If you’d like to stay up-to-date with the latest cyber security news and articles from our technical team, you can sign up to our monthly newsletter. 

We hate spam as much as you do, so we promise not to bombard you with emails. We’ll send you a single, curated email each month that contains all of our cyber security news and articles for that month.

Why Choose SecureTeam?

Customer Testimonials

“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”

Aim Ltd Chief Technology Officer (CTO)

"Within a very tight timescale, SecureTeam managed to deliver a highly professional service efficiently. The team helped the process with regular updates and escalation where necessary. Would highly recommend"

IoT Solutions Group Limited Chief Technology Officer (CTO) & Founder

“First class service as ever. We learn something new each year! Thank you to all your team.”

Royal Haskoning DHV Service Delivery Manager

“We’ve worked with SecureTeam for a few years to conduct our testing. The team make it easy to deal with them; they are attentive and explain detailed reports in a jargon-free way that allows the less technical people to understand. I wouldn’t work with anyone else for our cyber security.”

Capital Asset Management Head of Operations

“SecureTeam provided Derbyshire's Education Data Hub with an approachable and professional service to ensure our schools were able to successfully certify for Cyber Essentials. The team provided a smooth end-to-end service and were always on hand to offer advice when necessary.”

Derbyshire County Council Team Manager Education Data Hub

“A very efficient, professional, and friendly delivery of our testing and the results. You delivered exactly what we asked for in the timeframe we needed it, while maintaining quality and integrity. A great job, done well.”

AMX Solutions IT Project Officer

“We were very pleased with the work and report provided. It was easy to translate the provided details into some actionable tasks on our end so that was great. We always appreciate the ongoing support.”

Innovez Ltd Support Officer

Get in touch today

If you’d like to see how SecureTeam can take your cybersecurity posture to the next level, we’d love to hear from you, learn about your requirements and then send you a free quotation for our services.

Our customers love our fast-turnaround, “no-nonsense” quotations – not to mention that we hate high-pressure sales tactics as much as you do.

We know that every organisation is unique, so our detailed scoping process ensures that we provide you with an accurate quotation for our services, which we trust you’ll find highly competitive.

Get in touch with us today and a member of our team will be in touch to provide you with a quotation. 

0

No products in the basket.

No products in the basket.