The Schrems II Ruling (and Privacy Shield invalidation)
Look no further! Here is all you need to know about the Schrems II judgment and the Privacy Shield invalidation—and what we at Demio are doing to manage this.
On July 16 2020 the Court of Justice for the European Union (EUCJ) announced the “Schrems II” ruling, which affects international transfers of personal data from the EU to the US (and other countries outside of the EU/EEA).
We know that some of you have concerns about the impact of this ruling on your business and your relationship with us. And we want to assure you that you don’t need to worry—we got your back!
We aren’t just one of those companies saying that “we take your privacy seriously”. Since we founded Demio back in 2014, we didn’t only focus on an awesome, frictionless webinar experience, but we’ve constantly tried to stay on top of security and privacy features.
Latest updates (as per: November 13, 2020)
The Schrems II saga continues, and until the European regulators and the US find a solution, we’ll continue to monitor all developments closely.
You can return to this article at any time for the latest update from our side, which are:
In short, the EDPB’s documents will help our EEA based customers (do your best, as of today!) to manage the ruling.
The recommendations outline required steps, like reviewing the records of processing activities, identifying safeguards for international transfers of personal data, and conducting risk assessments. You can view a step-by-step description of these action in this blog post, written by our Data Protection Officer.
The EEG document will be helpful in assessing the third country’s national laws that may impinge on the level of data protection of data subjects. Finally, the recommendations offer concrete alternatives to potential supplementary measures that may close any identified gaps in the level of protection.
We recommend that all our customers ensure they at least have a good overview of all personal data processing activities. Unless you already have this in place, definitely review the GDPR Article 30 and do this first.
Second, we have already provided you with information you need for your data processor risk assessment, right here in this article. Feel free to save it as a PDF in your GDPR folder.
How we work with privacy and data protection
We started preparing for the GDPR, the European data protection and privacy law, early, and got our Privacy Shield certification back in 2018. We’re also continuously assessing and implementing functionality which makes it easier for you, as our customer, to stay compliant on your end.
And while the Privacy Shield might be invalid for EU-US transfers of personal data, we’re still going to adhere to its principles, as another way of demonstrating that we continue to value the privacy of our customers.
We’ve also taken several steps to ensure our customers in the EU/EEA can continue to use us as a data processor – at no higher risk than before.
PS: Demio has never received an access request from any US government entity. Not for the 50 USC §1881a (“Section/FISA 702”), not for the Executive Order 12333 (“E.O. 12333”), or any other US law.
What steps has Demio taken to manage the ruling?
First of all, Demio’s management team is fully committed to manage the ruling as per European guidelines and recommendations. And in accordance with the European Data Protection Board (EDPB)’s FAQ, we have taken the following preliminary steps:
- Working with our legal counsel, who has assisted us on privacy and data protection matters since 2018
- Updated our Data Processing Agreement and got Standard Contractual Clauses (SCCs) in place
- Decided to hire a European based GDPR consultant to ensure we manage this situation in the best possible way
- Key employees are briefed and well informed about the ruling, including our customer support champs
- We’re reviewing all our data flows again, including our records of processing activities as per the GDPR Article 30
- We’re doing a dedicated risk assessment on the ruling, its implications for us as a company and on the data processors we use
- We’re also going through other relevant GDPR, privacy and security documentation, to ensure we get fully aligned with the ruling, today, and for any upcoming updates
- We’ll continue to follow closely the European Data Protection Board (EDPB) and the ICO’s (the UK’s data protection authority) recommendations going forward
- We will update this page whenever new information gets available
If you need more information, and perhaps input to your own data processor risk assessment, we’ve provided this for you below. 👇
Who is “Schrems”, anyway?
In 2013, the Austrian (then) law student Max Schrems filed a complaint against Facebook’s transfers of his personal data to the US, as he worried about US authorities accessing these in breach of European law. Today Schrems is a lawyer and privacy activist, and the “brain child” (as they write themselves) behind the privacy organization noyb.
Schrems’ initial complaint led to the invalidation of both the Safe Harbor framework in 2015 (“Schrems I”), and now the Privacy Shield framework in July 2020 (“Schrems II”).
If you’re really curious, you can download a copy of the ruling from the EUCJ website, and read more and stay up to date here.
What are the current European guidelines?
The EUCJ’s ruling was on 16 July and still, several weeks later, there isn’t a common guideline from European data protection authorities or the EDPB.
At least the European Commissioner for Justice and the U.S. Secretary of Commerce have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework.
In the meantime, here are the latest guidelines from the EDPB and the ICO:
The EDPB writes, in their FAQ of 24 July:
Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.
The ICO refers to this FAQ in their (updated) statement on 27 July:
… In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.
In other words, in addition to ensuring your data processor has necessary safeguards in place, you also need to conduct a risk assessment.
More on that below.
What does this ruling mean for our European based customers?
There are a few steps you should take now – not only for your relationship with us here at Demio, but for all data processors you use in your business.
Tip: a “data processor” is someone you use in your business to process personal data on your behalf, like Demio does for your webinars
First and foremost, you need to know where your data processors are located. Demio, for example, is in the US, which is now considered as a third country, that is, a country outside of the EU/EEA.
To lawfully transfer personal data to third countries, you need to check and ensure the data processor has necessary safeguards in place (to ensure the same level of data protection as inside of the EU/EEA, cf. the GDPR Recital 101.)
Until 16 July 2020, Privacy Shield was one such safeguard. Other safeguards are the Standard Contractual Clauses (SCC), also called Model Clauses, and Binding Corporate Rules.
However, the Schrems II ruling also laid down further obligations on the use of any other safeguard, to any other third country (so not just the US). Below is a summary* of the action steps we recommend for all EEA based controllers:
- Review your records of processing activities to determine which data processors are, or store personal data they process on your behalf, in a third country
- Identify the safeguard for such international transfer (adequacy decision, Privacy Shield, SCCs, BCRs)
- Where the data processor only relies on Privacy Shield, find out if they have others safeguards in place. If they don’t, they should be working on getting an alternative safeguard in place as soon as possible (get it confirmed)
- Conduct privacy/data protection risk assessments for all international transfers
- You need to determine yourself what risk you’re willing to accept and if you should stop using or change providers
* Reproduced with permission from GDPRstart.com
How to conduct a data processor risk assessment
When conducting your risk assessment as per number 4 above, take into consideration aspects like the data processor’s:
- Privacy, data protection and security track record, and adherence to relevant laws
- Technical and organizational security measures
- Investments in these areas, for example in legal and compliance help
- Response time and action taken on regulatory changes (like the Schrems II ruling)
- Potential requirement to comply with the US laws of concern, as per the Schrems II ruling
- Business standing: has the data processor had any major privacy and/or security breaches? Do they generally have a good reputation in the market?
Your Demio risk assessment
On the 16th of July we were all quite happy and relieved that we had taken the time and investment earlier to get legal help in setting up a GDPR compliant Data Processing Agreement!
And below we’ve provided you with our response to the questions above, so that your risk assessment for Demio is pretty much done! Please feel free to contact us on email@example.com if you have further questions.
PS: We’ve even written it in third person form so you can simply copy and paste the responses.
Privacy, data protection and security track record, and adherence to relevant laws
Demio states that they have had a high focus on privacy, data protection and security since the company was founded, including adhering to the GDPR. They got Privacy Shield certified in 2018, and also worked with their legal team to get in place a GDPR compliant Data Processing Agreement.
Technical and organizational security measures
Demio’s technical and organizational security measures include:
- Using world-class highly secure infrastructure to host the webinar platform
- Hired a DevOps consultant to audit the cloud infrastructure to offer additional security measures
- Quarterly security audits
- Consent management with Demio forms
- Browser data encryption
- Secure storage of personal data - technical, contractual, administrative and physical security steps to protect personal data
- Access control
- Employee training
Investments in these areas, for example in legal and compliance help
Demio engages proper legal and compliance counsel when necessary, for example for getting the Data Processing Agreement and the Standard Contractual Clauses in place.
They have appointed a EU Data Representative as per the GDPR Article 27 and Data Protection Officer as per Article 37. In addition, Demio has hired a European based GDPR consultancy to help manage the Schrems II ruling.
Response time and action taken on regulatory changes (like the Schrems II ruling)
Demio was quickly aware of the Schrems II ruling and took immediate action. They started working with their legal team to get Standard Contractual Clauses in place, and review and update the Data Processing Agreement.
In addition, they hired a European based GDPR consultancy to help truly understand the ruling, its implications for Demio, and for their customers. They will work closely with both the legal team and the GDPR advisor until the situation has been fully resolved.
Potential requirement to comply with the US laws of concern, as per the Schrems II ruling
Numerous US based data processors are affected by the Schrems II ruling. Most, like Demio too, is still determining how and if they must comply with any laws that might come in conflict with European laws, like the 50 USC §1881a (“Section 702”/“FISA 702”) or Executive Order 12333 (“E.O. 12333”).
Demio has, however, not to date received a single access request from any US government entity.
Demio will inform their customers about the final legal review of this question.
Business standing: has the data processor had any major privacy and/or security breaches? Do they generally have a good reputation in the market?
Demio has a good business standing with no known privacy and/or security breaches. (The same cannot be said for some of their competitors!)
And there you have it!
Remember to document all considerations you make, so you’ll be able to demonstrate your compliance to your data protection authority, if necessary.
Finally, when you have conducted your risk assessment, you may also want to update your records of processing activities (cf. the GDPR Article 30).
Please contact us on firstname.lastname@example.org if you have any other questions.