In July of 2020 the Court of Justice of the European Union issued the Schrems II decision, which invalidated the EU-U.S. Privacy Shield Framework. Privacy Shield was the framework used by more than 5,000 registered U.S. companies to conduct transatlantic data flows in compliance with the GDPR.
Recently, Security Advisor Neira Jones moderated a very interesting webinar to discuss the implications of the Schrems II ruling and what organizations can do to prevent unlawful cases of data transfers. The webinar panelists were Rob Elliss, VP EMEA at Thales, Enza Iannopollo, Senior Analyst at Forrester, and Arjen Slim, Managing Director, Security at Accenture.
What are the implications of Schrems II?
Enza Iannopollo presented a brief timeline of the EU Court of Justice decision and clarified that the Schrems II ruling covers both the storage and the processing of Personally Identifiable Information (PII) of European citizens. Even though the ruling invalidated the Privacy Shield agreement, the implications are far reaching. All data transfers between the EU and third countries are affected, and organizations acting as data controllers need to review their data transfer policies and processes.
This review of data flows should cover both direct data transfers and all data transfers that take place through partners or the complex supply chains of modern organizations. Business digitalization and cloud migration make it even more difficult to maintain compliance with the ruling, since organizations need clear visibility of their data transfers, as well as of the laws applicable in the country hosting their data. Are those laws compatible with GDPR?
Many cloud providers advertise that they have data centers within the EU. Unfortunately, this does not solve the compliance problem, because accessing those servers from another country itself constitutes a data transfer. With data residency requirements becoming normal all over the world, businesses need to find the right and lawful ways of transferring the PII of EU citizens.
As Arjen Slim highlighted, businesses actually have two options: either cease all data transfers outside the EU or look for alternatives that prevent unlawful storage and processing of EU citizens’ personal and sensitive data. This is where the recent recommendations by the European Data Protection Board (EDPB) come in handy, while the Standard Contractual Clauses (SCC) are currently being updated to reflect the current legal status.
What should organizations do?
The EDPB recommendations provide a foundation for what organizations should do to maintain compliance with the Schrems II ruling and to ensure lawful storage and processing of the personal data of European citizens. Businesses should carry out a risk assessment, determine the legal basis of their data transfers, and protect their data in the right way.
According to Rob Elliss, the three pillars of data protection are:
- Discover your data to know your data flows and your risks.
- Protect your data by deploying technology such as encryption and tokenization in accordance with the EDPB recommendations to render your data useless to governments and criminals.
- Control access to your data by controlling and managing the encryption keys.
While there are many approaches to encrypting data and managing the corresponding keys – cloud providers’ native encryption, Bring Your Own Key (BYOK), or Hold Your Own Key (HYOK) – the best practice for keeping full control of data encryption and keys, and for demonstrating data ownership in line with Schrems II, is to deploy Bring Your Own Encryption (BYOE) technology.
This webinar offered valuable insights and recommendations for businesses to navigate the evolving data protection regulatory environment. If you were not able to attend live, it is available on-demand for viewing at your convenience. To learn more about the Schrems II decision, please download our white paper, Securing GDPR-Compliant Data Post Schrems II, watch this video or visit our Schrems II resource page.