An update on the Schrems II judgment/ruling (Privacy Shield invalidation)
UPDATE: We have addressed this in v3 (coming soon).
We constantly monitor changes to privacy regulations with global impact, such as the GDPR and the forthcoming ePrivacy Regulation. We also performed a thorough GDPR review in May-June this year and appointed a Privacy Officer.
We're also following closely the Court of Justice of the European Union's (CJEU) ruling on the Privacy Shield certification for US businesses, which declared it invalid as of July 16, 2020. This ruling has a significant impact on numerous businesses around the world.
For those who aren't aware but have seen the word Schrems, it refers to Max Schrems, an Austrian lawyer and privacy advocate. He initiated the legal process that ultimately led to the invalidation of both the Safe Harbor framework in 2015 and now the Privacy Shield framework in July 2020.
Latest update (13 November, 2020)
For those of you returning to this article, here is the latest news:
- The European Data Protection Board (EDPB) published two key documents related to the Schrems II ruling: 1) Recommendations on supplementary measures, and 2) EU Essential Guarantees (EEG) for surveillance measures.
- Further, the European Commission has published a draft for revised Standard Contractual Clauses for transferring personal data to third countries (non-EEA countries).
- The ICO also published an update on 13 November.
The EEG document is useful for assessing whether any third country's national laws (in particular surveillance laws) impinge on the level of protection afforded to data subjects. The recommendations outline the steps you need to take, such as reviewing your records of processing activities, identifying the safeguards you rely on for international transfers of personal data, and conducting transfer risk assessments.
The recommendations also describe potential supplementary measures (technical, contractual and organisational) that may close any identified gaps in the level of protection. You can view a step-by-step description of these actions in this blog post, written by our Privacy Officer.
We recommend that you, at a minimum, review and update your overview of all personal data processing activities. Unless you already have this in place, definitely review the GDPR Article 30 and do this first.
What is the Schrems II ruling and what are safeguards?
Data protection and privacy law in the EU and EEA countries is widely regarded as the gold standard. The ruling applies to the international transfer of personal data from the EEA to a "third country" (any country outside the EEA). Such transfers must be protected by a safeguard under GDPR Chapter 5, to ensure the same level of protection as inside the EEA.
The Privacy Shield framework was, until the ruling, an example of such a safeguard. Other safeguards are Standard Contractual Clauses (SCC), also called Model Clauses, and Binding Corporate Rules (BCR).
Furthermore, the European Commission has the power to determine whether a country outside the EU offers an adequate level of data protection (an "adequacy decision"), in which case no additional safeguard is required for transfers to that country.
The adoption of an adequacy decision is a rigorous process that involves:
- a proposal from the European Commission
- an opinion of the European Data Protection Board
- an approval from representatives of EU countries
- the adoption of the decision by the European Commission
Statements from data protection authorities in the EU
As of 17 August, there is still no unified conclusion or advice on how to manage this on a practical level. The latest update is that the European Commissioner for Justice and the U.S. Secretary of Commerce initiated discussions on 10 August to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework.
European Data Protection Board (EDPB)
In their FAQ of 24 July 2020, the EDPB writes:
“Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.”
Information Commissioner's Office (ICO)
The ICO refers to this FAQ in their statement on 27 July 2020:
“… In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.”
In other words, in addition to ensuring data processors have necessary safeguards in place, we (all) also need to conduct a risk assessment.
What is Fathom Analytics doing?
As always, privacy is at the core of everything that we do at Fathom Analytics, and you can be certain that we take this ruling seriously. We’ve reached out to our sub-processors to see how the ruling impacts them, if at all, and how they’re managing the situation. We’re also working with our legal counsel to determine if and how this ruling has an impact on us.
Regardless of what comes of this, we have conducted a thorough risk assessment of the situation. We performed this risk assessment within a few weeks of the ruling.
To comply with the GDPR:
- We have ensured that the data processing we do is lawful
- We ensure that personal data transfer to a third country (any country outside of the EEA) is lawful
First, we reviewed our personal data inventory in detail, again. Fortunately, we already had the key information about every data processor in place, such as:
- Name of data processor
- Country of origin
- Country(-ies) where personal data is stored
- Safeguards for international transfers
- Technical and organisational security measures
For the “Schrems II risk assessment” we added the following columns:
- General standing/reputation in the market (based on e.g. known security and/or privacy breaches/scandals)
- Data processor action (on the ruling)
- Risk assessment
The ruling doesn’t just impact US based data processors or the Privacy Shield. It impacts the general use of any safeguards we rely on, for any third country (for example Australia, New Zealand or Russia). (Don’t worry, we don’t store any data in Russia!)
So we assessed risks for every data processor with data servers/centres outside the EEA. (Bear in mind that we've already done both data protection and general risk assessments in our business; this assessment is for the Schrems II ruling in particular.) Luckily, we not only provide our customers with simple analytics, we also keep a simple business. We don't use many data processors or systems, and we have detailed insight into each of them thanks to our personal data inventory (cf. GDPR Article 30).
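The inventory review described above boils down to a mechanical first pass: for every processor, find the storage locations that are outside the EEA, check which Chapter 5 safeguard the row relies on, and flag rows that still cite Privacy Shield (or nothing at all) before doing the case-by-case assessment for SCC/BCR transfers. The script below is an added illustration of that screening, not Fathom's own tooling; the processor names, countries and safeguards in it are constructed sample rows, and the "adequacy" label is something the reviewer records from the Commission's list rather than something the script derives.

```python
"""Screen a personal-data inventory for cross-border transfers after Schrems II.

Added illustration, not Fathom's tooling. Processor names, countries and
safeguards below are constructed sample rows.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The EEA: 27 EU member states plus Iceland, Liechtenstein and Norway (ISO 3166-1 alpha-2).
EEA = frozenset({
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
})

# Chapter 5 mechanisms that remain usable after the judgment. "adequacy" is
# recorded by the reviewer from the Commission's list; it is not derived here.
SURVIVING_SAFEGUARDS = {"SCC", "BCR", "adequacy"}


@dataclass(frozen=True)
class Processor:
    name: str
    origin: str                  # country where the processor is established
    storage: Tuple[str, ...]     # countries where it stores our personal data
    safeguard: Optional[str]     # "SCC", "BCR", "adequacy", "Privacy Shield" or None


def third_countries(p: Processor) -> List[str]:
    """Storage locations outside the EEA, i.e. where a transfer actually lands."""
    return sorted(c for c in p.storage if c not in EEA)


def assess(p: Processor) -> Tuple[str, str]:
    """Classify one inventory row as (status, reason).

    no-transfer : nothing leaves the EEA, so Chapter 5 does not apply
    blocked     : a transfer with no valid safeguard (Privacy Shield included)
    adequate    : covered by an adequacy decision recorded in the inventory
    review      : SCC/BCR transfer that still needs the case-by-case assessment
    """
    abroad = third_countries(p)
    if not abroad:
        return "no-transfer", "all storage inside the EEA"
    if p.safeguard == "Privacy Shield":
        return "blocked", "Privacy Shield invalid since 16 July 2020; move to SCC or BCR"
    if p.safeguard not in SURVIVING_SAFEGUARDS:
        return "blocked", "transfer to %s with no Chapter 5 safeguard" % ", ".join(abroad)
    if p.safeguard == "adequacy":
        return "adequate", "adequacy decision covers %s" % ", ".join(abroad)
    return "review", "%s to %s: assess local law and supplementary measures" % (
        p.safeguard, ", ".join(abroad))


def screen(inventory: List[Processor]) -> List[Tuple[str, str, str]]:
    """Return (name, status, reason) rows, action items first: blocked, then review."""
    order = {"blocked": 0, "review": 1, "adequate": 2, "no-transfer": 3}
    rows = [(p.name,) + assess(p) for p in inventory]
    return sorted(rows, key=lambda r: (order[r[1]], r[0]))


# Constructed sample inventory (not real vendors or real contracts).
SAMPLE_INVENTORY = [
    Processor("mail-provider", "US", ("US",), "Privacy Shield"),
    Processor("eu-hosting", "DE", ("DE", "IE"), None),
    Processor("cdn", "US", ("DE", "US"), "SCC"),
    Processor("backup-nz", "NZ", ("NZ",), "adequacy"),
    Processor("ticketing", "AU", ("AU",), None),
]

if __name__ == "__main__":
    for name, status, reason in screen(SAMPLE_INVENTORY):
        print("%-14s %-12s %s" % (name, status, reason))
```

Note that a processor established outside the EEA but storing only inside it (the `eu-hosting` row would be one if its origin were US) is still classed as "no-transfer" here; whether remote access from the third country counts as a transfer is exactly the kind of question the case-by-case assessment, not a script, has to answer.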
We are still waiting for further updates from a couple of our providers but our conclusion, for now, is that there is minimal to no risk in the processing of personal data we do in our business.
We'll continue to pay close attention to what the European data protection authorities and the EDPB advise going forward, and we'll update our work, and this page, if and when necessary.
We have two potential technical solutions. Ultimately, the only processing of personal data we do is in our pageview collector. If we have to, we will set up a system where EU traffic is routed to an EU-based company, so that we can continue operating in the same way we do now, while US/rest-of-world traffic is routed to our AWS infrastructure.
If you want to read more about the ruling and the background of the "Schrems" cases, you can do so here:
- Court of Justice of the European Union press release site where you can download a copy of the judgment
- Joint Press Statement from the European Commissioner for Justice and the U.S. Secretary of Commerce on discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework (10 August 2020)
- The European Data Protection Board FAQ on the judgment (24 July 2020)
- The European Data Protection Board Statement on the judgment (17 July 2020)
- The ICO's updated statement (27 July 2020)
- The ICO's initial statement (16 July 2020)
- The European Commission rules on international data transfers
- The European Commission Standard Contractual Clauses (SCC) for data transfers between EU and non-EU countries
- Bedre Bedrift AS (gdprstart.com)