By providing harmonised data protection rules across the European Union (EU), the General Data Protection Regulation (GDPR) gives individuals in the EU greater control over their personal data: what is collected, how accurate it is, how it is secured, and how long the organizations that process it may retain it.
However, a ruling by the Court of Justice of the European Union (CJEU) in July 2020 created a landmark shift in how EU organizations that use US-based cloud services may transfer and process personal data.
So, what are the consequences of this ruling, and why is it important to businesses based in the EU?
Prior to the ruling, the EU-US Privacy Shield was a framework agreed between the US and the EU which sought to ensure an adequate level of protection for personal data transferred from the EU to the US.
It worked as a self-certification scheme for US companies, and on the strength of it the European Commission had issued an adequacy decision stating that the US offered appropriate safeguards for transferred data. For participating companies, this made EU-to-US transfers straightforward.
However, as a result of the case Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (known as ‘Schrems II’), the Privacy Shield adequacy decision was invalidated. EU customers of US-based cloud services are now responsible for taking additional steps: they must assess, by means of a documented risk assessment, whether the laws of the recipient country undermine the protection of the transferred data.
The case brought by privacy activist Maximillian Schrems centred on Facebook Ireland’s transfer of personal data from the EU to its parent company in the US, which, it was argued, contravened GDPR. The court found that US national security laws permit access to transferred data beyond what is strictly necessary, and that EU data subjects have no effective judicial remedy against US authorities, so the protection offered in the US is not essentially equivalent to that guaranteed in the EU.
The result?
If your business uses cloud hosting from non-EU countries, it is now your responsibility to verify the level of privacy protection in the recipient country in addition to signing the pre-existing Standard Contractual Clauses (SCCs). SCCs can still be used when transferring data to a third country (outside the EU/EEA), but the EU-based exporter must now ensure that the recipient country offers protection essentially equivalent to that of the EU, and must add supplementary technical or contractual measures (or suspend the transfer) where local law undermines the SCCs.
In effect, it is now down to individual organizations to assess whether the recipient country’s laws provide protection equivalent to the EU standard. But why is this parity with EU standards so important?
The ‘Schrems II’ ruling did not ban US-based cloud services outright, but it established that US law allows government authorities to compel access to personal data stored with those providers, including personal data on EU residents, and that affected individuals have no effective means of redress. Transfers to such services can therefore no longer be assumed to be GDPR-compliant.
In practical terms, US national security laws have far-reaching consequences for EU residents, because personal data exported from the EU to the US could become the target of national security investigations and, as already highlighted, is not subject to the same level of protection it enjoys in the EU. Continuing such transfers without assessing and mitigating that risk is a breach of GDPR.
One of the recommendations put forward in response to the ruling is that businesses look for non-US alternative suppliers in order to meet GDPR requirements. Businesses also need to review their existing data processing agreements to ensure that they remain compliant.
Larger global organizations may wish to evaluate hybrid cloud arrangements, deciding which workloads and data can be placed with non-EU cloud and infrastructure suppliers and which should remain with EU-based suppliers.
It is also vital for EU-based organizations to update their internal data protection policies and external privacy notices, so that customers can see transparently how their personal data is handled and where it is hosted.
To stay compliant with EU law and reassure our EU and global customer base of our data privacy credentials, Findity has invested heavily in ensuring our solutions run independently of US-based software, APIs and cloud-hosting platforms.
In short, we take responsibility for our customers’ data and host everything ourselves to stay in compliance with GDPR.