What Is Schrems II and How Can You Comply?
Learn more about Schrems II and how businesses can ensure full compliance.
How Schrems II Affects GDPR Compliance
The General Data Protection Regulation (GDPR) is a privacy law designed to protect EU citizens’ personal data. In July of 2020, the Court of Justice of the European Union (CJEU) ruled that the U.S.’s Privacy Shield program did not meet GDPR compliance standards. This decision, the Schrems II ruling, meant that all organizations using Privacy Shield for GDPR compliance were no longer considered compliant. Effective immediately, the Schrems II ruling became vitally important for U.S. and EU businesses to understand and comply with.
To understand Schrems II, you first have to understand GDPR. GDPR, an EU privacy law enacted in 2016, regulates data protection and privacy for EU citizens. To take part in any transfers of EU citizen data, organizations must meet GDPR compliance. The U.S.’s lack of national privacy regulation was found to not meet GDPR standards, with the CJEU ruling that the EU-U.S. Data Protection Shield, which many companies used to transfer data between the EU and U.S., did not offer GDPR-level security.
The timing of the Schrems II decision caused significant disruption for many businesses, as the decision was made during the height of remote working conditions due to COVID-19, with many workers using public cloud platforms. Schrems II now requires EU companies to assess each data transfer to any non-EU country to ensure compliance. The ruling has since forced U.S. organizations to work out how to comply with GDPR while maintaining daily business operations. In today’s landscape, data processing is central to many companies globally, so restricting the flow of transferred data has brought plenty of business to a halt.
It’s now up to each country’s data protection authorities to uphold compliance, and companies must figure out data transfer workarounds despite there being no one-size-fits-all solution. This is a serious challenge for Chief Technology Officers.
Who Is Affected?
The Schrems II decision has global repercussions. While the ruling does increase protection for EU citizens, it also sends a ripple effect through the 168 countries that aren’t part of the EU, 92 of which have their own international data transfer requirements to evaluate.
The decision affects all organizations that transfer or rely on the transfer of personal data from the EU to the U.S. That goes for many technology companies, including giants like Facebook. Internet of Things (IoT) companies and those that rely on public cloud services are also heavily impacted and must now determine how to conduct business, continue to innovate and win customers without violating GDPR.
How Businesses Can Ensure Compliance
Businesses must now be proactive and turn to options, including standard contractual clauses (SCCs) and/or binding corporate rules (BCRs), to navigate the challenges Schrems II presents. The European Data Protection Board (EDPB) has not, to date, stated what safeguards should be put in place for data transfers. Until then, businesses must take it upon themselves to make assessments and meet requirements. Some routes companies can take are included below.
Schrems II Compliance Suggestions
Businesses should address the following when navigating GDPR compliance:
- Review the EDPB’s data controller/processor guidelines
- Review internal data processing requirements
- Make sure SCCs are filled out and attached wherever relevant
- Update the business’s cyber security and privacy policies
- Start a case-by-case assessment to evaluate which aspects of their data collection and transfer could qualify as non-compliance
- Enlist technology that can automate privacy law assessments
- Create an internal GDPR compliance team trained to spot and prevent breaches and educate the company
Perhaps the most impactful measure businesses can take is encrypting data. Encrypting data ensures that third parties can’t gain access to sensitive information, protecting both citizens and companies.
The Risks of Non-Compliance
What happens to businesses that don’t comply with GDPR and Schrems II? The fines for not complying are significant and depend on the level of breach severity. If found to be in breach of the law, companies may face fines of up to:
- Tier 1: €10 million, or 2% of annual global turnover, whichever is higher
- Tier 2: €20 million, or 4% of annual global turnover, whichever is higher
Citizens also have the right to claim compensation from violators for any damages resulting from a data breach. There are reputational repercussions as well. Not meeting data privacy requirements looks bad for any business, both to authorities and to its customers, not to mention its investors.
Schrems II Compliance Conclusion
The faster and more thorough businesses are about aligning their data practices with GDPR compliance, the smoother the road ahead will be. Okera helps companies continue to be data-driven while protecting enterprise data and operating responsibly. Integrating seamlessly into your existing infrastructure, Okera’s platform audits and authorizes every query to comply with data security and privacy regulations.