Everything you need to know about Schrems II and Rule's data management
Schrems II, the verdict that came into force last year, means that it is more difficult and riskier to use American cloud services. The GDPR states that transfers of personal data to a country outside the EU/EEA area may only take place if the receiving country can guarantee a high level of data protection. This has proven to be highly complex and difficult to guarantee. After Schrems II, it is not at all certain that there is, in some cases, a legal way to process personal data in the United States.
Many data controllers in European countries have noted with horror that data protection authorities have decided that US communication platforms are in conflict with the GDPR, and have therefore turned to European data management. Rule is a Swedish all-in-one solution for data-driven marketing, which stores all data uncompromisingly encrypted within the EU. By storing all personal data in Rule, you make a safe and smart choice regarding your data management. Furthermore, by following Rule's recommendations, you ensure that you are always up to date on the storage of personal data for your e-mail marketing and digital communication.
What is Schrems II?
Both Schrems I and II are named after the Austrian Maximilian Schrems, who is a lawyer and activist. Schrems considered that Facebook in Ireland did not have the right to transfer his personal data to the United States, arguing that the country's mass surveillance system was in breach of the European Union's data laws. The European Court of Justice ruled that the agreement – known as Safe Harbor – which companies (not just Facebook) used for transatlantic data transmission, was not valid. The verdict came to be called Schrems I.
Safe Harbor was replaced in 2016 with the trade agreement Privacy Shield (the shield for the protection of privacy in the EU). Digital traffic between the EU and the US could thus proceed relatively unhindered. Companies in the United States were able to report to the U.S. Department of Commerce and announce that they met the Privacy Shield requirements. On 16 July 2020, the European Court of Justice announced that the EU-US Privacy Shield Agreement does not provide adequate protection for personal data when it is transferred to the US. Maximilian Schrems thus won his second legal crusade as well, and the verdict is therefore called Schrems II.
What does this mean for companies?
One thing is clear when it comes to Schrems II: since last year, a company or anyone else who is responsible for personal data cannot rely on any Privacy Shield agreement if EU personal data is processed in the USA. The agreement has been declared invalid. Standard contractual clauses can be supplemented, but they do not provide a universal guarantee that the processing is valid in relation to the GDPR.
As the European Data Protection Board has not yet adopted final recommendations as a guide to applying Schrems II, it is particularly complicated and difficult for Swedish and other European companies to relate to the new guidelines. It is therefore up to the person responsible for personal data to ensure that his or her suppliers and any subcontractors comply with the GDPR, which has proved to be not entirely simple.
There is no function or solution for your digital communication offered by the American players that is missing from the Rule platform. By choosing Rule as an all-in-one solution for your data management and communication, you do not need to spend time and resources ensuring approved data storage, and can feel confident that it is managed according to the regulations, via Rule.
Many Swedish companies use American cloud services
Schrems II applies to all companies that for one reason or another intend to process EU personal data in third countries. You do not have to look long, for example, to find a Swedish company that uses an American company's cloud services. The Schrems II judgment states that supervisory authorities in the Member States must take active action against personal data controllers who transfer personal data to third countries without legal support. The Privacy Protection Authority has begun investigations against Swedish companies. According to the complaints, the companies have transferred personal data to the United States even after the Schrems II ruling. As this can have devastating consequences for the companies that "get caught", it is highly relevant to review the suppliers you work with that involve data transfers to the US, and ask the question: Is this solution absolutely necessary, or is it smarter and safer to choose another provider that keeps data secure within the EU, which then also removes the risks of a potential verdict?