Schrems II: How to Protect Against Liability When Using Non-EEA / Equivalency Country Vendors


98% of the participants in an Anonos Schrems II webinar held on 13 January, involving 2000+ executives representing 1700+ companies from 50+ countries, expressed concern about the risks associated with cloud-based processing of cleartext EU data and remote access to EU data for business purposes. In follow-up meetings and discussions with representatives from hundreds of companies, grave concerns have been raised regarding the risk of personal and criminal liability for corporate officers and Boards of Directors for ongoing use of non-EEA Cloud, SaaS and outsourcing solutions.

The significant publicity regarding the potential negative impacts of Schrems II means that a lack of corporate action in response may constitute “wilful blindness to a course of action” or “reckless conduct by knowing of the risk but doing nothing.”[i] In addition, auditors have an obligation to report data protection violations to authorities under the International Ethics Standards Board for Accountants (IESBA), and Non-compliance with Laws and Regulations (NOCLAR).[ii]

When dealing with non-EEA/equivalency country vendors claiming that their services occur entirely within the EU, removing them from the realm of Schrems II issues, corporate officers and Boards of Directors are still open to risks. This is because while the data may appear to be accessed and processed solely within the EU, vendors often retain access to the data, or to keys or other methods for accessing the data, for purposes of performing services or other contractual obligations.

The ability of non-EEA/equivalency country vendors to access EU personal data raises the following two Unlawful Use Cases identified by the EDPB:[iii]

  • Unlawful Use Case 6: Transfer to cloud services providers or other processors which require access to data in the clear.
  • Unlawful Use Case 7: Remote access to data for business purposes.

The existence of Unlawful Use Cases 6 and 7 means that common vendor practices leave corporate officers and Boards of Directors open to liability risks from the potential for unlawful data access.

It is also important to note that the CJEU did not include any grace period for the Schrems II decision, meaning that compliance is immediately required. Industry direction may come at a later date, but measures are necessary immediately to ensure risks are mitigated.


To mitigate these risks, Anonos recommends that companies request that the following guarantees be included in contracts with vendors claiming that their services occur entirely within the EU.

 Proposed Third-Party Guarantees:

  1. [Insert Third-Party Vendor Name] guarantees that when using our [software/services], no data is processed, or could be processed, in the memory of our systems or otherwise so that the data is accessible in the clear at any time by us, or through us to authorities in any non-EEA / equivalency country, with respect to which we are under an obligation to share, provide or disclose the data.
  2. [Insert Third-Party Vendor Name] guarantees that when using our [software/services], we retain no keys, copies of keys, or any other access mechanism (e.g., “break the glass” access in emergency, non-payment or other situations) to provide us with the ability to view or otherwise access your data in the clear at any time.
  3. [Insert Third-Party Vendor Name] guarantees that our [software/services] protect not only direct identifiers but also indirect identifiers that in combination could reveal the identity of data subjects.

If vendors are unwilling to provide such guarantees, an alternative solution is to transform Unlawful EDPB Use Case 6 and 7 scenarios into lawful processing by Pseudonymising the data before providing it for processing by non-EEA providers, so as to satisfy the requirements for Lawful EDPB Use Case 2: Transfer of GDPR Pseudonymised data.[iv]

If organisations are unable to give you these guarantees, or refuse to do so, you must move your data processing and transfers into Use Case 2 to protect the data when in use, or stop data transfers. If you elect not to take this course of action, your decision (and the reasons underlying your decision) should be carefully documented for your records.
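As an added illustration of what "pseudonymising before transfer" means in practice (this is example code written for this page, not Anonos software or anything the article describes), the script below replaces direct identifiers with keyed HMAC pseudonyms under a key that only the EU controller holds, coarsens indirect identifiers so that combinations such as postcode plus birth year no longer single a person out, and keeps the re-identification table on the controller's side. The record fields, the sample people and the `new_controller_key` key-management stand-in are all constructed assumptions; the pre-transfer `leaks_cleartext` check is the kind of control a reviewer would want to see before a dataset leaves the EEA.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people) as an EU controller might hold
# them before handing the dataset to a non-EEA cloud processor.
SAMPLE_RECORDS = [
    {"email": "anna@example.org", "name": "Anna Berg", "postcode": "1050", "birth_year": 1984, "diagnosis": "J45"},
    {"email": "bert@example.org", "name": "Bert Claes", "postcode": "1060", "birth_year": 1971, "diagnosis": "E11"},
    {"email": "anna@example.org", "name": "Anna Berg", "postcode": "1050", "birth_year": 1984, "diagnosis": "I10"},
]

# Direct identifiers are replaced by keyed pseudonyms; the key never leaves the controller.
DIRECT_IDENTIFIERS = ("email", "name")


def new_controller_key() -> bytes:
    """Secret held by the EU controller only (hypothetical stand-in for real key management)."""
    return secrets.token_bytes(32)


def pseudonymise_value(key: bytes, field: str, value: str) -> str:
    """Keyed HMAC-SHA256 pseudonym (truncated to 128 bits of hex).

    An unkeyed hash would not do: the processor could rebuild the mapping by
    hashing guessable inputs such as e-mail addresses or names.
    """
    mac = hmac.new(key, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def generalise_indirect(record: dict) -> dict:
    """Coarsen indirect identifiers that in combination could reveal identity."""
    out = dict(record)
    out["postcode"] = record["postcode"][:2] + "**"          # keep only the area prefix
    out["birth_year"] = f"{(record['birth_year'] // 10) * 10}s"  # exact year -> decade band
    return out


def pseudonymise_dataset(records: list, key: bytes):
    """Return (outgoing records for the processor, lookup table retained by the controller)."""
    outgoing = []
    lookup = {}  # pseudonym -> original value; stays inside the EEA with the key
    for rec in records:
        g = generalise_indirect(rec)
        for field in DIRECT_IDENTIFIERS:
            p = pseudonymise_value(key, field, rec[field])
            lookup[p] = rec[field]
            g[field] = p
        outgoing.append(g)
    return outgoing, lookup


def leaks_cleartext(outgoing: list, originals: list) -> bool:
    """Pre-transfer check: does any outgoing record still carry a raw direct identifier?"""
    raw = {rec[f] for rec in originals for f in DIRECT_IDENTIFIERS}
    return any(v in raw for rec in outgoing for v in rec.values())


def reidentify(pseudonym: str, lookup: dict):
    """Controller-side reversal; the processor never has the key or this table."""
    return lookup.get(pseudonym)


if __name__ == "__main__":
    key = new_controller_key()
    outgoing, lookup = pseudonymise_dataset(SAMPLE_RECORDS, key)
    print("leaks cleartext before transfer:", leaks_cleartext(outgoing, SAMPLE_RECORDS))
    for rec in outgoing:
        print(rec)
```

Because the same key is used for the whole dataset, the two records belonging to the same person still share a pseudonym, so the processor can run analytics that need linkage without ever seeing who the person is. The payload field (`diagnosis`) is left intact on purpose: pseudonymisation protects identity, not the substance of the data, which is why the generalisation step on the indirect identifiers matters as much as the HMAC on the direct ones.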

To learn more, see the following resources to help organisations comply with Schrems II:

  1. IDC Report: Anonos - Embedding Privacy and Trust Into Data Analytics Through Pseudonymisation
  2. Top 8 Misconceptions
  3. Legal Solutions Guidebook
  4. Implementation Workshop Replay
  5. Executive Briefing Portal
  6. Linkedin Group (Over 4000 members)
  7. Anonos Supplementary Measures

Read 8 misconceptions at SchremsII.com/8misconceptions

#brexit #adequacy #transfers #Pseudonymisation #EU #privacyshield #privacy #scc #bcr #schremsII #schrems2 #gdpr #edpb #edps #dataprotection #lawfulborderlessdata #supplementarymeasures #edpbguidance #additionalsafeguards #sccs


[i] See https://normcyber.com/advisory-note/data-protection-directors-personal-liability/ and https://www.financierworldwide.com/roundtable-risks-facing-directors-officers-aug17

[ii] See https://www.ifac.org/system/files/publications/files/IESBA-NOCLAR-Fact-Sheet.pdf

[iii]https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf, at paragraphs 88 - 91.

[iv]https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf, at paragraph 80.

Paul Benedek

Entrepreneur, property buyer and investor. Also Helping Law firms and SaaS Businesses to Bridge the Gap between Technology and Legal Obligations | Data Privacy & Cyber Security Professional |

4 years

Magali Feys, thanks for publishing. I have a few observations. Firstly, not all data is equal. Taking LinkedIn as an example, you are able to view a lot of information about me as a data subject from anywhere across the globe. This information is in the clear. My bank account data or health records are more personal, and access is more restricted and hopefully not in the clear. Appropriate controls on the data being exported are what is needed and are more realistic for compliance purposes. The EDPB has treated all data the same way. The EDPB suggestion to take a risk-based approach with relevant technical measures is sensible, but only if based upon the data type being exported. The GDPR can still be met by taking this approach, and it does not stifle trade. By not taking a balanced and reasoned view, considering the data type and use, I would argue the EDPB is encouraging non-compliance with the GDPR, as the alternatives discussed in this thread are not viable in many situations.

Reply
Jai A.

Supporting the alumni of the Scindia School present in Europe and the UK, in the capacity of honorary Secretary. Currently not taking on any paid work.

4 years

Yes, I do a lot of this kind of thing when I am working, but the recent publishing of the AZ AB and EU contract could amount to a breach of Schrems II.

Reply
Thomas Baetens

IT Consultant / Freelancer

4 years

While I understand the need to cancel Privacy Shield, with Schrems II there is no good alternative in place. For many businesses, pseudonymizing data is not always feasible when using cloud or SaaS offerings. The only solution then is going back 10 years technology-wise and hosting everything internally, not using modern technology. The EDPB should put more effort into regulating and enforcing cloud providers to take supplementary measures. With the current obligation they target the businesses, and that should not be their focus. As the EDPB and the supervisory authorities always claim that they do not want to limit businesses in their activities but only offer protection of data privacy, the Schrems II obligation is the other way around.
