Last Updated: 09.03.2020
The Schrems II Ruling (and Privacy Shield invalidation)
Look no further! Here is all you need to know about the Schrems II judgment and the Privacy Shield invalidation – and what we at Demio are doing to manage this.
On 16 July 2020 the Court of Justice of the European Union (CJEU) handed down the “Schrems II” ruling, which affects international transfers of personal data from the EU to the US (and to other countries outside the EU/EEA).
We know that some of you have concerns about the impact of this ruling on your business and on your relationship with us. We want to assure you that you don’t need to worry – we’ve got your back!
We aren’t just one of those companies that says “we take your privacy seriously”. Since we founded Demio back in 2014, we haven’t only focused on an awesome, frictionless webinar experience; we’ve also constantly tried to stay on top of security and privacy features.
We started preparing for the GDPR, the European data protection and privacy law, early, and got our Privacy Shield certification back in 2018. We’re also continuously assessing and implementing functionality which makes it easier for you, as our customer, to stay compliant on your end.
And while the Privacy Shield might be invalid for EU-US transfers of personal data, we’re still going to adhere to its principles, as another way of demonstrating that we continue to value the privacy of our customers.
We’ve also taken several steps to ensure our customers in the EU/EEA can continue to use us as a data processor – at no higher risk than before.
PS: Demio has never received an access request from any US government entity – not under 50 U.S.C. §1881a (“Section 702”/“FISA 702”), not under Executive Order 12333 (“E.O. 12333”), and not under any other US law.
First of all, Demio’s management team is fully committed to managing the ruling in line with European guidelines and recommendations. In accordance with the European Data Protection Board (EDPB)’s FAQ, we have taken the following preliminary steps:
If you need more information, and perhaps input to your own data processor risk assessment, we’ve provided this for you below. 👇
In 2013, the Austrian (then) law student Max Schrems filed a complaint against Facebook’s transfers of his personal data to the US, as he worried about US authorities accessing these in breach of European law. Today Schrems is a lawyer and privacy activist, and the “brain child” (as they write themselves) behind the privacy organization noyb.
Schrems’ initial complaint led to the invalidation of both the Safe Harbor framework in 2015 (“Schrems I”), and now the Privacy Shield framework in July 2020 (“Schrems II”).
The CJEU’s ruling was handed down on 16 July and still, several weeks later, there is no common guidance from the European data protection authorities or the EDPB.
However, the European Commissioner for Justice and the U.S. Secretary of Commerce have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework.
In the meantime, here are the latest guidelines from the EDPB and the ICO:
The EDPB writes, in their FAQ of 24 July:
Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.
The ICO refers to this FAQ in their (updated) statement on 27 July:
… In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.
In other words, in addition to ensuring your data processor has necessary safeguards in place, you also need to conduct a risk assessment.
More on that below.
There are a few steps you should take now – not only for your relationship with us here at Demio, but for all data processors you use in your business.
Tip: a “data processor” is someone you use in your business to process personal data on your behalf, like Demio does for your webinars.
First and foremost, you need to know where your data processors are located. Demio, for example, is located in the US, which is a third country, that is, a country outside the EU/EEA.
To lawfully transfer personal data to third countries, you need to check and ensure the data processor has necessary safeguards in place (to ensure the same level of data protection as inside of the EU/EEA, cf. the GDPR Recital 101.)
Until 16 July 2020, Privacy Shield was one such safeguard. Other safeguards are the Standard Contractual Clauses (SCC), also called Model Clauses, and Binding Corporate Rules.
However, the Schrems II ruling also laid down further obligations on the use of any other safeguard, to any other third country (so not just the US). Below is a summary* of the action steps we recommend for all EEA based controllers:
* Reproduced with permission from GDPRstart.com
When conducting your risk assessment as per number 4 above, take into consideration aspects like the data processor’s:
On the 16th of July we were all quite happy and relieved that we had taken the time and investment earlier to get legal help in setting up a GDPR compliant Data Processing Agreement!
And below we’ve provided you with our response to the questions above, so that your risk assessment for Demio is pretty much done! Please feel free to contact us on [email protected] if you have further questions.
PS: We’ve even written it in third person form so you can simply copy and paste the responses.
Privacy, data protection and security track record, and adherence to relevant laws
Demio states that they have had a high focus on privacy, data protection and security since the company was founded, including adhering to the GDPR. They got Privacy Shield certified in 2018, and also worked with their legal team to get in place a GDPR compliant Data Processing Agreement.
Technical and organizational security measures
Demio’s technical and organizational security measures include:
Investments in these areas, for example in legal and compliance help
Demio engages proper legal and compliance counsel when necessary, for example for getting the Data Processing Agreement and the Standard Contractual Clauses in place.
They have appointed an EU Data Representative as per the GDPR Article 27 and a Data Protection Officer as per Article 37. In addition, Demio has hired a European-based GDPR consultancy to help manage the Schrems II ruling.
Response time and action taken on regulatory changes (like the Schrems II ruling)
Demio was quickly aware of the Schrems II ruling and took immediate action. They started working with their legal team to get Standard Contractual Clauses in place, and review and update the Data Processing Agreement.
In addition, they hired a European based GDPR consultancy to help truly understand the ruling, its implications for Demio, and for their customers. They will work closely with both the legal team and the GDPR advisor until the situation has been fully resolved.
Potential requirement to comply with the US laws of concern, as per the Schrems II ruling
Numerous US-based data processors are affected by the Schrems II ruling. Most, Demio included, are still determining how and whether they must comply with any laws that might conflict with European law, such as 50 U.S.C. §1881a (“Section 702”/“FISA 702”) or Executive Order 12333 (“E.O. 12333”).
Demio has, however, not to date received a single access request from any US government entity.
Demio will inform their customers about the final legal review of this question.
Business standing: has the data processor had any major privacy and/or security breaches? Do they generally have a good reputation in the market?
Demio has a good business standing with no known privacy and/or security breaches. (The same cannot be said for some of their competitors!)
And there you have it!
Remember to document all considerations you make, so you’ll be able to demonstrate your compliance to your data protection authority, if necessary.
Finally, when you have conducted your risk assessment, you may also want to update your records of processing activities (cf. the GDPR Article 30).
Please contact us on [email protected] if you have any other questions.