Is there a grace period for complying with Schrems II requirements?
No. There is no grace period for complying with Schrems II – the obligation to comply was immediate upon the ruling of the CJEU on 16 July 2020.
Can I just update my SCCs?
No. Updating SCCs is not enough. SCCs “are not capable of binding the authorities of that third country, since they are not party to the contract.” Schrems II requires the implementation of technically-enforced Supplementary Measures for transfers to non-EEA / equivalency countries to be lawful.
Must I stop all processing involving EU personal data that fails to comply with Schrems II?
Yes. Unless you implement Supplementary Measures that ensure an essentially equivalent level of protection, “you must avoid, suspend or terminate” all international data transfers based on SCCs.
What is the penalty for failing to comply with Schrems II?
Under the CJEU ruling, Supervisory Authorities have an affirmative obligation to stop transfers that do not comply with Schrems II requirements. In addition to business operation disruptions from termination of data flows, companies face penalties of €20 million or 4% of their global turnover, whichever is greater.
Is Schrems II a C-Suite / Board level issue?
Yes. Due to the significant publicity regarding the potential negative effects of Schrems II, lack of corporate change may constitute “wilful blindness to a course of action” or “reckless conduct by knowing of the risk but doing nothing.” This opens Board members and senior executives to potential personal and criminal liability. In addition, auditors have an obligation to report data protection violations to authorities under the International Ethics Standards Board for Accountants (IESBA), and Non-compliance with Laws and Regulations (NOCLAR).
Can I use Encryption or Anonymisation as Supplementary Measures to protect data when in use to comply with Schrems II?
No. Encryption only protects data in transit and in storage. Anonymisation is not recognised as a suitable Schrems II Supplementary Measure by the European Data Protection Board (EDPB). Schrems II requires organisations to protect data when in use by using technically-enforced Supplementary Measures that protect data from unauthorised access. These technical controls must ensure that EU personal data does not reveal the identities of data subjects when processed outside of EEA / equivalency countries. Processing of personal data in the clear outside of the EEA / equivalency countries is unlawful under Schrems II.
Which processing can I no longer do?
The EDPB highlights two use cases of data transfers that are unlawful under Schrems II:
Transfer to Cloud Services Providers or Other Processors Which Require Access to Data in the Clear (EDPB Unlawful Use Case 6); and
Remote Access to Data for Business Purposes (EDPB Unlawful Use Case 7).
What are my options to comply?
The EDPB has highlighted the transfer of GDPR Pseudonymised data (EDPB Lawful Use Case 2) as lawful. This means that Cloud Processing and Remote Access for Business Purposes (EDPB Unlawful Use Cases 6 and 7) can be made lawful by using GDPR-Pseudonymised data (Lawful Use Case 2).
Get in touch with us to prevent critical personal and criminal liability risks and avoid potential termination of access to data.
The Anonos Solution Enables Lawful Borderless Data
90% of organisations* realize they now need a
New Defensible Business Position
for lawful cloud processing and other data transfers
*Participants on a Schrems II webinar on 29/10/20 with 1800+ executives from 1700+ companies across 60+ countries.
Key Facts of Anonos Solution
The Anonos solution is software that is securely installed and operated behind your firewall.
Anonos does not have access to your data.
Anonos software is the only software that satisfies all 50 requirements established by the European Cybersecurity Agency (ENISA) for GDPR-compliant Pseudonymisation.
Anonos was granted European Patent 3,063,691 in 2020 for state-of-the-art technology that balances data protection and utility.
Anonos guarantees that it achieves the highest level of Schrems II and GDPR compliance while also enabling high data value and utility. Anonos guarantees that if a court of competent jurisdiction or Supervisory Authority rules that Anonos software is not a suitable Supplementary Measure for compliance with Schrems II, your fees will be refunded.
Anonos software “functionally separates” information value from individual identities in data to enable you to satisfy the new heightened requirements for GDPR-compliant Pseudonymisation.
To prevent critical personal and criminal liability risks and avoid potential termination of access to data, you must implement technical controls that protect data when in use. Get in touch with us to start this process and establish an immediately defensible position.
*Schrems II refers to the ruling by the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, commonly referred to publicly as “Schrems II.” Use of "Schrems II" in no way indicates any relationship or affiliation with, or endorsement by, Max Schrems or by the Non-Governmental Organisation, None of Your Business (NOYB), or any parties directly or indirectly associated with Max Schrems or NOYB.