Three steps to get your business GDPR compliant (again)
On July 16, 2020, the Court of Justice of the European Union (CJEU) decided that the Privacy Shield Framework is invalid. Affecting the exchange of personal data between EU and US businesses, many European companies are in the dark about what is still legal and what is not.
Let’s take a look at the three options EU businesses have.
But First, About Privacy Shield
Privacy Shield facilitated the exchange of personal data between the European Union and the United States. With Privacy Shield, it was ‘guaranteed’ that American companies could still store European data, without violating GDPR legislation (General Data Protection Regulation).
The “safe list.”
Businesses within the European Union (thus falling under GDPR) are allowed to exchange data with countries that are safe enough: the Adequacy Decision. The United States, however, was only on that list because of the Privacy Shield.
With the disappearance of the Privacy Shield program, the legal basis for organizations within the EU to exchange data with the 5368 US organizations affiliated with Privacy Shield also disappears
FISA 702 versus GDPR
The reason that the US is not on the safe list is the same reason why the CJEU eventually rejected Privacy Shield: US legislation (the infamous FISA 702) allows its government services to interfere with data within the private sector.
Schrems II
FISA 702 contradicts the basis of the GDPR, which aims to protect the personal data of EU consumers. Even though most businesses didn’t care, Max Schrems did. Earlier, he fought and won against the Safe Harbor agreement. This time, he won the case against Privacy Shield, called “Schrems II.”
The European Court of Justice found that US surveillance laws violated GDPR:
The Court was clear that the far-reaching US surveillance laws violate the ‘essence’ of certain EU fundamental rights. — NOYB
CJEU Judgment: The Consequences
Since FISA 702 concerns “electronic communication service providers” (ECSP), this judgment and disappearance of Privacy Shield affect almost all tools within EU businesses. It’s not necessarily the tools we use, but the subprocessors that are used by the providers of these tools. These subprocessors, the ECSPs, are the ones that store personal data.
Electronic communication service providers are, i.e., email services, cloud storage, web hosting, cookie tools, video call apps, CRMs, and Social Media platforms that are used by businesses themselves or by the tools these businesses use.
Note: Not all data sharing is now prohibited. Data transfers without personal data do not fall under the GDPR, and “necessary”, incidental data transfers (i.e. a hotel booking in the US) fall under Article 49 of the GDPR and therefore outside the scope of the judgment.
Three Steps to Maintain Your GDPR Compliance
Pretty much every EU business uses US services. The list of US services is endless, making it hard to know precisely how GDPR compliant your business is since the judgment (which is effective immediately).
What to do?
Step 1: Map Your Data Streams
The first step in getting your business GDPR compliant is to map out your current solution(s). Answer these three questions:
- In what countries does the supplier have their data centers?
In the supplier’s Data Processing Agreement, you can find whether the supplier is allowed to store data outside of the EU, and with whom they are allowed to share that data.
Example: European software providers using American infrastructure. This means that data is still sent across the ocean and it’s still likely that your data falls under FISA 702.
- Who has (physical) access to these data centers?
The “thing” about FISA 702 is that it extends beyond the US’s borders, meaning it also has power over American people in other countries. Does someone from the United States have access to data centers in the European Union? If so, data is still transferring to the US.
Example: Several US providers have both US and EU data storage, claiming they’re GDPR compliant. But if their US personnel has access to the EU data warehouse, they fall under FISA 702.
- Have agreements been made with the supplier, or are they to be made?
Data exchange could still be possible based on SCCs (Standard Contractual Clauses), although this has become a bit of a grey area, even for Data Protection Officers. It’s necessary to examine “case by case”, says the CJEU.
Note: Can’t guarantee that data is sufficiently protected in the US? Are there no SCCs available, or are no additional measures (like encryption) taken? Consider whether you can continue to use this tool.
Step 2: Opt for EU Storage
Some US suppliers give their customers the option to make agreements about data processing and data transfers.
Other US suppliers choose to set up a sister company in Europe to comply with local regulations. AMS-IX did the same thing (but reversed).
Not sure if your suppliers are covered by US laws or use sub-processors that fall into that category? The NOYB has two model requests that you can use to find out.
When you know, you can decide whether you can/will use an SCC with this supplier. If you choose not to, there are alternatives within the borders of the EU.
Step 3: Switching to EU Alternatives
Do you use software that is also easily replaceable by an alternative within the EU? It’s best to make a shortlist of EU suppliers that are the best alternative to your current tech stack.
Although there is still some skepticism about the maturity of European software, you can find many (astonishingly) good alternatives in the EU.
Previously, I published this list of almost 80 alternatives for email providers. Some software comparison websites, i.e., Crunchbase, allows you to filter on EU only data storage. Find EU made CRM software, for example.
Reading tip: 70+ EU Alternatives for your Email Marketing
What Happens — When Nothing Happens
Found out that your tools use ECSPs that are not GDPR compliant, but continue using them anyway? You are now in violation of the GDPR since the judgment is valid immediately, which means that the Data Protection Authority is allowed to penalize illegal practices.
Much like the introduction of the GDPR, the DPA probably doesn’t amerce in the first period. However, once the DPA starts imposing fines, businesses risk fines up to 20 million euros or 4% of the worldwide turnover.
Note: It is very important not to wait too long before taking appropriate measures. Is that impossible for any legitimate reason? Then it’s important to communicate clearly and transparently to those involved and to set up a step-by-step plan to become GDPR compliant again. If the supervisor starts asking questions, you can at least demonstrate that you are working on it.