Schrems II Judgement: Use of Microsoft 365 no longer GDPR compliant!

Uncertainty following overturning of the US Privacy Shield by the European Court

On 16 July 2020, the European Court of Justice issued the so-called Schrems II judgement, thereby overturning the US Privacy Shield. The Privacy Shield, the successor agreement to the Safe Harbor Agreement, governed the protection of personal data transferred from Europe to the USA.

Since this judgement there has been widespread uncertainty about the use of US cloud services. At first, clear guidelines and directives were sought in vain. More and more data protection authorities are now coming forward with clear demands for GDPR-compliant use of widespread applications such as Microsoft 365 or Salesforce.

Interview

Consequences of the Schrems II Judgement

What does the Schrems II ruling mean for companies in practice?

Find out in the German-language Netzpalaver interview with our CEO Elmar Eperiesi-Beck and Guenter Esch, Managing Director at SEPPmail, how legally compliant work in the cloud remains easily possible even without the US Privacy Shield.

Information

Data Protection Authorities recommend Pseudonymization

One of the demands of the data protection authorities is the pseudonymization of personal data. If only unreadable data is stored in the cloud, unauthorized third parties cannot link it to a person and therefore cannot make use of it.

Simple and pragmatic solutions for the pseudonymization and (quasi-)anonymization of data already exist today. The important functions of cloud applications are not restricted, and the performance of the systems is maintained. TeleTrust also states this in its handbook on the “state of the art” in IT security (German).

Important statements and recommendations by data protection authorities on data transfers to the USA:

Pseudonymization and anonymization are necessary as additional protective measures (especially with Standard Contract Clauses).

Europe

Requirements:

  • Examination of the level of protection in the third country (individual case examination)
  • If necessary, additional measures to ensure a level of protection equivalent to that in the EU

Required Action:

  • Pseudonymization
  • An encryption that is also effective against the recipient, or
  • Selection of a recipient protected from access under the law of the destination country

Requirements:

  • SCCs (Standard Contract Clauses) as possible basis for data transfer
  • Responsibility of the data exporter and the European data protection authorities

Required Action:

  • Examination of the level of protection in the third country (individual case examination)
  • For future data transfers from EU institutions, the EDPS strongly advises against transfers to the US

Requirements:

  • USA: Additional safeguard measures mandatory

Required Action:

  • The data exporter must consider additional safeguards

Requirements:

  • The Swiss-U.S. Privacy Shield also does not offer a sufficient level of data protection. A data transfer to the USA could therefore no longer be based on it
  • The risks have to be weighed up on a case-by-case basis as under the GDPR (individual case examination)

Required Action:

  • Addition of SCCs should be considered
  • Additional safeguards would be necessary if the appropriate level of data protection could not otherwise be maintained (e.g. encryption)

Germany

Requirements:

  • SCCs (Standard Contract Clauses) as possible basis for data transfer
  • Exception USA: additional safeguard measures necessary

Required Action:

  • Examining what additional protection measures are possible

Requirements:

  • SCCs (Standard Contract Clauses) as possible basis for data transfer

Required Action:

  • International data transfer still possible
  • Exception USA: additional safeguard measures necessary
  • To be considered: Pseudonymization and encryption

Requirements:

  • SCCs (Standard Contract Clauses) as possible basis for data transfer
  • Exception USA: no American company can guarantee that it is excluded from data access by US authorities

Required Action:

  • Stop all data exports based on Privacy Shield
  • Add additional safeguard measures: Use of encryption mechanisms where only the data exporter has access to the key

Requirements:

  • SCCs not sufficient
  • Examination of the level of protection in the third country (individual case examination)

Required Action:

  • Additional safeguard measures not only for USA but also for countries like China, Russia or India

Requirements:

  • Examination of the level of protection in the third country (individual case examination)
  • USA: Additional safeguard measures mandatory

Required Action:

  • Data transfers to the US based solely on the Privacy Shield must be stopped immediately
  • Additional protective measures may be of a legal, technical or organisational nature

Requirements:

  • SCCs (Standard Contract Clauses) as possible basis for data transfer

Required Action:

  • Examination of the level of protection in the third country (individual case examination)
  • Additional safeguard measures necessary

Press

IT-Security made in Germany

China as Data Protection Pioneer: Unbelievable? Unbelievable!

Our privacy is important to all of us and we basically assume that companies and authorities treat our sensitive data accordingly. After all, we don’t have to worry because the GDPR requires companies and authorities to protect our sensitive data in the best possible way, right?

In our German-language press article in “IT-Security Made in Germany” you can read more about the overturned US Privacy Shield, the European handling of the GDPR, and what we can learn from China regarding data protection.

Solutions

Full Data Control - sure, with eperi!

eperi e-Books & Online Seminars

Global Compliance

e-Book

What the C-Suite should know about compliance regulations when moving to cloud services.

Microsoft Office 365 - Microsoft 365 Security

e-Book

How to add extra layers of protection to Microsoft Office 365 Security.

Schrems II judgement: Is a GDPR compliant use of Microsoft 365 still possible?

Online Seminar

The US Privacy Shield has been struck down by the so-called Schrems II judgement. Since then there has been widespread uncertainty about the use of US cloud services. At first, clear guidelines and directives were sought in vain. More and more data protection authorities are now coming forward with clear demands for GDPR-compliant use of widespread applications such as Microsoft 365.
Find out more in our German-language online seminar about:
- The effects of the Schrems II ruling on daily work in companies
- The concrete demands of the European data protection authorities
- The protection offered by Microsoft
- Practical solutions for GDPR-compliant use of Microsoft 365 (incl. live demo)

How Secure is my Data in the Cloud?

Online Seminar

Cloud Act, Privacy Shield, Schrems II: what impact do current developments have on cloud applications? In this German-language online seminar you will learn what the Schrems II judgement means for your daily work with cloud applications. Based on exemplary statements from Microsoft, our speaker Alex Kurz explains to what extent Microsoft can guarantee the security of your data and why the use of American cloud applications no longer complies with the GDPR since the Privacy Shield was removed.

Legally Compliant Data Protection - in any Cloud Application

Online Seminar

Use cloud applications with your customer data while keeping that data protected in a legally compliant way. In this online seminar, eperi shows how you stay in control of your data while using the eperi Cloud Data Protection solution for any cloud application and even custom workloads.

Cloud Data Protection for Mails, Calendars & Files in Microsoft 365

Online Seminar

Imagine there is one solution which protects all your emails, files, chats and calendars in the cloud and integrates with the different Microsoft 365 applications like OneDrive, SharePoint and Outlook/Exchange. The eperi Cloud Data Protection for Microsoft 365 is your way to go!
Watch the online seminar to learn how eperi protects data in Microsoft 365.

GDPR compliant Data Protection in Microsoft Teams - in real-time

Online Seminar

Secure your Microsoft Teams data and chats GDPR-compliant with eperi! The eperi solution enables transparent encryption of chats, files, groups, emails, calendars and channels in Microsoft Teams as well as the secure integration into other Microsoft 365 applications. And all this in real-time!
Watch our online seminar to learn more about the eperi Cloud Data Protection for Microsoft Teams!