The eperi® Gateway: Your solution for compliant data management 

On 16 July 2020, the Court of Justice of the European Union (CJEU) published its decision in the landmark Case C-311/18, which came to be known as the Schrems II ruling. The judgement invalidated the EU-US Privacy Shield outright, which until then had governed the transfer of data from Europe to the USA.

The legal uncertainty following the Schrems II ruling has far-reaching consequences for global data transfers. At first, clear guidelines and implementation aids were sought in vain. Increasingly, however, data protection advocates are stepping in to address this lack of guidance and are making clear demands for GDPR-compliant use of widespread applications in all business sectors.

Consequences of the Schrems II Judgement

To understand the effect Schrems II has on data transfers outside the EU, it is essential to look at the reasoning behind the ruling. The European Court of Justice found that the level of protection of personal data in the USA is not essentially equivalent to the European level of protection under the GDPR. The USA is therefore considered an insecure third country under the GDPR. Transferring personal data of EU citizens without adequate data protection measures in place, and in line with the legal requirements, can lead to the supervisory authorities suspending or banning the transfer, along with high administrative fines for the data exporter.

Use of US Cloud Applications  

The measures implemented for collecting and processing personal data in a cloud environment must guarantee an appropriate level of protection. Without suitable technical and organisational measures (TOMs), this is not the case.

Native solutions from Cloud Providers 

Since Schrems II, data exporters are under a greater obligation to assess the security solutions their cloud provider offers for sensitive data. Standard contractual clauses alone are no longer sufficient to achieve GDPR compliance.

International Data Transfer 

GDPR-compliant data handling requires a revision of all data management and storage policies. The focus lies on the transfer of personal data, not only on its storage. It is crucial to ensure that US administrators can access sensitive data only in encrypted form.

EU subsidiaries / affiliates

Business entities that process personal data in the context of their activities with their US head offices are bound by instructions from, and dependencies on, the US. Therefore, penetration and access by three-letter agencies cannot be prevented.

Interview 

What does the Schrems II ruling mean for companies in practice?

Find out in the German-language Netzpalaver interview with our CEO Elmar Eperiesi-Beck and Guenter Esch, Managing Director at SEPPmail, how easy it is to work in the cloud in a legally compliant way even without the US Privacy Shield.

Recommendations and Guidelines

Final Recommendations for Actions & Guidelines on administrative fines from the European Data Protection Board 

With its final recommendations for action in June 2021, the EDPB created clear and reliable guidelines for businesses to follow. With the guideline on administrative GDPR fines (May 2022), a uniform regulation of administrative fines was created throughout Europe. The federal and state data protection authorities are responsible for enforcing and monitoring compliance with these guidelines. State data protection authorities have the duty to issue warnings, impose sanctions and administrative fines, and prohibit actions that are unlawful under data protection law.

Sanctions for breaches of data protection rules can be severe. Data protection officers can impose administrative fines of up to €20 million for companies with annual sales below 500 million, or 4% of annual global turnover. Concrete provisions have to be made proactively, and being prepared to adopt the right transfer mechanism is crucial.

Prerequisites for processing data to US Cloud services 

Data exporter measures for cloud services from insecure third countries

Strong encryption must be applied before data is sent to the cloud

Encryption must be under the sole control of the data exporter

The cloud provider must never have access to the keys or to the encryption process

Encryption must be performed using state-of-the-art technology
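As an added illustration of the four requirements above (this is example code, not eperi's product code): a minimal exporter-side field encryption step in Go using AES-256-GCM. The 32-byte key is generated and held by the data exporter, each value is encrypted before it is forwarded, and the cloud application only ever receives the base64 ciphertext. The Gateway type and function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Gateway keeps the AES-256-GCM key on the exporter's side only (assumption:
// in production it lives in the exporter's own key management system).
type Gateway struct{ aead cipher.AEAD }

func NewGateway(key []byte) (*Gateway, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Gateway{aead: aead}, err
}

// Protect encrypts one field value before it leaves the EU side. The field name
// is bound as associated data, so a ciphertext moved to another field will not open.
func (g *Gateway) Protect(field, plaintext string) (string, error) {
	nonce := make([]byte, g.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := g.aead.Seal(nonce, nonce, []byte(plaintext), []byte(field)) // nonce||ct||tag
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Reveal decrypts a stored value on its way back to the EU user; any tampering
// with the ciphertext or the field binding is rejected by the GCM tag check.
func (g *Gateway) Reveal(field, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	ns := g.aead.NonceSize()
	if err != nil || len(raw) < ns {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := g.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	return string(pt), err
}
```

Only the ciphertext string is written into the cloud application's record; the key never leaves the exporter's process.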

Privacy Shield 2.0

On 7 October 2022, US President Joe Biden signed an executive order to implement a new framework for the protection of personal data transferred between the USA and Europe. Its aim is to align data protection levels between Europe and the USA in order to reach a sustainable agreement for transatlantic data transfers. The new Privacy Shield has been widely criticised, as it does not clearly address the European concerns.
