All About Schrems II Compliance

Curious how the Schrems II ruling affects data practices under the GDPR? Wondering whether your organization is in compliance with Schrems II? Worried about whether your data transfer tools are up to par?

Below, we’ll offer an overview of the landmark Schrems II case. We’ll give guidance on staying compliant — though you should always speak with a GDPR legal expert for the most up-to-date information on your industry and organization. We’ll also dive into the GDPR-approved supplementary measures your company can take to safeguard its data transfers.

What is Schrems II?

Schrems II is a groundbreaking 2020 data privacy verdict issued by the European Union’s Court of Justice. The case was brought by Maximillian Schrems, an Austrian lawyer and privacy advocate, against Facebook’s data transfer practices under the EU’s GDPR (General Data Protection Regulation).

The court decision in Schrems II invalidated the 2016 EU-US Privacy Shield data transfer mechanism on the grounds that it was insufficient to protect EU personal data from US intelligence agencies and national security laws. This in turn invalidated the entire legal basis for free data flows to the US.

As the Brookings Institution notes, Schrems II also calls into question the existing data transfer tools used by many organizations, “mak[ing] clear that all the key GDPR mechanisms for transferring personal data from the EU to third countries are unstable.” In other words, SCCs and other previously approved transfer tools are no longer guaranteed to protect personal data.

The result is that organizations must make case-by-case assessments of recipient countries’ data protection policies, and they must supplement their data transfer tools if those policies are found to be inadequate.

Guidelines on Complying with the Schrems II Ruling

In their June 2021 recommendations on Schrems II, the European Data Protection Board (EDPB) outlined an assessment process and a number of supplementary measures to safeguard data sent to third countries.

Below, we’ll dive into the key points that companies need to keep in mind when handling EU personal data.(Note that companies should always check with a legal expert before implementing new data policies for GDPR compliance.)

Know your own transfer

First, data controllers and processors (a.k.a. “data exporters”) need to know and record all their data transfers to countries outside the EU and the EEA (European Economic Area).

They must also assess their own transfer tools and identify whether they’re using standard contractual clauses (SCCs), ad hoc contractual clauses, binding corporate rules (BCRs), or other mechanisms.

Make case-by-case assessments

Then, data exporters must assess whether the third country receiving their data can offer GDPR-equivalent protection. In making their assessment, organizations have to consider whether the laws or security practices of the third country may limit the effectiveness of data transfer safeguards.

If GDPR-equivalent protection can’t be guaranteed, the data exporter must consider whether supplementary measures can ensure an essentially equivalent level of protection. They must also make sure to regularly monitor their data transfer practices — especially if there are developments in the third country like legal or governmental changes that could affect the initial assessment.

Supplement your data transfer tools if necessary

If the third country’s data policies don’t align with the GDPR’s standards, the data exporter must adopt supplementary measures to compensate for the lack of data protection. These measures may be contractual (e.g., legal clauses), technical (e.g., technologies like encryption and split or multi-party processing), or organizational (e.g., internal policies to protect data).

In their June 2021 recommendations, the EDPB describes several measures that are not effective for ensuring an acceptable level of protection for transferred data — generally, scenarios where data cannot be encrypted or pseudonymized. But the EDPB also describes five key use cases, i.e. scenarios that do constitute effective supplementary measures for data protection.

One of these, Use Case 5, describes the situations in which split or multi-party processing allows for unidentifiable pieces of data to be processed jointly by multiple processors in different jurisdictions so that no individual processor can reconstruct the data. We’ll dive into this use case in more detail below.

In general, though, companies should review the detailed EDPB descriptions of these five use cases and ensure that their supplementary measures for data transfer are in alignment. If they aren’t, data exporters must promptly suspend or stop the data transfers.

How ShardSecure addresses Use Case 5 of Schrems II

Use Case 5 describes situations where “split or multi-party processing” function as an acceptable measure to supplement existing data transfer tools. In general, companies will meet the requirements of Use Case 5 if:

The data exporter processes personal data in such a manner that it is split into two or more parts, none of which can be interpreted or attributed to a specific data subject.
The different pieces of data can be stored in different jurisdictions.
No new information is revealed to any of the data processors.
No piece of personal data can be attributed to an identified or identifiable person.

Microshard technology — ShardSecure’s patented split processing technology that can easily be deployed in a multi-party processing environment — allows organizations to meet these requirements and stay compliant with the GDPR and the Schrems II ruling.

How microsharding supports GDPR compliance

Microshard technology works by a three-step process that breaks data into very small pieces (microshards), rearranges and mixes those microshards across multiple logical containers, and then distributes those containers to multiple customer-owned locations. It was created for the express purpose of preventing any unauthorized user or entity from reconstructing or identifying original data.

The three-step microsharding process ensures that data is unintelligible and of no value to unauthorized users, including cloud providers and companies outside the European Union. Microshard containers may be distributed across different regions of a single cloud provider, across multiple cloud providers, or across a hybrid mix of on-premises storage and cloud providers.

Ultimately, Microshard technology helps with GDPR compliance by keeping control of the data in the hands of the data owner. The number and geographic jurisdictions of storage locations are user-configurable, and processors are only granted access to data that the owner specifically allows. Not even ShardSecure can store or read customer data.

For more information on how ShardSecure can help your organization maintain compliance with Schrems II, check out our white paper or watch our BrightTALK webinar. Still have questions? View our additional resources on data security and resilience here.