Published: August 17th, 2020
Updated: December 8th, 2020
On July 16, 2020, the Court of Justice of the European Union (CJEU) ruled on the “Schrems II” case regarding international transfers of personal data from the EU to the US (and other third countries). The ruling invalidated the EU-US Privacy Shield as a valid mechanism for transferring personal data from the EU to the US.
We know that some of our customers have concerns about the impact of this ruling on their business and their relationship with us, so we wanted to make sure we provide an overview of the ruling and our response to it. On this page, you’ll find all our updates on the ruling.
Latest updates (November 13th, 2020) #
We’ve already updated this article a few times, so make sure you check back whenever you need to review your risk assessments.
We’ll continue to closely monitor any developments from the European regulators, including the UK’s data protection authority, the ICO, which published its latest update on November 13th. In addition:
- The European Data Protection Board (EDPB) published two key documents: first, their recommendations on supplementary measures (note that these aren’t final; they are open for public consultation until December 21st), and next, their recommendations on the European Essential Guarantees (EEG) for surveillance measures.
- The European Commission has published a draft of revised Standard Contractual Clauses, which is also open for consultation (until December 10th).
The EDPB’s documents will help our EEA-based customers manage the ruling in practice. First, the recommendations outline several required steps you should take, such as reviewing your records of processing activities to map your international transfers, identifying the safeguards (transfer tools) you rely on for each transfer (such as the SCCs), and conducting risk assessments.
You can view a step-by-step description of these actions in this blog post, written by our Data Protection Officer.
The EEG document corresponds, in particular, with step 3 of the recommendations: the assessment of the third country’s laws and practices, and whether these may impinge on the effectiveness of the safeguards you rely on.
And finally, the recommendations describe possible supplementary measures (contractual, technical and organisational) that may close any identified gaps in the level of protection.
PS: At a minimum, we recommend that you ensure you have a solid overview of your personal data processing activities, as per GDPR Article 30 (this is the place to start!).
And when you get to your privacy risk assessments, this article will be helpful. Keep on reading. 👇
Before we dive further in... #
Let’s address some main concerns first:
- Like most US-based data processors, we are affected by the Schrems II judgment.
- We are Privacy Shield certified (the certification scheme still exists, but since the ruling it no longer counts as a valid safeguard for transfers).
- We have, however, since 2018 also incorporated the Standard Contractual Clauses (SCCs) as an additional means of safeguarding your personal data.
- The SCCs are part of our Data Processing Addendum, so if you’ve signed this, you’re already covered (otherwise you can sign it electronically on this page).
- We have taken steps to ensure our customers in the EU/EEA can continue to use us as a data processor – at no higher risk than before.
- In this blog post, we’ve added the information you might need for your own risk assessment.
Now, let’s dig into the details.
Please note that our response here is for informational purposes only. None of this is legal advice. If you need legal advice, please consult with your lawyer.
What is the “Schrems II” judgment? #
Max Schrems is an Austrian lawyer and privacy advocate. He initiated the process that ultimately led to the invalidation of both the Safe Harbor framework in 2015 and now the Privacy Shield framework in July 2020. You can read all about Schrems II on the Court of Justice of the European Union press release site, where you can also download a copy of the judgment.
Read more about the “Schrems” cases and stay up to date here.
What does Schrems II mean for our European based customers? #
The ruling has a few implications. We recommend you go through these in detail below, and that you document all steps you take.
First, to continue to use us, or any other data processor from a third country (a country outside the EU/EEA), you need to have proper safeguards in place. The intention of such a “safeguard” is to ensure that the level of protection the GDPR gives people in the EU isn’t undermined (cf. GDPR Recital 101). Until 16 July 2020, Privacy Shield was one such safeguard. Since the framework has now been invalidated, you need to find an alternative, for example the Standard Contractual Clauses (SCCs), also called Model Clauses, or Binding Corporate Rules.
Second, the Schrems II judgment didn’t only invalidate the Privacy Shield as a safeguard. It also laid down further obligations on the use of any other safeguard, for transfers to any third country (so not just the US). More on that below.
European recommendations and guidelines (EDPB and the ICO) #
The CJEU’s ruling was on July 16, 2020. Now, more than three months later, we still don’t have a unified point of view or a recommended set of actions from the European data protection authorities. Since the ruling, we have closely followed any guidelines from the European Data Protection Board (EDPB) and the UK’s data protection authority (the ICO).
The European Commissioner for Justice and the U.S. Secretary of Commerce initiated discussions back in August to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework, but nothing further has materialized so far. In the meantime, here are the guidelines the EDPB and the ICO issued in July (see the latest updates above for the EDPB’s November documents):
In their FAQ of 24 July 2020, the EDPB writes:
Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.
The ICO refers to this FAQ in their statement on 27 July 2020:
… In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.
In other words, in addition to ensuring your data processor has necessary safeguards in place, you also need to conduct a risk assessment.
How we can help you stay compliant #
We started our GDPR journey in 2017, when we also obtained our Privacy Shield certification. The fact that the framework is now invalid doesn’t mean we’re going to stop following its principles. We are, however, glad we also took the time and made the investment to get legal help in setting up a GDPR-compliant Data Processing Addendum (DPA) with the Standard Contractual Clauses (SCCs) incorporated.
We also set up separate pages on our website to address all GDPR, data protection, and security matters. These are resources you can use in your risk assessment. We recommend you document all your considerations, so you’ll be able to demonstrate your compliance to your data protection authority, if necessary.
First, you need to ensure the data processor has proper safeguards in place. As you now know, we have these in place: the Standard Contractual Clauses. Just make sure you sign our DPA and store a copy at your end.
Second, conduct your risk assessment. You may want to reach out to other data processors in third countries to get the necessary input if they don’t already have the information on their website (like we do here).
Postmark protects you and your users through several measures. These are the resources you can rely on for your risk assessment:
- This page, including all the links we’ve provided to credible sources.
- Our summary page for privacy and security.
- Our GDPR FAQ page.
- The Security and Privacy page provides an overview of our data center and app security, as well as our data retention policy and details about our Privacy Shield certification.
- The GDPR page provides detailed information about how we have prepared our services for the GDPR.
- The DPA page provides an executable copy of our Data Processing Addendum with our customers (which includes the Standard Contractual Clauses).
- The Sub-processors page provides a list of our sub-processors under GDPR, and a way for you to get notified if/when we add a new sub-processor.
- The further details below on how we work with privacy and data protection, security and compliance in our companies.
Finally, when you have conducted your risk assessment, you may also want to update your records of processing activities (cf. the GDPR Article 30).
How is Postmark managing the Schrems II judgment? #
We have worked with privacy and data protection for a long time. Managing the Schrems II judgment swiftly was important to us, especially because we want our customers to feel safe when using our services. We have tried to answer your questions below. If you have any further concerns, please feel free to reach out to us.
Are you affected by the Schrems II judgment (ruling)? #
Yes. As an American company, also storing personal data in the US, this ruling affects us too.
What safeguards for international transfers of personal data do you rely on? #
Since 2017 we have relied on the Privacy Shield framework. However, we have also incorporated the Standard Contractual Clauses (SCCs) in our Data Processing Addendum (DPA) as an additional safeguard. And even though the Privacy Shield certification scheme has been invalidated as a transfer mechanism, we will continue to honor the principles of the framework.
How can I sign a copy of your Data Processing Addendum (DPA)? #
To receive and sign a copy of our DPA, please fill in the details and submit the form on this page. Our DPA already includes the Standard Contractual Clauses.
What concrete steps have you taken to manage the ruling? #
In accordance with the European Data Protection Board FAQ on the judgment, our preliminary steps in July and August were:
- We worked with our legal counsel (who has assisted us with GDPR matters since 2017) to determine what actions we needed to take.
- We hired a European-based GDPR consulting firm to ensure we managed the situation in the best way possible.
- Our leadership team was fully on board and committed to managing the Schrems II judgment and deciding on the actions necessary to ensure the continued safekeeping of our customers’ personal data.
- We ensured that key employees, including our customer support team, were fully aware of and well informed about the ruling.
- We reviewed all our data flows and data processors again, including our records of processing activities (as per GDPR Article 30).
- We also reviewed our other relevant GDPR, privacy and security documentation to ensure we were fully aligned with the ruling.
- We closely followed the European Data Protection Board (EDPB) and the ICO.
- We continuously update this page whenever new information becomes available. 👇
Following on from that, we have further:
- Hired the European based GDPR consulting firm as our Data Protection Officer (DPO), cf. the GDPR Article 37.
- Reviewed and updated our legitimate interest assessment forms with our DPO.
- Conducted a thorough risk assessment following the ruling, facilitated by our DPO, including asking our data processors to confirm they’ve also taken actions following the ruling.
Do 50 USC §1881a (“Section 702”/“FISA 702”) or Executive Order 12333 (“E.O. 12333”) apply to you? #
Like most countries in the world, the USA has surveillance and foreign intelligence laws, which means that the US government can, in certain circumstances, compel US-based companies to disclose personal data.
Examples of such laws are Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”), which allows US intelligence agencies to compel providers of electronic communication services to assist in the targeting of non-US persons located outside the US for foreign intelligence purposes, and Executive Order 12333 (“EO 12333”), which governs US intelligence activities more broadly, including collection conducted outside the US. Both were specifically referenced in the Schrems II ruling, in which the CJEU found that they do not give EU data subjects safeguards essentially equivalent to those required under EU law.
Many US-based companies providing online services have to comply with these laws, including major corporations like Microsoft, Google, and Amazon (including Amazon Web Services), whose services are used by thousands of companies all over the world, in both the public and private sectors.
We'd like to stress that we have never received any FISA 702 or EO 12333 requests for the disclosure of personal data.
You can read more about how we deal with privacy and security in our GDPR FAQ here.
We’ll continue to closely follow the EDPB’s and the ICO’s recommendations going forward, and we’ll update this page whenever new information becomes available. If you still have concerns, please feel free to reach out to us.
Sources #
- Court of Justice of the European Union press release site, where you can download a copy of the judgment
- Joint Press Statement from the European Commissioner for Justice and the U.S. Secretary of Commerce on discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework (10 August 2020)
- The European Data Protection Board FAQ on the judgment (24 July 2020)
- The European Data Protection Board Statement on the judgment (17 July 2020)
- The ICO’s updated statement (27 July 2020)
- The ICO’s initial statement (16 July 2020)
- The European Commission’s rules on international data transfers
- The European Commission’s Standard Contractual Clauses (SCCs) for data transfers between EU and non-EU countries
- Our DPO Rie Aleksandra Walle’s blog post on Schrems II