On July 16, 2020, the Court of Justice of the European Union (EUCJ) ruled on the “Schrems II” case regarding international transfers of personal data from the EU to the US (and other third countries). The ruling invalidated the Privacy Shield as an accepted measure for transferring personal data between the EU and the US.
We know that some of our customers have concerns about the impact of this ruling on their business and their relationship with us, so we wanted to make sure we provide an overview of the ruling and our response to it. Let’s address some main concerns first:
- We are, like most US-based data processors, affected by the Schrems II judgment.
- We are Privacy Shield certified.
- We have, however, since 2018, also incorporated the Standard Contractual Clauses (SCC), as an extra means of safeguarding your personal data.
- The SCCs are part of our Data Processing Addendum, so if you’ve signed this, you’re already covered (otherwise you can sign it electronically on this page).
- We have taken steps to ensure our customers in the EU/EEA can continue to use us as a data processor – at no higher risk than before.
- In this blog post, we’ve added the information you might need for your own risk assessment.
Now, let’s dig into the details.
Please note that our response here is for informational purposes only. None of this is legal advice. If you need legal advice, please consult with your lawyer.
What is the “Schrems II” judgment?
Max Schrems is an Austrian lawyer and privacy advocate. He initiated the process that ultimately led to the invalidation of both the Safe Harbor framework in 2015 and now the Privacy Shield framework in July 2020. You can read all about Schrems II on the Court of Justice of the European Union press release site, where you can also download a copy of the judgment.
Read more about the “Schrems” cases and stay up to date here.
What does Schrems II mean for our European-based customers?
The ruling has a few implications. We recommend you go through these in detail below, and that you document all steps you take.
First, to continue to use us, or any other data processor in a third country (that is, outside the EU), you need to have proper safeguards in place. The intention of such a “safeguard” is to ensure that the level of protection the GDPR gives people in the EU isn’t undermined (cf. GDPR Recital 101). Until 16 July 2020, Privacy Shield was one such safeguard. Since the framework is now invalidated, you need to find an alternative, for example the Standard Contractual Clauses (SCC), also called Model Clauses, or Binding Corporate Rules.
Second, the Schrems II judgment didn’t only invalidate the Privacy Shield as a safeguard. It also laid down further obligations on the use of any other safeguard, to any other third countries (so not just the US). More on that below.
European recommendations and guidelines (EDPB and the ICO)
The EUCJ’s ruling was on July 16, 2020. Now, a few weeks later, there doesn’t seem to be a unified point of view or recommended set of actions from European data protection authorities. We will follow closely any guidelines from the European Data Protection Board (EDPB) and the UK’s data protection authority, the Information Commissioner’s Office (ICO).
We know that at least the European Commissioner for Justice and the U.S. Secretary of Commerce have initiated discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework. In the meantime, here are the latest guidelines from the EDPB and the ICO:
In their FAQ of 24 July 2020, the EDPB writes:
Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place. The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.
The ICO refers to this FAQ in their statement on 27 July 2020:
… In the meantime you should take stock of the international transfers you make and react promptly as guidance and advice becomes available. The EDPB has recommended that you must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework, whether the transfer is to the US or elsewhere. The receiver of the data may be able to assist you with this.
In other words, in addition to ensuring your data processor has necessary safeguards in place, you also need to conduct a risk assessment.
How we can help you stay compliant
We started our GDPR journey in 2017 when we also obtained our Privacy Shield certification. The fact that it’s now invalid doesn’t mean we’re not going to continue to follow these principles. We are, however, glad we also took the time and investment to get legal help in setting up a GDPR compliant Data Processing Addendum (DPA) and to have the Standard Contractual Clauses (SCC) incorporated.
We also set up separate pages on our website to address all GDPR, data protection, and security matters. These are resources you can use in your risk assessment. We recommend you document all your considerations, so you’ll be able to demonstrate your compliance to your data protection authority, if necessary.
First, you need to ensure the data processor has proper safeguards in place. And as you now know, we have these in place – the Standard Contractual Clauses. Just make sure you sign our DPA and store a copy at your end.
Second, conduct your risk assessment. You may want to reach out to other third-country-based data processors to get the necessary input if they don’t already have the information on their website (like we do here).
Postmark protects you and your users through several measures. These are the resources you can rely on for your risk assessment:
- This page, including all the links we’ve provided to credible sources.
- Our summary page for everything privacy and security.
- The Security and Privacy page provides an overview of our data center and app security, as well as our data retention policy and details about our Privacy Shield certification.
- The GDPR page provides detailed information about how we have prepared our services for the GDPR.
- The DPA page provides an executable copy of our Data Processing Addendum with our customers (which includes the Standard Contractual Clauses).
- The Sub-processors page provides a list of our sub-processors under GDPR, and a way for you to get notified if/when we add a new sub-processor.
- The further details below on how we work with privacy and data protection, security and compliance in our companies.
Finally, when you have conducted your risk assessment, you may also want to update your personal data inventory (cf. the GDPR Article 30).
How is Postmark managing the Schrems II judgment?
We have worked with privacy and data protection for a long time. Managing the Schrems II judgment swiftly was important to us, especially because we want our customers to feel safe when using our services. We have tried to answer your questions below. If you have any further concerns, please feel free to reach out to us at firstname.lastname@example.org.
Are you affected by the Schrems II judgment (ruling)?
Yes. We are a US company that also stores personal data in the US, so this ruling affects us too.
What safeguards for international transfers of personal data do you rely on?
Since 2017 we have relied on the Privacy Shield framework. However, we have also incorporated the Standard Contractual Clauses (SCC) in our Data Processing Addendum (DPA) for extra insurance. And even though the Privacy Shield certification scheme has been invalidated, we will still continue to honor the principles of the framework.
How can I sign a copy of your Data Processing Addendum (DPA)?
To receive and sign a copy of our DPA, please fill in the details and submit the form on this page. Our DPA already includes the Standard Contractual Clauses.
What concrete steps have you taken to manage the ruling?
In accordance with the European Data Protection Board FAQ on the judgment, our preliminary steps are:
- We are already working with our legal counsel, who has assisted us with GDPR matters since 2017.
- In addition, we have hired a European based GDPR consultant to ensure we manage the situation in the best way possible.
- Our team is fully committed to managing the Schrems II judgment and to taking the necessary actions to protect our customers’ personal data.
- We have ensured that key employees are fully aware and well informed about the ruling, including our customer support team.
- We are in the process of reviewing all our data flows again, including our personal data inventory (as per the GDPR Article 30).
- We are also reviewing our other relevant GDPR, privacy and security documentation, to ensure we get fully aligned with the ruling, today, and for any upcoming updates.
- We will continue to follow closely the European Data Protection Board (EDPB) and the ICO’s recommendations going forward.
- We will update this page whenever new information becomes available.
Do 50 USC §1881a (“Section 702”/“FISA 702”) or Executive Order 12333 (“E.O. 12333”) apply to you?
50 USC §1881a and E.O. 12333 refer to US laws and presidential orders pertaining to national intelligence and surveillance. Nearly all US data processors offering services such as email communication, telecommunications or cloud computing (storage) could fall under one of the definitions in 50 U.S.C. § 1881(b)(4). That includes us, as well as companies like Google, Microsoft, Amazon AWS, Facebook (including WhatsApp and Instagram), Twitter, Verizon Media (Oath/Yahoo), MailChimp, Kajabi, ActiveCampaign, Squarespace (including Acuity Scheduling), Asana, AWeber, Calendly, ConvertKit, Zoom, Demio, Dropbox, Evernote, HubSpot, Intercom, PayPal, Slack, Twilio (including SendGrid), Atlassian (including Trello), SurveyMonkey, Stripe, Wix and numerous other companies.
US data processors such as Microsoft and Google insist that transfers of personal data between the US and the EU are still in line with the GDPR. We’re working with our legal counsel to determine if and how 50 USC §1881a or Executive Order 12333 applies to us.
We’ll continue to follow closely the EDPB’s and the ICO’s recommendations going forward, and we’ll update this page whenever new information becomes available. If you still have concerns, please feel free to contact us at email@example.com.
- Court of Justice of the European Union press release site where you can download a copy of the judgment
- Joint Press Statement from the European Commissioner for Justice and the U.S. Secretary of Commerce on discussions to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework (10 August 2020)
- The European Data Protection Board FAQ on the judgment (24 July 2020)
- The European Data Protection Board Statement on the judgment (17 July 2020)
- The ICO’s updated statement (27 July 2020)
- The ICO’s initial statement (16 July 2020)
- The European Commission rules on international data transfers
- The European Commission Standard Contractual Clauses (SCC) for data transfers between EU and non-EU countries
- Bedre Bedrift AS (gdprstart.com)