The EU-US Privacy Shield is Dead
GDPR has been a major focus of law and legislation in recent times, and the protection of data is so important. Max Schrems, an Austrian activist and author, has been successful in pursuing changes to laws and legislation. He is known for his campaigns against Facebook for its violation of privacy.
You may or may not be aware of the major development for international transfers that took place on July 16th 2020, when the EU-US Privacy Shield was declared invalid. Enter: Schrems II. Thousands of participating companies were connected with the EU-US Privacy Shield, and so are greatly affected. The abandonment of the EU-US Privacy Shield has potential impacts on you (our customers) and on those of you out there using G Suite for your businesses. That’s why this week’s blog with our CEO Fintan Murphy explores 4 key focus areas to assist you with the change.
Disclaimer: Nothing that you read in this blog is legal advice. Please take the advice in this blog to be informational and educational only, and if you have any queries we encourage you to get in touch and ask us. If you feel that there is anything missing from this blog, again we would appreciate you getting in touch.
So, let’s take a look at some pressing questions you might have and cover some areas that might have an impact on you, our readers and users of G Suite:
1. What is the EU-US Privacy Shield?
In 2016, the EU Commission and the US Administration designed and built the EU-US Privacy Shield. According to GDPR, “the transfer of personal data outside of the EEA is not allowed unless appropriate safeguards to protect the transfer of data are put in place”. Up until July 16th 2020, the most popular mechanism to achieve this was the EU-US Privacy Shield. You might know the predecessor of this framework – the International Safe Harbour Principles, or agreement, which was invalidated by Schrems I (stay with us!). The International Safe Harbour Principles allowed for the flow of data between the EEA and the US.
2. What is Schrems II?
Schrems II is the nickname given to the ruling of the Court of Justice of the European Union (CJEU). It was the second case brought by Max Schrems as part of his campaigning and activism for data protection. He brought the case in Ireland against Facebook, and it was all about data transfers and GDPR. If you want to learn more about it, you can look it up online.
Max Schrems’s attempts and campaigns were successful: last month, on 16th July 2020, the court declared the Privacy Shield invalid.
3. How does this affect cloud-based tools?
If you are transferring data outside the EU, you will be wondering what this change in policies and legislation means for you and your business.
Well, simply put, the abandonment of the EU-US Privacy Shield means that the only way of transferring data outside of the EU now is to make use of the Standard Contractual Clauses (SCCs). These SCCs are provided by the EU Commission or a National Advisory Authority.
In the ruling by the Court of Justice of the European Union, the SCCs were validated.
Let’s take a moment to acknowledge what Google have said about all of this as it’s important for our customers and G Suite users.
Google said, “In light of the recent Court of Justice European Union ruling on transfer of data, invalidating the EU-US Privacy Shield, Google will be moving toward alliance on the Standard Contractual Clauses for relevant data transfers. This as per the ruling can continue to be a legal ruling mechanism to transfer data under GDPR. We will share more information about these updates, including timelines, as soon as possible. The SCCs are already offered as a transfer mechanism within Google Cloud”.
So these are already available to customers within your G Suite account, which leads us nicely to our 4th and final point.
4. What do I need to do within my G Suite account?
Fintan advises that there are two main things you need to check within your G Suite account.
One is the Legal Section and the other is the Data Regions.
If you’re a super admin, you can search for “legal” within the administrator control section, and the account settings will show under the legal and compliance section. Here you’ll find the EU Standard Contractual Clause and can check whether it has been signed. If not, you can agree to it and sign it. Ensure your legal teams review this before you do.
Signing this means that you have an SCC in place with Google to keep your data and your business protected in terms of GDPR law and compliance legislation.
If you have G Suite Business or G Suite Enterprise, then data regions are part of the features available to you. Data Regions allow you to tell Google “I would like my data to be held within the European Union”. If you make this known to Google, Google will migrate all of your data on its servers over to European-only data centres. You can see in that section where those data centres are.
If you’re a global organisation and you need data for certain users to be held in the EU and some in the US, you can set data regions by groups of users.
So that’s this week’s blog on the EU-US Privacy Shield; hopefully you got something useful from it. You can learn more about all of this here. Furthermore, please see below for resources where you can read and learn more about this. As always, if you have any questions, please get in touch.
Damson Cloud helps organisations move to new ways of working through collaborative tools like G Suite. We champion the very best practices in remote working and change management, helping companies and their teams collaborate productively from anywhere in the world. To find out more about our services, check out our library of tutorial videos or our blog.