17. Is there a grace period for complying with Schrems II requirements?
No. There is no grace period for complying with Schrems II – the obligation to comply was immediate upon the ruling of the CJEU on 16 July 2020.
18. Can new SCCs be used without Technical Supplementary Measures?
No. New SCCs cannot be used without Technical Supplementary Measures. Technical Supplementary Measures are required whenever there is a surveillance risk in the initial or any subsequent destination country. In these situations, Contractual and Organisational Supplementary Measures alone are not sufficient.
19. Can current SCCs be used without Technical Supplementary Measures until we migrate to new SCCs?
No. In the Schrems II ruling, the Court of Justice of the European Union was adamant that SCCs can only be lawful if supplemented by Technical Supplementary Measures when there is any surveillance risk in the initial or any subsequent destination country. In these situations, Contractual and Organisational Supplementary Measures alone are not sufficient.
20. Can I just update my SCCs?
No. Updating SCCs is not enough. SCCs “are not capable of binding the authorities of that third country, since they are not party to the contract.” Schrems II requires the implementation of technically-enforced Supplementary Measures for transfers to non-EEA / Adequacy Countries whenever there is a surveillance risk in the initial or any subsequent destination country. In these situations, Contractual and Organisational Supplementary Measures alone are not sufficient.
21. Must I stop all processing involving EU personal data that fails to comply with Schrems II?
Yes. Unless you implement Technical Supplementary Measures that ensure an essentially equivalent level of protection, “you must avoid, suspend or terminate” all international data transfers based on SCCs.
22. What is the penalty for failing to comply with Schrems II?
Under the CJEU ruling, Supervisory Authorities have an affirmative obligation to stop transfers that do not comply with Schrems II requirements. In addition to business operation disruptions from termination of data flows, companies face penalties of €20 million or 4% of their global turnover, whichever is greater.
23. Is Schrems II a C-Suite / Board level issue?
Yes. Due to the significant publicity regarding the potential negative effects of Schrems II, lack of corporate change may constitute “wilful blindness to a course of action” or “reckless conduct by knowing of the risk but doing nothing.” This opens Board members and senior executives to potential personal and criminal liability. In addition, auditors have an obligation to report data protection violations to authorities under the International Ethics Standards Board for Accountants (IESBA) standard on Non-compliance with Laws and Regulations (NOCLAR).
24. Can I use Encryption or Anonymisation as Supplementary Measures to protect data when in use to comply with Schrems II?
No. Encryption only protects data in transit and in storage (at rest), not while it is being processed. Anonymisation is not recognised as a suitable Schrems II Supplementary Measure by the European Data Protection Board (EDPB). Schrems II requires organisations to protect data when in use by using technically-enforced Supplementary Measures that protect data from unauthorised access. These technical controls must ensure that EU personal data does not reveal the identities of data subjects when processed outside of the EEA / Adequacy Countries. Processing of personal data in the clear outside of the EEA / Adequacy Countries is unlawful under Schrems II.
25. Which use case can I no longer lawfully process?
The EDPB highlights two use cases of data transfers that are unlawful under Schrems II: (i) Transfer to Cloud Services Providers or Other Processors Which Require Access to Data in the Clear (EDPB Unlawful Use Case 6); and (ii) Remote Access to Data for Business Purposes (EDPB Unlawful Use Case 7).
26. What are my options for complying with Schrems II requirements for data in use?
The EDPB has highlighted the transfer of GDPR Pseudonymised data (EDPB Lawful Use Case 2) as lawful. This means that Cloud Processing and Remote Access for Business Purposes (EDPB Unlawful Use Cases 6 and 7) can be made legal by transforming data into GDPR-Pseudonymised data (Lawful Use Case 2) before processing in the cloud or making it available for remote access.