February 5, 2021

Schrems II: Action Required for Lawful Public Cloud Processing

By: Sarah Pearce, Partner in Data Privacy and Cyber Security Practice at Paul Hastings LLP

Gary LaFever, CEO and General Counsel at Anonos

Issues surrounding Schrems II[1] compliance can be complex and daunting. The CJEU court ruling was rendered 6 months ago and there is no grace period for compliance. As a result, prompt assessment and, in some cases, action are advised to support the business priorities and goals of your organisation.

The graphic below is a modified version of the infographic published on the EDPB twitter feed when announcing its Schrems II recommendations (with the exception of added red highlights) (the “Recommendations”). This graphic shows that if you rely on the public cloud (noting key service providers in the industry are largely US companies) you should start your evaluation at Step 4 of the EDPB Recommendations – with regard to the specific issue of use of the public cloud.

If ongoing use of public cloud capabilities is important to your organisation, you should dual-track other Schrems II evaluation and assessment activities (which will include a transfer risk assessment) with a fast-tracked evaluation in response to the question: “Can Supplementary Measures fill the gaps” identified by the CJEU in Schrems II with regard to this processing activity. To comply, you should analyse the processing activity and seek to implement technically enforced Supplementary Measures so that any EU personal data that you “transfer” outside of the EEA/equivalency countries (which includes processing EU personal data in the public cloud regardless of the physical location of servers) does not reveal identities of EU data subjects to expose them to surveillance.

The Recommendations highlighted the processing of EU personal data in the clear in the public cloud as one of the two scenarios in which no effective supplementary measures could be found under Schrems II. While the Recommendations don’t rule out “further technological development” that “may offer measures that achieve the intended business purpose without requiring access in the clear”, they do not identify any compliant technically enforceable Supplementary Measures. Contractual (regardless of what SCCs you and the cloud providers have in place) and organisational measures alone will generally not suffice.

98% of the participants in a 29th October Anonos’ Schrems II webinar involving 1800+ executives from 1700+ companies from 50+ countries expressed concern over the risks associated with EDPB Use Case 6: Cloud-Based Processing of Cleartext EU Data. The right hand side of the graphic below shows a public twitter comment made by privacy activist Max Schrems, noting the potential relevance of this use case for 90% of Business-to-Business outsourcing to the US (emphasis added).[2]

The significant publicity regarding the potential negative effects of Schrems II means that the lack of corporate action in response to the CJEU’s findings in the case may constitute “wilful blindness to a course of action” or “reckless conduct by knowing of the risk but doing nothing.” Various commentators have noted this could open directors and senior executives to potential liability.[3] In addition, auditors have an obligation to report data protection violations to authorities under the International Ethics Standards Board for Accountants (IESBA), and Non-compliance with Laws and Regulations (NOCLAR).[4]

A timely analysis and coordinated action plan ensuring ongoing lawful use of public cloud capabilities is advised to allow for uninterrupted business operations and enforcement of the fundamental rights of data subjects.

Contact Sarah Pearce for more information on your legal compliance obligations under Schrems II.

Contact Gary LaFever for information on technically-enforced Supplementary Measures to ensure compliance with Schrems II and global data sovereignty and localisation laws.

To learn more, visit SchremsII.com/KnowledgeCenter



[1] Schrems II refers to the ruling by the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, commonly referred to publicly as “Schrems II.” Use of "Schrems II" in no way indicates any relationship or affiliation with, or endorsement by, Max Schrems or by the Non-Governmental Organisation, None of Your Business (NOYB), or any parties directly or indirectly associated with Max Schrems or NOYB.

[2] Ibid.

[3] See https://normcyber.com/advisory-note/data-protection-directors-personal-liability/ and https://www.financierworldwide.com/roundtable-risks-facing-directors-officers-aug17

[4] See https://www.ifac.org/system/files/publications/files/IESBA-NOCLAR-Fact-Sheet.pdf

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.

CLICK TO VIEW CURRENT NEWS