Date
February 23, 2021

'Schrems II': How to protect against liability when using non-EEA vendors

In a recent "Schrems II" webinar, a vast majority of participants expressed concern about the risks associated with cloud-based processing of cleartext EU data and remote access to EU data for business purposes. In follow-up meetings and discussions with representatives from hundreds of companies, grave concerns were raised regarding the risk of personal and criminal liability for corporate officers and boards of directors for ongoing use of non-European Economic Area cloud, software-as-a-service and outsourcing solutions.

The significant publicity regarding the potential negative impacts of “Schrems II” means that a lack of corporate action in response may constitute “willful blindness to a course of action” or “reckless conduct by knowing of the risk but doing nothing.” Additionally, auditors are obligated to report data protection violations to authorities under the International Ethics Standards Board for Accountants and Non-compliance with Laws and Regulations.

When dealing with non-EEA/equivalency country vendors claiming that their services occur entirely within the EU, removing them from the realm of “Schrems II” issues, corporate officers and boards of directors are still open to risks. This is because while the data may appear to be accessed and processed solely only within the EU, vendors often retain access to the data or to keys or other methods for accessing the data for purposes of performing services or other contractual obligations.

The ability of non-EEA/equivalency country vendors to access EU personal data raise the following two Unlawful Use Cases identified by the EDPB below:

  • Unlawful Use Case 6: Transfer to cloud services providers or other processors which require access to data in the clear.
  • Unlawful Use Case 7: Remote access to data for business purposes.

The existence of Unlawful Use Cases 6 and 7 mean that common vendor practices leave corporate officers and boards of directors open to liability risks from the potential for unlawful data access.

It is also important to note the CJEU did not include any grace period for the “Schrems II” decision, meaning compliance is immediately required. Industry direction may come later, but measures are necessary immediately to ensure risks are mitigated.

To mitigate these risks, we recommend that companies request that the following guarantees be included in contracts with vendors claiming that their services occur entirely within the EU.

Proposed third-party guarantees:

  • [Insert third-party vendor name] guarantees that when using our [software/services], no data is processed or could be processed in the memory of our systems or otherwise so that the data is accessible in the clear at any time by us, or through us to authorities in any non-EEA /equivalency country, with respect to which we are under an obligation to share, provide or disclose the data.
  • [Insert third-party vendor name] guarantees that when using our [software/services], we retain no keys, copies of keys or any other access mechanism (e.g., “break the glass” access in emergency, non-payment or other situations) to provide us with the ability to view or otherwise access your data in the clear at any time.
  • [Insert third-party vendor name] guarantees that our [software/services] protect not only direct identifiers but also indirect identifiers that in combination could reveal the identity of data subjects.

If vendors are unwilling to provide such guarantees, an alternative solution is to transform Unlawful EDPB Use Case 6 and 7 scenarios into lawful processing by pseudonymizing the data before providing for processing by non-EEA providers to satisfy the requirements for Lawful EDPB Use Case 2: Transfer of (EU General Data Protection Regulation) Pseudonymised data.

If organizations cannot give you these guarantees or refuse to do so, you must move your data processing and transfers into Use Case 2 to protect the data when in use or stop data transfers. If you elect not to take this course of action, you should carefully document your decision (and the reasons underlying your decision) for your records.

Photo by Duangphorn Wiriya on Unsplash

This article originally appeared in IAPP. All trademarks are the property of their respective owners. All rights reserved by the respective owners.

CLICK TO VIEW CURRENT NEWS