Anonos received 400+ requests for meetings following up on our Schrems II: Surviving and Thriving
webinar, involving 3200+ from 2300+ companies and 50+ countries. Please read below to clarify the most common misconceptions and FAQs from our meetings to date.
Common Misconceptions & Frequently Asked Questions (FAQs)
Does Schrems II Disrupt Data Supply Chains?
Yes, by eliminating parties from data supply chains that do not have adequate Technical Supplementary Measures. Suppose downstream data supply chain parties do not have adequate Technical Supplementary Measures like GDPR-compliant Pseudonymisation. In that case, upstream data providers will discontinue data flow rather than risk damaging their own business. Data is a precious resource for company performance and innovation, and without data flowing freely, critical opportunities for growth and revenue is lost. Therefore, Technical Supplementary Measures like GDPR-compliant Pseudonymisation are required to ensure ongoing data transfer and processing.
Is there a grace period for complying with Schrems II requirements?
No. There is no grace period for complying with Schrems II – the obligation to comply was immediate upon the ruling of the CJEU on 16 July 2020.
Can I Wait Until I Update My SCCs to adopt Technical Supplementary Measures?
No. The Schrems II ruling states that international data transfers using SCCs without adequate supplementary measures are unlawful. The ruling proscribes that the appropriate remedy for unlawful data transfers is immediate suspension or termination.
Will EU-US Political Solutions Remove Requirements for Technical Supplementary Measures?
No. The philosophical differences between the US and EU approach to privacy are so fundamental that they will not remove requirements for Technical Supplementary Measures. US federal law and supreme court rulings favour a more commerce-friendly approach versus the EU view of privacy as a fundamental personal right that must be respected. If anything, Technical Supplementary Measures like GDPR Pseudonymisation may be required to achieve a new and sustainable treaty for lawful trans-Atlantic data flow.
Can I Accomplish the Same Business Goals That I Did Before Schrems II When Using [insert name of cloud- or remote-based non-EEA software or service]?
Yes, but you may need to change how you use [insert name of cloud- or remote-based non-EEA software or service]. Advances in technology have made it seamless to transition from primary processing (the reason data is initially collected) to secondary (or further) processing like advanced analytics, artificial intelligence (AI) or Machine Learning (ML) using EU personal data. However, the lawful basis for primary processing under the GDPR rarely enables lawful secondary processing of the same data for a different purpose. However, by leveraging GDPR-compliant Pseudonymisation and adopting new processes, you can achieve business objectives while complying with your obligations under Article 6 - Lawfulness of Processing, Article - 25 Data Protection by Design and by Default and Article 26 – Security, as well as other GDPR obligations.
Is Processing Pseudonymised Data as Accurate as Processing Data in the Clear (Cleartext Data)?
Yes. Unlike approaches like differential privacy and synthetic data which generally provide 20-30% or more distortion in results, properly implemented GDPR-compliant Pseudonymisation like that enabled by Anonos Data Embassy software retains 100% accuracy, fidelity, and value.
If I Process Only Business-to-Business (B2B) Data, Do I Need to Comply with Schrems II.
Yes, if any of the data processed by you or by any of your B2B partners include any data that can be used directly or indirectly to identify a natural person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
If I Do Not Process Personally Identifiable Information (PII), Do I Need to Comply with Schrems II.
Yes. EU personal data is not limited to direct identifiers. It also includes indirect identifiers, characteristics and other information that can be used directly or indirectly to identify a natural person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
Are Schrems II Costs Just Another Compliance Expanse?
No. Anonos Data Embassy software embeds controls into your data, enabling it to lawfully flow across departments, divisions, companies, and borders to ensure compliance while simultaneously retaining 100% analytical accuracy and allowing 100% relinkability. This maximises data value and improves the scalability of operations while reducing the time to achieve insights, thereby turning the cost into an investment with a positive return.
Can I use Encryption or Anonymisation as Supplementary Measures to Protect Data When in Use to Comply with Schrems II?
No. Encryption only protects data in transit and in storage. Anonymisation is not recognised as a suitable Schrems II Supplementary Measure. Schrems II requires organisations to protect data processed using SCCs by using Technical Supplementary Measures that “travel with the data wherever it goes” – including when in use – to ensure that EU personal data does not reveal the identities of data subjects when processed outside of the EEA / equivalency countries except as permitted by Article 49(1) derogations.