We’re super excited here at Keepabl with our shiny new datacenter, solving for the Schrems II decision. And it comes with our shiny new front end, which we’ll be writing about separately.
Schrems II made it very hard to use any cloud provider in the US (or, for that matter, pretty well anywhere outside the EEA and adequacy-decision countries) if they could see your data in plain text. It created an instant headache for every organisation in the UK and EEA.
We fully believe that all organisations (bar a few bad actors) want to comply with applicable laws – but Schrems II created a particular headache for SaaS providers and those who use them.
Basically everyone.
Here’s how we ‘solved for Schrems‘ at Keepabl.
Note: Just like your organisation, all the vendors we mention here have their own individual contexts and responses to GDPR and Schrems II, from being compliant already, to moving to compliance in their individual way and at their own speed. Nothing in this article is legal advice and nothing in this article states whether or not any vendor is compliant at any given date.
In summary, the CJEU (the highest court in Europe) held that:
The effect was jarring to say the least.
It’s fair to say that most organisations use Software as a Service (SaaS), with examples from productivity SaaS such as Google Workspace, Microsoft Office 365, CRM from Salesforce or HubSpot, and support software from Zendesk. Plus, many organisations use Platform as a Service solutions – the leading providers being Microsoft, Google and AWS. So, lots of possible US exposure.
And – speaking from experience – it’s also fair to say that pretty well every tech startup used a short list of leading, interoperable services including the above and tools such as Heroku, SendGrid (Twilio), New Relic, Papertrail and others – again, lots of US exposure.
Schrems II‘s taking down Privacy Shield made the use of a number of these solutions … ‘problematic’.
Privacy pros had to rapidly grapple with questions such as:
Customers and vendors alike needed time to understand the practical ramifications of the lengthy decision – partly because they were so bleak. With no transition period from the court or regulators, there was a huge need for rapid assistance (or even a replacement adequacy decision) at the governmental level.
But help and interpretation was slow to come and, when it did, it offered nothing to resolve the major issue: use of US-based cloud services when they can see data in plain text, which is endemic in the UK and EU – including amongst EU Institutions.
In the meantime, everyone had to become used to a new acronym: TIA or Transfer Impact Assessment. And through this timeline, the transition period for Brexit ended, with the UK being granted an adequacy decision with just a couple of days to spare.
With no practical solutions put forward at an EU-US level, vendors have been working hard to review their supply chain to see what steps could be taken, and ‘Schrems II compliant‘ has become a new shorthand for dealing compliantly with any transfer under the GDPRs.
The situation developed from hoping for a Privacy Shield 3 through 2020/21, to regulatory and court decisions starting to roll out in early 2022. You’ve probably seen the recent, high-profile decisions from DPAs in Austria and France as well as the EDPS that the use of Google Analytics was not compliant with GDPR (at least in those cases). Expect more decisions soon, as a result of NOYB’s 101 complaints against Google and Facebook.
After our supplier review, the lack of practical solutions to the US-transfer problem from regulators and governments, and the (understandably) slow pace of data sovereignty solutions from some of our own vendors, in early 2021 we decided we needed to proactively identify Schrems-compliant providers.
This meant, at a minimum:
That was already a tough ask: most leading solutions are US-based as above, EU hosting is often by the US entity, or the US entity is a sub-processor to any EU entity. And it was indeed hard to find European alternatives.
Any alternative provider also had to match our usual requirements of being resilient, well-used (and so constantly QA’s and de-bugged) solutions, with excellent Privacy and Security practices. We needed to solve for Schrems, but we couldn’t throw the baby out with the bath water.
We started looking at all our tech stack components, then for alternatives to each, which became frankly overwhelming and with rapidly diminishing returns. So we focussed on PaaS and reviewed numerous, home-grown solutions in EU, EEA and adequacy decision countries. There may well be some we missed but, in our subjective view, none of the ones we looked at met our requirements.
So we looked again at the big 3, this time with the additional Schrems lens. We already used AWS S3 for data storage and backups pre-Schrems II and were delighted to confirm some things we already knew:
We also reviewed the AWS equivalents we were interested in, to replace the tools and services used in our prior datacenter setup that we’d identified as raising potential Schrems II issues. Typical examples include monitoring, logging, and certain app security. What we found was excellent:
So: our contractual counter-party is in the EU. The only sub-processor for the services we use is AWS UK. There is no US or other ‘problematic’ country involvement. We can replace a myriad of solutions with AWS equivalents within our AWS instance. And on top of all this the Nitro System means neither AWS nor their sub-processors can see our data.
Our Schrems II project has many facets, this is just one, but we hope this article has given you a good background and overview of how we addressed, and continue to address, these issues. We’ll be posting more on this topic, for example how we found a compliant meeting-booking solution in the EU – so watch this space.
Do you know all your processors, or all your transfers? Keepabl’s Privacy Management Software is your out of the box Privacy Framework that leads you through the process, identifying all the loose ends, pulling it all together in instant reports and visuals.
Did you see our users believe we save between 50 and 70% of your ongoing compliance?
We’re delighted to issue an update on the BPM Index, with data from 23 Member States through the end of April 2019. Compared to November 2018, the general trend is…
Trick question: is it legal for a national postal service to guess your political opinions from what they know about you, such as age and address, and sell that data…