Keepabl's Schrems II-compliant datacenter

We’re super excited here at Keepabl with our shiny new datacenter, solving for the Schrems II decision. And it comes with our shiny new front end, which we’ll be writing about separately.

Schrems II made it very hard to use any cloud provider in the US (or, for that matter, pretty well anywhere outside the EEA and adequacy-decision countries) if they could see your data in plain text. It created an instant headache for every organisation in the UK and EEA.

We fully believe that all organisations (bar a few bad actors) want to comply with applicable laws – but Schrems II created a particular headache for SaaS providers and those who use them.

Basically everyone.

Here’s how we ‘solved for Schrems‘ at Keepabl.

Note: Just like your organisation, all the vendors we mention here have their own individual contexts and responses to GDPR and Schrems II, from being compliant already, to moving to compliance in their individual way and at their own speed. Nothing in this article is legal advice and nothing in this article states whether or not any vendor is compliant at any given date.

What Schrems II said

In summary, the CJEU (the highest court in Europe) held that:

• the adequacy decision in favour of Privacy Shield was invalid, primarily because of the scope of US surveillance laws and the lack of rights provided to EEA data subjects who are surveilled,
• while Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) remain a valid transfer tool to consider, as they’re instantly overridden by laws where the processor is based, exporters of personal data have to undertake a legal review of destination countries, with a particular focus on surveillance laws and rights and remedies for data subjects and decide if any ‘supplemental measures’ can close any gap to GDPR compliance, and
• there was no transition period.

The impact

The effect was jarring to say the least.

It’s fair to say that most organisations use Software as a Service (SaaS), with examples from productivity SaaS such as Google Workspace, Microsoft Office 365, CRM from Salesforce or HubSpot, and support software from Zendesk. Plus, many organisations use Platform as a Service solutions – the leading providers being Microsoft, Google and AWS. So, lots of possible US exposure.

And – speaking from experience – it’s also fair to say that pretty well every tech startup used a short list of leading, interoperable services including the above and tools such as Heroku, SendGrid (Twilio), New Relic, Papertrail and others – again, lots of US exposure.

Schrems II‘s taking down Privacy Shield made the use of a number of these solutions … ‘problematic’.

What people did next

Privacy pros had to rapidly grapple with questions such as:

• is it ok if your provider is in the US but they host your data in the EU? [probably not]
• is it ok if your provider is the EU subsidiary of a US parent company and your data is hosted by the EU entity in the EU? [it depends, more detail is needed on access by the US (and other) entities – eg, are they sub-processors with access to the personal data? If no, then it’s probably fine as the EU entity isn’t subject to US law. If yes, then probably not.]
• is it ok if you encrypt the data before sending it to the US? [again, more detail needed such as whether the data is decrypted in the US and who holds the keys – at the time of writing, encryption is the subject of heated discussion]

Customers and vendors alike needed time to understand the practical ramifications of the lengthy decision – partly because they were so bleak. With no transition period from the court or regulators, there was a huge need for rapid assistance (or even a replacement adequacy decision) at the governmental level.

But help and interpretation was slow to come and, when it did, it offered nothing to resolve the major issue: use of US-based cloud services when they can see data in plain text, which is endemic in the UK and EU – including amongst EU Institutions.

In the meantime, everyone had to become used to a new acronym: TIA or Transfer Impact Assessment. And through this timeline, the transition period for Brexit ended, with the UK being granted an adequacy decision with just a couple of days to spare.

With no practical solutions put forward at an EU-US level, vendors have been working hard to review their supply chain to see what steps could be taken, and ‘Schrems II compliant‘ has become a new shorthand for dealing compliantly with any transfer under the GDPRs.

The situation developed from hoping for a Privacy Shield 3 through 2020/21, to regulatory and court decisions starting to roll out in early 2022. You’ve probably seen the recent, high-profile decisions from DPAs in Austria and France as well as the EDPS that the use of Google Analytics was not compliant with GDPR (at least in those cases). Expect more decisions soon, as a result of NOYB’s 101 complaints against Google and Facebook.

Keepabl’s response

After our supplier review, the lack of practical solutions to the US-transfer problem from regulators and governments, and the (understandably) slow pace of data sovereignty solutions from some of our own vendors, in early 2021 we decided we needed to proactively identify Schrems-compliant providers.

This meant, at a minimum:

• no contractual counter-party in the USA subject to FISA 702, or in a ‘non-adequate country’ (meaning outside the EEA and the 13 third countries with an adequacy decision)
• no sub-processor in the USA subject to FISA 702, or in a non-adequate country

That was already a tough ask: most leading solutions are US-based as above, EU hosting is often by the US entity, or the US entity is a sub-processor to any EU entity. And it was indeed hard to find European alternatives.

Any alternative provider also had to match our usual requirements of being resilient, well-used (and so constantly QA’s and de-bugged) solutions, with excellent Privacy and Security practices. We needed to solve for Schrems, but we couldn’t throw the baby out with the bath water.

We started looking at all our tech stack components, then for alternatives to each, which became frankly overwhelming and with rapidly diminishing returns. So we focussed on PaaS and reviewed numerous, home-grown solutions in EU, EEA and adequacy decision countries. There may well be some we missed but, in our subjective view, none of the ones we looked at met our requirements.

Our new tech stack

So we looked again at the big 3, this time with the additional Schrems lens. We already used AWS S3 for data storage and backups pre-Schrems II and were delighted to confirm some things we already knew:

• our contractual counter-party is AWS Luxembourg – big tick, they’re not subject to US law, they have to comply with EU GDPR, other EU law and Luxembourg law,
• they have fantastic security practices,
• as we host in the UK, their sub-processor list indicated that the only sub-processor for GDPR was AWS UK – and we were able to confirm this with AWS Solution Architects, and
• the excellent confidential computing solution that is AWS’s Nitro System, which means it’s operationally and technically not possible for any Amazon operative or entity to see the data we put into AWS.

We also reviewed the AWS equivalents we were interested in, to replace the tools and services used in our prior datacenter setup that we’d identified as raising potential Schrems II issues. Typical examples include monitoring, logging, and certain app security. What we found was excellent:

• again, their sub-processor list indicated that the only sub-processor for those tools and services was AWS UK – and we were again able to confirm this with AWS Solution Architects,
• we were able to replace all the ‘problematic’ providers and solutions with AWS equivalents that are provided by our 2 AWS entities, and
• all of those tools and services operate within our AWS UK instance (save as necessary, for example with Route 53, if our solution’s accessed in a third country.)

So: our contractual counter-party is in the EU. The only sub-processor for the services we use is AWS UK. There is no US or other ‘problematic’ country involvement. We can replace a myriad of solutions with AWS equivalents within our AWS instance. And on top of all this the Nitro System means neither AWS nor their sub-processors can see our data.

Confidently forward

Our Schrems II project has many facets, this is just one, but we hope this article has given you a good background and overview of how we addressed, and continue to address, these issues. We’ll be posting more on this topic, for example how we found a compliant meeting-booking solution in the EU – so watch this space.

How we can help you

Do you know all your processors, or all your transfers? Keepabl’s Privacy Management Software is your out of the box Privacy Framework that leads you through the process, identifying all the loose ends, pulling it all together in instant reports and visuals.

Did you see our users believe we save between 50 and 70% of your ongoing compliance?

Contact us for your demo!