What is Schrems II and how does it affect your data protection in 2021?

After more than six months, Schrems II is still proving to be difficult to manage for many organisations across the world. In 2021, Schrems II – the landmark data privacy verdict issued in July 2020 – continues to prevent businesses from carrying out basic data transfers to non-EU countries.

What’s more, in a context of unprecedented home working and the adoption of public cloud platforms, the implications of Schrems II have become more complex as the world has adapted to the conditions enforced by the COVID-19 pandemic.

And, with the news that the UK is set to leave GDPR following Brexit, guidance around data protection in Europe has never been more unclear.

In this blog, we discuss what exactly Schrems II is, the impact it’s had on modern working, and what businesses can do to manage data in accordance with this new regulation.

What is Schrems II?

On July 16 2020, the Court of Justice of the European Union (EU) issued a verdict that ruled that the EU-US Data Protection Shield, on which many companies relied on to transfer their data between the US and the EU, was invalidated due to concerns around surveillance by US state and law enforcement agencies. This verdict later came to be colloquially known as Schrems II (after Max Schrems, an activist and lawyer who initiated this legal saga following his complaints against Facebook back in 2013).

Before Schrems II, over 5,000 US companies relied on the Data Protection Shield to conduct trans-Atlantic trade. With the shield in place, these companies could easily transfer data in compliance with GDPR.

What’s more, Schrems II now requires European companies are to conduct individual assessments of each data transfer to a non-EU country in order to ensure compliance.

The potential consequences of Schrems II could be massive. In the modern business landscape, data transfer has become a core process for many different companies across the world. So, the prevention of data transfer between the EU and other countries could see these companies grind to a total halt.

The rise of remote working and cloud computing

With the COVID-19 pandemic forcing millions around the world to work from home, the business world has had to adapt in order to survive these new, often complex conditions.

In turn, public cloud platforms, such as Microsoft Azure and Amazon Web Services, have become almost indispensable to businesses. This trend is set to continue, with researchers predicting that worldwide end-user spending on public cloud services will grow 18.4% in 2021. In monetary terms, total spending will rise to a total of $304.9 billion, up from $257.5 billion in 2020.

However, in the context of Schrems II, remote working and the adoption of cloud services has added another layer of complexity to the equation. For example, if a European organisation was looking to store customer data on servers based in a non-EU country, any data transfer to these servers would have to undergo an individual risk assessment to ensure it is compliant with GDPR.

With security and data protection already being a key priority when using public cloud platforms, the additional complexities emanating from Schrems II offers a tough challenge for Chief Technology Officers (CTOs) to handle.

So, what can businesses do?

With all this to consider, how can businesses navigate the challenges arising from Schrems II?

One technical measure that can be put in place to help organisations is the encryption of data.

In November 2020, the European Data Protection Board released a set of guidelines that give organisations advice on measures they can take to stay compliant when making data transfers. Amongst various recommendations, encryption stands out as a key measure that organisations can use.

By encrypting the data, organisations can ensure that third parties cannot gain access to sensitive information which is being transferred between regions. This, combined with an effective encryption key management system, could go a long way to ensure that an organisation stays compliant with regulation.

What’s more, ensuring that all vectors are secure within a cybersecurity framework is crucial to protecting customer data. By implementing a ‘security by design’ strategy, CTOs can ensure that their employees and their devices, no matter where they are based, will keep sensitive customer data safe from hostile actors.

The data protection landscape has undergone monumental changes in the past 12 months, including the European Commission’s recent draft decision for a data adequacy agreement with the UK which, depending on approval from member states, will allow the easy transfer of data between companies the UK and the EU.

With the Schrems II verdict and the UK leaving GDPR, the uncertainty around how businesses should handle their data has never been higher. This is particularly true with the boom in cloud platforms and remote working. But, through leveraging ‘security by design’ strategies and encryption, businesses can best position themselves to stay compliant with regulation when it comes to transferring and protecting data.

Interested and want to learn more? Leave a comment below or tweet us @ThalesDigiSec if you have any questions.

*** This is a Security Bloggers Network syndicated blog from Enterprise Security – Thales blog authored by Sebastien Cano. Read the original post at: