August 11, 2020 – GDPR
A New EU Ruling Impacts Your Choice of an SMS Gateway – Learn Why
The EU-US Privacy Shield Framework was declared invalid by an EU ruling (also known as the Schrems II-judgment) on 16 July 2020.
And why should you care?
Some may continue as usual, but for the vast majority of companies in the EU the ruling has a significant impact on their GDPR compliance as well as the legality of their processing of data outside the EU.
We therefore review the significance of the judgment in this blog post, where we also get into why you can still use GatewayAPI with peace of mind, knowing that your choice of GatewayAPI still puts you in full compliance with the General Data Protection Regulation.
What is the EU-US Privacy Shield Framework?
The EU-US Privacy Shield Framework was a framework for regulating the transatlantic exchange of personal data for commercial purposes between the European Union and the United States.
The framework was declared invalid since the court ruled that the US does not ensure “an adequate level of data protection”, consequently placing the US in the category of “third countries” outside the EU that are no longer considered safe to share data with.
Quick outline of the implications of the ruling
The Schrems-II ruling affects a large number of companies that either directly or indirectly send personal data to the US via the IT services they use. There is no grace period for companies that relied on the EU-US Privacy Shield Framework, so it may already be necessary for many of them to reassess the services they are using, since continuing to use them would put them at odds with GDPR.
Currently, it is not clear what EU-based companies have to do to ensure that they still comply with GDPR when they are using US-based services. There are new standards that have to be complied with, which we will get to below, but the new standards are not sufficient on their own.
Several experts point out that it is very doubtful that companies will currently be able to transfer personal data to the US, as the data exporter must ensure that the protection of the data corresponds to the level of protection in the EU, which in the light of the ruling must be considered impossible.
What does this mean for you as a GatewayAPI customer?
You can safely continue to use GatewayAPI after the Schrems II ruling. First and foremost, GatewayAPI – as well as the parent company ONLINECITY.IO – was founded in Denmark, where we are headquartered and from where we operate.
Your data, for which we are data processors, is stored in the EU and does not leave the five data centers we use in Belgium, Ireland, Finland, the Netherlands and Denmark. In addition, we have an ISAE 3000 auditor’s statement from BDO confirming that we comply with all the requirements for good and secure data processing set out in the General Data Protection Regulation.
Finally, we have taken several steps to ensure that we continue to be fully GDPR-compliant going forward, which you can read more about below.
Detailed information for the GDPR experts
In the light of the judgment of the European Court of Justice in the Schrems-II case, which invalidated the EU-US Privacy Shield Framework as a valid transfer basis for data transfers to insecure third countries, we would like to give our customers and partners a brief overview of the action we have now started to take. We will continue this work until the authorities have presented both the real consequences and official guidelines, and until we at GatewayAPI have updated the current transfer basis to a valid basis for transferring personal data outside of the EU, which is a requirement under this judgment.
The requirements for a valid transfer basis are as follows:
- Incorporation of the EU Standard Contractual Clauses (SCC) into the agreement with all suppliers that either
  - are located in an insecure third country (such as the US), or
  - have their headquarters in an insecure third country (as it can be assumed that data will be transferred from, for example, a European data center to a US head office in connection with, for example, the provision of data to the authorities in connection with national security), or
  - have subcontractors located in an insecure third country to whom they transfer or entrust data.
- An assessment of the data exporter and whether the provisions and legislation maintained in the SCC or GDPR can be complied with in the importing country, i.e. whether the data subject can exercise their rights, whether EU law can be complied with and whether the level of protection is appropriate in the importing country.
- Depending on and in light of the above mentioned assessment and the circumstances of the transfer, implementation of additional measures to ensure that US law does not affect the appropriate level of protection guaranteed by the SCC and GDPR.
- A confirmation from the data importer that compliance with the above data protection clauses is possible for the importer, as well as an addition to the agreement with the data importer imposing an additional obligation on the data importer to inform the data exporter in the event of any inability to comply with the above mentioned data protection clauses and, if necessary, with any additional measures added to these clauses; the data exporter is in turn obliged to suspend the transfer of data and/or to terminate the contract with the data importer.
We would like to point out that GatewayAPI’s hosting partner is Google Cloud, where the data centers used for GatewayAPI are all located in the EU – in Saint-Ghislain, Belgium, in Dublin, Ireland, in Hamina, Finland, in Eemshaven, the Netherlands and in Fredericia, Denmark.
Google LLC has its headquarters in the United States, and we have contacted Google with a demand that they incorporate the SCCs into their agreements, as well as asking when they will be able to confirm their ability to comply with them. In addition, we are awaiting a change in their terms and conditions that will enable compliance with the SCCs.
We are in close dialogue with Google, and will continue to send follow-up inquiries to them so that we can respond promptly to the Schrems-II ruling. Google meanwhile refers to the fact that they have already incorporated the SCCs in their agreements (cf. their Google Cloud website), and that they will return shortly with a more detailed announcement regarding the remaining requirements. We will of course keep you informed of any developments in this case.
In addition, we have contacted the Danish Data Protection Agency to clarify which requirements apply to the assessment of the legal system, the judiciary and the possibility of compliance with EU rights, standards, requirements and legislation, which is what is now required of data processors. We are currently awaiting answers in this case.
We have also met with the Danish Chamber of Commerce about the consequences of the ruling and further measures that can be implemented, as well as whether the responsibility for the assessment of the rule of law in the third country lies with the individual data controller, or rather with the European Data Protection Supervisor (EDPS) or the European Data Protection Board (EDPB), respectively.
Our measures going forward
In addition, as part of its ongoing compliance and governance work, GatewayAPI is reviewing suppliers located outside the EU, so that data currently located in data centers outside the EU is migrated to the EU, or suppliers who do not offer this option are replaced with European suppliers. This applies to suppliers involved in both our role as data processor and our role as data controller. An example is Slack, where we are migrating to “data residency” in the EU, which means that all data from Slack and Chatlio is stored in the EU. All remaining suppliers will be contacted regarding the requirements and their fulfillment of them, and on the basis of their efforts we will assess whether the cooperation can continue and thus remain subject to the above mentioned requirements.
We will also ensure that the SCCs are incorporated into the data processor agreements with all data controllers in the near future, so that these are easier to enforce in relation to the sub-processors and suppliers who will also be subject to the requirements to comply with these provisions.
Do you have further questions?
We are available to any data subject, customer, or customer’s customer who wishes to discuss our compliance with us. We are transparent in our efforts to adapt to the Schrems-II ruling, as we – regardless of any EU ruling – want to provide our customers with complete security and safety when using us as a supplier.
If you have specific questions or follow-ups regarding Privacy Shield or this blog entry, we are here to help.
Just contact us on firstname.lastname@example.org.