Schrems II: The invalidated Privacy Shield and its aftermath – a walkthrough with Jitty van Doodewaerd

In episode 6 of “under CTRL” we interview Jitty van Doodewaerd, director of privacy at DMCC Netherlands. She participated in the Big Data Expert Group of the Dutch Ministry of Economic Affairs. In her previous job, she was responsible for public affairs at the Dutch Marketing Trade Association and was a member of the Legal Affairs Committee of the Federation for European Direct and Interactive Marketing (FEDMA) and of the Privacy Commission of VNO-NCW.

DMCC Nederland B.V. is a consultancy firm offering independent advice on compliance, data privacy, e-privacy, telecommunications, and IT security. We talk with Jitty about the effect of the invalidation of the Privacy Shield on B2B companies, the consequences that follow from it, and what companies can and should do now.

The challenge of data protection, privacy and compliance

Ensuring business data protection and staying compliant has never been easy. Data security, secure storage and the use of stored data are big topics for every organization regardless of its size, as the ruling does not differentiate between larger companies and SMEs. Having the right infrastructure is essential, especially in the current pandemic, when many team meetings happen online and collaboration is done remotely.

Now, with the invalidation of the Privacy Shield, many organizations need to check how they can ensure a level of data protection adequate under the GDPR. They might need extra agreements, additional data rules, and changes to contractual clauses to process the data of European citizens in a compliant way. Organizations using American suppliers might be in trouble, as those suppliers pose a risk until a solution is found. And this does not even take into account the level of surveillance in the US, which has been a major issue: companies cannot protect you from surveillance by the American government.

EU law says that companies cannot process personal data outside of the EU if there is no adequate level of protection. And that adequate level is exactly what is currently missing.

What actions should companies take now?

Jitty also gives some useful advice for companies during our conversation with her. The first step should be to look at the suppliers they use and check whether contractual clauses are in place. If not, they need to make sure to introduce them. It is also important to know which kind of data is stored where.

All organizations that store data in the US need to rethink their approach: encrypt the data, or, even better, change to a European provider and store the data with encrypted services within the borders of the EU. There are many solutions and data protection technologies available that make compliance easier, and American suppliers may still be used with the right precautions. Turning to European providers and looking for data residency options is a smart step in the current climate and ensures that no data leaves the GDPR area.

Jitty sums this up as follows:

“Companies themselves will have to come up with smarter ways of processing data and storing data to comply with the GDPR.”

Listen to the episode on Spotify or Apple Podcasts to learn more, and let us know what you think. Scroll down to read the transcript of the recording.


Paul: Good afternoon to Jitty and welcome to under CTRL. Good to have you on the show today. What I’d like to do is to get started with a bit of background on your company and the sectors you are working in, and we will just go from there. We’ll have one particular topic which is going to be very interesting for the listeners, around Schrems II.

Jitty: Great, thank you. Well, I’m Jitty van Doodewaerd and I’m a director at DMCC Netherlands. We are basically a consulting firm, more so in the area of privacy, e-privacy, security, telecommunications. What you see is that in the past years organizations have had to be diligent with data, and we advise a lot of companies (charitable organizations, NGOs, telecoms, publishers) about their use of data, mostly for commercial purposes such as marketing, campaigns, the use of ads and Google.

Paul: So you basically focus right across the border. When you say privacy, what does that cover? Obviously, there is GDPR but what else is there that you advise on?

Jitty: Within privacy we also do consumer protection, such as unfair commercial practices. In the Netherlands there are very strict regulations on, for example, the sale of energy to consumers: you have to make a measured offer to the customer based on the actual use of their gas or electricity. They used to do these sales via telemarketing or doorstep selling. What we do is we get all the telemarketing conversations with potential consumers and we see if they are compliant with the rules and regulations. So not only privacy, but also telecommunications, for example whether the measured offer was based on the consumer’s data.

Paul: How many are you currently in your organization?

Jitty: We have about 20 people working for us right now, but we also work with a lot of independent contractors that are basically doing the auditing of phone conversations and also some mystery shopping. They are trained for that particular purpose.

Paul: Okay, mystery shopping? That’s interesting. But we have another topic that I’m keen to know more about, which is the Schrems II result. What was the outcome of that? I take it it had something to do with the US Privacy Shield.

Jitty: Yes, true. I think Schrems II is a topic that basically has a profound impact on all European organizations. Schrems II is the outcome of a very long court case, and now it has a final decision from the European Court of Justice. It basically says all data transfers to the US under the Privacy Shield – which I will explain in a bit – are illegitimate.

The Privacy Shield was a privacy regulation, a set of mutual agreements between the European Commission and the American Chamber of Commerce. Agreements about data protection allowing American companies – those that would stick to those agreements – to also process data of European citizens. It is because under the Privacy Shield the agreement could ensure an adequate level of data protection compared to what you’d have under the GDPR (General Data Protection Regulation).

Paul: Okay.

Jitty: So that was found illegitimate by the European Court of Justice, so basically all organizations using US-based suppliers such as Google, Facebook, Salesforce, MailChimp – whatever you can think of – might be in trouble.

Paul: I see. In what case then? How would they be in trouble? What can companies expect or not expect now?

Jitty: I’m not sure. We are in a situation where the reality does not reflect the legal reality one bit. Because many organizations are using American suppliers, and with the ruling of the European Court of Justice most of that has now become illegitimate. So those are basically using suppliers without having any legal basis. Of course, there are still ways to process the data in a legitimate way, but the outcome is very profound because – as mentioned before – the ruling says that you cannot use American suppliers under the Privacy Shield.

There are some alternatives. The European Commission has some standard contractual clauses, so for example if you use Google, Facebook or MailChimp you can enter into one of these standard contractual clauses with them, in which they contractually promise to ensure an adequate level of data protection.

But the EU court also says that you need to check if these standard contractual clauses can be upheld against the company in question, and this presents a whole new problem. Because if you look at the ruling, the basic problem is that American surveillance – even under the Privacy Shield – still had too much access to European citizens’ data, while European citizens didn’t have enough means to take the case to court if they felt that their privacy was infringed. So even if you have this contract in place, the question still remains: whether or not the company who has the contract can protect you against American surveillance?

Paul: What happens now, as a lot of companies are in a dilemma with US companies?

Jitty: Yes, many of them have made major investments and are using Google Docs or Microsoft Office. Probably the European Commission will look into this and will be updating the standard contractual clauses and will be looking at whether we can make a Privacy Shield again – but it will probably remain very much insecure. So what we advise our customers is to take a look at the US-based suppliers that you use and check if they have a standard contractual clause in place. If they don’t, then make sure you receive one, and also use some common sense. And perhaps reconsider the storage of sensitive data within the US, such as patient and personal information, medical history, sexuality, and maybe think about moving it to a European-based company.

Paul: Which industries do you see as the most affected? I can think of a few that I’m working with, such as pharmaceutical companies with clinical trials, and whether they should collaborate and share data across the Atlantic.

Jitty: I think the impact there is the highest. The GDPR requires you to provide an adequate level of data protection, but if you process special categories – the ones you described – you need to provide the utmost level of data protection. Also, with this ruling you should be wondering whether or not storing your data with a US-based provider fits the requirements. So that’s definitely an issue.

Also, Max Schrems, who is a privacy activist and who initiated this court case, has issued complaints to – I think – about 100 European-based companies about their use of Google and Facebook. You can already feel where this is going, right? So these complaints have to be responded to. Also, the GDPR offers many possibilities for collective redress for consumers to issue a complaint, and it can become a court case with remedies. So it is very exciting to see what’s going to happen.

Paul: For some people it can be exciting, but for some people it can be very daunting at the moment, certainly for US companies.

Do you see something personally that could resolve this? Or is it so big an issue that each sector has to look at it separately so they might be able to manage?

Jitty: For me, I actually wonder if a new Privacy Shield or updated clauses can actually tackle the problem. It will probably lead to a situation where we will be allowed again to process data for a couple of years, but when you truly investigate what the US government can do – even with these contracts in place – you’d have to come to the conclusion that it is more than what the European government can do about it. Either that should be fundamentally changed, or you should look for alternatives: perhaps you can still store your data in the US but in an encrypted format, or, as some providers do, consider moving your data to European servers. So if you move your data to Europe and it’s encrypted, it can be a good alternative rather than waiting for a new court ruling and being in the same situation four years later.

Paul: When you touch upon data sovereignty and data residency options – where do they come into play? Does it soothe the problem, even if it’s with an American company, promising that the data is not leaving the GDPR-protected region? Is this potentially a solution?

Jitty: I think this is the best way to find solutions. I don’t think US surveillance will change its method of working, hence the companies themselves have to look for solutions and smarter ways of processing data and storing data. In a couple of years, having an American-based supplier could be a potential risk if these issues aren’t tackled anytime soon.

Paul: That being said, we are all being affected to some extent by COVID-19, and personally my son has been studying online with Google Classroom, for example – which is again a US provider – and it seems likely that in the future a lot more people will work and study remotely, and that presents an additional challenge as well. Is that your feeling as well?

Jitty: Yes, definitely. So the infrastructure that organizations provide has been essential, also in the times of COVID. I’ve been having so many Teams meetings myself, and on one hand you have the efficiency it brings, but on the other hand you have a threat to privacy, and I think that’s a problem for all kinds of organizations. My mother-in-law is a doctor, and they needed to talk to other doctors and peers, and they looked for a long time to find a video conference tool that is actually safe. There are a lot of questions about reliable and secure infrastructure solutions, I think.

Paul: I just wanted to step back and understand the US Privacy Shield. What does it mean in simple terms? Does it affect a small Dutch company, or is it more relevant to Microsoft-sized companies? Where is the potential impact, is it SMEs or large customers?

Jitty: I think it is for both SMEs and big companies, but most likely it will first impact the large ones. However, if you look at the data economy we live in, you can have an SME with 20 employees and still have a lot of data they process. Probably if you are an SME you don’t have the money to develop your own tools, hence you are more inclined to use existing ones such as Google or Microsoft. The ruling does not make any difference between large and small companies. If the ruling says it’s illegitimate, it is relevant for both SMEs and large companies, so I believe it has an effect on all of them. It’s more important what category of data you process. If you process very sensitive categories of data, I’d seriously start considering moving all of it to a European supplier; if it’s regular customer data and with the right precautions, you can still use the US provider.

But the impact is quite profound, because basically European law says “you cannot process personal data outside of the EU if there’s no adequate level of protection”, and with the invalidation of the Privacy Shield the US does not provide a valid level of data protection anymore.

Paul: When we take the US Privacy Shield – where does it come from?

Jitty: It was a practical solution to a problem. It used to be called Safe Harbor. The EU says that you cannot process data outside of its countries because those don’t have an adequate level of data protection. However, there are some measures which can be taken to ensure an adequate level. Those are standard contractual clauses, regulatory schemes that companies promise to keep, but also you need a mechanism for customers to issue a claim if they think that the companies are not obeying these rules – and all of this had to be in writing. So Safe Harbor and later the Privacy Shield were a set of rules designed for American companies which they would abide by, and because they lived by these rules they were thought to have an equal level of privacy protection as offered to European citizens under the GDPR.

But now these rules have been found invalid, so the entire scheme of these regulations is not possible, so you have to look at individual regulations again.

Paul: You mentioned earlier the word “surveillance”. Are they collecting more information than they need?

Jitty: Yes, that is a major issue. The companies, even with the Privacy Shield in action, cannot really protect the data from surveillance by the American government. There are some extra steps in the Privacy Shield regarding US surveillance, but it’s not as strict as in Europe. It is basically too broad, and as a European citizen investigated under the Privacy Shield one can feel that you don’t have a mechanism to issue complaints and see justice done.

Paul: There is one other question that is a bit closer to my heart – what do you think of Brexit? How will that impact privacy – are we going to see something similar? I see customers talking about data residency options and whether they can move their data to UK servers.

Jitty: Of course, as the UK will not be a part of the EU, it will not have the same level of data privacy as the GDPR offers for European countries. However, it is possible that even as a country outside of the EU you still adapt to the GDPR, just as the Scandinavians have done. They might not have the GDPR, but they do have privacy legislation with which they can ensure an adequate level of data protection. It is already the case for Argentina, and I think a similar scenario will be worked out for the UK as well.

Paul: Those companies that are based in London or the UK and have tentacles of operations in the EU could add a lot of complexity to this Privacy Shield.

Jitty: You are right. Especially after the introduction of the GDPR it had a profound impact, because it requires a lot of administration, so you have to be able to show GDPR compliance with auditing, a paper trail and the compliance steps you’ve taken. If there’s a Brexit, it definitely means that you need to do more research, more contracting, more auditing to make sure that the suppliers and partners are also compliant with the rules of the GDPR.

Paul: I follow Australia closely, as there is a law that requires providers to share information with law enforcement agencies. I wanted to get your thoughts about how that would play out in the future.

Jitty: We already see that most businesses that we work with want to comply with the GDPR, but if you look at the complexity and landscape of IT contracting and the IT infrastructure, you kind of can’t do it without a specialist anymore. You need someone who knows privacy, because it gets so complicated.

Paul: It has been fascinating to have you on the show Jitty, thank you!