
Schrems II Explained: How The Legal Decision Affects IoT


Do you know where your data resides? It seems like a straightforward question, but the answer is far from simple. This question is putting new privacy laws to the test, both in Europe and the United States, and making device manufacturers and software developers reconsider what data they can include in their products.

Last year, the European Union’s Court of Justice (CJEU) made a significant ruling in a case known as ‘Schrems II,’ which restricted crucial mechanisms for transferring personal data from the EU to the US. Data transfers are crucial for driving innovation, enhancing trade relationships, and broadening consumer access to digital products and services.

This decision directly impacted companies involved in such data transfers, including tech giants like Facebook and other small and medium enterprises. However, it also had ripple effects on the trade and advancement of tech sectors such as cloud computing, artificial intelligence, and the Internet of Things (IoT). Let’s explore how companies and tech innovators can navigate this new era of data rights.

What is Schrems II?

Schrems II, named after activist Maximilian Schrems, is a legal case that began when Schrems discovered that Facebook was transferring personal data from Europe to its US headquarters. Schrems voiced concerns that this data could be accessed by US intelligence agencies, potentially violating the EU’s General Data Protection Regulation (GDPR), which prohibits such data transfers to the US.

In 2013, Schrems challenged the validity of the European Commission’s Standard Contractual Clauses (SCCs) for EU-US data transfers; the challenge was initially rejected. The case eventually reached the CJEU seven years later, culminating in a final verdict in July 2020. The CJEU declared the EU-US Privacy Shield invalid as a basis for complying with EU data protection law, while upholding the validity of SCCs, subject to case-by-case scrutiny to ensure adequate data protection in the recipient country.

Subsequently, the EU introduced updated SCCs to ensure more secure transfers of personal data.

What Does This Mean for Cross-Border Data Transfers?

The Schrems II decision not only impacted Facebook but also presented challenges for other tech companies engaged in international data transmissions.

Following the ruling, companies transferring data from the EU to the US need to consider:

Data in General: Companies should understand the types of data being processed and where it is being sent. EU companies should be cautious when data leaves EU territory.

Reasons for Data Transfer: Companies must be aware of the grounds for transferring data internationally.

Data Protection: IoT companies need robust measures in place to protect personal data as recommended by the EU, encompassing technical and organizational security protocols.

Third Countries: Understanding and adhering to the laws and regulations of countries data passes through is crucial, along with implementing additional controls where necessary.

Regional and Continental Rules

Diverse regional and continental data regulations pose legal challenges. While the EU benefits from the comprehensive GDPR, the US has varying state laws, such as the California Consumer Privacy Act. This mismatch requires US cloud companies to cater to the data rights of both European and Californian customers, underscoring the need for companies to stay up to date as more states enact privacy laws.

This disparity between continental and regional regulations demands vigilant attention.

What Does This Mean for IoT Companies?

Fortunately, companies can comply with laws by utilizing encryption to facilitate US transfers under EU regulations. Encryption, if managed securely, can guard against data interception and manipulation by outside parties. Additionally, IoT device vendors can optimize connectivity to enable direct communication between users and devices, bypassing cloud storage and its associated risks of data exposure.
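As an added illustration of the point above (example code written for this article, not from any vendor or project it mentions), the following Go program shows what "encryption, if managed securely" looks like in practice for an IoT telemetry record: the record is sealed with AES-256-GCM under a key that never leaves the EU data controller, so the ciphertext that crosses the border is unreadable to whoever stores it, and because GCM is an authenticated mode, any manipulation of the stored blob or of its associated metadata is detected on decryption rather than silently accepted. The device identifier, the sample record and the key-derivation by random generation are constructed for the example; a real deployment would provision the key through the controller's own key management.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newControllerKey produces a 256-bit AES key. In the scenario discussed in the
// article, this key is generated and held by the EU data controller only.
func newControllerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealTelemetry encrypts one telemetry record with AES-256-GCM.
// The associated data (device id, region, ...) is authenticated but not
// encrypted, so it stays readable for routing yet cannot be swapped.
// Output layout: nonce || ciphertext || GCM tag.
func sealTelemetry(key, plaintext, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, associated), nil
}

// openTelemetry decrypts and verifies a blob produced by sealTelemetry.
// Any change to the nonce, ciphertext, tag or associated data yields an error.
func openTelemetry(key, blob, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, associated)
}

// tamperDetected simulates a stored blob being modified in transit or at rest
// (one bit flipped in the ciphertext body) and reports whether decryption
// rejects it, which is the "manipulation by outside parties" case.
func tamperDetected(key, blob, associated []byte) bool {
	modified := append([]byte(nil), blob...)
	modified[len(modified)/2] ^= 0x01
	_, err := openTelemetry(key, modified, associated)
	return err != nil
}

func main() {
	key, err := newControllerKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: associated metadata and a sensor reading.
	aad := []byte("device-id:sensor-0042;region:eu-west")
	record := []byte(`{"temp_c":21.5,"ts":"2021-06-01T10:00:00Z"}`)

	blob, err := sealTelemetry(key, record, aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes) is ciphertext only\n", len(blob))

	pt, err := openTelemetry(key, blob, aad)
	fmt.Printf("controller decrypts: %s (err=%v)\n", pt, err)
	fmt.Printf("tampered blob rejected: %v\n", tamperDetected(key, blob, aad))
	_, err = openTelemetry(key, blob, []byte("device-id:sensor-9999;region:us-east"))
	fmt.Printf("swapped metadata rejected: %v\n", err != nil)
}
```

The design choice worth noting is that the receiving side is given nothing but the blob and the key-less metadata; decryption, and therefore access to personal data, can only happen where the controller chooses to hold the key, which is the property the SCC assessment asks a company to demonstrate.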

Adhering to the revised SCCs is crucial for IoT companies seeking to meet GDPR requirements, and the responsibility for meeting those requirements rests with each individual company.

Right Now, The Onus Is On Companies

Companies pursuing SCCs should assess cross-border transfers’ compliance with GDPR standards and analyze recipient countries’ data protection levels, especially those in the Five Eyes Alliance: Australia, Canada, New Zealand, the UK, and the US. Companies on both sides of the Atlantic must carefully manage data practices amid varying regulations and jurisdictions.

Closing Thoughts

Amid the pandemic’s influence on data security, prioritizing security and privacy remains essential for IoT compliance. Collaboration between international governments is also imperative to align data surveillance practices and develop new data transfer mechanisms to address evolving challenges in the tech industry.
