How Osano Keeps You GDPR Compliant in Light of the Schrems II Decision

  • by Noah Ramirez, JD / CIPP
  • last updated August 28, 2020
If you've been following the news, you're probably aware that the European Union Court of Justice (CJEU) invalidated the EU-US Privacy Shield in its decision in Facebook Ireland v. Schrems (Schrems II). Essentially, the court ruled that the Privacy Shield isn't a sufficient mechanism to transmit personal information into and out of the European Union.

The court decision's impact is far-reaching, even if you don't reside in the European Union or do business in the European Economic Area (EEA). It applies to any organization that collects personal information from EU residents. Thus it will dramatically change the way we transfer data between Europe and the United States. Does your business have a website? Chances are Europeans visit it, so this applies to you as well.

We've received numerous questions from customers about whether the decision impacts them and to what degree. Many businesses are nervous about this decision. We get it. We wouldn't want EU regulators knocking on our door either. If you use Osano, you have no reason to be concerned about the Schrems II decision. No EU resident's personal data ever leaves the EU.

Quick Primer on the Privacy Shield

Before we dive into how Osano keeps you compliant with the GDPR, let's explain what the Privacy Shield is and why it was necessary.

The General Data Protection Regulation (GDPR) sets standards for collecting, processing, and transferring personal data in the European Union. But since jurisdictions like the United States (and others) don't have similar data privacy laws, a mechanism is needed to control data transferred into or out of the EU. The EU wants to ensure its residents' data isn't simply moved outside its borders and abused elsewhere.

Privacy Shield is a framework for transferring data between the United States and the European Economic Area. Organizations could provide "adequate" protection of personal data as required by the GDPR by abiding by Privacy Shield's seven principles and self-certifying with the Department of Commerce. 

Both the United States and the EU originally approved Privacy Shield so that personal information could be transmitted across the Atlantic without violating the GDPR. Privacy Shield isn't mentioned in the GDPR, but it was one way to meet the GDPR's requirements. Check out our full writeup for more information.

What the Privacy Shield Means for You

The European Union Court of Justice's decision invalidates the EU-US Privacy Shield. If you or any of your vendors rely on the Privacy Shield mechanism to transfer personal information to or from the EU, you must stop or find a different GDPR-approved mechanism.

Standard Contractual Clauses (SCCs), however, are still valid in most countries, so you'll want to check whether you have SCCs in place with your vendors. If you're transferring data within a corporate family, you can still use GDPR-approved binding corporate rules (BCRs), although certain EU countries have voiced opposition to reliance on BCRs as well. Of course, you can also collect explicit consent from data subjects for each transfer, or rely on transfers scheduled by a contract.

How Osano Keeps You Compliant

As an Osano customer, you probably want to know what this all means for you in the context of our platform. If you use Osano, are you still compliant with the GDPR even though Privacy Shield is no longer a valid mechanism to transfer data?

In short, yes. The invalidation of Privacy Shield does not affect data that is collected, processed, or transferred with Osano. Even though Osano is Privacy Shield certified, and we fully expect that the EU and US authorities will eventually reach a new agreement, our data privacy platform remains compliant with the GDPR regardless.

Osano uses a regionalization system to avoid transferring personal data in ways that could cause you to become non-compliant with the GDPR. For example, if a user in Germany requests any file or accesses any API from our servers, we deliver it to that person from a German server. The data remains localized to that region. No transfer means no cross-border transfer compliance issues.

All of the non-regional systems that touch personal data are located in the European Union, in Ireland to be specific. That personal data never leaves the EU, even if it represents a user in the USA, China, Germany, or anywhere else. This Irish datacenter has specific systems and processes to comply with the GDPR. Again, no transfer means no cross-border transfer compliance issues.

Osano is private by design, so rather than work around data transfer mechanisms (like Privacy Shield and whatever follows it), it's simpler and safer to isolate personal information in the EU so that not even an IP address ever crosses from the EEA into another region. We simply avoid transferring the data in the first place.

Osano is Always Compliant

As a privacy company, we know security and compliance are paramount, which is why our platform is kept compliant with new regulations and changes to the data privacy landscape. We will ensure that your data transfers are secure and lawful. We have thousands of EU users who rely on our processes and practices to stay compliant every day.

If you have any questions about the Privacy Shield decision and how it affects your compliance with EU law, our support team is here to help. If you haven't opened your Osano account yet, you can get started today.

About The Author · Noah Ramirez, JD / CIPP

Noah is an Osano staff attorney focusing on data privacy best practices, legislative monitoring, and policy monitoring. When he's not writing about or researching data privacy, Noah enjoys rock climbing and yoga.