How Osano keeps you GDPR-compliant in light of the Schrems II decision

  • by Noah Ramirez, JD / CIPP
  • last updated December 9, 2020
  • 3 min read
How Osano keeps you GDPR-compliant in light of the Schrems II decision

If you've been following the news, you're probably aware that the European Union Court of Justice invalidated the EU-US Privacy Shield in its decision in Facebook Ireland v. Schrems (Schrems II). Essentially, the court ruled that the Privacy Shield isn't a sufficient mechanism to transmit personal information into and out of the European Union.

The court decision's impact is far-reaching, even if you don't reside in the European Economic Area. It applies to any organization that collects personal information from EU residents. Thus it had the potential to dramatically change the way we transfer data between Europe and the United States. Does your business have a website? Chances are Europeans visit it, so this applies to you as well.

We've received numerous questions about impact and to what degree. Many businesses are nervous about this decision. We get it. We wouldn’t want EU regulators knocking on our door, either. If you use Osano, you have no reason to be concerned about the Schrems II decision. No EU resident’s personal data ever leaves the EU.

Quick primer on the Privacy Shield

Before we dive into how Osano keeps you compliant with the General Data Protection Regulation, let's explain the Privacy Shield and why it was necessary. 

The GDPR sets standards for collecting, processing and transferring data in the European Union. But since regions like the United States (and others) don't have similar data privacy laws, and many cross-border data transfer mechanisms can be expensive and timely, there had to be a mechanism to control data transferred in or out of the EU. The EU wanted to ensure its residents' data wasn't merely moved outside its borders and abused elsewhere. 

Curious about privacy? Find out how Osano automates compliance & saves you time! Learn more

Privacy Shield is a framework for transferring data between the United States and the European Economic Area. Before its invalidation, organizations could provide "adequate" protection of personal data as required by the GDPR by abiding by Privacy Shield's seven principles and self-certifying with the U.S. Department of Commerce. 

What the Privacy Shield means for you

The European Union Court of Justice's decision invalidated the EU-US Privacy Shield. If you or any of your vendors were relying on the Privacy Shield mechanism to transfer personal information to or from the EU, you must stop those operations, or find a different GDPR-approved mechanism.

Standard Contractual Clauses (SCCs), however, are still valid in most countries, so you'll want to check if you have SCCs in place with your vendors. If you're transferring data within a corporate family, you can still use GDPR-approved binding corporate rules (BCRs), although certain EU countries have voiced opposition to the reliance on BCRs as well. Of course, you can also collect explicit consent from data subjects for each transfer or transfer scheduled by a contract. 

How Osano keeps you compliant

As an Osano customer, you probably want to know what this all means for you in the context of our platform. If you use Osano, are you still compliant with the GDPR even though Privacy Shield is no longer a valid mechanism to transfer data?

In short, yes. The invalidation of Privacy Shield does not affect data that is collected, processed, or transferred using Osano. Even though Osano is Privacy Shield certified and we fully expect that the EU and U.S. authorities will eventually reach a new agreement, our data privacy platform remains compliant with the GDPR regardless.

Try Osano Free!

Osano uses a regionalization system to avoid transferring personal data in ways that could cause you to become non-compliant with the GDPR. For example, if a user in Germany requests any file or accesses any API from our servers, we deliver it via a German server to that person. The data remains localized to that region. No transfer means no cross-border transfer compliance issues. 

All of the non-regional systems that touch personal data are located in the European Union: Ireland, to be specific. That personal data never leaves the EU, even if it represents a user in the U.S., China, Germany or anywhere else. This Irish data center has specific systems and processes to comply with the GDPR. Again, no transfer means no cross-border transfer compliance issues. 

Osano is private by design, so rather than work around data transfer mechanisms (like Privacy Shield and whatever follows it), it's simpler and safer to isolate personal information in the EU so that not even an IP address ever crosses from the EEA into another region. We simply avoid transferring the data in the first place. 

As a privacy company, we know security and compliance are paramount. We have thousands of EU users who use our process and practices to stay compliant every day, and that's why we ensure our own compliance with emerging data privacy laws. 

If you have any questions about the Privacy Shield decision and how it affects your compliance with EU law, our support team is here to help. 

Noah Ramirez, JD / CIPP

About The Author · Noah Ramirez, JD / CIPP

Noah is an Osano staff attorney focusing on data privacy best practices, legislative monitoring, and policy monitoring. When he's not writing about or researching data privacy Noah enjoys rock climbing and yoga.