Schrems II: What businesses need to know to comply

If you’re a business operating in the EU or dealing with EU customers, you’ve probably heard about Schrems II. It’s a landmark ruling that has significant implications for data protection and privacy, and it’s important for businesses to understand what it means for them.

In this blog post, we’ll cover everything you need to know about Schrems II, including the ruling itself, impact on businesses in the EU, and the rest of the world, and how Infobip can help in complying with the EU data transfer requirements imposed by the judgment.

Schrems II is a ruling by the European Court of Justice (ECJ) that invalidates the EU-US Privacy Shield framework, which was used by thousands of businesses to transfer personal data from the EU to the US. The ruling was made in July 2020 and followed a legal challenge by Austrian privacy activist Max Schrems.

The ruling also placed strict new requirements on the use of Standard Contractual Clauses (SCCs), which are another way that businesses can transfer personal data from the EU to countries outside the EU. SCCs are legal agreements that set out the terms for the transfer of data and are used by businesses of all sizes.

The ECJ found that the Privacy Shield did not provide adequate protection for EU citizens’ personal data when it was transferred to the US. This was due to US surveillance laws, that allowed authorities to access the personal data of non-US citizens without adequate safeguards.

The ECJ also ruled that businesses using SCCs must carry out a case-by-case assessment of the laws and practices in the destination country to ensure that EU citizens’ personal data is adequately protected. This means that businesses must ensure that the recipient country has appropriate safeguards in place to protect personal data.

In recent years we have seen a rise in remote working and businesses adopting cloud communication technologies for workforce management and to deliver superior customer experiences.

Think of it: public cloud platforms, such as Microsoft Azure and Amazon Web Services, have become almost indispensable to businesses. This trend is set to continue, with worldwide end-user spending on public cloud set to grow 20.7% to total $591.8 billion in 2023, up from $490.3 billion in 2022, according to Gartner.

And to add to that the global cloud communication platform market size was valued at $3.15 billion in 2022 and is expected to expand at a CAGR of 14.18%, reaching $6.98 billion by 2028 (Source: MarketWatch).

However, in the context of Schrems II, this has added another layer of complexity to the equation. For example, if an EU business was looking to store customer data on servers based in a non-EU country, any data transfer to these servers would have to undergo an individual risk assessment to ensure it is compliant with appropriate requirements published by European Data Protection Board (EDPB), a body that includes representatives from data protection authorities of all EU member states.

With security and data protection already being a key priority when using public cloud platforms, the additional complexities emanating from Schrems II offer a tough challenge for Chief Technology Officers (CTOs) to handle and businesses to manage.

The impact of Schrems II on businesses in the EU is significant. Many businesses relied on the Privacy Shield framework to transfer personal data from the EU to the US, and its invalidation has left them without a clear way to do so.

Businesses using SCCs now face increased scrutiny and must ensure that the recipient country provides adequate protection for personal data. This can be a complex and time-consuming process, and many businesses may need to review their data protection processes and procedures to ensure compliance. And this includes their communication technology to interact with customers.

The ruling has also highlighted the importance of data protection and privacy for businesses operating in the EU. Customers are increasingly concerned about the security of their personal data, and businesses that fail to take appropriate measures to protect it risk damaging their reputation and losing customers.

The Schrems II requirement is that any business that transfers personal data from the EU to countries outside the EU, must comply with the new requirements set out by the ECJ.

This means that businesses must ensure that they have appropriate safeguards in place to protect personal data. and that they comply with the law in the destination EU country. This can be a complex and time-consuming process, and businesses may need to review their data protection processes and procedures to ensure compliance.

However, Schrems II also presents an opportunity for businesses to differentiate themselves by demonstrating their commitment to data protection and privacy. By investing in robust data protection measures and demonstrating compliance with the new requirements, businesses can build trust with customers and gain a competitive advantage.

Schrems II has significant implications for customer experience. Customers are increasingly concerned about the security of their personal data, and businesses that can demonstrate their commitment to data protection and privacy are likely to build trust and loyalty with customers.

The ruling requires businesses to carry out a case-by-case assessment of the laws and practices in the destination country before transferring personal data from the EU to countries outside the EU.

Customers are more likely to trust businesses that are transparent about their data protection practices and can demonstrate compliance with the latest regulations and standards. By investing in robust data protection measures and demonstrating compliance with the new requirements, businesses can improve customer experience and build long-term relationships with customers.

Businesses should keep several things in mind about Schrems II:

Schrems II presents several opportunities for businesses.

However, to do all this and gain a competitive edge it’s imperative that your cloud communication platform is linked to a regionally locked data center, that safeguards any personal information.

One of the main implications of the Schrems II ruling is that businesses must carry out a case-by-case assessment of the laws and practices in the destination country before transferring personal data from the EU to countries outside the EU. This means that businesses must ensure that the personal data they are transferring is adequately protected, and that the destination country provides an adequate level of data protection.

One of the great ways that businesses can ensure compliance with the Schrems II ruling is by storing and accessing personal data only from the EU and adequate countries. By storing and accessing personal data in or from the EU, and adequate countries businesses can ensure that the data is subject to EU data protection laws and regulations, and that the data is adequately protected.

Storing personal data in a local EU data center also has other benefits. For example, it can increase trust and credibility, along with a better understanding of the personal data that’s being collected and how it’s managed.

In addition, storing personal data in an EU region-locked data center can also improve customer experience. By storing personal data in an EU region-locked data center, businesses can communicate their commitment to data protection and privacy to customers and improve customer experience.

At Infobip, we’re committed to helping businesses stay compliant with the latest regulations and standards, including Schrems II. One of the ways we’re helping businesses stay compliant is by offering an EU region-locked data center.

Our EU region-locked data center provides businesses with a secure and reliable data storage solution that is compliant with the latest regulations and standards. By storing personal data in this EU region-locked data center, businesses can ensure that the data is subject to EU data protection laws and regulations, and that the data is adequately protected.

Thereby making our EU region-locked data center an important solution for businesses looking to stay compliant with the latest regulations surrounding Schrems II.