Schrems II Explained: How the Legal Decision Affects IoT

Where does your data live? It is a simple question with an incredibly complex answer. In fact, that answer is increasingly being tested by new privacy laws on both sides of the Atlantic, forcing device makers and software developers to ask what data, if any, they can use in their products.

Last year, the Court of Justice of the European Union (CJEU) issued its verdict in a case known as ‘Schrems II’, invalidating one key mechanism for transferring personal data from the European Union to the United States and attaching conditions to another. International data transfers are necessary to promote innovation, strengthen business relationships, and expand consumer access to digital products and services.

This ruling directly affected every company that engages in this type of data transfer, from tech giants such as Facebook down to SMEs. But the decision also had consequences for trade and for the development of technology industries such as cloud computing, artificial intelligence and IoT. Let’s consider how companies and technology creators can address this new era of data rights.

What is Schrems II?

Schrems II is a legal case named after the activist, lawyer and author Maximilian Schrems. After learning that Facebook was transferring the personal data of its European users to its US headquarters, Schrems argued that the data was exposed to US intelligence agencies and that the transfers therefore violated EU data protection law, which only allows personal data to leave the EU when the destination offers an essentially equivalent level of protection.

In 2013, Schrems filed a complaint with the Irish Data Protection Commissioner against Facebook’s transfers (initially targeting the Safe Harbor framework, and after the first Schrems judgment, the Standard Contractual Clauses (SCCs) used for transfers from EU countries to countries outside the EU). Although the Commissioner rejected the complaint at the time, the case, subsequently labelled Schrems II, eventually escalated to the European Union’s judiciary, the CJEU, seven years later.

In July 2020, the CJEU issued its final verdict, declaring the EU-US Privacy Shield invalid as a mechanism for complying with EU data protection requirements. The court upheld the validity of the SCCs themselves, but ruled that exporters relying on them must verify, case by case, whether the law of the destination country provides an essentially equivalent level of data protection, and must adopt supplementary measures where it does not.

This led the EU to issue modernised SCCs in 2021 to ensure more secure exchanges of personal data.

What does this mean for cross-border data transfers?

The Schrems II decision didn’t just affect Facebook. It has also caused problems for any technology company whose services involve sending data internationally.

Following the ruling, companies transferring data from the EU to the US should consider:

Know your data: It may sound simple, but the most important action companies can take after the verdict is to gather as much information as possible about their data transfers. Know what kind of data is being processed and where it is going. For EU companies, the alarms should start to sound as soon as the data leaves EU territory.

Reasons for the transfer: A seemingly simple task, but companies moving data internationally must also be able to say why the data is being transferred in the first place.

Data protection: Another element to consider is exactly what measures your IoT company has in place to adequately protect personal data. As the EU suggests, technical measures to protect data include appropriate controls against network attacks, loss of data, and alteration of or unauthorised access to data. Organisational measures, on the other hand, include restricting access to personal data to authorised persons only.

Third countries: Finally, it is important to have a good knowledge of the laws and regulations of the third countries (countries outside the EU) through which the data passes and the level of protection they provide. This also means implementing additional controls when necessary.

Regional and continental rules

Meanwhile, it’s worth mentioning that different regional and continental data rights present further legal hurdles. While the EU receives blanket protection from its GDPR, the US is a patchwork of state laws. The most prominent state privacy law to date is the California Consumer Privacy Act, which gives individuals the right to opt out of the sale of their personal information to third parties.

Therefore, US cloud companies must consider the data rights of both European customers and Californians. Interestingly, the same consideration still doesn’t apply to Texans or Floridians. As with many decisions in the US, state legislatures decide data rights. This patchwork means that companies must stay current as other states pass data privacy mandates. For example, New York, Maryland, and Hawaii all have rules of varying scope on the horizon.

This ongoing gap between continent-wide regulation and regional rules requires increased vigilance.

What does this mean for IoT companies?

The good news is that companies can comply with the laws. For example, encryption offers a way to make transfers to the US that still satisfy EU regulations. Strong encryption can be an effective measure for data transfers as long as the keys are reliably managed; in practice that means the keys stay with the exporter in the EU (or with a trusted party outside the reach of the importing country’s authorities), so that the recipient holds only ciphertext it cannot read. If current, well-reviewed protocols are followed, encryption can provide adequate protection against interception and manipulation of the data by a third party. Additionally, split or multi-party processing, which divides the data into parts that are processed independently, can prevent the reconstitution of personal data by any single recipient.
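As an added illustration of split processing (this is example code written for this page, not code from the author or from Nabto), the block below shows an EU-side exporter stripping the direct identifiers from IoT telemetry, replacing them with a keyed pseudonym, and exporting only the pseudonymised part; the third-country processor can aggregate per pseudonym but cannot attribute results to a device or person, and only the EU side, which holds the key and the lookup table, can re-identify the returned results. The telemetry records, the field names and the demo key are constructed for the example; a real deployment would use a properly generated key held in an EU key store.

```python
"""Split processing for cross-border IoT telemetry (added example).

The EU-based exporter strips direct identifiers, replaces them with a keyed
pseudonym, and exports only the pseudonymised telemetry. The key and the
token-to-identity table never leave the exporter, so the importer (and anyone
who can compel the importer) holds data it cannot attribute on its own.
"""
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed sample records, as an EU exporter might hold them before export.
SAMPLE_RECORDS = [
    {"device_id": "cam-0001", "owner_email": "alice@example.eu",
     "ts": 1625000000, "temp_c": 21.5, "door_open": False},
    {"device_id": "cam-0002", "owner_email": "bob@example.eu",
     "ts": 1625000060, "temp_c": 19.0, "door_open": True},
    {"device_id": "cam-0001", "owner_email": "alice@example.eu",
     "ts": 1625000120, "temp_c": 22.5, "door_open": False},
]

# Fields that identify the data subject directly (hypothetical list for this example).
DIRECT_IDENTIFIERS = ("device_id", "owner_email")


class EuKeyHolder:
    """Holds the pseudonymisation key and the re-identification table inside the EU."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._table: dict[str, str] = {}

    def pseudonymize(self, identity: str) -> str:
        # Keyed HMAC rather than a bare hash: without the key, the importer cannot
        # hash a dictionary of likely identifiers and match them against tokens.
        token = hmac.new(self._key, identity.encode(), hashlib.sha256).hexdigest()[:32]
        self._table[token] = identity
        return token

    def reidentify(self, token: str) -> str:
        return self._table[token]


def split_record(record: dict, holder: EuKeyHolder) -> dict:
    """Return the exportable part of a record: telemetry plus a pseudonym, no direct identifiers."""
    identity = "|".join(str(record[f]) for f in DIRECT_IDENTIFIERS)
    export = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    export["subject"] = holder.pseudonymize(identity)
    return export


def contains_direct_identifiers(export: dict) -> bool:
    """Exporter-side check run on every record before it leaves the EU."""
    return any(f in export for f in DIRECT_IDENTIFIERS)


def importer_aggregate(exports: list[dict]) -> dict[str, float]:
    """What the third-country processor can compute: mean temperature per pseudonym."""
    samples: dict[str, list[float]] = defaultdict(list)
    for e in exports:
        samples[e["subject"]].append(e["temp_c"])
    return {tok: sum(v) / len(v) for tok, v in samples.items()}


def unkeyed_guess(identity: str) -> str:
    """What an importer could try without the key: hash a guessed identity directly."""
    return hashlib.sha256(identity.encode()).hexdigest()[:32]


def run_pipeline(key: bytes = b"constructed-demo-key") -> dict[str, float]:
    """Exporter splits and checks, importer aggregates, exporter re-identifies the results."""
    holder = EuKeyHolder(key)
    exports = [split_record(r, holder) for r in SAMPLE_RECORDS]
    assert not any(contains_direct_identifiers(e) for e in exports)
    wire = json.dumps(exports)  # what actually crosses the border
    results = importer_aggregate(json.loads(wire))
    return {holder.reidentify(tok): mean for tok, mean in results.items()}


if __name__ == "__main__":
    print(run_pipeline())
```

The design point is where the secret lives: the HMAC key and the token table exist only on the exporter, so a request served in the third country yields pseudonyms and aggregates, not people. A plain SHA-256 of a device ID or e-mail address would not give that protection, because an importer could hash candidate identifiers and match them; the `unkeyed_guess` helper is there to show that such a guess does not reproduce the keyed token.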

Another way to comply with data rules is to stay away from the cloud whenever possible. In IoT, for example, device providers can choose a connection model that gives direct communication between the end user and the device. This type of connection bypasses the cloud, keeping the communication private and avoiding the risk that comes with storing personal data on a third-party server. Note that any rendezvous or relay service used to set up such a connection still sees connection metadata, so it needs to be included in the transfer assessment too.

Of course, the best practice is to stick to the rules. The new SCCs clarify what is and what is not acceptable. But at the same time, the revised clauses continue to place the responsibility on individual companies to comply with the GDPR.

Right now, the responsibility lies with the companies

Businesses looking to rely on SCCs must identify the cross-border transfers under their responsibility. This includes conducting a detailed analysis of how closely the recipient country’s data protection regime matches the GDPR. Also, if any of the countries are part of the Five Eyes alliance, an in-depth analysis will be required. The alliance countries are Australia, Canada, New Zealand, the United Kingdom, and the United States.

Regardless of the method, companies on both sides of the Atlantic need to think deeply about the way they handle data. The various jurisdictions and laws create a delicate situation for today’s technology companies. Going forward, my advice is to encrypt all data and follow the letter of the law as closely as possible. It is no small task, but it is necessary to stay out of the courtroom.

Final thoughts

In addition to the verdict, the impact of the pandemic has made data security and cybersecurity top concerns. Keeping your IoT solutions compliant comes down to prioritising security and privacy from the start.

However, as the Information Technology and Innovation Foundation (ITIF) points out, this challenge should not be shouldered by the private sector alone. Governments must also reconcile their surveillance regimes by cooperating and working to implement new data transfer mechanisms.

Carsten Rhod Gregersen

Carsten Rhod Gregersen is the CEO and founder of Nabto, a peer-to-peer (P2P) platform for IoT devices. Carsten has nearly two decades of experience leading software and innovation companies with the goal of creating technology that continually improves and makes the world a better place, one line of code at a time.
