{"id":103097,"date":"2020-11-02T16:00:27","date_gmt":"2020-11-02T13:00:27","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/what-does-schrems-2-mean-for-cloud-computing-cloudsavvy-it\/"},"modified":"2020-11-02T16:00:27","modified_gmt":"2020-11-02T13:00:27","slug":"what-does-schrems-2-mean-for-cloud-computing-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/what-does-schrems-2-mean-for-cloud-computing-cloudsavvy-it\/","title":{"rendered":"What Does Schrems 2 Mean For Cloud Computing? \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;What Does Schrems 2 Mean For Cloud Computing? 
\u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7744\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/0773c7797451e0b14e0f6aca07a1b9af\/p\/uploads\/2020\/10\/72808892.png\" alt=\"\" width=\"700\" height=\"300\" \/><\/p>\n<p>The reach of the GDPR doesn\u2019t stop at the borders of Europe. Using non-European cloud platforms and Software-as-a-Service from within Europe just got a lot more complicated.<\/p>\n<h2 id=\"data-protection-and-cybersecurity\"><span class=\"ez-toc-section\" id=\"Data_Protection_and_Cybersecurity\"><\/span>Data Protection and Cybersecurity<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Data protection and cybersecurity are different, but related, topics. Cybersecurity is the collection of technologies, controls, and behaviors that together form an organization\u2019s response to the risk of cyberthreats. Cybersecurity means keeping the bad guys out and the data in.<\/p>\n<p>Data protection is the suite of governance and controls\u2014mainly, policies and procedures\u2014designed to <em>safeguard<\/em> personal data and ensure it is <em>used<\/em> within the letter of the law.<\/p>\n<p>Some of the safeguarding requirement is satisfied by your cybersecurity measures, and that\u2019s the point where data protection and cybersecurity intersect. Safeguarding also means making sure your staff don\u2019t leak data through simple mistakes like sending a spreadsheet to the wrong recipient. And that\u2019s where your data governance policies and procedures come into play.<\/p>\n<p>How those documents are structured and which measures they must enforce is driven by the laws and regulations that you must adhere to. 
That is established by local legislation, which in turn is a function of geography and politics.<\/p>\n<p>Businesses that employ cloud computing can be based thousands of miles away from their line-of-business applications, data, and servers. A company based in Europe, for example, might make use of a service physically sited in a data center in the United States.<\/p>\n<p>Transferring personal data to non-European countries is complicated. And it just got more complicated.<\/p>\n<h2 id=\"gdpr\"><span class=\"ez-toc-section\" id=\"GDPR\"><\/span>GDPR<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:32016R0679&amp;qid=1600605964569&amp;from=EN\">General Data Protection Regulation 2016<\/a>\u00a0became enforceable on May 25, 2018.<\/p>\n<p>What the GDPR is concerned with is the processing of personal data, a term that is wider than the American notion of personally identifiable information (PII). <em>Processing<\/em>\u00a0means performing any action on or with personal data, and the GDPR\u2019s definition explicitly includes collecting, storing, and transmitting it. Running a complicated SQL query to extract records matching a certain demographic, or sending a single email to a single recipient, are both examples of processing.<\/p>\n<p>There is a legal requirement for organizations that process personal data to apply satisfactory governance and safeguards to the data. The purpose of that requirement is to protect and uphold the rights and freedoms of the data subjects\u2014the people the data is about.<\/p>\n<p>That\u2019s a very fast run through\u2014the GDPR is 88 pages of terse bureaucracy. 
There\u2019s a lot of it, a lot to it, and the devil is in the details.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Personal_Data\"><\/span>Personal Data<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Personal data is any information relating to an identified or identifiable individual, whether it concerns his or her private, professional, or public life. That\u2019s a massive scope. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, a computer\u2019s IP address, and so on.<\/p>\n<p>And you don\u2019t need to hold enough information to identify a person for it to be classed as personal data. It\u2019s like a digital jigsaw. If you hold a single piece of the jigsaw that could reasonably be combined with the other pieces\u2014even if they have to be sourced elsewhere\u2014to identify a person, your single piece of information is classed as personal data and must be treated in accordance with the GDPR. The same goes for pseudonymized data: replacing a name with a hash or an internal identifier does not take a record out of scope while anyone can map it back to a person.<\/p>\n<h2 id=\"actually-its-global\"><span class=\"ez-toc-section\" id=\"Actually_Its_Global\"><\/span>Actually, It\u2019s Global<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The biggest myth about the GDPR is that it only applies to the\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/europa.eu\/european-union\/about-eu\/countries_en\">member states<\/a>\u00a0of the\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/europa.eu\/european-union\/index_en\">European Union<\/a>\u00a0and is something only European organizations have to deal with.<\/p>\n<p>The reality is, if you employ Europeans, have any premises in Europe, or trade with European companies or residents,\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" 
href=\"https:\/\/gdpr.eu\/companies-outside-of-europe\/\">the GDPR applies to you<\/a>. The GDPR protects the personal data of people who are in the European Union, whatever their citizenship, and under its Article 3 it applies to any organization, wherever it is established, that processes that data in connection with offering goods or services to people in the EU or monitoring their behavior there. That\u2019s how the French regulator, the CNIL,\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.cnil.fr\/en\/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc\">fined Google 50 million euros<\/a>.<\/p>\n<p>There are a few exemptions. Businesses of fewer than 250 employees, wherever they are based, must still safeguard the data and use it in accordance with the GDPR, but they are spared some of the record-keeping, unless their processing is more than occasional, is likely to put data subjects at risk, or involves special categories of data.<\/p>\n<p>And the word\u00a0<em>belonging<\/em>\u00a0is an interesting one in this context.<\/p>\n<p>We\u2019re used to thinking along the lines of my database, my spreadsheet, my mailing list, and so on. And that\u2019s correct, they\u2019re yours. But if my data is in any of your digital systems, legally it is\u00a0<em>my data<\/em>\u00a0and you have a\u00a0<em>copy<\/em>\u00a0of it. It isn\u2019t your data. It\u2019s mine. And I have\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:32016R0679&amp;qid=1600605964569&amp;from=EN#d1e2161-1-1\">data subject rights<\/a>\u00a0dictating what you can and cannot do with that data.<\/p>\n<p>Gone are the days when you could harvest data without a care, do what you wanted with it, and share it with whom you saw fit. 
Now, you need a\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:32016R0679&amp;qid=1600605964569&amp;from=EN#d1e1888-1-1\">lawful basis<\/a>\u00a0for everything you do with the data, and simply\u00a0<em>collecting<\/em>\u00a0it in the first place counts as processing too.<\/p>\n<h2 id=\"crossing-borders\"><span class=\"ez-toc-section\" id=\"Crossing_Borders\"><\/span>Crossing Borders<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The GDPR says you can only transmit personal data to another country if it is:<\/p>\n<ul>\n<li>A member state of the European Union, or a member of the European Economic Area, where the GDPR applies directly, or<\/li>\n<li>A third country that the European Commission has granted an <em>adequacy decision<\/em>, having judged that its data protection regime is essentially equivalent to the GDPR.<\/li>\n<\/ul>\n<p>If you\u2019re not in the European Union or the European Economic Area, you\u2019re classed as a\u00a0<em>third country<\/em>.<\/p>\n<p>So far Andorra, Argentina, Canada (for organizations covered by its PIPEDA privacy law), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay are third countries with adequacy decisions.<\/p>\n<p>Personal data can be transmitted to any of these third countries, where it will be processed with the same degree of safeguarding and governance as if it were being handled in a region subject to the GDPR.<\/p>\n<p>Two names are missing from that list. Conspicuous by their absence are the United States and the United Kingdom.<\/p>\n<h2 id=\"the-uk-and-brexit\"><span class=\"ez-toc-section\" id=\"The_UK_and_Brexit\"><\/span>The UK and Brexit<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The United Kingdom left the European Union on January 31, 2020, and until the end of the transition period on December 31, 2020, it is still treated as a member state for GDPR purposes. After that it becomes a third country, and transfers to it will need an adequacy decision covering its data protection framework and legislation, or one of the other mechanisms described below.<\/p>\n<p>The United Kingdom does have legislation ready for this. 
Part 2 of the United Kingdom\u2019s\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.legislation.gov.uk\/ukpga\/2018\/12\/contents\/enacted\">Data Protection Act 2018<\/a>\u00a0applies and supplements the GDPR, and the GDPR itself is being carried over into domestic law, as the \u201cUK GDPR,\u201d when the transition period ends. So the legislation is ready, it is already enshrined in British law, and it must surely be adequate because it\u00a0<em>is<\/em>\u00a0the GDPR.<\/p>\n<p>The trouble is, the adequacy decision process is very slow. And adequacy is not judged on the data protection statute alone: the Commission assesses the whole legal order, including how far the security and intelligence agencies can reach the data and what redress a European has against that, which is exactly the ground on which Schrems 2 was decided.<\/p>\n<h2 id=\"the-us-and-privacy-shield\"><span class=\"ez-toc-section\" id=\"The_US_and_Privacy_Shield\"><\/span>The US and Privacy Shield<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The United States has a partial adequacy decision. The\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.privacyshield.gov\/welcome\">EU-U.S. and Swiss-U.S. Privacy Shield Frameworks<\/a>\u00a0were designed by the\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.commerce.gov\/\">U.S. Department of Commerce<\/a>, the European Commission and the\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.admin.ch\/gov\/en\/start.html\">Swiss Administration<\/a>\u00a0to provide an acceptable mechanism for the transfer of personal data between the European Union, Switzerland and the United States.<\/p>\n<p>The adequacy decision was only <em>partial<\/em> because Privacy Shield isn\u2019t country-wide legislation and it isn\u2019t mandatory. It covered only those organizations that chose to self-certify to the framework with the Department of Commerce. It\u2019s opt-in.<\/p>\n<p>Actually, it\u2019s more accurate to say that the United States\u00a0<em>had<\/em>\u00a0a partial adequacy decision.<\/p>\n<h2 id=\"schrems-2\"><span class=\"ez-toc-section\" id=\"Schrems_2\"><\/span>Schrems 2<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The Privacy Shield framework worked well. 
It allowed American cloud platform providers and\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Software_as_a_service\">Software-as-a-Service<\/a>\u00a0companies to trade in Europe and to service European customers even though their data centers may have been located in the United States.<\/p>\n<p>It worked well, that is, until <a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Max_Schrems\">Maximilian Schrems<\/a>, an Austrian lawyer and data protection activist, complained to the Irish Data Protection Commissioner about Facebook Ireland\u2019s transfers of his personal data to the United States. The Irish High Court referred the questions raised by that complaint to the\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/europa.eu\/european-union\/about-eu\/institutions-bodies\/court-justice_en\">Court of Justice of the European Union<\/a>\u00a0(CJEU), and Schrems won: the CJEU\u2019s\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/curia.europa.eu\/jcms\/upload\/docs\/application\/pdf\/2020-07\/cp200091en.pdf\">judgment<\/a>\u00a0in Case C-311\/18, now generally known as Schrems II, was handed down on July 16, 2020. This was followed by a\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.edoeb.admin.ch\/edoeb\/en\/home\/latest-news\/media\/medienmitteilungen.msg-id-80318.html\">position statement<\/a>\u00a0from the Swiss\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.edoeb.admin.ch\/edoeb\/en\/home\/the-fdpic\/task.html\">Federal Data Protection and Information Commissioner<\/a>, which reached the same conclusion about the Swiss-U.S. Privacy Shield.<\/p>\n<p>The questions referred to the court concerned the validity of the standard contractual clauses that Facebook relied on, but the court also examined whether the Privacy Shield framework was sufficiently robust to warrant even a partial adequacy decision. 
It was not: the court struck down the Privacy Shield adequacy decision with immediate effect and no grace period, while holding that the standard contractual clauses remain valid in principle.<\/p>\n<p>The decisive issue was the United States\u2019 mass data gathering and surveillance programs such as\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/PRISM_(surveillance_program)\">PRISM<\/a>\u00a0and\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Upstream_collection\">UPSTREAM<\/a>, which run under Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, and the ability of the\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.nsa.gov\/\">National Security Agency<\/a>\u00a0and similar agencies to compel American companies to hand over their customers\u2019 personal data. The court found that those powers are not limited to what is strictly necessary and proportionate, and that Europeans have no effective remedy before a court or independent body against their use.<\/p>\n<h2 id=\"now-what\"><span class=\"ez-toc-section\" id=\"Now_What\"><\/span>Now What?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<figure id=\"attachment_7746\" style=\"width: 669px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-7746 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/00fa7e8cf7ef2411ebf76d3d89a803d7\/p\/uploads\/2020\/10\/5f014601.png\" alt=\"\" width=\"669\" height=\"339\" data-crediturl=\"https:\/\/www.shutterstock.com\/image-vector\/question-marks-symbols-set-blue-grunge-703221688\" data-credittext=\"Shutterstock\/Natalya Timofeeva\" \/><figcaption class=\"wp-caption-text\"><span class=\"imagecredit\"><a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-vector\/question-marks-symbols-set-blue-grunge-703221688\">Shutterstock\/Natalya Timofeeva<\/a><\/span><\/figcaption><\/figure>\n<p>Large organizations like\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/about.google\/\">Google<\/a>\u00a0and\u00a0<a rel=\"nofollow noopener noreferrer\" 
target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/\">Microsoft<\/a>\u00a0have data centers strategically positioned in different regions such as Europe, Africa, the Middle East, and Asia. This is done specifically to service those regions from within those regions. But having data centers in Europe doesn\u2019t overcome the issue. A US provider remains subject to US law wherever its servers are: the CLOUD Act of 2018 makes clear that a provider must produce data in its possession, custody, or control regardless of where that data is stored, and Section 702 directives reach electronic communication service providers under US jurisdiction. A data center in Europe changes where the bytes sit, not who can be compelled to hand them over. The technical way to take the provider out of that chain is to make sure it never holds the data in readable form, for example by encrypting it with keys that stay in Europe and that the provider cannot access.<\/p>\n<p>So to sum up, the United States is a third country without an adequacy decision, and it seems extremely likely that the United Kingdom will shortly be in exactly the same position.<\/p>\n<p>There will not be a straightforward means for the transfer of personal data between European companies and British or American companies. Even within an international corporation, or group of companies, moving data from an office in Europe to a branch in London or New York will be complicated.<\/p>\n<p>But there has to be some way for a European company to be able to send data to a third country without an adequacy decision. The drafters of the GDPR surely couldn\u2019t have intended it to drop like a guillotine and sever existing business ties to, for example, the Middle East?<\/p>\n<p>In fact, Articles 46 to 49 of the GDPR provide for that very contingency. The mechanisms are:<\/p>\n<ul>\n<li>Derogations<\/li>\n<li>Codes of Conduct and Certification Mechanisms<\/li>\n<li>Binding Corporate Rules<\/li>\n<li>Standard Contractual Clauses<\/li>\n<\/ul>\n<p>That\u2019s something. 
But even so, it won\u2019t be plain sailing.<\/p>\n<h3 id=\"derogations\"><span class=\"ez-toc-section\" id=\"Derogations\"><\/span>Derogations<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Derogations, set out in Article 49 of the GDPR, are specific situations in which a transfer may go ahead without an adequacy decision or any of the safeguards below: the data subject has explicitly consented after being told of the risks, the transfer is necessary to perform a contract with the data subject or made in his or her interest, it is needed for important reasons of public interest or for legal claims, or it protects someone\u2019s vital interests. They do not need approval from the European Commission or a supervisory authority, except that the last-resort ground of compelling legitimate interests must be notified to the supervisory authority. Each business must justify its own reliance on them.<\/p>\n<p>Derogations allow a degree of flexibility in certain conditions and are a condoned and justified departure from the usual requirements. Unfortunately, they must be applied restrictively, and they cannot become the norm. They are by definition the exception to the rule. Additionally, the European Data Protection Board\u2019s guidance says they relate to \u201cprocessing activities that are occasional and non-repetitive.\u201d<\/p>\n<p>So, derogations are impractical for regular business transfers of personal data.<\/p>\n<h3 id=\"codes-of-conduct-and-certification-mechanisms\"><span class=\"ez-toc-section\" id=\"Codes_of_Conduct_and_Certification_Mechanisms\"><\/span>Codes of Conduct and Certification Mechanisms<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>The European Data Protection Board says that\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:32016R0679&amp;qid=1600605964569&amp;from=EN#d1e3885-1-1\">Codes of Conduct and Certification Mechanisms<\/a>\u00a0can offer appropriate safeguards for transfers of personal data to third countries if there are binding and enforceable commitments on the company in the third country.<\/p>\n<p>Associations and professional bodies may prepare codes for approval and registration.\u00a0Article 42 of the GDPR states \u201cdata protection certification mechanisms, seals or marks \u2026 may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors that are not subject to this Regulation.\u201d<\/p>\n<p>A tremendous amount of work would have to go into such a scheme.<\/p>\n<ul>\n<li>A suitable code of conduct and certification mechanism would have to be developed by trade associations or professional bodies in the third country.<\/li>\n<li>The code would need to be appraised and approved by the competent supervisory authority, with an opinion from the European Data Protection Board where it covers several member states.<\/li>\n<li>Businesses represented by the trade association or body in the third country would need to adopt the code, and be able to evidence their compliance.<\/li>\n<li>The participating businesses would need to be examined and, if they pass, certificated. That requires the establishment of a certification body.<\/li>\n<li>The participating businesses would then need to be monitored to ensure ongoing compliance with the code.<\/li>\n<\/ul>\n<p>There are no approved codes of conduct in the United States or in the United Kingdom, although the United Kingdom\u2019s\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/ico.org.uk\/\">Information Commissioner\u2019s Office<\/a>\u00a0says it has processes in place to accept applications. Don\u2019t expect a fast turnaround.<\/p>\n<h3 id=\"binding-corporate-rules\"><span class=\"ez-toc-section\" id=\"Binding_Corporate_Rules\"><\/span>Binding Corporate Rules<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Binding Corporate Rules are internal rules which define the international policy in multinational groups of companies and international organizations regarding cross-border\u2014but still within the same organization\u2014transfers of personal data.<\/p>\n<p>Binding corporate rules are detailed and comprehensive, and very similar to contracts. There is a standard set of information and topics which are mandatory for inclusion. 
Binding corporate rules have to be submitted for review and authorization to the competent Supervisory Authority in Europe, which approves them under the GDPR\u2019s consistency mechanism.<\/p>\n<p>Binding Corporate Rules are complex and time-consuming to create, but for a multinational or large international organization they will simplify intra-group data transfers greatly once they are implemented.<\/p>\n<h3 id=\"standard-contractual-clauses\"><span class=\"ez-toc-section\" id=\"Standard_Contractual_Clauses\"><\/span>Standard Contractual Clauses<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Both the European company and the company in the third country must agree to use a contract of\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/ec.europa.eu\/info\/law\/law-topic\/data-protection\/international-dimension-data-protection\/standard-contractual-clauses-scc_en\">standard contractual clauses<\/a>\u00a0approved by the European Commission. These contracts provide the additional data protection safeguards that are required for a transfer of personal data to a third country without an adequacy decision.<\/p>\n<p>The standard contractual clauses must be signed by both parties. If they are not signed, they are not considered as being in place.<\/p>\n<p>Standard contractual clauses may be included in a wider contract and additional clauses might be added, so long as they do not contradict, directly or indirectly, the standard contractual clauses. You can\u2019t add clauses to the contract to try and override any requirements of the standard contractual clauses that you don\u2019t like.<\/p>\n<p>You can modify the standard contractual clauses to take into account a specific or particular situation. Once they have been changed, of course, they are no longer standard contractual clauses. 
They become\u00a0<em>ad hoc<\/em>\u00a0contractual clauses and before they can be used they must be authorized by the European company\u2019s data protection Supervisory Authority.<\/p>\n<p>The European Commission has produced sets of\u00a0<a rel=\"nofollow noopener noreferrer\" target=\"_blank\" href=\"https:\/\/ec.europa.eu\/info\/law\/law-topic\/data-protection\/international-dimension-data-protection\/standard-contractual-clauses-scc_en\">standard contractual clauses<\/a>, and out of the four available options, they do seem to be the best general solution.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Is_That_the_Solution\"><\/span>Is That the Solution?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Possibly, but with an important caveat. The CJEU upheld the clauses only on the understanding that the exporter checks, before transferring, whether the law of the destination country would stop the importer from actually honoring them, adds supplementary measures where it would, and suspends the transfer if even that is not enough. For a US cloud provider the law in question is the same surveillance law that sank Privacy Shield, so a signed set of clauses is where the work starts, not where it ends.<\/p>\n<p>It\u2019s also hard to imagine how companies like Microsoft, Amazon, and Google are going to be able to agree and sign a copy of standard contractual clauses for every European company that wishes to work with them.<\/p>\n<p>Some Software-as-a-Service providers have included standard contractual clauses in their terms and conditions. But will their wording satisfy the demands of the European Commission? Another issue is the signature. 
The service providers are hoping that your agreement to their terms and conditions will stand in lieu of a signature.<\/p>\n<p>It might well require a test case to set a precedent before this becomes clear.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/7694\/what-does-schrems-2-mean-for-cloud-computing\/\" target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;What Does Schrems 2 Mean For Cloud Computing? \u2013 CloudSavvy IT&#8221; The reach of GDPR doesn\u2019t stop at the borders of Europe. Using non-European cloud platforms and Software-as-a-Service from within Europe just got a lot more complicated. Data Protection and Cybersecurity Data protection and cybersecurity are different, but related topics. 
Cybersecurity is the collection of&#8230;<\/p>\n","protected":false},"author":1,"featured_media":103098,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2020\/10\/72808892.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-103097","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/103097","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=103097"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/103097\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/103098"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=103097"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=103097"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=103097"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}