Schrems II: How to Protect Against Liability When Using Non-EEA / Equivalency Country Vendors

98% of the participants in an Anonos Schrems II webinar held on 13 January, involving 2000+ executives representing 1700+ companies from 50+ countries, expressed concern about the risks associated with cloud-based processing of cleartext EU data and remote access to EU data for business purposes. In follow-up meetings and discussions with representatives from hundreds of companies, grave concerns have been raised regarding the risk of personal and criminal liability for corporate officers and Boards of Directors for ongoing use of non-EEA Cloud, SaaS and outsourcing solutions.

The significant publicity regarding the potential negative impacts of Schrems II means that a lack of corporate action in response may constitute “wilful blindness to a course of action” or “reckless conduct by knowing of the risk but doing nothing.”[i] In addition, auditors have an obligation to report data protection violations to authorities under the International Ethics Standards Board for Accountants (IESBA), and Non-compliance with Laws and Regulations (NOCLAR).[ii]

When dealing with non-EEA/equivalency country vendors claiming that their services occur entirely within the EU, removing them from the realm of Schrems II issues, corporate officers and Boards of Directors are still be open to risks. This is because while the data may appear to be accessed and processed solely only within the EU, vendors often retain access to the data or to keys or other methods for accessing the data for purposes of performing services or other contractual obligations.

The ability of non-EEA/equivalency country vendors to access EU personal data raise the following two Unlawful Use Cases identified by the EDPB below:[iii]

Unlawful Use Case 6: Transfer to cloud services providers or other processors which require access to data in the clear.
Unlawful Use Case 7: Remote access to data for business purposes.

The existence of Unlawful Use Cases 6 and 7 mean that common vendor practices leave corporate officers and Boards of Directors open to liability risks from the potential for unlawful data access.

It is also important to note that the CJEU did not include any grace period for the Schrems II decision, meaning that compliance is immediately required. Industry direction may come at a later date, but measures are necessary immediately to ensure risks are mitigated.