Last year, the Court of Justice of the European Union (CJEU) delivered its judgment in the case known as Schrems II, cutting off a key mechanism for transferring personal data from the European Union to the United States.
International data transfers are necessary for furthering innovation, strengthening trade relationships, and widening consumer access to digital products and services.
It goes without saying that the ruling directly affected companies that engage in this type of data transfer, from tech giants such as Facebook down to SMEs. But the decision also had knock-on consequences for the trade and development of tech industries such as cloud computing, AI, and IoT.
In this blog post, we’ll explore how the ruling affects IoT solutions in particular. But first, we’re going to go into a bit more detail on the case itself.
What is Schrems II?
Schrems II is a legal case named after Maximilian Schrems, the Austrian privacy activist, lawyer, and author who brought it.
After learning that Facebook was transferring personal data from Europe to its U.S. headquarters, Schrems argued that the data was exposed to access by U.S. intelligence agencies and that the transfers therefore could not satisfy EU data protection law. Neither the Data Protection Directive nor the GDPR that replaced it bans transfers to the U.S. outright, but both only permit transfers to a third country where the data keeps an essentially equivalent level of protection.
He first complained to the Irish Data Protection Commissioner in 2013. After the EU-U.S. Safe Harbour framework was struck down in 2015 (Schrems I), Facebook relied on the European Commission's Standard Contractual Clauses (SCCs) instead, and Schrems reformulated his complaint to challenge that reliance.
The Commissioner rejected the original 2013 complaint, but the reformulated case, later labelled Schrems II, was referred through the Irish courts to the judicial branch of the European Union, the CJEU, and decided seven years after the first complaint.
In July 2020, the CJEU delivered its judgment, ruling that the EU-U.S. Privacy Shield was an invalid mechanism for complying with EU data protection requirements.
The court upheld the validity of SCCs as such, but ruled that they must be assessed on a case-by-case basis: the exporter has to verify whether the law of the recipient country provides adequate protection and, where it does not, put supplementary measures in place or suspend the transfer.
This prompted the European Commission to issue modernized SCCs in June 2021 to ensure safer exchanges of personal data.
What Does This Mean for Cross Border Data Transfers?
Facebook wasn’t the only company to be affected by the Schrems II decision. It has also caused problems for other tech companies whose services involve sending data internationally.
Following the ruling, companies that transfer data from the EU to the U.S. should make sure they have a clear picture of the following:
Data in General
It may sound simple, but the most important action companies can take following the verdict is to know as much as possible about their own data transfers.
This involves knowing exactly what type of data is being processed at what stage, but most importantly, where it’s going. For EU companies, alarm bells should start ringing as soon as data moves out of EU territory.
Reasons for Data Transfer
It is another seemingly simple task, but companies that move data internationally should also know the legal grounds on which the data is being transferred in the first place, and be able to show them.
Another element to be aware of is exactly what measures your IoT company has in place to adequately protect personal data.
As the EU frames it, technical measures are the controls that protect data against loss, alteration, and unauthorized access, such as encryption, strong authentication, and hardened transport. Organizational measures, on the other hand, include restricting access to personal data to authorised persons and documenting who may process it and why.
Finally, it’s important to have a good understanding of the laws and regulations in the third countries that data passes through or is stored in, and the level of protection they provide. Where that protection falls short, additional controls must be implemented.
What Does This Mean for IoT Companies?
As we know, every action by IoT devices creates data that is sent, stored, and analyzed.
However, whether the Schrems II ruling affects your IoT company depends on whether personal data leaves the EU at any point in its flow. A company that sells only in one EU country but uses a U.S. cloud backend or analytics vendor is still transferring data.
If your IoT company does engage in international data flow, there are several actions it can take to protect itself:
1. Encrypt Data
If your company is sending data across borders, one of the most effective measures is to encrypt it before it leaves the EU so that the recipient and any third party see only ciphertext.
The protection only holds if the keys stay out of the recipient's reach: the EDPB's recommendations on supplementary measures count encryption as a valid safeguard only where the keys are held by the exporter or a trusted party in the EU, not by the importer in the third country. That makes an encryption key management system worth the investment, both to keep keys secure and to document the control for compliance purposes.
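The arrangement described above, as an added example that is not Nabto's code or part of the original post: an EU-side exporter encrypts each telemetry record with AES-256-GCM before it is shipped to a non-EU storage service, and the storage service holds only ciphertext and no key material. The telemetry record, the device IDs, and the `ImporterStore` type are constructed for this illustration. The device ID is bound into the ciphertext as additional authenticated data so a record stored under one device cannot be replayed as another device's reading.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleTelemetry is a constructed record for this example, not real device data.
const sampleTelemetry = `{"device":"sensor-0001","temp_c":21.5,"lat":55.67,"lon":12.56}`

// NewKey generates a 256-bit data-encryption key. In a real deployment this
// key is created and held in the exporter's (EU-side) KMS or HSM and never
// travels with the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record on the exporter side before transfer.
// Output layout: nonce (12 bytes) || ciphertext || GCM tag.
func Seal(key []byte, deviceID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// deviceID as AAD: decryption fails if the blob is moved to another device.
	return gcm.Seal(nonce, nonce, plaintext, []byte(deviceID)), nil
}

// Open is the exporter-side inverse of Seal. It fails on a wrong key, a
// mismatched device ID, or any tampering with the blob.
func Open(key []byte, deviceID string, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(deviceID))
}

// ImporterStore models the non-EU storage service (hypothetical). It keeps
// blobs by device ID and has no key material at all.
type ImporterStore struct {
	blobs map[string][]byte
}

func NewImporterStore() *ImporterStore { return &ImporterStore{blobs: map[string][]byte{}} }

func (s *ImporterStore) Put(deviceID string, blob []byte) { s.blobs[deviceID] = blob }
func (s *ImporterStore) Get(deviceID string) []byte       { return s.blobs[deviceID] }

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, "sensor-0001", []byte(sampleTelemetry))
	if err != nil {
		panic(err)
	}
	store := NewImporterStore()
	store.Put("sensor-0001", blob) // only ciphertext crosses the border

	// Importer side: a guessed key yields an authentication error, not partial plaintext.
	if _, err := Open(make([]byte, 32), "sensor-0001", store.Get("sensor-0001")); err != nil {
		fmt.Println("importer without key:", err)
	}
	// Exporter side: retrieve and decrypt with the EU-held key.
	pt, err := Open(key, "sensor-0001", store.Get("sensor-0001"))
	if err != nil {
		panic(err)
	}
	fmt.Println("exporter recovers:", string(pt))
}
```

The point the code makes is the one the EDPB makes: the importer's database contains nothing it can read, so a compelled disclosure on the U.S. side yields only ciphertext. If the same service also held the key, or could call back to a key service it controls, the transfer would be unprotected no matter how strong the cipher.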
2. “Security By Design”
In IoT, security should be at the forefront of product development and creation, not something considered at a later stage in the game.
To ensure your IoT company is designing with security in mind, dedicate time at the design stage to working out what data the device collects, where it flows, and who can reach it; this stage is as important as any later stage of development, and it is where the data-transfer questions above are cheapest to answer.
3. Decentralized IoT Platform
A final option for protecting your IoT business is a decentralized Application Enablement Platform (AEP). Instead of collecting data in a central cloud database, data stays on the IoT device itself and is fetched directly by the client that needs it, so there is less personal data sitting in third-country infrastructure to begin with.
Here at Nabto, our IoT connectivity platform operates using P2P technology, which ensures direct and secure communication between end-user client devices and their IoT devices.
If you want to safeguard against cross-continental data transfer difficulties, contact us for a free consultation today.
In addition to the Schrems II verdict, the impact of the pandemic and the shift to remote working have made data security and cybersecurity prime concerns for users. Keeping your IoT solutions compliant with current regulations comes down to treating security and privacy as design requirements rather than afterthoughts.
However, as the Information Technology and Innovation Foundation points out, this challenge is not one for the private sector to assume alone. Different international governments must also reconcile their data surveillance systems through cooperation and new data transfer mechanisms, as transatlantic data flow is not set to slow down any time soon.
Read Our Other Resources
We’ve also published a range of IoT resources for our community, including:
- Get to grips with GDPR by reading IoT and GDPR: How to Stay Compliant in 2021
- Further your understanding of IoT regulation in Europe by reading EU IoT Regulation: What Your Business Needs to Know
- If you’re based stateside, have a read of What You Need to Know about the US and California IoT Security Laws
- Improve your device’s safety by reading A Developer’s Guide to IoT Encryption Algorithms