Schrems 2 and how it affects whistleblowing systems
We have recently been asked questions about Schrems 2 and how it affects whistleblowing systems. In this article we answer a number of key questions relating to Schrems 2, with a specific focus on whistleblowing and WhistleB’s continued commitment to data security.
What is Schrems 2?
Schrems 2 is a ruling from the Court of Justice of the European Union (CJEU) which means that the EU-US Privacy Shield framework is now an insufficient mechanism to ensure compliance with EU data protection requirements. The ruling was passed in July 2020, when the CJEU invalidated the EU:US Privacy Shield Framework as a transfer mechanism for exports of personal data to the US on the basis that the protections it afforded did not meet EU standards.
How is this issue related to whistleblowing?
Depending on their location, structure and choice of whistleblowing solution vendor, certain organisations may transfer whistleblowing data between the EU and the US.
What areas of US and EU legislation are relevant?
The EU GDPR restricts transfers of personal data outside of the EU to countries which cannot guarantee an adequate protection unless an exception applies or an alternative approved mechanism is adopted.
Until now, Standard Contractual Clauses (SCC) and Privacy Shield (for transfers to the US) have been the most common mechanisms used to protect the personal data transferred.
Under the US Cloud Act of 2018, US government agencies can ask a US court to issue a warrant demanding that suppliers that are subject to US law hand over data they store for customers, even if that data is stored outside the United States, including the EU.
What is WhistleB’s viewpoint?
As an EU-based provider of cloud services, WhistleB is subject to and fully complies with the EU GDPR.
Security has always been at the heart of everything we do at WhistleB – to protect both whistleblowers and our customers’ data. Since the beginning, we have purposefully designed market-leading security into our whistleblower system and selected the most secure IT providers.
Data security and compliance with all applicable laws are and will remain focus points of the WhistleB whistleblowing system. Find out more about this at our Trust Centre.
How and where does WhistleB store data?
WhistleB has selected market-leading Microsoft Azure as its supplier of secure data hosting services for customer data. Microsoft Azure is an industry leader in terms of information security, IT security and data protection.
All customer data is stored and processed in the EU, with the primary data centre in Ireland and a secondary data centre in the Netherlands. However, the parent company of Microsoft Azure is Microsoft Corporation, an American company that is therefore potentially subject to the Cloud Act.
How does the WhistleB system manage data disclosure?
WhistleB adheres strictly to the GDPR and the EU Whistleblower Protection Directive. Any request for disclosure of data would create a material risk that we would violate one or both of these.
WhistleB cannot disclose customer data to anyone. WhistleB customer data is protected against any disclosure through strong encryption technology in the whistleblowing system. This encryption technology ensures that data is accessible by the customer only, not by WhistleB, any supplier, any authority nor any other third party. A WhistleB customer has full and sole control of the encryption key. Only the customer can decrypt and give anyone access to their data.
How does Schrems 2 affect WhistleB’s compliance with GDPR?
The invalidation of the EU-US Privacy Shield framework does not affect compliance of the WhistleB system with the GDPR. WhistleB and Microsoft Azure Ireland do not transfer data to the US or any third party outside the EU. However, the customer may decide to open access to its case management tool for any country outside the EU. It is the customer who supervises data security and guarantees the restrictions on user access to customer data.
WhistleB’s position is that Microsoft Azure offers sufficient guarantees that the GDPR’s rules on the transfer of personal data to third countries will be respected based on the Standard Contractual Clauses. WhistleB therefore stands behind these guarantees.
Data security and compliance with all applicable laws are and will remain focus points of the WhistleB whistleblowing system. We will therefore continue to monitor the current situation and the lack of agreement between the EU and the US very closely.
How can I find out more?
If you would like to discuss Schrems 2 and how it affects whistleblowing systems, please get in touch.