In this article we answer a number of key questions relating to Schrems II, with a specific focus on whistleblowing and NAVEX’s continued commitment to data security.
What is Schrems II?
Schrems II is a ruling from the Court of Justice of the European Union (CJEU) under which the EU-US Privacy Shield framework is no longer a sufficient mechanism for ensuring compliance with EU data protection requirements. The ruling was handed down in July 2020, when the CJEU invalidated the EU-US Privacy Shield framework as a transfer mechanism for exports of personal data to the US, on the basis that the protections it afforded did not meet EU standards.
How is this issue related to whistleblowing?
Depending on their location, structure and choice of whistleblowing solution vendor, certain organisations may transfer whistleblowing data between the EU and the US.
What areas of the US and EU legislation are relevant?
The EU GDPR restricts transfers of personal data outside the EU to countries that cannot guarantee adequate protection, unless an exception applies or an alternative approved mechanism is adopted.
Until now, Standard Contractual Clauses (SCCs) and Privacy Shield (for transfers to the US) have been the most common mechanisms used to protect transferred personal data.
Under the US CLOUD Act of 2018, US government agencies can ask a US court to issue a warrant demanding that suppliers subject to US law hand over data they store for customers, even if that data is stored outside the United States, including in the EU.
What is NAVEX’s viewpoint?
As an EU-based provider of cloud services, NAVEX is subject to and fully complies with the EU GDPR.
Security has always been at the heart of everything we do to protect both whistleblowers and our customers’ data. We have purposefully designed market-leading security into the WhistleB system and selected the most secure IT providers.
Data security and compliance with all applicable laws are and will remain focus points of the WhistleB whistleblowing system. Find out more about this at our Trust Centre.
How and where is data stored for the WhistleB system?
NAVEX has selected market-leading Microsoft Azure as its supplier of secure data hosting services for customer data. Microsoft Azure is an industry leader in terms of information security, IT security and data protection.
All customer data is stored and processed in the EU, with the primary data centre in Ireland and a secondary data centre in the Netherlands. However, the parent company of Microsoft Azure is Microsoft Corporation, an American company that is therefore potentially subject to the Cloud Act.
How does the WhistleB system manage data disclosure?
The WhistleB system adheres strictly to the GDPR and the EU Whistleblower Protection Directive. Any request for disclosure of data would create a material risk that we would violate one or both of these. NAVEX cannot disclose customer data to anyone.
Customer data is also protected against any disclosure through strong encryption technology in the whistleblowing system. This encryption technology ensures that data is accessible by the customer only, not by NAVEX, any supplier, any authority or any other third party. A WhistleB customer has full and sole control of the encryption key. Only the customer can decrypt their data and grant anyone access to it.
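The property described above, that a provider holding only the stored records cannot read them without a key held solely by the customer, can be illustrated with a small example. The code below is an added illustration written for this article, not WhistleB's or NAVEX's own code, and it assumes a customer-generated AES-256-GCM key with the case identifier bound as associated data; the page does not state which algorithm or key management the WhistleB system actually uses, and the sample report is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// CustomerKey is generated and retained on the customer side only.
// Assumption for this illustration: a 32-byte AES-256 key.
type CustomerKey [32]byte

// NewCustomerKey draws a fresh random key. Only the customer calls this;
// the provider never sees the value.
func NewCustomerKey() (CustomerKey, error) {
	var k CustomerKey
	if _, err := rand.Read(k[:]); err != nil {
		return k, err
	}
	return k, nil
}

// StoredReport is everything the provider actually holds for a case:
// the nonce and the authenticated ciphertext, never the plaintext or key.
type StoredReport struct {
	Nonce      []byte
	Ciphertext []byte
}

func newGCM(k CustomerKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a report on the customer side. The case identifier is
// bound as associated data so a ciphertext cannot be re-attached to
// a different case without detection.
func Seal(k CustomerKey, caseID string, report []byte) (StoredReport, error) {
	gcm, err := newGCM(k)
	if err != nil {
		return StoredReport{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredReport{}, err
	}
	ct := gcm.Seal(nil, nonce, report, []byte(caseID))
	return StoredReport{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a stored report. It fails for a wrong key, a wrong case
// identifier, or any modification of the stored bytes.
func Open(k CustomerKey, caseID string, s StoredReport) ([]byte, error) {
	gcm, err := newGCM(k)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, []byte(caseID))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key, wrong case, or tampered data")
	}
	return pt, nil
}

// ProviderCanRead models a party that holds the stored record but not the
// customer's key: any key it can produce itself must fail to open the data.
func ProviderCanRead(s StoredReport, caseID string) bool {
	other, err := NewCustomerKey()
	if err != nil {
		return false
	}
	_, err = Open(other, caseID, s)
	return err == nil
}

func main() {
	key, _ := NewCustomerKey()
	report := []byte("constructed sample report: suspected expense fraud in unit X")
	stored, _ := Seal(key, "case-0001", report)

	pt, err := Open(key, "case-0001", stored)
	fmt.Println("customer decrypts:", err == nil && bytes.Equal(pt, report))
	fmt.Println("provider without key decrypts:", ProviderCanRead(stored, "case-0001"))
}
```

The point the example makes is that the access restriction does not rest on the provider's policy alone: with the key generated and held by the customer, a stored record handed over in response to a disclosure demand is unreadable to the recipient, and any change to the stored bytes or to the case they are attached to is detected on decryption.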
How does Schrems II affect NAVEX’s compliance with GDPR?
The invalidation of the EU-US Privacy Shield framework does not affect the WhistleB system's compliance with the GDPR. Neither we nor Microsoft Azure Ireland transfer data to the US or to any third party outside the EU. However, the customer may decide to open access to its case management tool to users in any country outside the EU. It is the customer who supervises data security and guarantees the restrictions on user access to customer data.
NAVEX’s position is that Microsoft Azure offers sufficient guarantees that the GDPR’s rules on the transfer of personal data to third countries will be respected based on the Standard Contractual Clauses. NAVEX therefore stands behind these guarantees.
Data security and compliance with all applicable laws are and will remain focus points of the WhistleB whistleblowing system. We will therefore continue to monitor the current situation and the lack of agreement between the EU and the US very closely.