What about the Schrems II decision and data transfers?

Last Updated: 2021-10-04


Q: In light of the invalidation of Privacy Shield by the Court of Justice of the European Union (CJEU) why does MaxMind still reference the Privacy Shield program in its privacy statement? 


A: MaxMind adheres to the safeguards, requirements and standards that underlie the Privacy Shield. The underlying protections that previously applied to Privacy Shield are still important and effective in the protection of data protection rights and freedoms.  Moreover, the US Department of Commerce has dictated through its official channel that companies that previously used the Privacy Shield program are not relieved of their obligations under the program. Thus, as an organization that complies with the regulations in all jurisdictions in which we operate, we must comply with the changes based on the Schrems II decision, as well as continuing to implement the protections that underlie the Privacy Shield. 


For cross border data transfers, MaxMind relies on the European Commission’s approved standard contractual clauses (SCC) and associated guidance released by the European Data Protection Board (EDPB), as adopted on June 18, 2021 to further protect our customers’ data. 


Q: What steps has MaxMind undertaken for its data transfer program in reliance on the SCC? 


A: In accordance with guidance from the EDPB, MaxMind has enhanced and updated its data transfer program to review, assess and verify its data transfer needs and obligations, including-

  • To map its data inventory and transfer of personal data governed by the GDPR; 
  • To verify its transfer tool, including transfers to the US where MaxMind customer data may be processed; 
  • To assess the laws, regulations and practices in the US and elsewhere where personal data is processed. 


Q: What is the outcome of MaxMind’s assessment for its reliance on the SCC tool for transfer of GDPR personal data? 


A: MaxMind conducted transfer impact assessments for its products related to the use of personal data governed by GDPR. Based on its assessments, MaxMind determined that for its particular circumstances and data processing needs for customers, the legislation deemed problematic is not relevant to MaxMind. 


This is based on a totality of factors, including the lack of a history of problematic law enforcement requests at MaxMind; lack of externally available information that contradicts MaxMind’s experience and MaxMind’s policy and technical privacy-by-design measures that provide very stringent controls against third party law enforcement or cloud provider access.  


Thus, MaxMind’s data transfer impact assessment demonstrates an equivalent set of protections without a level of risk that would require additional supplementary measures to accompany the SCC tool.  MaxMind has no reason to believe that the problematic legislation will be interpreted or applied in practice to the personal data processed by MaxMind on behalf of its customers. 


Q: Are there any other aspects of MaxMind’s data transfer program that are relevant to GDPR personal data?  


A: In addition to our assessment that problematic legislation is not, in practice, relevant to MaxMind customer data, we continue to provide strong protective security measures as part of our GDPR program, including- 

  • Scrutiny of law enforcement requests to establish legality and appropriate limitations in scope, in accordance with a formal, written MaxMind Policy on public authority and law enforcement requests.
  • Data minimization efforts designed to result in timely deletion of data and pseudonymization of records. 
  • Multi-factor authentication (MFA) requirements for internal MaxMind resources, for external MaxMind resources where supported, and MFA support for MaxMind customer portal accounts. 
  • Holistic  accountability procedures, including enhancing the transparency of the customer portal account activity displayed in each customer portal account. 
  • Continually reviewing and enhancing custom monitoring and alerting around services and internal network, including third party access on customer accounts.
  • A robust data protection awareness program and overall work culture with a heavy emphasis on privacy.
  • Strong technical, process and contractual based controls, including  authentication controls to prevent access without explicit authorization as one of the primary pillars of our networks’ zero trust architecture.
  • Transmission of data is encrypted from end to end.