What about the Schrems II decision and data transfers?

Last Updated: 2021-03-29


Q: In light of the invalidation of Privacy Shield by the Court of Justice of the European Union (CJEU) why does MaxMind still reference the Privacy Shield program in its privacy statement? 


A: MaxMind adheres to the safeguards, requirements and standards that underlie the Privacy Shield. The underlying protections that previously applied to Privacy Shield are still important and effective in the protection of data protection rights and freedoms.  Moreover, the US Department of Commerce has dictated through its official channel that companies that previously used the Privacy Shield program are not relieved of their obligations under the program. Thus, as an organization that complies with the regulations in all jurisdictions in which we operate, we must comply with the changes based on the Schrems II decision, as well as continuing to implement the protections that underlie the Privacy Shield. 


For cross border data transfers, MaxMind relies on standard contractual clauses (SCC) and supplementary measures to further protect our customers’ data. 


Q: What supplementary measures does MaxMind employ in addition to the SCC? 


A: Following guidance from the European Data Protection Board (EDPB), MaxMind has assessed the circumstances of its cross border data transfers. For those data transfers from the EU or UK to the US, MaxMind employs the standard contractual clauses together with certain supplementary measures to achieve a level of security appropriate to the risk represented by the processing and the nature of the data to be transferred.  These supplementary measures include:


  • Scrutiny of law enforcement requests to establish legality and appropriate limitations in scope. 
  • Data minimization efforts designed to result in timely deletion of data and pseudonymization of records. 
  • Multi-factor authentication (MFA) requirements for internal MaxMind resources, for external MaxMind resources where supported, and MFA support for MaxMind customer portal accounts. 
  • Holistic  accountability procedures, including enhancing the transparency of the customer portal account activity displayed in each customer portal account. 
  • Continually reviewing and enhancing custom monitoring and alerting around services and internal network, including third party access on customer accounts.
  • A robust data protection awareness program and overall work culture with a heavy emphasis on privacy.
  •  Strong technical, process and contractual based controls, including  authentication controls to prevent access without explicit authorization as one of the primary pillars of our networks’ zero trust architecture.
  • Transmission of data is encrypted from end to end.