The European Union Schrems II consumer data protection legislation requires “adequate levels of data protection" for all E.U. consumer Personal Identifiable Information (PII) data. The E.U. maintains an Adequacy List of countries with sufficient data protection, which does not include the United States.
The Schrems II regulation requires that all businesses that collect E.U. consumer PII data must store that data in the E.U. and prevent staff users based outside the Schrems II compliant region from accessing that data.
Configured Commerce Solution for Schrems II
The Optimizely team has created a system that will allow its clients to be maintain Schrems II compliance using a combination of settings in the Admin Console and data geofencing:
- Administrators can configure three Configured Commerce product attributes to protect PII data:
- Indicate which data fields in the Application Dictionary are PII.
- Indicate which Admin Console users are in a Schrems II compliant region within the user profile.
- Hide PII data fields from unauthorized users through System Lists.
- You can request to have your E.U. consumer PII data stored in the E.U. Contact your CSM to opt-in to Optimizely’s geofencing solution for E.U. data
Although we expect the above solution to allow our clients to maintain Schrems II compliance, the ultimate responsibility falls to the owner of the website that captures the E.U. consumer PII data.