Privacy Shield ruled invalid: The way forward for organizations

With the legal basis for transferring personal data from the EU to the U.S. gone after the ECJ's Privacy Shield ruling, organizations have only a few options to ensure GDPR compliance.

We’re in the aftermath of the ruling by the European Court of Justice (ECJ) to pull the adequacy decision of the European Commission with respect to the EU-U.S. Privacy Shield agreement. Many companies and organizations across Europe now ponder their options for handling customer data.

The ruling means there is now no legal basis for transferring personal data from the EU to the U.S., including public cloud data centers based in Europe but run by U.S. tech firms. For breaking EU privacy rules, there are fines in the magnitude of up to 20 million euro or 4 percent of worldwide revenue per year.

The European Commission and its U.S. counterparts are already said to be negotiating a future framework for data transfers to replace Privacy Shield. But still, this probably won’t satisfy the ECJ because the US government won’t give up comprehensive access provisions for its national security services anytime soon.

Even the Irish data privacy watchdog, usually friendliest among EU regulators towards US tech giants, has issued Facebook with an order to stop transferring user data from the EU to the US.

So, what are the options after Privacy Shield?

For organizations that work with user data in clouds located in the US or run by US companies, neither inaction nor blind activism is in order.

Organizations could try to deny US government agencies access to data by encrypting it heavily before exporting it. This isn’t easy, usually cannot be implemented overnight and is not 100 percent reliable. Such strategies should be cleared with the local data protection agencies first.

Another way is to get the explicit approval of each and every EU user for transferring their personal data to a server that can be accessed by US government agencies. It isn’t particularly straightforward to phrase those kinds of agreements in such a way that they are legally secure, but with a small and trusting customer base this might work.

Organizations that seek to avoid any risk end up with only one option: processing the data of their EU users outside the reach of US tech firms. This can also mean outside the EU, in countries that the EU has granted adequacy under its data privacy framework. This means the protection level in the destination country must match the protection level inside the EU.

Bottom line, organizations should carefully examine their internal and external shortcomings regarding their EU customers’ user data. They should then make two plans, one short-term and one long-term. The long-term one should include hosting and processing all of the relevant data in a digitally sovereign way inside the EU.

ownCloud

September 28, 2020
