Privacy Shield ruled invalid: The way forward for organizations

With the EU-U.S. Privacy Shield invalidated by the ECJ, organizations that move personal data from the EU to the U.S. have only a few options left to stay GDPR-compliant.

We are in the aftermath of the ruling by the European Court of Justice (ECJ) that invalidated the European Commission's adequacy decision for the EU-U.S. Privacy Shield agreement. Many companies and organizations across Europe are now pondering their options for handling customer data.

The ruling means that Privacy Shield can no longer serve as the legal basis for transferring personal data from the EU to the U.S. This also affects data held in public cloud data centers located in Europe but run by U.S. tech firms, because a U.S. operator can be compelled by U.S. authorities to hand over data regardless of where it is stored. Breaking EU privacy rules can draw fines of up to 20 million euro or 4 percent of worldwide annual turnover, whichever is higher.

The European Commission and its U.S. counterparts are already said to be negotiating a successor framework for data transfers to replace Privacy Shield. Still, this will probably not satisfy the ECJ, because the U.S. government is unlikely to give up the comprehensive access provisions for its national security services anytime soon, and those provisions were the core of the court's objection.

Even the Irish data privacy watchdog, usually the friendliest among EU regulators towards U.S. tech giants, has issued Facebook with an order to stop transferring user data from the EU to the U.S.

So, what are the options after Privacy Shield?

For organizations that process user data in clouds located in the U.S. or run by U.S. companies, neither inaction nor blind activism is in order.

Organizations could try to deny U.S. government agencies access to data by encrypting it on the client side before exporting it, with the keys generated and held exclusively inside the EU. Encryption offered by the cloud provider itself does not achieve this: if the provider holds the keys, it can be compelled to decrypt. This approach is not easy, can usually not be implemented overnight, and is not 100 percent reliable, since any data the cloud service needs to process in the clear (for indexing, search or analytics, for example) cannot be protected this way. Such strategies should be cleared with the local data protection authority first.

Another way is to obtain the explicit, informed consent of each and every EU user for transferring their personal data to a server that can be accessed by U.S. government agencies. It is not straightforward to phrase such consent in a way that is legally secure, but with a small and trusting customer base this might work.

Organizations that seek to avoid any risk end up with only one option: processing the data of their EU users outside the reach of U.S. tech firms. This can also mean outside the EU, in countries for which the European Commission has issued an adequacy decision, meaning the level of protection in the destination country must be essentially equivalent to that inside the EU.

Bottom line: organizations should carefully examine their internal and external shortcomings regarding their EU customers' personal data. They should then make two plans, one short-term and one long-term. The long-term plan should include hosting and processing all of the relevant data in a digitally sovereign way inside the EU.


September 28, 2020
