We’re in the aftermath of the ruling by the European Court of Justice (ECJ) that struck down the European Commission’s adequacy decision for the EU-US Privacy Shield agreement. Many companies and organizations across Europe are now pondering their options for handling customer data.
The ruling means there is currently no legal basis for transferring personal data from the EU to the US, and that includes public cloud data centers located in Europe but run by US tech firms. Breaking EU privacy rules carries fines of up to 20 million euros or 4 percent of annual worldwide revenue.
The European Commission and its US counterparts are already said to be negotiating a successor framework for data transfers to replace Privacy Shield. Still, such a framework will probably not satisfy the ECJ, because the US government is unlikely to give up the comprehensive data access provisions granted to its national security services anytime soon.
Even the Irish data privacy watchdog, usually friendliest among EU regulators towards US tech giants, has issued Facebook with an order to stop transferring user data from the EU to the US.
So, what are the options after Privacy Shield?
For organizations that work with user data in clouds located in the US or run by US companies, neither inaction nor blind activism is in order.
Organizations could try to deny US government agencies access to the data by encrypting it strongly before exporting it. This isn’t easy, usually cannot be implemented overnight, and is not 100 percent reliable. Such strategies should be cleared with the local data protection agencies first.
Another way is to obtain the explicit consent of each and every EU user for transferring their personal data to a server that US government agencies can access. Phrasing such consent agreements so that they are legally sound is not particularly straightforward, but with a small and trusting customer base this might work.
Organizations that seek to avoid any risk are left with only one option: processing the data of their EU users outside the reach of US tech firms. This can also mean outside the EU, in countries covered by an EU adequacy decision, meaning the protection level in the destination country must match the protection level inside the EU.
Bottom line: organizations should carefully examine their internal and external shortcomings regarding their EU customers’ user data. They should then make two plans, one short-term and one long-term. The long-term plan should include hosting and processing all of the relevant data in a digitally sovereign way inside the EU.