Privacy Shield ruled invalid: The way forward for organizations

With the legal basis for transferring personal data from the EU to the U.S. gone after the ECJ's Privacy Shield ruling, organizations have only a few options to ensure GDPR compliance.

We’re in the aftermath of the ruling by the European Court of Justice (ECJ) to pull the adequacy decision of the European Commission with respect to the EU-U.S. Privacy Shield agreement. Many companies and organizations across Europe now ponder their options for handling customer data.

The ruling means there is now no legal basis for transferring personal data from the EU to the U.S., including to public cloud data centers based in Europe but run by U.S. tech firms. Breaking EU privacy rules carries fines of up to 20 million euro or 4 percent of annual worldwide revenue.

The European Commission and its U.S. counterparts are already said to be negotiating a future framework for data transfers to replace Privacy Shield. Even so, this probably won’t satisfy the ECJ, because the US government won’t give up comprehensive access provisions for its national security services anytime soon.

Even the Irish data privacy watchdog, usually friendliest among EU regulators towards US tech giants, has issued Facebook with an order to stop transferring user data from the EU to the US.

So, what are the options after Privacy Shield?

For organizations that work with user data in clouds located in the US or run by US companies, neither inaction nor blind activism is in order.

Organizations could try to deny US government agencies access to data by encrypting it heavily before exporting it. This isn’t easy, usually can’t be implemented overnight, and is not 100 percent reliable. Such strategies should be cleared with the local data protection agencies first.

Another way is to get the explicit approval of each and every EU user for transferring their personal data to a server that can be accessed by US government agencies. It isn’t particularly straightforward to phrase those kinds of agreements in such a way that they are legally secure, but with a small and trusting customer base this might work.

Organizations that seek to avoid any risk end up with only one option: processing the data of their EU users outside the reach of US tech firms. This can also mean outside the EU, in countries that have been granted adequacy under the EU data privacy framework, i.e. the protection level in the destination country must match the protection level inside the EU.

Bottom line: organizations should carefully examine their internal and external shortcomings regarding their EU customers’ user data. They should then make two plans, one short-term and one long-term. The long-term one should include hosting and processing all of the relevant data in a digitally sovereign way inside the EU.

September 28, 2020