Privacy shield has fallen. This changes everything.
The European Court of Justice (ECJ) has ruled in the Schrems II case (C-311/18). It declares the Privacy Shield, an arrangement created by the U.S. Department of Commerce and the European Commission, invalid under European law.
The Privacy Shield has been used by many data processors as the legal ground for using American subcontractors for the processing of personal data (Microsoft, Google, AWS, etc.).
The ECJ also concludes that the SCCs, the standard contractual clauses for data transfers between the EU and non-EU countries, may still be valid, but only if the controller makes sure that the processor, in each individual case, can uphold the rights established by the GDPR. It also concludes that this will be close to impossible for US companies, due to the capabilities given to intelligence authorities in the US (e.g. the NSA).
This means that:
Any transfer of personal data from the EU to US-controlled companies based on the Privacy Shield must cease immediately or be based on another legal ground (of which none seems available).
Any transfer of personal data from the EU to US-controlled companies based on SCCs must be individually analyzed to ensure the individual rights of data subjects (which seems impossible).
The clarification from the European Court of Justice must also be taken into consideration in information security assessments for any other kind of sensitive data, such as public records and data related to banking and insurance. US-owned operators, and their subsidiaries, must not be used for such processing.
Furthermore, the European Court of Justice also declares that the supervisory authorities' primary responsibility is to monitor the application of the GDPR and to ensure its enforcement. This is important in light of the fact that less than 1% of all complaints to national DPAs have led to investigations, and even fewer to enforcement.
What must be done?
The first thing any organization must do is to make an inventory of all transfers of personal data (including data type, legal basis, etc.) made to any US company, and determine what legal ground is used for each transfer.
If the legal ground for the transfer is the Privacy Shield, the transfer must stop (and all data must be retrieved) or another legal ground must be found. If the legal ground is, or will be, SCCs, a case-by-case analysis must be done, and the ability to, for instance, immediately cease the transfer must be secured (which the ECJ finds impossible due to American legislation).
If possible, personal data should be stored within the EU, on servers controlled by EU companies that do not fall under US legislation.
In general, the need to know your data just became far more important. The ECJ ruling does not affect where data in general is stored, only personal data, and performing a personal data inventory is now mandatory to ensure a lawful business operation.
Aigine does exactly that.